Snyk使用教程#
软件介绍#
Snyk是一款专业的软件供应链安全平台,专注于发现和修复应用程序依赖项中的已知漏洞。它提供全面的漏洞数据库、实时监控和自动化修复功能,是现代DevSecOps流程中的重要工具。
主要功能#
- 依赖项漏洞扫描
- 实时漏洞监控
- 自动化修复建议
- 许可证合规性检查
- 容器安全扫描
- 基础设施即代码扫描
- CI/CD集成
- 企业级管理
适用场景#
- 软件供应链安全
- 依赖项安全审计
- DevSecOps流程集成
- 漏洞风险管理
- 合规性检查
- 持续安全监控
入门级使用#
安装Snyk CLI#
使用npm安装#
# 安装Snyk CLI
npm install -g snyk
# 验证安装
snyk --version使用Homebrew安装#
# 安装Homebrew(如果未安装)
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
# 安装Snyk CLI
brew install snyk
# 验证安装
snyk --version使用Docker安装#
# 使用Docker运行
docker run --rm -v $(pwd):/project snyk/snyk:latest
# 或创建别名
alias snyk='docker run --rm -v $(pwd):/project snyk/snyk:latest'注册和认证#
注册Snyk账号#
# 注册Snyk账号
snyk auth
# 按提示完成注册和认证
# 或使用令牌认证
snyk auth <your-auth-token>配置组织#
# 设置默认组织
snyk config set org=your-org-name
# 查看当前配置
snyk config get
# 查看所有配置
snyk config基本扫描#
扫描Node.js项目#
# 扫描当前目录
snyk test
# 扫描特定目录
snyk test ./my-project
# 扫描package.json
snyk test package.json
# 扫描yarn.lock
snyk test yarn.lock扫描Python项目#
# 扫描requirements.txt
snyk test requirements.txt
# 扫描Pipfile
snyk test Pipfile
# 扫描setup.py
snyk test setup.py
# 扫描poetry.lock
snyk test poetry.lock扫描Java项目#
# 扫描Maven项目
snyk test --file=pom.xml
# 扫描Gradle项目
snyk test --file=build.gradle
# 扫描特定JAR文件
snyk test myapp.jar初级使用#
扫描不同类型的项目#
扫描.NET项目#
# 扫描.csproj文件
snyk test --file=MyProject.csproj
# 扫描packages.config
snyk test packages.config
# 扫描项目解决方案
snyk test MySolution.sln扫描Ruby项目#
# 扫描Gemfile
snyk test Gemfile
# 扫描Gemfile.lock
snyk test Gemfile.lock扫描Go项目#
# 扫描go.mod
snyk test go.mod
# 扫描go.sum
snyk test go.sum扫描PHP项目#
# 扫描composer.json
snyk test composer.json
# 扫描composer.lock
snyk test composer.lock监控项目#
启用持续监控#
# 监控当前项目
snyk monitor
# 监控特定目录
snyk monitor ./my-project
# 监控并设置标签
snyk monitor --tags=production,web-app
# 监控并设置项目名称
snyk monitor --project-name=my-awesome-project查看监控状态#
# 查看所有监控的项目
snyk projects
# 查看特定项目的详情
snyk test --json | jq .
# 查看项目统计
snyk test --json | jq '.vulnerabilities | length'中级使用#
漏洞修复#
自动修复漏洞#
# 自动修复所有漏洞
snyk wizard
# 交互式修复
snyk wizard
# 修复特定漏洞
snyk fix --severity=high
# 修复特定类型的漏洞
snyk fix --type=dev查看修复建议#
# 查看修复建议
snyk test --json | jq '.vulnerabilities[] | {id, title, severity, fixVersion}'
# 查看可修复的漏洞
snyk test --json | jq '.vulnerabilities[] | select(.fixVersion)'
# 查看不可修复的漏洞
snyk test --json | jq '.vulnerabilities[] | select(.fixVersion == null)'高级扫描选项#
按严重性过滤#
# 只显示高危漏洞
snyk test --severity-threshold=high
# 只显示中危及以上漏洞
snyk test --severity-threshold=medium
# 只显示特定严重性的漏洞
snyk test --severity=high按CVSS评分过滤#
# 只显示CVSS评分大于7的漏洞
snyk test --cvss-threshold=7
# 只显示CVSS评分大于9的漏洞
snyk test --cvss-threshold=9排除特定依赖#
# 排除特定依赖
snyk test --exclude=lodash
# 排除多个依赖
snyk test --exclude=lodash,express
# 使用配置文件排除
cat > .snyk << EOF
exclude:
- lodash
- express
- moment
EOF
snyk test报告生成#
生成JSON报告#
# 生成JSON报告
snyk test --json > report.json
# 美化JSON输出
snyk test --json | jq .
# 提取漏洞信息
snyk test --json | jq '.vulnerabilities[]'生成HTML报告#
# 生成HTML报告
snyk test --json | snyk-to-html -o report.html
# 使用Snyk Web界面
snyk test --json > report.json
# 然后在Snyk Web界面中查看生成SARIF报告#
# 生成SARIF报告(用于GitHub)
snyk test --sarif-file-output=snyk.sarif
# 上传到GitHub
gh api repos/:owner/:repo/code-scanning/sarifs \
-X POST \
-f commit_sha=$(git rev-parse HEAD) \
-f ref=$(git rev-parse --abbrev-ref HEAD) \
-f sarif=@snyk.sarif中上级使用#
CI/CD集成#
GitHub Actions集成#
# .github/workflows/snyk.yml
name: Snyk Security Scan
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 0 * * 0' # 每周运行一次
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
- name: Upload result to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
if: always()
with:
sarif_file: snyk.sarifGitLab CI集成#
# .gitlab-ci.yml
stages:
- security
snyk-scan:
stage: security
image: node:latest
before_script:
- npm install -g snyk
- snyk auth $SNYK_TOKEN
script:
- snyk test --severity-threshold=high
allow_failure: true
artifacts:
paths:
- snyk.sarif
expire_in: 1 weekJenkins集成#
// Jenkinsfile
pipeline {
agent any
environment {
SNYK_TOKEN = credentials('snyk-token')
}
stages {
stage('Snyk Scan') {
steps {
script {
// 安装Snyk CLI
sh 'npm install -g snyk'
// 认证
sh 'snyk auth $SNYK_TOKEN'
// 运行扫描
sh 'snyk test --severity-threshold=high'
}
}
}
}
post {
always {
// 归档报告
archiveArtifacts artifacts: 'snyk.sarif', fingerprint: true
}
}
}容器安全#
扫描Docker镜像#
# 扫描本地Docker镜像
snyk container test myimage:latest
# 扫描远程Docker镜像
snyk container test nginx:latest
# 扫描并设置严重性阈值
snyk container test myimage:latest --severity-threshold=high
# 扫描并生成JSON报告
snyk container test myimage:latest --json > container-report.json监控Docker镜像#
# 监控Docker镜像
snyk container monitor myimage:latest
# 监控并设置标签
snyk container monitor myimage:latest --tags=production,web
# 监控并设置项目名称
snyk container monitor myimage:latest --project-name=my-container扫描Kubernetes清单#
# 扫描Kubernetes YAML文件
snyk iac test k8s/deployment.yaml
# 扫描Kubernetes目录
snyk iac test k8s/
# 扫描Helm图表
snyk iac test helm-chart/
# 扫描Terraform配置
snyk iac test main.tf许可证合规性#
检查许可证#
# 检查许可证合规性
snyk test --license-policy
# 检查特定许可证类型
snyk test --license-policy=GPL
# 查看许可证报告
snyk test --json | jq '.licenses[]'配置许可证策略#
# 创建许可证策略文件
cat > .snyk-licenses << EOF
# 许可证策略配置
allow:
- MIT
- Apache-2.0
- BSD-3-Clause
deny:
- GPL-3.0
- AGPL-3.0
- MPL-2.0
exceptions:
- package: some-gpl-package
license: GPL-3.0
reason: 临时使用,计划替换
EOF
# 使用许可证策略
snyk test --policy-path=.snyk-licenses高级使用#
自动化脚本#
批量扫描多个项目#
#!/bin/bash
# 批量扫描多个项目脚本
PROJECTS_DIR="/path/to/projects"
LOG_FILE="snyk-batch-scan.log"
# 记录日志
log() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
# 扫描函数
scan_project() {
local project_path=$1
local project_name=$(basename "$project_path")
log "开始扫描项目: $project_name"
cd "$project_path"
# 运行扫描
snyk test --severity-threshold=high --json > "../snyk-reports/${project_name}.json" 2>&1
