Snyk SBT Plugin

3.1.0 verified Sat Apr 25 auth: no javascript

A plugin for the Snyk CLI that provides dependency metadata for sbt (Scala Build Tool) projects. It scans build.sbt files to identify known vulnerabilities in dependencies. Current stable version is 3.1.0, released August 2025. The plugin supports Node 20 on Windows, Linux, and macOS, and works with sbt 0.13.x through 1.7.x (with or without sbt-dependency-graph plugin for older versions). Key differentiator: integrates Snyk's vulnerability scanning into Scala/SBT projects with automatic dependency tree extraction. v3.0.0 introduced breaking changes including dropping shell:true and updated shescape for argument escaping.

error Error: spawn sbt ENOENT
cause sbt is not installed or not in PATH.
fix Install sbt and ensure it is available in the system PATH.
error Cannot find module 'snyk-sbt-plugin'
cause CJS require used for ESM-only package.
fix Use ES module import: import { inspect } from 'snyk-sbt-plugin'
error Error: No supported sbt project detected
cause Project does not contain a build.sbt file.
fix Ensure the project path contains a build.sbt file.
breaking Dropping shell:true and bumping shescape after author fix in v3.0.0
fix Update any scripts that relied on shell:true being set; the plugin no longer uses shell execution for child processes.
gotcha Older sbt versions (<=1.2) require sbt-dependency-graph plugin or coursier to be installed
fix Install sbt-dependency-graph plugin or coursier following Snyk support documentation.
deprecated Plugin uses Node.js APIs; may not work with newer Node versions without updates
fix Ensure you are using Node 20, as specified in the supported OS table; future versions may require updates.
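
What the v3.0.0 "dropping shell:true" note changes for callers, shown with Node's child_process. This is an added example, not the plugin's source; it assumes a POSIX system with `echo` on PATH, and `DEMO_DIR` and the sample arguments are constructed.

```javascript
const { spawnSync } = require('node:child_process');

// Constructed environment variable, used only to make shell expansion visible.
const OPTS = { encoding: 'utf8', env: { ...process.env, DEMO_DIR: '/tmp/demo' } };

// Run `echo <arg>` and return the lines the child printed.
// useShell=true  : the command is one string that /bin/sh parses.
// useShell=false : the argument is handed to the child as a single argv entry.
function echoVia(arg, useShell) {
  const res = useShell
    ? spawnSync(`echo ${arg}`, { ...OPTS, shell: true })
    : spawnSync('echo', [arg], OPTS);
  if (res.error) throw res.error;
  return res.stdout.trimEnd().split('\n');
}

// True when a shell would change the meaning of the argument, i.e. a script
// passing this value behaved differently while shell:true was in effect.
function isShellSensitive(arg) {
  return echoVia(arg, true).join('\n') !== echoVia(arg, false).join('\n');
}

// Constructed sample arguments: a variable reference, a value containing a
// command separator, and a plain file name.
const SAMPLES = ['$DEMO_DIR/build.sbt', 'core; echo SECOND_COMMAND', 'build.sbt'];

for (const arg of SAMPLES) {
  console.log({
    arg,
    withShell: echoVia(arg, true),     // expanded or split by the shell
    withoutShell: echoVia(arg, false), // delivered verbatim
    shellSensitive: isShellSensitive(arg),
  });
}
```

Values flagged as shell-sensitive are the ones to review in scripts written against the old behaviour: without a shell, variables are not expanded and separators are not interpreted, so expand them in the calling script before passing them on.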
npm install snyk-sbt-plugin
yarn add snyk-sbt-plugin
pnpm add snyk-sbt-plugin

Scans an SBT project for vulnerabilities using the inspect function, logging dependency tree and vulnerability count.

import { inspect } from 'snyk-sbt-plugin';

async function scanSbtProject(projectPath: string) {
  try {
    // Second argument is the build file, relative to the project root.
    const result = await inspect(projectPath, 'build.sbt', { dev: false });
    console.log('Scanned dependencies:', result.package.dependencies);
    // The vulnerabilities field may be absent, so fall back to 0.
    console.log('Vulnerabilities:', result.vulnerabilities?.length ?? 0);
  } catch (error) {
    // Typical failures: sbt missing from PATH, or no build.sbt in the project.
    console.error('Scan failed:', error);
  }
}

scanSbtProject('/path/to/sbt/project');