snyk-vulnerability-scanner

Automates Snyk security vulnerability scanning, GitHub issue reporting, and auto-fix PR creation for repositories. Use when scanning repositories for security vulnerabilities, generating vulnerability reports as GitHub issues, or automatically fixing vulnerabilities via pull requests. Requires Snyk CLI authentication, GitHub CLI authentication, and repository access permissions. Supports npm, Python, Gradle, and Maven projects. Creates PRs against dev branch by default.

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.


Install skill "snyk-vulnerability-scanner" with this command: npx skills add cr0m3/snyk-vulnerability-scanner

Snyk Vulnerability Scanner

Automated security vulnerability scanning and fixing for GitHub repositories using Snyk.

What It Does

  1. Scans repositories for security vulnerabilities using Snyk
  2. Reports findings as GitHub issues (grouped by package)
  3. Auto-fixes vulnerabilities by applying Snyk patches and creating PRs

Prerequisites

Before using this skill, ensure:

  1. Snyk CLI is installed (npm install -g snyk) and authenticated: snyk auth
  2. GitHub CLI is installed (brew install gh on macOS; use your platform's package manager elsewhere) and authenticated: gh auth login
  3. jq is installed (brew install jq on macOS) for JSON processing
  4. You have write access to the target repository (the skill pushes branches, opens PRs, and creates issues)

Workflow

Scan Repository → Create GitHub Issues → Auto-Fix → Create PR

Severity Levels

A single level acts as a threshold: it selects that level and everything above it.

  • critical - Critical vulnerabilities only
  • high - High and critical vulnerabilities (default)
  • medium - Medium, high, and critical
  • low - All severities (low, medium, high, and critical)

Usage

Full Automated Workflow

Run complete scan → report → fix workflow:

./scripts/run-full-workflow.sh <repo-url> [base-branch] [severity] [skip-issues] [skip-fix] [dry-run]

Parameters (positional: to set a later one you must also supply every earlier one, as in the examples below):

  • repo-url - Full GitHub URL (required)
  • base-branch - Target branch for PRs (default: dev)
  • severity - Comma-separated levels (default: high,critical)
  • skip-issues - true to skip GitHub issue creation (default: false)
  • skip-fix - true to skip auto-fix (default: false)
  • dry-run - true to simulate without making changes (default: false)

Examples:

# Full workflow with defaults
./scripts/run-full-workflow.sh https://github.com/owner/repo

# Scan only, skip fixes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high false true false

# Dry run - runs every step but makes no changes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high,critical false false true

# Fix only (skip issues), target main branch
./scripts/run-full-workflow.sh https://github.com/owner/repo main high true false false

Step-by-Step Usage

1. Scan Only

./scripts/snyk-scan.sh <repo-url> [output-file] [severity-filter]

Generates a JSON file with vulnerability details.

Example:

./scripts/snyk-scan.sh https://github.com/owner/repo results.json high,critical

2. Create GitHub Issues

python3 scripts/create-github-issues.py <results.json> <repo-url>

Creates one GitHub issue per vulnerable package, grouping all CVEs for that package.

3. Auto-Fix and Create PR

./scripts/snyk-auto-fix.sh <repo-url> [base-branch] [dry-run]

Applies Snyk fixes and creates a PR to the specified branch.

Example:

./scripts/snyk-auto-fix.sh https://github.com/owner/repo dev false

Supported Package Managers

  • npm/yarn (package.json)
  • Python (requirements.txt, Pipfile, pyproject.toml)
  • Gradle (build.gradle)
  • Maven (pom.xml)

GitHub Issues

Issues are created with:

  • Labels: security, vulnerability, snyk
  • Package name in title with severity level
  • Detailed body with all CVEs for that package
  • Link to Snyk for more info
  • Auto-fix availability indicator

Duplicate prevention: Issues won't be created if a similar issue already exists for the same package.

Pull Requests

PRs include:

  • Branch name: snyk-fix-<timestamp>
  • Body with fix summary, changed files, and remaining vulnerabilities
  • Labels: security, dependencies, snyk
  • Target: dev branch (configurable)
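The grouping, duplicate check, and PR summary described under Severity Levels, GitHub Issues, and Pull Requests, as an added example (this is not the skill's own create-github-issues.py or snyk-auto-fix.sh code). It assumes the field names of the snyk test --json output (vulnerabilities[].id, .title, .severity, .packageName, .version, .identifiers.CVE, .isUpgradable, .isPatchable, .fixedIn); the two scan results embedded below are constructed placeholders, not findings from a real scan, and the issue-title layout is this example's own choice.

```python
"""Issue grouping, duplicate check and PR fix summary (added example, not the skill's code).

Field names follow `snyk test --json`; SCAN_BEFORE / SCAN_AFTER are constructed
placeholders (fake ids and CVE numbers), not real findings.
"""
import re
from collections import defaultdict

SEVERITY_ORDER = ["low", "medium", "high", "critical"]  # ascending

# Constructed sample in the shape of a `snyk test --json` result (placeholder ids/CVEs).
SCAN_BEFORE = {
    "ok": False, "packageManager": "npm",
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-1", "title": "Prototype Pollution", "severity": "high",
         "packageName": "example-lib", "version": "1.0.0", "identifiers": {"CVE": ["CVE-0000-0001"]},
         "isUpgradable": True, "isPatchable": False, "fixedIn": ["1.0.1"]},
        {"id": "SNYK-JS-EXAMPLE-2", "title": "Regular Expression Denial of Service", "severity": "medium",
         "packageName": "example-lib", "version": "1.0.0", "identifiers": {"CVE": []},
         "isUpgradable": True, "isPatchable": False, "fixedIn": ["1.0.2"]},
        {"id": "SNYK-JS-EXAMPLE-3", "title": "Arbitrary Code Execution", "severity": "critical",
         "packageName": "other-lib", "version": "2.3.0", "identifiers": {"CVE": ["CVE-0000-0003"]},
         "isUpgradable": False, "isPatchable": False, "fixedIn": []},
    ],
}
# Constructed re-scan after upgrading example-lib: only the unfixable finding is left.
SCAN_AFTER = {"ok": False, "packageManager": "npm", "vulnerabilities": [SCAN_BEFORE["vulnerabilities"][2]]}


def selected_severities(filter_arg: str) -> set:
    """Severity filter as the scripts take it: a single level ('high') is a threshold
    (that level and everything above it); a comma list ('high,critical') is taken literally."""
    levels = [s.strip().lower() for s in filter_arg.split(",") if s.strip()]
    if not levels or any(lvl not in SEVERITY_ORDER for lvl in levels):
        raise ValueError(f"unknown severity filter: {filter_arg!r}")
    if len(levels) == 1:
        return set(SEVERITY_ORDER[SEVERITY_ORDER.index(levels[0]):])
    return set(levels)


def group_by_package(scan: dict, wanted: set) -> dict:
    """One group per (packageName, version): the unit the skill turns into a single issue."""
    groups = defaultdict(list)
    for vuln in scan.get("vulnerabilities", []):
        if vuln["severity"] in wanted:
            groups[(vuln["packageName"], vuln["version"])].append(vuln)
    return dict(groups)


def highest_severity(vulns: list) -> str:
    return max(vulns, key=lambda x: SEVERITY_ORDER.index(x["severity"]))["severity"]


def issue_title(package: str, version: str, vulns: list) -> str:
    """Package name plus the group's worst severity in the title."""
    return f"[{highest_severity(vulns).upper()}] {package}@{version}: {len(vulns)} Snyk finding(s)"


def issue_body(package: str, version: str, vulns: list) -> str:
    """Every finding for the package, worst first, with CVEs, auto-fix availability and a Snyk link."""
    lines = [f"Snyk reported {len(vulns)} finding(s) in `{package}@{version}`.", ""]
    for v in sorted(vulns, key=lambda x: SEVERITY_ORDER.index(x["severity"]), reverse=True):
        cves = ", ".join(v.get("identifiers", {}).get("CVE", [])) or "no CVE assigned"
        fix = "upgrade" if v.get("isUpgradable") else "patch" if v.get("isPatchable") else "not available"
        fixed_in = ", ".join(v.get("fixedIn", [])) or "n/a"
        lines.append(f"- {v['severity']}: {v['title']} ({cves})")
        lines.append(f"  auto-fix: {fix}; fixed in: {fixed_in}; https://security.snyk.io/vuln/{v['id']}")
    return "\n".join(lines)


TITLE_RE = re.compile(r"^\[[A-Z]+\] (?P<pkg>.+)@[^@:\s]+:")


def package_from_title(title: str):
    """Recover the package name from a title in the layout above (None if it is not one)."""
    match = TITLE_RE.match(title)
    return match.group("pkg") if match else None


def is_duplicate(package: str, existing_titles: list) -> bool:
    """Duplicate prevention: skip when an existing issue already names the same package.
    Parsing the title avoids substring false positives such as 'lodash' matching '@types/lodash'."""
    return any(package_from_title(t) == package for t in existing_titles)


def fix_summary(before: dict, after: dict) -> dict:
    """For the PR body: findings the fix removed, findings still present, and any new ones.
    Keyed on (id, packageName) so an upgrade that leaves the same advisory open counts as remaining."""
    key = lambda v: (v["id"], v["packageName"])
    before_keys = {key(v) for v in before.get("vulnerabilities", [])}
    after_keys = {key(v) for v in after.get("vulnerabilities", [])}
    return {"fixed": sorted(before_keys - after_keys),
            "remaining": sorted(before_keys & after_keys),
            "new": sorted(after_keys - before_keys)}


if __name__ == "__main__":
    for (pkg, ver), vulns in group_by_package(SCAN_BEFORE, selected_severities("high")).items():
        print(issue_title(pkg, ver, vulns))
        print(issue_body(pkg, ver, vulns), "\n")
    print(fix_summary(SCAN_BEFORE, SCAN_AFTER))
```

Feed the real snyk-scan.sh output into group_by_package in place of SCAN_BEFORE, and the titles returned by gh issue list into is_duplicate, to reproduce the issue step; the fix_summary output is what belongs in the PR body's "remaining vulnerabilities" section, and a non-empty "new" list is the signal that an upgrade pulled in a freshly vulnerable transitive dependency.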

Cron/Automated Runs

For periodic scans, run the full workflow from cron. Cron jobs run non-interactively with a minimal PATH, so make sure snyk, gh, and jq are on the PATH and that both CLIs can authenticate without a prompt (the Snyk CLI reads SNYK_TOKEN and gh reads GH_TOKEN from the environment). Because the job holds write access and opens PRs unattended, scope that GitHub token to the target repository only and review the PRs before merging.

# Add to cron for daily scans at 9am
0 9 * * * cd ~/.openclaw/workspace/skills/snyk-vulnerability-scanner && ./scripts/run-full-workflow.sh https://github.com/owner/repo

Or via OpenClaw cron for direct integration:

{
  "name": "snyk-daily-scan",
  "schedule": { "kind": "cron", "expr": "0 9 * * *" },
  "payload": {
    "kind": "agentTurn",
    "message": "Run Snyk vulnerability scan on https://github.com/owner/repo and create fixes for dev branch"
  }
}

Scripts Reference

Script                     Purpose
run-full-workflow.sh       Main entry point - runs the complete workflow
snyk-scan.sh               Scans the repo, outputs JSON results
create-github-issues.py    Creates GitHub issues from scan results
snyk-auto-fix.sh           Applies fixes and creates PRs

Troubleshooting

"Snyk not authenticated" → Run: snyk auth

"GitHub CLI not authenticated" → Run: gh auth login

"No vulnerabilities found" → Confirm the scan saw a supported manifest: run snyk test in the cloned repo and check that package.json, requirements.txt, pom.xml, or build.gradle is at the scanned path. Also check the Snyk dashboard for your project; the repo may need to be imported first.

"Permission denied" on scripts → Run: chmod +x scripts/*.sh

Auto-fix not working → Some vulnerabilities can't be auto-fixed; check Snyk dashboard for remediation advice

Dry run shows changes but real run doesn't → Check that Snyk has fixable suggestions for the vulnerabilities; some require manual updates

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
