Snyk

FOLIO uses Snyk to scan for security vulnerabilities.

We collect, triage and maintain the results in the https://app.snyk.io/org/folio-org organisation that is restricted to the FOLIO Security Team.

Free Plan

FOLIO is on the free plan and has these scan limits (see screenshot in the rightmost column):

                                                     | public repositories | private repositories | FOLIO's usage of Snyk Tests October 2025
Open Source (maven/npm/... dependencies) via Web UI  | unlimited           | 200 tests/month      | snyk-test-usage.png (screenshot)
Code (SAST of source code)                           | 100 tests/month                            |
Infrastructure/IaC (Kubernetes/Helm/AWS/Azure/...)   | 300 tests/month                            |
Container (Docker/OCI)                               | 100 tests/month                            |

The unlimited "Open Source" scans are scheduled daily; all other scans are scheduled weekly: https://app.snyk.io/org/folio-org/manage/usage

Click "Retest now" to trigger an immediate scan of the main/master branch of the repository. If "Retest now" is not available, for example for container scans after reaching the limit, simply re-add the project from Docker Hub or GitHub.

"GitHub" Scan

Pros:

  • Unlimited dependency scans (maven, npm, ...) of public repositories.

  • Any number of branches per repository: Snyk picks up all changes for all imported branches and reports issues for all of them.

  • Better prioritization through the reachable-vulnerabilities heuristics.

  • Fixed: some time ago it did not support <dependencyManagement> in pom.xml files, so the CLI had to be used instead. This has since been fixed.

Con:

  • On import it only imports the default branch (usually master or main). Changing the default branch for a few seconds allows importing any branch. After import Snyk doesn't care whether a branch is still the default branch.

"CLI" Scan

Pro: Sometimes it might work for repositories where the Snyk "GitHub" scan doesn't work, but currently all those cases have been fixed by the Snyk people.

Cons:

  • Counts towards the private repository limit, which leaves only a few CLI scans available in our free Snyk plan; therefore we don't use this.

  • The SNYK_TOKEN is needed; it's available as a secret for GitHub Actions in all https://github.com/folio-org repositories.

  • To automatically run the Snyk CLI on a merge or a pull request, a CI process like Jenkins or GitHub Actions is needed to start it.

  • Reachable vulnerability analysis for better prioritization via the Snyk CLI is not currently supported.

Ignored

Use these texts as a comment when setting a false positive report to "ignore".

Deactivated

  • https://github.com/folio-org/NCIP2-Toolkit because it is used to generate jar files, but only a few are used by mod-ncip, and Snyk tests the used jar files when testing mod-ncip. NCIP2-Toolkit contains 87 critical vulnerabilities in the Dockerfile and several hundred vulnerabilities in total. However, the Snyk "Code analysis" of NCIP2-Toolkit is still enabled because it can only run on source code, not on the jar used in mod-ncip.

Go

Snyk's dependency analysis of go.mod/go.sum files is completely broken: it reports non-existent vulnerable dependencies. Therefore all Go dependency analysis Snyk projects are deleted, but the other Snyk projects of those repositories (source code analysis, Dockerfile analysis) are kept.

After each re-import we need to delete these Go dependency projects (but keep others of that repository):

Import all folio-org

Developers add new GitHub repositories to https://github.com/folio-org, and add new files like Dockerfile or package.json or new pom.xml subprojects to existing repositories that require a new snyk project. Therefore we need to regularly (re)import all GitHub repositories.

Steps:

  • Click "Add project", then "GitHub"

  • Go to folio-org section

  • Click "Show more" until all repositories are listed

  • Select all by clicking the box next to "folio-org"

  • Deselect all archived repositories, they have the archive symbol next to them.

  • Deselect NCIP2-Toolkit, see above to learn why.

  • Click "Add selected repositories" at top

  • For repositories that have go.mod, delete the Go dependencies Snyk project (see above) but keep all other Snyk projects (source code static analysis, Dockerfile analysis, etc.)

The last date when we have imported all folio-org repositories: 2025-12-10

Import others

Some projects from outside the GitHub folio-org organisation are relevant to FOLIO and are imported into the folio-org Snyk organisation to monitor them alongside the regular ones.

https://github.com/k-int/web-toolkit-ce is used by ERM modules: https://github.com/search?q=org%3Afolio-org+web-toolkit-ce&type=code

https://gitlab.com/knowledge-integration/folio/grails-okapi is used by ERM modules: https://github.com/search?q=org%3Afolio-org+grails-okapi&type=code

https://github.com/zonkyio/embedded-database-spring-test provides io.zonky.test:embedded-database-spring-test, which is used by a few FOLIO repositories: https://github.com/search?q=org%3Afolio-org+embedded-database-spring-test&type=code

https://github.com/indexdata/localindices is the legacy harvester that works with FOLIO: https://github.com/indexdata/localindices/search?q=folio

Manual dependency scan

Developers may want to check the dependencies locally before committing the change for a pull request branch.

maven

mvn dependency:tree -Dverbose -Dincludes=org.springframework:spring-web

If you keep the colon (":") you can omit the groupId:

mvn dependency:tree -Dverbose -Dincludes=:spring-web

For repeated use you may create ~/bin/dep with this content (and make it executable with chmod +x ~/bin/dep):

#!/bin/sh
mvn dependency:tree -Dverbose -Dincludes="$1"
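The -Dincludes filter above only works while Maven is running. When the full tree has already been captured, for example copied out of a Jenkins or GitHub Actions build log, the following helper does the same job offline: it prints every chain from the project root down to the given artifactId, so you can see which direct dependency has to be upgraded or excluded to get rid of a flagged transitive dependency. This is an added example, not a FOLIO script; the sample tree, module name and versions in it are constructed for the demo.

```shell
#!/bin/sh
# Added example (not a FOLIO script): print every root-to-leaf chain in a
# "mvn dependency:tree -Dverbose" listing that ends in the given artifactId.
#
# Usage: mvn dependency:tree -Dverbose | dep_paths spring-web
#        dep_paths spring-web < saved-tree.txt

dep_paths() {
  awk -v target="$1" '
    # Drop the "[INFO] " log prefix Maven puts in front of every tree line.
    { sub(/^\[INFO\] ?/, "") }
    # Keep only tree lines: optional drawing characters, then groupId:artifactId...
    !/^[-|+\\ ]*[A-Za-z0-9_.-]+:/ { next }
    {
      # Each nesting level is a 3-character column ("+- ", "|  ", "\- ", "   ");
      # the root line carries no marker at all.
      m = match($0, /[+\\]- /)
      depth = (m == 0) ? 0 : int((m - 1) / 3) + 1
      node = (m == 0) ? $0 : substr($0, m + 3)
      chain[depth] = node
      # Coordinates are groupId:artifactId:type[:classifier]:version:scope,
      # so the artifactId is always the second colon-separated field.
      split(node, f, ":")
      if (f[2] == target) {
        line = chain[0]
        for (i = 1; i <= depth; i++) line = line " -> " chain[i]
        print line
      }
    }'
}

# Constructed sample of what "mvn dependency:tree -Dverbose" prints for a
# hypothetical module; module name, coordinates and versions are made up.
sample_tree() {
  cat <<'EOF'
[INFO] --- dependency:3.6.1:tree (default-cli) @ mod-example ---
[INFO] org.folio:mod-example:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.0:compile
[INFO] |  +- org.springframework:spring-web:jar:6.1.1:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:6.1.1:compile
[INFO] \- org.folio:folio-spring-base:jar:8.0.0:compile
[INFO]    \- org.springframework:spring-web:jar:6.1.1:compile (omitted for duplicate)
[INFO] BUILD SUCCESS
EOF
}

# Demo: both paths that pull in spring-web, one per line.
sample_tree | dep_paths spring-web
```

The verbose tree also lists duplicates that Maven omitted from the build ("omitted for duplicate"), which is exactly what you want here: a vulnerable artifact that is reachable through two direct dependencies needs both of them fixed, not just the one Maven happened to pick.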

gradle

cd service
./gradlew dependencies