if [ $? -eq 0 ]; then
log "项目 $project_name 扫描成功"
else
log "项目 $project_name 扫描失败"
fi
cd - > /dev/null
}
# 创建报告目录
mkdir -p snyk-reports
# 扫描所有项目
for project in "$PROJECTS_DIR"/*/; do
scan_project "$project"
done
log "批量扫描完成"定期扫描脚本#
#!/bin/bash
# 定期扫描脚本
PROJECT_DIR="/path/to/project"
REPORTS_DIR="./snyk-reports"
LOG_FILE="snyk-scheduled-scan.log"
# 记录日志
log() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
# 创建报告目录
mkdir -p "$REPORTS_DIR"
# 更新Snyk数据库
log "更新Snyk数据库"
snyk monitor
# 运行扫描
log "开始扫描项目"
snyk test --severity-threshold=high --json > "$REPORTS_DIR/scan-$(date +%Y%m%d-%H%M%S).json"
# 分析结果
if [ $? -eq 0 ]; then
log "扫描成功完成"
# 检查是否有高危漏洞
HIGH_COUNT=$(jq '[.vulnerabilities[] | select(.severity == "high")] | length' "$REPORTS_DIR"/scan-*.json | tail -1)
if [ "$HIGH_COUNT" -gt 0 ]; then
log "发现 $HIGH_COUNT 个高危漏洞"
# 发送通知
# send_notification "发现高危漏洞"
fi
else
log "扫描失败"
fi
log "扫描流程结束"高级分析#
漏洞趋势分析#
#!/usr/bin/env python3
import json
import os
from datetime import datetime
import matplotlib.pyplot as plt
def analyze_vulnerability_trend(reports_dir):
"""分析漏洞趋势"""
trend_data = []
# 读取所有报告
for filename in sorted(os.listdir(reports_dir)):
if filename.endswith('.json'):
filepath = os.path.join(reports_dir, filename)
with open(filepath) as f:
data = json.load(f)
# 提取时间戳
timestamp = datetime.strptime(filename, 'scan-%Y%m%d-%H%M%S.json')
# 统计漏洞
vulns = data.get('vulnerabilities', [])
trend_data.append({
'timestamp': timestamp,
'total': len(vulns),
'high': len([v for v in vulns if v['severity'] == 'high']),
'medium': len([v for v in vulns if v['severity'] == 'medium']),
'low': len([v for v in vulns if v['severity'] == 'low'])
})
return trend_data
def plot_trend(trend_data):
"""绘制趋势图"""
timestamps = [d['timestamp'] for d in trend_data]
high = [d['high'] for d in trend_data]
medium = [d['medium'] for d in trend_data]
low = [d['low'] for d in trend_data]
plt.figure(figsize=(12, 6))
plt.plot(timestamps, high, label='High', color='red')
plt.plot(timestamps, medium, label='Medium', color='orange')
plt.plot(timestamps, low, label='Low', color='green')
plt.xlabel('Time')
plt.ylabel('Vulnerability Count')
plt.title('Vulnerability Trend')
plt.legend()
plt.xticks(rotation=45)
plt.tight_layout()
plt.savefig('vulnerability-trend.png', dpi=300)
plt.close()
# 使用示例
trend_data = analyze_vulnerability_trend('./snyk-reports')
plot_trend(trend_data)依赖关系分析#
#!/usr/bin/env python3
import json
import networkx as nx
import matplotlib.pyplot as plt
def build_dependency_graph(snyk_report):
"""构建依赖关系图"""
G = nx.DiGraph()
# 添加根节点
root_package = snyk_report.get('packageManager', 'unknown')
G.add_node(root_package)
# 添加依赖项
for dep in snyk_report.get('dependencies', []):
dep_name = dep.get('name', 'unknown')
G.add_node(dep_name)
G.add_edge(root_package, dep_name)
# 添加子依赖
for subdep in dep.get('dependencies', []):
subdep_name = subdep.get('name', 'unknown')
G.add_node(subdep_name)
G.add_edge(dep_name, subdep_name)
return G
def visualize_graph(G, output_file='dependency-graph.png'):
"""可视化依赖关系图"""
plt.figure(figsize=(12, 8))
pos = nx.spring_layout(G)
nx.draw(G, pos, with_labels=True, node_size=3000,
node_color='lightblue', font_size=8)
plt.savefig(output_file, dpi=300, bbox_inches='tight')
plt.close()
# 使用示例
with open('snyk-report.json') as f:
report = json.load(f)
G = build_dependency_graph(report)
visualize_graph(G, 'dependency-graph.png')大师级使用#
企业级部署#
集中式管理#
#!/bin/bash
# 企业级Snyk管理脚本
ORGANIZATION="your-org-name"
PROJECTS_DIR="/path/to/projects"
CENTRAL_DB="/path/to/central-db"
LOG_FILE="/var/log/snyk-management.log"
# 记录日志
log() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
# 扫描并上传到中央数据库
scan_and_upload() {
local project_path=$1
local project_name=$(basename "$project_path")
log "扫描项目: $project_name"
cd "$project_path"
# 运行扫描
snyk test --org="$ORGANIZATION" --json > "$CENTRAL_DB/${project_name}.json"
# 监控项目
snyk monitor --org="$ORGANIZATION" --project-name="$project_name"
cd - > /dev/null
log "项目 $project_name 扫描并监控完成"
}
# 扫描所有项目
for project in "$PROJECTS_DIR"/*/; do
scan_and_upload "$project"
done
log "所有项目扫描完成"自动化修复流程#
#!/usr/bin/env python3
import subprocess
import json
import sys
def run_snyk_test():
"""运行Snyk测试"""
result = subprocess.run(
['snyk', 'test', '--json'],
capture_output=True,
text=True
)
if result.returncode != 0:
print(f"Snyk测试失败: {result.stderr}")
return None
return json.loads(result.stdout)
def fix_vulnerabilities(report):
"""修复漏洞"""
vulnerabilities = report.get('vulnerabilities', [])
fixable = [v for v in vulnerabilities if v.get('fixVersion')]
print(f"发现 {len(vulnerabilities)} 个漏洞")
print(f"可修复: {len(fixable)} 个")
if not fixable:
print("没有可修复的漏洞")
return
# 运行修复
print("开始修复漏洞...")
result = subprocess.run(
['snyk', 'fix'],
capture_output=True,
text=True
)
if result.returncode == 0:
print("漏洞修复成功")
print(result.stdout)
else:
print(f"漏洞修复失败: {result.stderr}")
# 主流程
report = run_snyk_test()
if report:
fix_vulnerabilities(report)高级集成#
与Jira集成#
#!/usr/bin/env python3
import json
from jira import JIRA
def create_jira_issue(vulnerability, project_key):
"""创建Jira问题"""
jira = JIRA(server='https://your-jira-instance.com',
basic_auth=('username', 'password'))
issue_dict = {
'project': {'key': project_key},
'summary': f"Security Vulnerability: {vulnerability['title']}",
'description': f"""
Vulnerability ID: {vulnerability['id']}
Severity: {vulnerability['severity']}
CVSS Score: {vulnerability.get('cvssScore', 'N/A')}
Description:
{vulnerability.get('description', 'N/A')}
Fix Version:
{vulnerability.get('fixVersion', 'N/A')}
References:
{', '.join(vulnerability.get('references', []))}
""",
'issuetype': {'name': 'Bug'},
'priority': {'name': 'High'}
