snyk + npm audit. Will it blend?

Created on 11 May 2018  路  6Comments  路  Source: snyk/snyk

Hi 馃憢

I'm wondering now that npm audit is out, how could we bring together both tools somehow. Are there any plans regarding this?

I personally didn't have time to analyse the way npm audit is doing it's magic, maybe it's using snyk under the hood! 馃槣

Sorry if this is not the correct repo to ask about this 馃槄

Most helpful comment

Hey all! Here's a un-biased, 3rd party (from the folks at nearForm) blog post that gives a really detailed comparison between Snyk and npm audit. I think this will clarify a lot for people watching this issue!

https://www.nearform.com/blog/comparing-npm-audit-with-snyk/

TL;DR

"The npm audit is a great free tool for package vulnerability awareness. It comes integrated with the main Node.JS package manager. Still, Snyk offers substantially more functionality with a more friendly user interface and its liberal licensing, it deserves a consideration for DevSecOps arsenal, by enterprise IT teams that require a more complete security solution."

All 6 comments

npm audit is using nsp(node security platform). not snyk.
I scanned 20 packages which come from github. the result is
image
It seems that npm audit returns more Vulnerabilitys, But I checked their vulnerability db, synk has 1142 vulnerabilities but npm only has 612 vulnerabilities, looks wired. 馃槚

Hello 馃憢

npm audit includes devDependencies, whereas snyk does not (by default).

You can include dev deps with the Snyk CLI as follows: snyk test --dev

Hope that helps!

@darscan Thanks so much, that's totally make sense now, snyk results are better than npm audit now

This also confused me. I assumed they were the same thing bc the reports are so similar. I have the opposite case though - more issues on Snyk than npm audit.

Hey all! Here's a un-biased, 3rd party (from the folks at nearForm) blog post that gives a really detailed comparison between Snyk and npm audit. I think this will clarify a lot for people watching this issue!

https://www.nearform.com/blog/comparing-npm-audit-with-snyk/

TL;DR

"The npm audit is a great free tool for package vulnerability awareness. It comes integrated with the main Node.JS package manager. Still, Snyk offers substantially more functionality with a more friendly user interface and its liberal licensing, it deserves a consideration for DevSecOps arsenal, by enterprise IT teams that require a more complete security solution."

Hi everyone, this issue has been untouched for a while so I'm closing it. We'd love to hear if you have any more feedback or questions about Snyk and npm audit or just Snyk in general, so feel free to open a new issue. Thanks! 馃憢

Was this page helpful?
0 / 5 - 0 ratings