Snyk is a tool (its CLI is open source) for checking a project's dependencies for known vulnerabilities. It currently covers the main package ecosystems such as npm and NuGet. While it has many integrations with source control (GitHub, Bitbucket, etc.), there's no VSTS build pipeline integration yet.
As such, I've gone and used the command-line tool directly from a build step instead. It was fairly straightforward to set up, which is good news for the security of our clients' projects.
EDIT: As noted by a colleague, there are different pricing plans, and the free tier may not suit all situations.
npm install -g snyk
snyk test --file=slnname.sln
Snyk requires authentication. Interactively you'd run `snyk auth`, but if the environment variable SNYK_TOKEN is present (set to your Snyk API token), it's used automatically as the authentication key. As such, every Snyk command you run from the build will need this environment variable set. Store the token as a secret build variable rather than in plain text; note that VSTS does not expose secret variables to scripts as environment variables automatically, so you have to map it into the step's environment explicitly.
The snyk test command must be run from a directory containing a package management file (package.json, packages.config, a .sln, etc.); the --file= option tells it which one to use when there's more than one, or when the name isn't the default.
The full list of supported package managers is on their website, and it's quite extensive.
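Putting the steps above together, here is an added example of a build-step script as I'd write it; it is not from the original post or from Snyk. It assumes a build agent with Node/npm available and SNYK_TOKEN mapped in from a secret build variable; the function names, the "scan" argument and the manifest list are my own choices, and the exit-code convention is the Snyk CLI's (0 for no vulnerabilities, non-zero for findings or errors), which is what makes a non-zero exit fail the build step.

```shell
#!/bin/sh
# Hypothetical VSTS build step that runs `snyk test` and fails the build on
# findings. Added example, not code from the original post or from Snyk.

# snyk would fall back to interactive auth without the token, which hangs or
# fails in a headless build, so fail fast with a clear message instead.
require_snyk_token() {
    if [ -z "${SNYK_TOKEN:-}" ]; then
        echo "SNYK_TOKEN is not set; define it as a secret build variable and map it into the step environment" >&2
        return 1
    fi
    return 0
}

# snyk test must run against a directory holding a manifest. Print the path of
# the first supported manifest found in the given directory (package.json,
# packages.config, or any .sln); return 1 if there is none.
find_manifest() {
    dir="${1:-.}"
    for name in package.json packages.config; do
        if [ -f "$dir/$name" ]; then
            echo "$dir/$name"
            return 0
        fi
    done
    for sln in "$dir"/*.sln; do
        if [ -f "$sln" ]; then
            echo "$sln"
            return 0
        fi
    done
    echo "no supported manifest found in $dir" >&2
    return 1
}

# Install the CLI, run the scan from the project directory, and propagate the
# snyk exit code so a non-zero result fails the VSTS build step.
run_snyk_scan() {
    project_dir="${1:-.}"
    require_snyk_token || return 1
    manifest=$(find_manifest "$project_dir") || return 1
    npm install -g snyk || return 1
    (
        cd "$project_dir" || exit 1
        snyk test --file="$(basename "$manifest")"
    )
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "snyk test exited with $rc (vulnerabilities found or scan error)" >&2
    fi
    return "$rc"
}

# Only start a real scan when invoked as `script.sh scan [dir]`, so the helper
# functions can be sourced and checked without network access.
if [ "${1:-}" = "scan" ]; then
    run_snyk_scan "${2:-.}"
fi
```

Wire it up as a single shell-script build step with the Snyk token mapped in as an environment variable; the step goes red whenever snyk reports a vulnerability or the manifest or token is missing.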
Some other things to note: