snyk test: Find Vulnerable Dependencies
snyk test analyzes your dependency manifest against Snyk's vulnerability database and exits 1 when issues at or above the threshold are found.
snyk test is the SCA (software composition analysis) entry point: it reads your lockfile/manifest and reports known CVEs in your dependencies.
What it does
snyk test resolves the dependency tree, queries the Snyk database, and lists vulnerabilities with severity and a fix path. Exit 0 means no issues at/above the threshold, 1 means vulnerabilities were found, and 2 means a usage/auth error. It does not change your code.
Common usage
snyk auth $SNYK_TOKEN
snyk test --severity-threshold=high
# monorepo: scan every manifest it finds
snyk test --all-projects --severity-threshold=mediumOptions
| Flag | What it does |
|---|---|
| --severity-threshold <lvl> | low, medium, high, or critical gate |
| --all-projects | Detect and scan all manifests in the repo |
| --json / --sarif-file-output | Machine-readable output |
| --fail-on <type> | all, upgradable, or patchable issues to fail on |
| --org <id> | Run under a specific Snyk organization |
| --file <manifest> | Test a specific manifest file |
In CI
snyk test already exits 1 on findings, so it fails the job without extra wiring; set --severity-threshold=high to avoid blocking on low-severity noise. Authenticate with SNYK_TOKEN as a secret. Use --fail-on=upgradable if you only want to block when a fix is actually available.
Common errors in CI
"Authentication error (SNYK-0005)" or "Missing API token" means SNYK_TOKEN is unset (fork PRs cannot read it). "Could not detect supported target files" means no recognized manifest in the path; pass --file or --all-projects. "Failed to get dependencies" often means the project was not installed first (run npm ci before snyk test for some ecosystems).