Snyk’s offline scanning capability allows you to scan your code for vulnerabilities and license compliance in air-gapped environments where direct internet access is restricted.
Here’s how it works. First, you’ll need to download the Snyk CLI and the latest vulnerability database from a machine that does have internet access. These downloaded components are then transferred to your air-gapped environment.
On the internet-connected machine, install the Snyk CLI:
npm install -g snyk
Next, download the vulnerability database. You’ll typically want to do this regularly to ensure you have the latest vulnerability information. The command to download the database is:
snyk monitor --file=snyk-config.json --json --json-file-output=snyk-db-manifest.json
This command, when run with appropriate configuration (e.g., specifying a target directory for downloads), will fetch the necessary database files. The snyk-config.json would specify your Snyk project configuration, and the output snyk-db-manifest.json will list the downloaded files.
Once you have the Snyk CLI binary and the vulnerability database files on a portable medium (like a USB drive), transfer them to your air-gapped machine.
On the air-gapped machine, you’ll point the Snyk CLI to the local database. This is achieved by setting the SNYK_API and SNYK_HOST environment variables to point to your local Snyk instance or a local mirror, and potentially the SNYK_DB_PATH if you’ve structured your local database in a specific way.
A common setup involves a local Snyk Broker or a direct local scan using the downloaded database. For a direct local scan, you would typically configure the CLI to use local files. Let’s assume you’ve placed the downloaded database files in a directory named /opt/snyk-db on your air-gapped system.
You would then run your scan command, pointing to the local database:
SNYK_API=http://localhost:8080 SNYK_HOST=http://localhost:8080 SNYK_DB_PATH=/opt/snyk-db snyk test --org=<your-org-id> --file=package.json
In this example, SNYK_API and SNYK_HOST are set to a local Snyk Broker or a mock server if you’ve set one up. If you’re purely relying on the downloaded database without a broker, you might need to configure Snyk differently, often by setting specific flags or environment variables that tell the CLI to operate offline and use local files.
The SNYK_DB_PATH environment variable is crucial if Snyk needs to know where to find the local vulnerability definitions. The exact mechanism can vary slightly based on the Snyk CLI version and your specific air-gapped setup (e.g., whether you’re using a Snyk Broker appliance or just local files).
To illustrate the core concept of using local data, imagine the Snyk CLI normally makes API calls to api.snyk.io to fetch vulnerability data. When offline, you’re essentially intercepting those calls or providing the data directly.
Let’s say you’re scanning a Node.js project. The command would look something like this:
SNYK_API=http://localhost:8080 SNYK_HOST=http://localhost:8080 snyk test --file=package-lock.json --exclude-unknown
The --exclude-unknown flag is often useful in offline environments to prevent Snyk from trying to reach out to external sources for information it can’t find locally.
The Snyk Broker is a more robust solution for air-gapped environments. It acts as a proxy and cache for Snyk’s services. You install the Broker on a machine within the air-gapped network that has a connection to the internet (or a specific internal network segment that can reach Snyk). The Broker then downloads the necessary data from Snyk.io and serves it to the Snyk CLI instances running within the air-gapped environment.
When using a Snyk Broker, your Snyk CLI commands on the air-gapped machines are configured to point to the Broker’s address. For example, if your Broker is running on http://snyk-broker.internal:8080, your CLI commands would be:
SNYK_API=http://snyk-broker.internal:8080 SNYK_HOST=http://snyk-broker.internal:8080 snyk test --file=pom.xml
The Broker handles fetching the latest vulnerability data and making it available to the CLI. It essentially mirrors the necessary Snyk cloud services locally.
The key advantage here is that your air-gapped systems never directly contact snyk.io. All communication is proxied through the Broker, which is managed and updated separately. This maintains the integrity of your air-gapped network.
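A pre-flight check for the local-database and Broker setups described above, written as an added example (not Snyk's own tooling): before running a scan it confirms that the SNYK_API and SNYK_HOST endpoints stay inside the air gap rather than pointing at snyk.io, and that the local database directory from the walkthrough actually exists. The snyk_offline_test wrapper name is an assumption of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for an offline Snyk scan.
# Assumes the SNYK_API, SNYK_HOST and SNYK_DB_PATH variables used above.

# host_of URL -> prints the hostname only (no scheme, port or path)
host_of() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# Returns 0 when the endpoint is internal, 1 when it would leave the air gap
# (an empty host or any snyk.io host means the CLI would try to reach the cloud).
endpoint_is_internal() {
  h=$(host_of "$1")
  case "$h" in
    ''|snyk.io|*.snyk.io) return 1 ;;
    *) return 0 ;;
  esac
}

# Returns 0 when the local database directory exists and is not empty.
db_path_ok() {
  [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# snyk_offline_preflight API HOST DB_PATH -> 0 only if the scan can run offline
snyk_offline_preflight() {
  endpoint_is_internal "$1" || { echo "SNYK_API leaves the air gap: $1" >&2; return 1; }
  endpoint_is_internal "$2" || { echo "SNYK_HOST leaves the air gap: $2" >&2; return 1; }
  db_path_ok "$3" || { echo "no vulnerability database at $3" >&2; return 1; }
  return 0
}

# Hypothetical wrapper: runs snyk test only after the pre-flight passes,
# e.g. snyk_offline_test --file=package-lock.json --exclude-unknown
snyk_offline_test() {
  snyk_offline_preflight "$SNYK_API" "$SNYK_HOST" "$SNYK_DB_PATH" || return 1
  snyk test "$@"
}
```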
The process of updating the vulnerability database on the Broker itself also needs to be managed. This typically involves either running a command on the Broker machine that pulls the latest data from Snyk.io, or periodically updating the Broker appliance with newer versions that contain updated databases.
The most surprising thing about Snyk’s offline scanning is that it doesn’t just make the vulnerability database available locally; it also allows for the offline operation of many Snyk CLI features by proxying API calls through a local Snyk Broker. This means that things like custom rules, IaC scanning, and even some license compliance checks can function without direct internet access, provided the Broker is configured and updated correctly.
Consider the scenario where you have a custom Snyk policy defined in your Snyk project settings in the cloud. When scanning offline, the Snyk Broker can cache and serve these policy details to the CLI, ensuring that your organization’s security policies are enforced even in the most isolated environments. This requires the Broker to be able to periodically sync with Snyk’s cloud to get the latest policy configurations.
The next concept you’ll encounter is managing the lifecycle of these offline components, specifically how to automate the synchronization of vulnerability databases and Snyk CLI updates across multiple air-gapped environments.