}
new_issue = jira.create_issue(fields=issue_dict)
return new_issue.key
def create_jira_issues(snyk_report, project_key):
"""为所有漏洞创建Jira问题"""
vulnerabilities = snyk_report.get('vulnerabilities', [])
for vuln in vulnerabilities:
if vuln['severity'] in ['high', 'critical']:
issue_key = create_jira_issue(vuln, project_key)
print(f"Created Jira issue: {issue_key}")
# 使用示例
with open('snyk-report.json') as f:
report = json.load(f)
create_jira_issues(report, 'SEC')与Slack集成#
#!/usr/bin/env python3
import json
import requests
from datetime import datetime
def send_slack_notification(webhook_url, message):
"""发送Slack通知"""
payload = {
'text': message,
'username': 'Snyk Bot',
'icon_emoji': ':shield:'
}
response = requests.post(webhook_url, json=payload)
return response.status_code == 200
def create_slack_message(snyk_report):
"""创建Slack消息"""
vulnerabilities = snyk_report.get('vulnerabilities', [])
high_count = len([v for v in vulnerabilities if v['severity'] == 'high'])
medium_count = len([v for v in vulnerabilities if v['severity'] == 'medium'])
message = f"""
🛡️ *Snyk Security Scan Report*
*Scan Time:* {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}
*Vulnerability Summary:*
• High: {high_count}
• Medium: {medium_count}
• Low: {len(vulnerabilities) - high_count - medium_count}
*Total Vulnerabilities:* {len(vulnerabilities)}
<https://app.snyk.io/org/your-org/project/your-project|View in Snyk>
"""
return message
# 使用示例
with open('snyk-report.json') as f:
report = json.load(f)
message = create_slack_message(report)
webhook_url = 'https://hooks.slack.com/services/YOUR/WEBHOOK/URL'
send_slack_notification(webhook_url, message)实战案例#
案例1: 企业级依赖项安全监控#
场景描述#
建立企业级的依赖项安全监控系统,统一管理所有项目的依赖项安全。
实施步骤#
#!/bin/bash
# 企业级依赖项安全监控脚本
ORGANIZATION="your-org-name"
PROJECTS_DIR="/path/to/projects"
REPORTS_DIR="/path/to/reports"
LOG_FILE="/var/log/snyk-monitoring.log"
# 记录日志
log() {
echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
}
# 扫描项目
scan_project() {
local project_path=$1
local project_name=$(basename "$project_path")
local report_dir="$REPORTS_DIR/$project_name"
log "开始扫描项目: $project_name"
mkdir -p "$report_dir"
cd "$project_path"
# 运行扫描
snyk test --org="$ORGANIZATION" \
--severity-threshold=high \
--json > "$report_dir/snyk-report.json"
# 监控项目
snyk monitor --org="$ORGANIZATION" \
--project-name="$project_name" \
--tags=production,web
cd - > /dev/null
log "项目 $project_name 扫描完成"
}
# 生成企业报告
generate_enterprise_report() {
log "生成企业报告"
cat > "$REPORTS_DIR/enterprise-report.html" << EOF
<!DOCTYPE html>
<html>
<head>
<title>企业依赖项安全报告</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
h1 { color: #333; }
h2 { color: #666; }
table { border-collapse: collapse; width: 100%; }
th, td { border: 1px solid #ddd; padding: 8px; text-align: left; }
th { background-color: #f2f2f2; }
.high { color: red; }
