{"id":17474,"library":"snyk-delta","title":"Snyk Delta CLI","description":"snyk-delta is a command-line interface tool designed to identify and report only *newly introduced* security vulnerabilities, license issues, and code findings in Snyk projects. It functions by comparing a current Snyk scan snapshot against a predefined baseline snapshot, making it particularly useful for integration into CI/CD pipelines, pre-commit hooks, or local development workflows where only changes since a previous state are of interest. The tool is currently at version 1.13.2 and is in maintenance mode, meaning new features are not being actively developed, though bug fixes and security patches continue to be released. Key differentiators include its ability to filter out pre-existing issues, focus on dependency changes (added/removed direct and indirect dependencies), and provide specific exit codes for automated decision-making in build systems. It supports Snyk Open Source, Container, and Code (with specific feature requirements), but not IaC.","status":"maintenance","version":"1.13.2","language":"javascript","source_language":"en","source_url":"https://github.com/snyk-tech-services/snyk-delta","tags":["javascript","typescript"],"install":[{"cmd":"npm install snyk-delta","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-delta","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-delta","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"Primarily for programmatic execution of the CLI's main logic, though `snyk-delta` is most commonly run directly as a command-line utility.","wrong":"const run = require('snyk-delta').run;","symbol":"run","correct":"import { run } from 'snyk-delta';"},{"note":"Exports the core logic for comparing Open Source and Container vulnerability deltas. This function facilitates programmatic integration for custom analyses.","wrong":"import { ossDelta } from 'snyk-delta';","symbol":"getOssDelta","correct":"import { getOssDelta } from 'snyk-delta';"},{"note":"Provides the programmatic interface for comparing Snyk Code SARIF outputs to identify new code analysis findings. Requires 'Code Consistent Ignores' feature.","wrong":"const codeDelta = require('snyk-delta').codeDelta;","symbol":"getCodeDelta","correct":"import { getCodeDelta } from 'snyk-delta';"},{"note":"TypeScript type definition for the configuration options used by snyk-delta's core comparison functions, such as baseline organization and project details.","symbol":"SnykDeltaOptions","correct":"import type { SnykDeltaOptions } from 'snyk-delta';"}],"quickstart":{"code":"import { getCodeDelta } from 'snyk-delta';\nimport * as fs from 'fs';\nimport * as path from 'path';\n\nconst SNYK_TOKEN = process.env.SNYK_TOKEN ?? ''; // Ensure SNYK_TOKEN is set\nconst ORG_ID = process.env.SNYK_ORG_ID ?? 'YOUR_SNYK_ORG_ID'; // Replace with your Snyk Organization ID\n\nasync function compareSnykCodeResults() {\n  if (!SNYK_TOKEN || ORG_ID === 'YOUR_SNYK_ORG_ID') {\n    console.error('Error: Please set SNYK_TOKEN and SNYK_ORG_ID environment variables or replace placeholder.');\n    process.exit(1);\n  }\n\n  // Create dummy SARIF files for demonstration if they don't exist\n  const baselineSarifPath = path.join(__dirname, 'baseline.sarif.json');\n  const currentSarifPath = path.join(__dirname, 'current.sarif.json');\n\n  if (!fs.existsSync(baselineSarifPath)) {\n    fs.writeFileSync(baselineSarifPath, JSON.stringify({\"runs\": []}, null, 2));\n  }\n  if (!fs.existsSync(currentSarifPath)) {\n    // In a real scenario, this would be generated by `snyk code test --sarif > current.sarif.json`\n    fs.writeFileSync(currentSarifPath, JSON.stringify({\"runs\": []}, null, 2));\n  }\n\n  try {\n    const options = {\n      baselineOrg: ORG_ID,\n      // Optional: target a specific baseline project, otherwise `snyk-delta` attempts to find one\n      // baselineProject: 'your-baseline-project-uuid', \n      // Optional: recommended for Code Analysis projects\n      // projectName: 'owner/repo', \n      // targetReference: 'main', \n      // api: 'https://api.snyk.io/api/v1', // Snyk API endpoint, default value\n    };\n\n    console.log('Comparing Snyk Code results...');\n    const deltaReport = await getCodeDelta(baselineSarifPath, currentSarifPath, options, SNYK_TOKEN);\n\n    if (deltaReport.newFindings.length > 0) {\n      console.log(`\\nFound ${deltaReport.newFindings.length} new code findings:\\n`);\n      deltaReport.newFindings.forEach(finding => {\n        const location = finding.locations[0]?.physicalLocation;\n        const filePath = location?.artifactLocation?.uri || 'unknown file';\n        const lineNumber = location?.region?.startLine || 'unknown line';\n        console.log(`  - [${finding.ruleId}] ${finding.message.text} (${filePath}:${lineNumber})`);\n      });\n      process.exit(1); // Exit with 1 if new findings are present\n    } else {\n      console.log('\\nNo new code findings introduced. Exiting with 0.');\n      process.exit(0); // Exit with 0 if no new findings\n    }\n  } catch (error) {\n    console.error('An error occurred during delta comparison:', error);\n    process.exit(2); // Exit with 2 on error\n  }\n}\n\ncompareSnykCodeResults();","lang":"typescript","description":"Demonstrates programmatic usage of `getCodeDelta` to compare two local SARIF files, illustrating how to identify new Snyk Code findings and exit with appropriate status codes based on the comparison result. Requires `SNYK_TOKEN` and `SNYK_ORG_ID`."},"warnings":[{"fix":"Be aware that the tool's functionality will remain stable, but new capabilities aligning with future Snyk product developments may not be implemented directly within this tool.","message":"The `snyk-delta` repository is in maintenance mode. No new features are being developed; only bug and security fixes will be delivered. Contributions for small features are welcome, but breaking changes will not be accepted.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure your Snyk account is at the Business or Enterprise tier. Refer to Snyk documentation for account plan details and feature parity.","message":"Use of `snyk-delta` requires a Snyk Business or Enterprise account due to its reliance on Snyk API access for baseline comparisons. Free or Developer accounts are not supported.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Set the `SNYK_TOKEN` environment variable in your environment (e.g., `export SNYK_TOKEN=your-token`) before running `snyk-delta`. Obtain a service account token for CI/CD environments for enhanced security and manageability.","message":"The `SNYK_TOKEN` environment variable must be set with a valid Snyk API token, preferably from a service account. Failure to do so will result in authentication errors during API calls.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Do not use `snyk-delta` for Snyk IaC projects. This tool is specifically designed for Open Source, Container, and Code findings. Consider alternative methods for delta comparison of IaC findings if available within the Snyk platform.","message":"Snyk IaC (Infrastructure as Code) scanning is explicitly not supported by `snyk-delta`. Attempting to use it for IaC will result in an error or incorrect behavior.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Verify and enable the 'Code Consistent Ignores' feature in your Snyk organization settings. Consult Snyk documentation for instructions on feature enablement and its impact on Snyk Code scans.","message":"For Snyk Code comparison, the 'Code Consistent Ignores' feature must be enabled in your Snyk organization. Without this feature, the Code delta functionality may not work as expected or produce unreliable results.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Set `SNYK_TOKEN` (e.g., `export SNYK_TOKEN=\"your_snyk_api_token\"`) in your shell or CI/CD environment before executing `snyk-delta`.","cause":"The required Snyk API token is missing from the environment variables, preventing authentication with the Snyk API.","error":"Error: SNYK_TOKEN environment variable not set. Please set the SNYK_TOKEN environment variable."},{"fix":"Double-check the Snyk Organization and Project IDs for accuracy. Ensure the provided `SNYK_TOKEN` has the required read permissions for the specified resources.","cause":"The specified `--baselineProject` or `--baselineOrg` ID does not match an existing Snyk project or organization, or the `SNYK_TOKEN` lacks the necessary permissions to access them.","error":"Error: Could not find project with ID <project-uuid> in organization <org-uuid>."},{"fix":"Enable 'Code Consistent Ignores' in your Snyk Organization settings. Refer to Snyk documentation or contact Snyk support for assistance in enabling this feature.","cause":"The Snyk organization where the project resides does not have the 'Code Consistent Ignores' feature enabled, which is a prerequisite for accurate Snyk Code delta comparisons.","error":"Error: Snyk Code comparison requires 'Code Consistent Ignores' feature enabled in your Snyk organization."},{"fix":"Refrain from using `snyk-delta` for IaC projects. This tool's functionality is limited to Open Source, Container, and Code vulnerability types.","cause":"The `snyk-delta` tool was executed with a Snyk Infrastructure as Code (IaC) project, a product type it explicitly does not support.","error":"Error: Unsupported Snyk product type for delta comparison: IaC."}],"ecosystem":"npm","meta_description":null}