Skip to content
Latchkey

How to Run a Dependency Security Scan in CircleCI

Scan dependencies in CircleCI with the Snyk orb for rich SCA, or a zero-dependency npm audit step.

Use the snyk/snyk orb to scan and optionally fail on a severity threshold, or run npm audit directly when you just need a lightweight dependency gate.

Snyk orb scan with a threshold

The orb runs a vulnerability scan and fails the job on high-or-worse findings.

.circleci/config.yml
version: 2.1
orbs:
  snyk: snyk/snyk@2

jobs:
  scan:
    docker:
      - image: cimg/node:20.11
    steps:
      - checkout
      - run: npm ci
      - snyk/scan:
          severity-threshold: high
          fail-on-issues: true

Gotchas

  • The Snyk orb needs SNYK_TOKEN set in a context or project env var.
  • Set severity-threshold so low-severity advisories do not block every build.
  • For a no-orb option, npm audit --audit-level=high works but lacks Snyk's fix advice and monitoring.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →