Snyk JSON to HTML Report Generator
snyk-to-html is a Node.js utility that converts the JSON output of various Snyk CLI commands (e.g., `snyk test --json`, `snyk code test --json`, `snyk iac test --json`, `snyk container test --json`) into a human-readable, static HTML vulnerability report. The current stable version is 3.7.1, released in April 2026. The package has a relatively active release cadence; releases often include bug fixes, security updates, and new features such as support for exploit maturity, reachability signals, and risk scores. A key differentiator is support for custom Handlebars templates, which lets users tailor the report's appearance and the data fields it includes. It is primarily used as a CLI tool but also exposes a programmatic API for integration into automated workflows.
Common errors
- `snyk-to-html: command not found`
  - cause: The `snyk-to-html` executable is not in your system's PATH, usually because it wasn't installed globally or its global installation path isn't correctly configured.
  - fix: Install the package globally: `npm install -g snyk-to-html` or ensure your PATH includes `$(npm config get prefix)/bin`.
- `Error: Handlebars: Input is not a string`
  - cause: The input provided to the templating engine, either directly or via the `convertToHtml` function, was not a valid string.
  - fix: Ensure the Snyk JSON output is provided as a string. If using `convertToHtml`, `JSON.stringify()` the object before passing it.
- `TypeError: Cannot read properties of undefined (reading 'vulnerabilities')`
  - cause: The provided Snyk JSON input is malformed or not in the expected format, causing the report generator to fail when trying to access properties.
  - fix: Verify that the input JSON is valid Snyk CLI output. You can use `snyk test --json > output.json` and then validate `output.json` before passing it to `snyk-to-html`.
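One way to do the validation step recommended in the last fix above, as an added example that is not part of snyk-to-html. The helper names and sample strings are constructed, and the check covers only the top-level `vulnerabilities` array that the error message names; the array-of-results and `error`-field handling are assumptions about CLI output.

```javascript
// Added example: pre-flight check for Snyk CLI JSON; helpers are hypothetical.

function kindOf(value) {
  if (value === null) return 'null';
  return Array.isArray(value) ? 'array' : typeof value;
}

// Takes raw scan text (or an already-parsed value) and returns
// { ok, input, problems }; `input` is a JSON string whenever ok is true.
function prepareSnykInput(raw) {
  const problems = [];
  let data = raw;
  if (typeof raw === 'string') {
    try {
      data = JSON.parse(raw);
    } catch (err) {
      return { ok: false, input: null, problems: [`not valid JSON: ${err.message}`] };
    }
  }
  // Assumption: a scan covering several projects yields an array of results.
  const results = Array.isArray(data) ? data : [data];
  if (results.length === 0) problems.push('empty result array');

  results.forEach((result, i) => {
    const where = `result[${i}]`;
    if (kindOf(result) !== 'object') {
      problems.push(`${where}: expected an object, got ${kindOf(result)}`);
      return;
    }
    // Assumption: a failed scan is reported as JSON carrying an "error" string.
    if (typeof result.error === 'string') {
      problems.push(`${where}: scan reported an error: ${result.error}`);
      return;
    }
    if (!Array.isArray(result.vulnerabilities)) {
      problems.push(`${where}: "vulnerabilities" is ${kindOf(result.vulnerabilities)}, expected array`);
    }
  });

  const ok = problems.length === 0;
  return { ok, input: ok ? JSON.stringify(data) : null, problems };
}

// Constructed samples, not real scan output.
const SAMPLES = {
  good: '{"vulnerabilities": [], "dependencyCount": 1}',
  failedScan: '{"ok": false, "error": "constructed error text"}',
  truncated: '{"vulnerabilities": [',
};
```

Only pass `input` on to the report step when `ok` is true; otherwise `problems` says which result failed and why.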
Warnings
- breaking Node.js 20 or higher is required. Older Node.js versions are not supported.
- breaking The package transitioned to an ESM-first architecture, meaning CommonJS `require()` statements may not work directly for programmatic imports without configuration.
- gotcha Custom Handlebars templates may require updates if new data fields (e.g., `exploitMaturity`, `reachability`, `riskScore`, `epssDetails`) are introduced or existing ones change their structure.
- breaking A Handlebars vulnerability (CVE-2026-33937O) was patched. Ensure you are on the latest patch version to mitigate potential security risks.
Install
- `npm install snyk-to-html`
- `yarn add snyk-to-html`
- `pnpm add snyk-to-html`
Imports
- convertToHtml
  - `const convertToHtml = require('snyk-to-html').convertToHtml;`
  - `import { convertToHtml } from 'snyk-to-html';`
- SnykToHtmlOptions
  - `import type { SnykToHtmlOptions } from 'snyk-to-html';`
- CLI usage (global)
  - `node snyk-to-html -i input.json`
  - `snyk-to-html -i input.json -o report.html`
Quickstart
```javascript
import { convertToHtml } from 'snyk-to-html';
import * as fs from 'fs';

// Mock of `snyk test --json` output containing a single finding.
// Each key appears once: a repeated "vulnerabilities" key would silently
// replace this list with the later value.
const mockSnykJsonOutput = {
  "vulnerabilities": [
    {
      "id": "SNYK-JS-LODASH-590135",
      "title": "Prototype Pollution",
      "severity": "high",
      "description": "The 'merge' function in lodash is vulnerable to prototype pollution via the 'assignValue' function.",
      "packageManager": "npm",
      "packageName": "lodash",
      "version": "4.17.15",
      "fixedIn": ["4.17.21"],
      "exploitMaturity": "mature"
    }
  ],
  "dependencyCount": 1,
  "org": "my-org",
  "policy": "Snyk Security Policy",
  "isPrivate": true,
  "summary": "1 vulnerable dependency path",
  "uniqueCount": 1,
  "filesystemPolicy": false,
  "licensesPolicy": null
};

async function generateReport() {
  try {
    // convertToHtml expects the Snyk JSON as a string, so serialize the object first.
    const htmlReport = await convertToHtml(JSON.stringify(mockSnykJsonOutput), {
      title: 'Snyk Security Report',
      // template: fs.readFileSync('./custom-template.hbs', 'utf8') // Optional: use a custom Handlebars template
    });
    fs.writeFileSync('snyk-report.html', htmlReport);
    console.log('HTML report generated: snyk-report.html');
  } catch (error) {
    console.error('Failed to generate report:', error);
  }
}

generateReport();
```