.medium { color: orange; }
.low { color: green; }
</style>
</head>
<body>
<h1>企业依赖项安全报告</h1>
<p>生成时间: $(date)</p>
<h2>项目概览</h2>
<table>
<tr>
<th>项目名称</th>
<th>依赖项数量</th>
<th>High</th>
<th>Medium</th>
<th>Low</th>
</tr>
EOF
# 添加项目数据
for project_report in "$REPORTS_DIR"/*/snyk-report.json; do
project_name=$(basename $(dirname "$project_report"))
if [ -f "$project_report" ]; then
total=$(jq '.dependencies | length' "$project_report")
high=$(jq '[.vulnerabilities[] | select(.severity == "high")] | length' "$project_report")
medium=$(jq '[.vulnerabilities[] | select(.severity == "medium")] | length' "$project_report")
low=$(jq '[.vulnerabilities[] | select(.severity == "low")] | length' "$project_report")
cat >> "$REPORTS_DIR/enterprise-report.html" << EOF
<tr>
<td>$project_name</td>
<td>$total</td>
<td class="high">$high</td>
<td class="medium">$medium</td>
<td class="low">$low</td>
</tr>
EOF
fi
done
cat >> "$REPORTS_DIR/enterprise-report.html" << EOF
</table>
</body>
</html>
EOF
log "企业报告生成完成"
}
# 主流程
log "开始企业级依赖项安全监控"
# 扫描所有项目
for project in "$PROJECTS_DIR"/*/; do
scan_project "$project"
done
# 生成企业报告
generate_enterprise_report
log "监控流程完成"案例2: CI/CD安全门禁#
场景描述#
在CI/CD流程中设置安全门禁,确保只有通过安全检查的代码才能部署。
实施步骤#
#!/bin/bash
# CI/CD安全门禁脚本
set -e # 遇到错误立即退出
PROJECT_DIR="${1:-.}"
MAX_HIGH=0
MAX_MEDIUM=5
MAX_LOW=10
echo "=== CI/CD安全门禁检查 ==="
echo "项目目录: $PROJECT_DIR"
echo "安全阈值:"
echo " High: $MAX_HIGH"
echo " Medium: $MAX_MEDIUM"
echo " Low: $MAX_LOW"
echo ""
# 运行Snyk扫描
echo "运行Snyk扫描..."
snyk test --severity-threshold=high --json > snyk-report.json
# 分析结果
echo "分析扫描结果..."
HIGH_COUNT=$(jq '[.vulnerabilities[] | select(.severity == "high")] | length' snyk-report.json)
MEDIUM_COUNT=$(jq '[.vulnerabilities[] | select(.severity == "medium")] | length' snyk-report.json)
LOW_COUNT=$(jq '[.vulnerabilities[] | select(.severity == "low")] | length' snyk-report.json)
echo "漏洞统计:"
echo " High: $HIGH_COUNT"
echo " Medium: $MEDIUM_COUNT"
echo " Low: $LOW_COUNT"
echo ""
# 检查阈值
FAIL=0
if [ "$HIGH_COUNT" -gt "$MAX_HIGH" ]; then
echo "❌ 失败: High漏洞数量 ($HIGH_COUNT) 超过阈值 ($MAX_HIGH)"
FAIL=1
fi
if [ "$MEDIUM_COUNT" -gt "$MAX_MEDIUM" ]; then
echo "⚠️ 警告: Medium漏洞数量 ($MEDIUM_COUNT) 超过阈值 ($MAX_MEDIUM)"
# 可以选择继续或失败
# FAIL=1
fi
if [ "$LOW_COUNT" -gt "$MAX_LOW" ]; then
echo "⚠️ 警告: Low漏洞数量 ($LOW_COUNT) 超过阈值 ($MAX_LOW)"
fi
if [ "$FAIL" -eq 1 ]; then
echo ""
echo "安全门禁检查失败!"
echo "请修复漏洞后重新提交。"
exit 1
else
echo ""
echo "✅ 安全门禁检查通过!"
exit 0
fi总结#
Snyk是一款功能强大的软件供应链安全平台,为现代DevSecOps流程提供了全面的支持。
核心优势#
- 实时监控: 持续监控依赖项安全
- 自动化修复: 提供自动化修复建议
- 全面覆盖: 支持多种包管理器和语言
- 易于集成: 无缝集成到CI/CD流程
- 企业级功能: 提供企业级管理和报告
应用场景#
- 软件供应链安全
- DevSecOps流程集成
- 依赖项安全审计
- 漏洞风险管理
- 合规性检查
最佳实践#
- 持续监控: 启用持续监控,及时发现新漏洞
- CI/CD集成: 将扫描集成到构建流程
- 阈值管理: 设置合理的安全阈值
- 定期更新: 定期更新依赖项和Snyk数据库
- 自动化修复: 利用自动化修复功能提高效率
注意事项#
- 需要注册Snyk账号
- 免费版有扫描次数限制
- 某些功能需要付费订阅
- 需要定期更新Snyk CLI
- 注意API调用限制