Snyk Code SAST works by analyzing your source code for potential security vulnerabilities without ever needing to compile or run it.

Here’s how you get Snyk Code SAST set up and integrated into your workflow:

Integrating Snyk Code into Your Development Workflow

Snyk Code is a static application security testing (SAST) tool that scans your application’s source code to identify security vulnerabilities. Unlike dynamic analysis (DAST) or software composition analysis (SCA) which look at running applications or dependencies, SAST operates directly on the code itself. This means it can catch vulnerabilities early in the development lifecycle, before code is even committed or deployed.

How Snyk Code Works Under the Hood

Snyk Code employs a multi-pronged approach to analysis. It uses a combination of:

  • Abstract Syntax Tree (AST) analysis: Snyk parses your code into an AST, which is a tree representation of the code’s structure. This allows Snyk to understand the code’s logic and flow.
  • Data flow analysis: Snyk tracks how data moves through your application. This is crucial for identifying vulnerabilities like SQL injection or cross-site scripting (XSS), where malicious data can be injected and processed unsafely.
  • Taint analysis: A specific type of data flow analysis, taint analysis marks data that originates from untrusted sources (e.g., user input) as "tainted." Snyk then checks if this tainted data reaches sensitive sinks (e.g., database queries, command executions) without proper sanitization.
  • Machine learning models: Snyk trains machine learning models on vast datasets of code, including both vulnerable and secure code. These models help identify complex vulnerability patterns that might be missed by traditional rule-based systems.

By combining these techniques, Snyk Code aims to report findings that are both accurate (few false positives) and actionable (each tied to a concrete location and, where applicable, the path the untrusted data took).
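To make the AST, data-flow and taint ideas above concrete, here is an added toy taint analyzer written over Python's own `ast` module. It is an illustration for this article, not Snyk's engine or any part of the Snyk product, and it is deliberately intra-procedural. The source, sink and sanitizer names (request.args.get, input, cursor.execute, os.system, escape, int) are a hypothetical vocabulary chosen for the example, and the snippet it scans is constructed.

```python
"""Toy intra-procedural taint analysis over a Python AST (added example, not Snyk's engine).

It models the three ideas from the text: parse to an AST, follow data through
assignments (data flow), and flag when data from an untrusted source reaches a
sensitive sink without passing through a sanitizer (taint analysis).
"""
from __future__ import annotations

import ast

# Hypothetical vocabulary for the example: where untrusted data enters,
# which calls must never receive it unsanitized, and which calls neutralise it.
SOURCES = {"request.args.get", "input"}
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"escape", "int"}


def _call_name(node: ast.Call) -> str:
    """Render a call target such as ``cursor.execute`` as dotted text."""
    parts = []
    target = node.func
    while isinstance(target, ast.Attribute):
        parts.append(target.attr)
        target = target.value
    if isinstance(target, ast.Name):
        parts.append(target.id)
    return ".".join(reversed(parts))


def _extend(path: list[int], lineno: int) -> list[int]:
    """Append a line to a flow path without repeating the last step."""
    return path if path and path[-1] == lineno else path + [lineno]


class TaintAnalyzer(ast.NodeVisitor):
    """Walks a module top to bottom, carrying a flow path (line numbers)
    for every variable that currently holds tainted data."""

    def __init__(self) -> None:
        self.tainted: dict[str, list[int]] = {}
        self.findings: list[dict] = []

    def taint_path(self, node: ast.AST) -> list[int] | None:
        """Return the flow path if ``node`` evaluates to tainted data, else None."""
        if isinstance(node, ast.Name):
            return self.tainted.get(node.id)
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SOURCES:
                return [node.lineno]
            if name in SANITIZERS:
                return None  # sanitizer output is treated as clean
            # Any other call (str(), format(), ...) passes taint from its arguments through.
            return next((p for p in map(self.taint_path, node.args) if p), None)
        if isinstance(node, (ast.BinOp, ast.JoinedStr, ast.FormattedValue)):
            # Concatenation and f-strings are tainted if any operand is.
            return next((p for p in map(self.taint_path, ast.iter_child_nodes(node)) if p), None)
        return None

    def visit_Assign(self, node: ast.Assign) -> None:
        path = self.taint_path(node.value)
        for target in node.targets:
            if isinstance(target, ast.Name):
                if path:
                    self.tainted[target.id] = _extend(path, node.lineno)
                else:
                    self.tainted.pop(target.id, None)  # overwritten with clean data
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = _call_name(node)
        if name in SINKS:
            for arg in node.args:
                path = self.taint_path(arg)
                if path:
                    self.findings.append({"sink": name, "line": node.lineno,
                                          "flow": _extend(path, node.lineno)})
        self.generic_visit(node)


def analyze(source: str) -> list[dict]:
    """Run the analyzer over a Python source string and return its findings."""
    analyzer = TaintAnalyzer()
    analyzer.visit(ast.parse(source))
    return analyzer.findings


def format_report(findings: list[dict]) -> str:
    """Render findings in a Snyk-like style, including the data flow path."""
    if not findings:
        return "No issues found."
    lines = []
    for f in findings:
        lines.append(f"✗ Tainted data reaches sink '{f['sink']}' at line {f['line']}")
        lines.append("  Data flow path: " + " -> ".join(f"line {n}" for n in f["flow"]))
    return "\n".join(lines)


# Constructed sample: the first query is built by concatenation from an HTTP
# parameter (SQL injection); the second casts the parameter to int and uses a
# parameterised query, so it must not be reported.
SAMPLE = """\
user_id = request.args.get("id")
query = "SELECT * FROM users WHERE id = " + user_id
cursor.execute(query)
safe_id = int(request.args.get("id"))
cursor.execute("SELECT * FROM users WHERE id = %s", (safe_id,))
"""

if __name__ == "__main__":
    print(format_report(analyze(SAMPLE)))
```

Running it reports one finding with the path line 1 -> line 2 -> line 3, which is exactly the kind of data flow path a real SAST tool attaches to an injection finding; the second query is silent because `int` is in the sanitizer set. A production engine differs mainly in scale: it tracks flows across functions and files, knows thousands of framework-specific sources and sinks, and (as the text notes) supplements the rules with learned patterns.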

Setting Up Snyk Code

The primary way to integrate Snyk Code is through its CLI or IDE plugins.

1. Snyk CLI Installation

The Snyk CLI is the most versatile way to integrate Snyk Code into your workflow, allowing for integration into CI/CD pipelines.

  • Installation (macOS/Linux):

    brew install snyk

    If you don’t use Homebrew, you can download the binary from the Snyk releases page on GitHub.

  • Installation (Windows): Download the appropriate MSI installer from the Snyk releases page.

  • Authentication: After installation, you need to authenticate the CLI with your Snyk account.

    snyk auth

    This command will open a browser window to your Snyk account for authentication.

2. Running Your First Scan

Navigate to your project’s root directory in your terminal.

cd /path/to/your/project

Then, run the Snyk Code scan:

snyk code test

Snyk will analyze your code and report any vulnerabilities found, categorizing them by severity (Low, Medium, High, Critical).

Example Output:

Testing /path/to/your/project...

✗ High severity vulnerability in express-session
  Description: Use of insecure 'cookie.secure' setting
  Info: https://snyk.io/vuln/SNYK-JS-EXPRESSSESSION-1018907
  Introduced through express-session@1.17.1
  From: express-session@1.17.1
  ...

✗ Medium severity vulnerability in lodash
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/SNYK-JS-LODASH-1018045
  Introduced through lodash@4.17.20
  From: lodash@4.17.20
  ...

Organization: your-org
Package manager: npm
...

3. IDE Integrations

For a more seamless developer experience, Snyk offers plugins for popular IDEs:

  • VS Code: Search for "Snyk" in the VS Code Extensions Marketplace and install it. After installation, you’ll be prompted to log in to your Snyk account.
  • JetBrains IDEs (IntelliJ IDEA, PyCharm, etc.): Search for "Snyk" in the JetBrains Plugin Marketplace.
  • Other IDEs: Snyk also offers plugins for editors like Vim and Emacs.

Once installed and authenticated, these plugins will provide real-time feedback on vulnerabilities as you code, often highlighting the exact line of code with the issue.

Configuring Snyk Code

Snyk Code can be configured to tailor its scanning behavior. The primary configuration file is .snyk.

Example .snyk file:

version: "1.0.0"
checks:
  code:
    # Enable or disable specific languages. Defaults to all supported languages.
    languages:
      - java
      - javascript
      - python
    # Ignore specific paths from scanning
    ignore:
      - "**/generated/**"
      - "**/vendor/**"
      - "**/node_modules/**"
    # Control the severity level of issues to report.
    # By default, Snyk reports all severities.
    severityThreshold: "high" # Only report High and Critical issues

This file should be placed in the root of your project.

Integrating into CI/CD Pipelines

Integrating Snyk Code into your CI/CD pipeline is crucial for continuous security. The exact commands depend on your CI/CD platform (e.g., GitHub Actions, GitLab CI, Jenkins).

Example (GitHub Actions):

Create a workflow file (e.g., .github/workflows/snyk.yml):

name: Snyk Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Set up Node.js # Example for Node.js projects
      uses: actions/setup-node@v3
      with:
        node-version: '16'
    - name: Install dependencies # Example for Node.js projects
      run: npm ci
    - name: Run Snyk Code scan
      uses: snyk/actions/node@master # Use the appropriate Snyk action for your language
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Your Snyk API token
      with:
        command: code test # Without this the action runs its default dependency (SCA) test, not Snyk Code
        # Add other action parameters as needed, e.g. args: --severity-threshold=high

You’ll need to generate a Snyk API token from your Snyk account settings and add it as a secret in your CI/CD platform (e.g., SNYK_TOKEN in GitHub Secrets).

Understanding the Findings

Snyk Code reports vulnerabilities with:

  • Severity: Critical, High, Medium, Low.
  • Vulnerability Type: e.g., SQL Injection, XSS, Insecure Deserialization.
  • Description: A clear explanation of the vulnerability.
  • Info: A link to Snyk’s vulnerability database for more details, including how to fix it.
  • File and Line Number: The exact location in your code.
  • Code Snippet: The relevant portion of code where the vulnerability is detected.
  • Data Flow Path (for some vulnerabilities): Illustrates how tainted data flows to a vulnerable sink.

The most important aspect is to understand the data flow path when one is available. It shows, step by step, how user input or other untrusted data enters your application and reaches a dangerous function without proper validation or sanitization, which tells you both where to fix the issue (usually at the sink or an intermediate step) and whether the finding is a genuine problem.
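Reading the findings in CI rather than in the terminal is what makes the pipeline integration above and this section meet. The following is an added example, not Snyk's own tooling: it parses a SARIF report (the CLI writes one with `snyk code test --sarif-file-output=snyk.sarif`), applies a severity gate, and prints each finding's data flow path into the build log. The embedded SARIF document is constructed to follow the SARIF 2.1.0 layout (results, levels, codeFlows); its rule ids, file paths and line numbers are placeholders, and the mapping of SARIF levels to Snyk-style severities is an assumption.

```python
"""Gate a Snyk Code SARIF report by severity and print each finding's data flow path.

Added example, not Snyk's own tooling. Produce real input with
``snyk code test --sarif-file-output=snyk.sarif`` and run this script on the file.
"""
from __future__ import annotations

import json
import sys

# Assumed mapping from SARIF result levels to Snyk-style severities.
LEVEL_TO_SEVERITY = {"error": "high", "warning": "medium", "note": "low"}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _place(physical: dict) -> tuple[str, int]:
    """Extract (file, line) from a SARIF physicalLocation."""
    return physical["artifactLocation"]["uri"], physical["region"]["startLine"]


def parse_findings(sarif_text: str) -> list[dict]:
    """Flatten SARIF 2.1.0 results into dicts with severity, location and flow path."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for result in run.get("results", []):
            file, line = _place(result["locations"][0]["physicalLocation"])
            flow = []  # (file, line, label) per step of the taint path, source first
            for code_flow in result.get("codeFlows", []):
                for thread in code_flow.get("threadFlows", []):
                    for step in thread.get("locations", []):
                        loc = step["location"]
                        step_file, step_line = _place(loc["physicalLocation"])
                        flow.append((step_file, step_line, loc.get("message", {}).get("text", "")))
            findings.append({
                "rule": result.get("ruleId", "unknown"),
                "severity": LEVEL_TO_SEVERITY.get(result.get("level"), "low"),
                "file": file, "line": line,
                "message": result["message"]["text"],
                "flow": flow,
            })
    return findings


def blocking(findings: list[dict], threshold: str) -> list[dict]:
    """Findings at or above ``threshold``; a non-empty result should fail the build."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK[f["severity"]] >= floor]


def format_finding(f: dict) -> str:
    """Render one finding in a Snyk-like style with its data flow path, if any."""
    text = f"✗ {f['severity'].capitalize()} severity: {f['rule']} at {f['file']}:{f['line']}\n  {f['message']}"
    if f["flow"]:
        steps = " -> ".join(f"{file}:{line} ({label})" for file, line, label in f["flow"])
        text += f"\n  Data flow path: {steps}"
    return text


def _loc(uri: str, line: int, label: str | None = None) -> dict:
    """Build a SARIF location object (helper for the constructed sample below)."""
    loc = {"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}
    if label:
        loc["message"] = {"text": label}
    return loc


# Constructed sample in SARIF 2.1.0 shape; rule ids, paths and lines are placeholders.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "SnykCode"}},
    "results": [
        {"ruleId": "python/Sqli", "level": "error",
         "message": {"text": "Unsanitized input from an HTTP parameter flows into execute, where it is used in an SQL query."},
         "locations": [_loc("app/views.py", 42)],
         "codeFlows": [{"threadFlows": [{"locations": [
             {"location": _loc("app/views.py", 37, "request.args.get")},
             {"location": _loc("app/views.py", 40, "query")},
             {"location": _loc("app/views.py", 42, "execute")}]}]}]},
        {"ruleId": "python/HardcodedSecret", "level": "warning",
         "message": {"text": "A hardcoded credential is used."},
         "locations": [_loc("app/config.py", 8)]},
    ]}]})

if __name__ == "__main__":
    # Usage: python gate.py [snyk.sarif] [threshold]; falls back to the constructed sample.
    sarif_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    found = parse_findings(sarif_text)
    print("\n\n".join(map(format_finding, found)) or "No issues found.")
    failing = blocking(found, threshold)
    print(f"\n{len(failing)} finding(s) at or above '{threshold}' severity")
    sys.exit(1 if failing else 0)
```

With the sample, a threshold of `high` fails the build on the SQL injection alone while the medium-severity hardcoded secret is only reported; lowering the threshold to `medium` makes both block. The CLI can enforce the same gate on its own with `--severity-threshold`, so the value of a script like this is the data flow path in the build log and any policy the flag cannot express (per-path exceptions, different thresholds for main and pull requests).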

The next step after integrating Snyk Code is often to explore how Snyk can automatically remediate some of these findings or how to fine-tune the analysis to reduce noise.
