ClawHub

Snyk Vulnerability Scanner

Security

Automates Snyk security vulnerability scanning, GitHub issue reporting, and auto-fix PR creation for repositories. Use when scanning repositories for security vulnerabilities, generating vulnerability reports as GitHub issues, or automatically fixing vulnerabilities via pull requests. Requires Snyk CLI authentication, GitHub CLI authentication, and repository access permissions. Supports npm, Python, Gradle, and Maven projects. Creates PRs against dev branch by default.

Install

openclaw skills install snyk-vulnerability-scanner

Snyk Vulnerability Scanner

Automated security vulnerability scanning and fixing for GitHub repositories using Snyk.

What It Does

  1. Scans repositories for security vulnerabilities using Snyk
  2. Reports findings as GitHub issues (grouped by package)
  3. Auto-fixes vulnerabilities by applying Snyk patches and creating PRs

Prerequisites

Before using this skill, ensure:

  1. Snyk CLI is installed: npm install -g snyk and authenticated: snyk auth
  2. GitHub CLI is installed: brew install gh and authenticated: gh auth login
  3. jq is installed: brew install jq (for JSON processing)
  4. You have write access to the target repository

Workflow

Scan Repository → Create GitHub Issues → Auto-Fix → Create PR

Severity Levels

  • critical - Critical vulnerabilities only
  • high - High and critical vulnerabilities (default)
  • medium - Medium, high, and critical
  • low - All severities

Usage

Full Automated Workflow

Run complete scan → report → fix workflow:

./scripts/run-full-workflow.sh <repo-url> [base-branch] [severity] [skip-issues] [skip-fix] [dry-run]

Parameters:

  • repo-url - Full GitHub URL (required)
  • base-branch - Target branch for PRs (default: dev)
  • severity - Comma-separated levels (default: high,critical)
  • skip-issues - true to skip GitHub issue creation (default: false)
  • skip-fix - true to skip auto-fix (default: false)
  • dry-run - true to simulate without making changes (default: false)

Examples:

# Full workflow with defaults
./scripts/run-full-workflow.sh https://github.com/owner/repo

# Scan only, skip fixes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high false true false

# Dry run - everything but no changes
./scripts/run-full-workflow.sh https://github.com/owner/repo dev high,critical false false true

# Fix only (skip issues), target main branch
./scripts/run-full-workflow.sh https://github.com/owner/repo main high true false false

Step-by-Step Usage

1. Scan Only

./scripts/snyk-scan.sh <repo-url> [output-file] [severity-filter]

Generates a JSON file with vulnerability details.

Example:

./scripts/snyk-scan.sh https://github.com/owner/repo results.json high,critical

2. Create GitHub Issues

python3 scripts/create-github-issues.py <results.json> <repo-url>

Creates one GitHub issue per vulnerable package, grouping all CVEs for that package.

3. Auto-Fix and Create PR

./scripts/snyk-auto-fix.sh <repo-url> [base-branch] [dry-run]

Applies Snyk fixes and creates a PR to the specified branch.

Example:

./scripts/snyk-auto-fix.sh https://github.com/owner/repo dev false

Supported Package Managers

  • npm/yarn (package.json)
  • Python (requirements.txt, Pipfile, pyproject.toml)
  • Gradle (build.gradle)
  • Maven (pom.xml)

GitHub Issues

Issues are created with:

  • Labels: security, vulnerability, snyk
  • Package name in title with severity level
  • Detailed body with all CVEs for that package
  • Link to Snyk for more info
  • Auto-fix availability indicator

Duplicate prevention: Issues won't be created if a similar issue already exists for the same package.

Pull Requests

PRs include:

  • Branch name: snyk-fix-<timestamp>
  • Body with fix summary, changed files, and remaining vulnerabilities
  • Labels: security, dependencies, snyk
  • Target: dev branch (configurable)

Cron/Automated Runs

For periodic scans, use the skill via cron:

# Add to cron for daily scans at 9am
0 9 * * * cd ~/.openclaw/workspace/skills/snyk-vulnerability-scanner && ./scripts/run-full-workflow.sh https://github.com/owner/repo

Or via OpenClaw cron for direct integration:

{
  "name": "snyk-daily-scan",
  "schedule": { "kind": "cron", "expr": "0 9 * * *" },
  "payload": {
    "kind": "agentTurn",
    "message": "Run Snyk vulnerability scan on https://github.com/owner/repo and create fixes for dev branch"
  }
}

Scripts Reference

ScriptPurpose
run-full-workflow.shMain entry point - runs complete workflow
snyk-scan.shScans repo, outputs JSON results
create-github-issues.pyCreates GitHub issues from scan results
snyk-auto-fix.shApplies fixes and creates PRs

Troubleshooting

"Snyk not authenticated" → Run: snyk auth

"GitHub CLI not authenticated" → Run: gh auth login

"No vulnerabilities found" → Check Snyk dashboard for your project; may need to import repo first

"Permission denied" on scripts → Run: chmod +x scripts/*.sh

Auto-fix not working → Some vulnerabilities can't be auto-fixed; check Snyk dashboard for remediation advice

Dry run shows changes but real run doesn't → Check that Snyk has fixable suggestions for the vulnerabilities; some require manual updates

More in Security