How to Run a Dependency Security Scan in CircleCI
Scan dependencies in CircleCI with the Snyk orb for rich SCA, or a zero-dependency npm audit step.
Use the snyk/snyk orb to scan and optionally fail on a severity threshold, or run npm audit directly when you just need a lightweight dependency gate.
Snyk orb scan with a threshold
The orb runs a vulnerability scan and fails the job on high-or-worse findings.
.circleci/config.yml
version: 2.1
orbs:
snyk: snyk/snyk@2
jobs:
scan:
docker:
- image: cimg/node:20.11
steps:
- checkout
- run: npm ci
- snyk/scan:
severity-threshold: high
fail-on-issues: trueGotchas
- The Snyk orb needs
SNYK_TOKENset in a context or project env var. - Set
severity-thresholdso low-severity advisories do not block every build. - For a no-orb option,
npm audit --audit-level=highworks but lacks Snyk's fix advice and monitoring.
Related guides
How to Run a Security Scan (CodeQL + Dependencies) in GitHub ActionsRun a SAST and dependency security scan in GitHub Actions with CodeQL and a dependency audit, uploading SARIF…
How to Run SAST and Dependency Scanning in GitLab CIRun SAST and dependency scanning in GitLab CI by including the built-in security templates, which add scanner…