
snyk-language-server

Delivers instantaneous security vulnerability identification and static code analysis across dependencies, infrastructure code configurations, and source code quality. This tool augments typical development procedures via mechanisms for secure access, operational feedback, and management of trusted directories for robust risk mitigation.

Author


snyk

Apache License 2.0

Quick Info

GitHub Stars: 67
NPM Weekly Downloads: 0
Tools: 1
Last Updated: 2026-02-19

Tags

apis, vulnerability, snyk, vulnerability scanning, security diagnostics, vulnerability management

Snyk Language Server (Snyk-LS) - Enhanced Analysis Engine


Supported Capabilities

The language server adheres strictly to the Language Server Protocol and seamlessly integrates Snyk Open Source intelligence, Snyk Infrastructure as Code scanning, and Snyk Code static analysis. For OSS and IaC, it leverages the Snyk Command Line Interface (CLI) as its primary data source; for Snyk Code, it establishes a direct connection to the dedicated Snyk Code API endpoint.

Currently, the language server facilitates the following operational procedures:

  • Provision diagnostics to the client immediately upon document opening, provided the file resides within the monitored folder scope.
  • Initiate a full folder-level security assessment upon service commencement and transmit subsequent findings.
  • Trigger a comprehensive workspace-wide evaluation across all configured folders via a dedicated command.
  • Persist diagnostic results in a local cache until a document save event or a new workspace scan is manually initiated.
  • Refresh caches when a file is saved, compelling a re-evaluation and retrieval of the latest diagnostic set.
  • Offer precise positional calculation to accurately map and highlight Snyk Open Source findings within the editor view.
  • Furnish richly formatted hover information containing comprehensive diagnostic specifics and actionable resolution links.
  • Relay progress updates to the client interface concerning ongoing asynchronous analysis tasks.
  • Dispatch necessary notifications and log messages back to the connected client application.
  • Handle authentication requirements using either OAuth2 credentials or API tokens, potentially launching a web interface if required.
  • Automatically transfer the authentication URL to the system clipboard if web-based authentication fails to launch.
  • Execute automated retrieval and placement of the Snyk CLI executable if it is absent or misconfigured relative to XDG_DATA_HOME standards.
  • Permit granular control over which security product modules are activated based on client-provided configuration settings.
  • Report any scanning failures encountered back to the Language Server Client as actionable diagnostics.
  • Render specialized Code Lenses to enable direct navigation through Snyk Code data flow paths directly from the editor pane.
  • Support Code Actions to invoke editor-specific commands, such as launching a browser, applying quick fixes, or accessing relevant Snyk Learn tutorials pertaining to the detected issue.

Implemented Operations

Language Server Protocol Compliance

Requests

  • initialize
  • exit
  • textDocument/codeAction
  • textDocument/codeLens
  • textDocument/didClose
  • textDocument/didSave
  • textDocument/hover
  • textDocument/inlineValue
  • shutdown
  • workspace/didChangeWorkspaceFolders
  • workspace/didChangeConfiguration
  • workspace/executeCommand
  • window/workDoneProgress/create (server -> client direction)
  • window/showMessageRequest
  • window/showDocument

Notifications

  • $/progress
  • $/cancelRequest
  • textDocument/publishDiagnostics
      • parameters: types.PublishDiagnosticsParams
      • example: Snyk Open Source payload structure (omitted for brevity)
      • example: Snyk Code payload structure (omitted for brevity)
  • window/logMessage
  • window/showMessage

Custom Extensions to Language Server Protocol (Server to Client)

  • SDKs Callback: Mechanism to retrieve configured SDK paths from the client side.
      • method: workspace/snyk.sdks
      • parameters: types.WorkspaceFolder
      • example: JSON array of SDK objects (e.g., Java, Python, Go installations).
  • Folder Configuration Broadcast: Notification detailing specific settings per workspace folder.
      • method: $/snyk.folderConfigs
      • parameters: types.FolderConfigsParam
      • example: Configuration specifying base branch and local branches for delta analysis.
  • Aliased Diagnostic Publication: Alternative notification endpoint for diagnostics.
      • method: $/snyk.publishDiagnostics316
      • parameters: types.PublishDiagnosticsParams (alias for standard publishDiagnostics)
  • MCP Server Address Broadcast: Informs the client of the server's internal listening address for MCP communication (POST requests to /messages and SSE subscriptions on /sse).
      • method: $/snyk.mcpServerURL
      • parameters: types.McpServerURLParams
      • example: {"url": "https://127.0.0.1:7595"}
  • Authentication Status Update: Confirms successful authentication and provides credentials.
      • method: $/snyk.hasAuthenticated
      • parameters: types.AuthenticationParams
      • example: Includes token and associated API URL.
  • CLI Availability Confirmation: Reports the located or downloaded path of the Snyk CLI executable.
      • method: $/snyk.isAvailableCli
      • parameters: types.SnykIsAvailableCli
  • Trusted Folder Registry: Notifies the client of folders explicitly granted trust for analysis execution.
      • method: $/snyk.addTrustedFolders
      • parameters: types.SnykTrustedFoldersParams
  • Scan Status Reporting: Provides real-time updates on ongoing or completed security scans.
      • method: $/snyk.scan
      • parameters: types.ScanParams
      • example: Status updates (success, error, inProgress) per product (code, oss, iac).
  • Summary View Update: Delivers aggregated HTML content for display in a dedicated summary panel.
      • method: $/snyk.scanSummary
      • parameters: types.ScanSummary

Commands

  • NavigateToRangeCommand: Instructs the client to focus the editor on a specific file location.
      • command: snyk.navigateToRange
      • arguments: File path and LSP Range object.
  • WorkspaceScanCommand: Initiates a full scan across the entire current workspace.
      • command: snyk.workspace.scan
      • arguments: None.
  • WorkspaceFolderScanCommand: Initiates analysis for a specified workspace directory.
      • command: snyk.workspaceFolder.scan
      • arguments: Folder path string.
  • OpenBrowserCommand: Launches the specified URL in the system's default web browser.
      • command: snyk.openBrowser
      • arguments: URL string.
  • LoginCommand: Triggers the initiation of the Snyk authentication sequence.
      • command: snyk.login
      • arguments: None.
  • CopyAuthLinkCommand: Transfers the necessary authentication URL to the clipboard.
      • command: snyk.copyAuthLink
      • arguments: None.
  • LogoutCommand: Executes the user logout procedure.
      • command: snyk.logout
      • arguments: None.
  • TrustWorkspaceFoldersCommand: Verifies and prompts for user confirmation regarding folder trust necessary for execution.
      • command: snyk.trustWorkspaceFolders
      • arguments: None.
  • OpenLearnLesson: Directs the user to a relevant Snyk Learn tutorial page.
      • command: snyk.openLearnLesson
      • arguments: Detailed metadata about the issue (rule, ecosystem, CWEs, CVEs, issue type enumeration).
  • GetLearnSession: Fetches the structured JSON data for a specific Snyk Learn lesson.
      • command: snyk.getLearnLesson
      • arguments: Same detailed issue metadata as OpenLearnLesson.
      • result: Lesson JSON object.
  • SettingsSastEnabled: Queries the backend to confirm the operational status of Snyk Code (SAST).
      • command: snyk.getSettingsSastEnabled
      • arguments: None.
      • returns: Boolean status and potential user advisory message.
  • GetActiveUser: Retrieves details of the currently authenticated user and their organizational affiliations.
      • command: snyk.getActiveUser
      • arguments: None.
      • returns: User object including organizations and groups.
  • Code Fix Command: Applies the remediation suggested by the first available autofix option for a given finding.
      • command: snyk.code.fix
      • arguments: codeActionId, file path, and location range.
      • returns: Error status if application fails.
  • Code Fix Diffs: Retrieves the source code differences (the 'diff') associated with autofix suggestions.
      • command: snyk.code.fixDiffs
      • arguments: Issue UUID.
      • returns: An array of suggestion objects containing file-specific unified diff strings.
  • Code Fix Apply Edit Command: Executes an autofix action using a specific fix identifier, returning an LSP WorkspaceEdit object.
      • command: snyk.code.fixApplyEdit
      • arguments: fixId string.
      • returns: A WorkspaceEdit object compliant with the LSP specification.
  • Feature Flag Status Command: Queries the current enablement status of a specified feature flag.
      • command: snyk.getFeatureFlagStatus
      • arguments: Feature flag identifier string.
      • returns: Status object {ok: boolean, userMessage: string?}.
  • Clear Cache: Manages clearing local storage, either in-memory, persisted, or both.
      • command: snyk.clearCache
      • arguments: Target folder URI and cache type (persisted or inMemory).
  • Generate Issue Description: Computes and returns the issue description formatted as HTML content.
      • command: snyk.generateIssueDescription
      • arguments: Issue ID string.

Acquisition

Download Binaries

Release artifacts, including compiled executables for Windows, macOS, and Linux, are stored within the release pipeline. To obtain them, navigate to the latest release tag and select the desired build artifact ZIP file.

The current production binary can be fetched using this shell script. Note that the underlying protocol version, defined in .goreleaser.yaml, influences the download URL and may change to enforce synchronization between the plugin and the language server.

Compilation From Source

  • Prerequisites: Ensure go version 1.20 or later is installed, and GOPATH and GOROOT environment variables are set correctly.
  • Navigate to the repository's root directory.
  • Execute go get ./... to fetch all necessary dependencies.
  • Execute make build && make install to compile and install the snyk-ls executable.

Operational Configuration

Snyk LS Command Line Directives

  • -c <FILE>: Specifies an external configuration file to be loaded prior to any other settings.
  • -f <FILE>: Redirects logging output to a specified file instead of standard output.
  • -l <LOGLEVEL>: Sets the verbosity level (trace, debug, info, warn, error, fatal). Default is info. This can be overridden by setting the SNYK_DEBUG_LEVEL environment variable (e.g., export SNYK_DEBUG_LEVEL=debug).
  • -licenses: Displays the software licenses utilized by the Language Server when run stand-alone, or when running inside the Snyk CLI.
  • -o <FORMAT>: Defines the format for issue reporting (md for Markdown or html).
  • -v: Outputs the current Language Server version number.

Configuration Parameters

LSP Initialization Payloads

During the initial Initialize message exchange, the server processes custom settings passed in the initializationOptions field (typed as initializationOptions?: LSPAny in the LSP specification):

    {
      "activateSnykOpenSource": "true",            // OSS analysis activation (default: true)
      "activateSnykCode": "false",                 // Snyk Code enabling (default: false, deprecated in favor of granular settings)
      "activateSnykIac": "true",                   // IaC analysis activation (default: true)
      "insecure": "false",                         // Permits use of custom Certificate Authorities (CAs)
      "endpoint": "https://api.eu.snyk.io",        // Custom Snyk API endpoint for non-standard deployments
      "organization": "a string",                  // Organization context identifier
      "path": "/usr/local/bin",                    // Directories prepended to the system PATH for CLI resolution
      "cliPath": "/a/patch/snyk-cli",              // Explicit location of the Snyk CLI or download target
      "token": "secret-token",                     // Snyk access token or result from auth flow
      "integrationName": "ECLIPSE",                // Identifier for the hosting IDE/Editor
      "integrationVersion": "1.0.0",               // Version of the hosting IDE/Editor
      "automaticAuthentication": "true",           // Auto-initiate authentication upon scan start (default: true)
      "deviceId": "a UUID",                        // Unique identifier for this LS instance (telemetry use)
      "filterSeverity": {                          // Optional severity filters applied to results
        "critical": true,
        "high": true,
        "medium": true,
        "low": true
      },
      "issueViewOptions": {                        // Optional filters for issue visibility
        "openIssues": true,
        "ignoredIssues": false
      },
      "sendErrorReports": "true",                  // Consent to send operational error telemetry to Snyk (default: true)
      "manageBinariesAutomatically": "true",       // Automatic download and upkeep of CLI/LS binaries
      "enableTrustedFoldersFeature": "true",       // Enable prompts for folder trust (default: true)
      "activateSnykCodeSecurity": "false",         // Enable Snyk Code Security findings reporting
      "activateSnykCodeQuality": "false",          // Enable Snyk Code Quality findings reporting (Beta)
      "scanningMode": "auto",                      // Scan trigger mode: "auto" (background) or "manual" (on-demand)
      "authenticationMethod": "oauth",             // Preferred auth mechanism: "token" or "oauth". Default is token.
      "snykCodeApi": "https://deeproxy.snyk.io",   // Endpoint for Snyk Code analysis
      "enableSnykLearnCodeActions": "true",        // Display Snyk Learn integration in Code Actions menu
      "enableSnykOSSQuickFixCodeActions": "true",  // Enable quick-fix actions for applicable OSS vulnerabilities
      "enableSnykOpenBrowserActions": "false",     // Display actions that open external web links
      "enableDeltaFindings": "false",              // Only report findings that are new relative to the configured base branch
      "requiredProtocolVersion": "14",             // Minimum required LSP protocol version for the client
      "hoverVerbosity": "1",                       // Detail level for hover tooltips (0=off, 1=desc only, 2=details, 3=complete/default)
      "outputFormat": "md",                        // Format for rich text output: plain, md (default), or html
      "additionalParams": "--all-projects",        // Extra flags passed to the Snyk Open Source CLI invocation
      "additionalEnv": "MAVEN_OPTS=-Djava.awt.headless=true;FOO=BAR", // Semicolon-separated environment variables for CLI execution
      "trustedFolders": [ "/a/trusted/path", "/another/trusted/path" ], // Pre-approved directories for scanning
      "folderConfigs": [{                          // Folder-specific CLI parameters
        "baseBranch": "main",
        "folderPath": "a/b/c",
        "additionalParameters": "--file=pom.xml"
      }]
    }

Setting activateSnykCode implicitly configures both activateSnykCodeSecurity and activateSnykCodeQuality. To enable only one specific Code analysis type, activateSnykCode must be omitted from the initialization parameters.

Workspace Security Trust

During analysis, Snyk may execute external utilities (e.g., package managers) based on code contents. Executing such code within untrusted contexts poses a security risk. Consequently, the Snyk Language Server prompts the user for explicit folder trust before running assessments on such directories. The trusted-folders feature is enabled by default. Upon granting trust, the Language Server broadcasts the update via the $/snyk.addTrustedFolders notification, allowing the client to persistently store this decision.

Trust prompts are suppressed if enableTrustedFoldersFeature is set to false in initialization options. An initial set of trusted paths can be provided via the trustedFolders array in initializationOptions.

Environment Variables

Snyk LS and the Snyk CLI require specific environment variables for networking and language toolchain discovery:

  1. Proxy settings: HTTP_PROXY, HTTPS_PROXY, and NO_PROXY.
  2. Java context: JAVA_HOME for JVM-based project analysis.
  3. Execution path: PATH for locating tools like Maven or Python interpreters.

Automatic Environment Setup

If the execution environment is not pre-configured (e.g., not run via a sourced shell), Snyk LS attempts to load variables from the following files, respecting the listed order for precedence (later files do not overwrite earlier ones):

  1. the config file given via the -c flag
  2. /.snyk.env
  3. $HOME/.snyk.env

Lines matching the VARIABLENAME=VARIABLEVALUE format are injected if the variable is not already set. This follows the dotenv convention; explicit export commands on the same line are ignored.

The PATH variable is aggregated from all sources, and the current working directory (.) is automatically added.
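The loading rules above (first source wins, dotenv NAME=VALUE lines only, same-line export ignored, PATH aggregated from every source with "." appended) as an added Go example; this is illustrative code, not snyk-ls's own loader. It assumes the pre-existing PATH is kept at the front of the aggregated PATH and uses a constructed pair of sources.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Only the dotenv form NAME=VALUE is accepted; "export NAME=VALUE", blank
// lines and comments do not match and are skipped, as the README describes.
var envLine = regexp.MustCompile(`^([A-Za-z_][A-Za-z0-9_]*)=(.*)$`)

// loadEnvSources merges env-file contents in precedence order: the first
// source to set a variable wins and later sources never overwrite it (nor
// anything already in existing). PATH is aggregated instead: entries from
// the existing PATH (an assumption here) and every source are appended in
// order, de-duplicated, with "." added last.
func loadEnvSources(existing map[string]string, sources []string, sep string) map[string]string {
	env := map[string]string{}
	for k, v := range existing {
		env[k] = v
	}
	var pathParts []string
	seen := map[string]bool{}
	addPath := func(value string) {
		for _, part := range strings.Split(value, sep) {
			if part = strings.TrimSpace(part); part != "" && !seen[part] {
				seen[part] = true
				pathParts = append(pathParts, part)
			}
		}
	}
	addPath(existing["PATH"]) // an absent PATH contributes nothing
	for _, src := range sources {
		for _, line := range strings.Split(src, "\n") {
			m := envLine.FindStringSubmatch(strings.TrimSpace(line))
			if m == nil {
				continue
			}
			name, value := m[1], m[2]
			if name == "PATH" {
				addPath(value)
			} else if _, set := env[name]; !set {
				env[name] = value
			}
		}
	}
	addPath(".")
	env["PATH"] = strings.Join(pathParts, sep)
	return env
}

func main() {
	// Constructed sources in the README's order: -c file first, then /.snyk.env.
	sources := []string{"SNYK_TOKEN=placeholder-a\nPATH=/opt/tools/bin\n",
		"SNYK_TOKEN=placeholder-b\nexport DEEPROXY_API_URL=https://deeproxy.snyk.io/\n"}
	fmt.Println(loadEnvSources(map[string]string{"PATH": "/usr/bin"}, sources, ":"))
}
```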

Additionally, on Linux/macOS, the following directories are added to the PATH:

  • /bin, $HOME/bin, /usr/local/bin, and $JAVA_HOME/bin.

If JAVA_HOME is unset, the server searches common system locations (/usr/lib, /usr/java, /opt, /Library, $HOME/.sdkman, C:\Program Files, C:\Program Files (x86)) for a Java executable, setting JAVA_HOME to its parent's parent directory upon discovery. A similar search is performed for Maven.

Snyk CLI Location

The managed Snyk CLI is located by scanning the XDG Data Home path and the general PATH for OS-specific executables (e.g., snyk-linux). The first discovered path is used for all CLI-dependent operations.

Global Variable Configuration

For system-wide availability, variables should be set in /etc/environment (Linux) or /etc/launchd.conf (macOS). The LS reads these locations automatically. On Windows, configuration via user/system UI is recommended. Example for ~/.profile:

    SNYK_TOKEN=
    DEEPROXY_API_URL=https://deeproxy.snyk.io/
    # Ensure export is on a separate line if using bash/sh syntax
    export SNYK_TOKEN
    export DEEPROXY_API_URL

Snyk Authentication Procedure

The authentication sequence initiates automatically unless explicitly disabled. The flow proceeds as follows:

  • If the configured endpoint is snykgov.io or authenticationMethod is set to oauth, OAuth2 flow begins, opening a browser window.
  • Otherwise, the server attempts token retrieval via the Snyk CLI's existing authentication state.
  • If the CLI is unauthenticated, a browser window is opened for user sign-in.
  • If web browser interaction fails, the authentication URL can be manually copied using the snyk.copyAuthLink command (requires xsel or xclip on Linux/Unix).

Upon successful web authentication, the Snyk Language Server securely captures the credentials for subsequent API interactions.

Execute Tests

    go test ./...

If Pact testing dependencies are unavailable, extend your PATH environment variable, for example:

    PATH=$PATH:$PWD/.bin/pact/bin make test

Expected output verifying successful integration tests (against live APIs/CLI):

    ?   	github.com/snyk/snyk-ls	[no test files]
    ok  	github.com/snyk/snyk-ls/code	24.201s
    ok  	github.com/snyk/snyk-ls/diagnostics	26.590s
    ok  	github.com/snyk/snyk-ls/iac	25.780s
    ?   	github.com/snyk/snyk-ls/lsp	[no test files]
    ok  	github.com/snyk/snyk-ls/oss	22.427s
    ok  	github.com/snyk/snyk-ls/server	48.558s
    ok  	github.com/snyk/snyk-ls/util	9.562s

Local Github Action Simulation

You can validate GitHub Actions workflows locally using act.

Prerequisites for act

    brew install act

    # Install Docker provider dependency (if needed)
    brew install --cask virtualbox
    brew install minikube
    minikube start
    eval $(minikube docker-env)   # Establishes Docker context for act

Running act Simulations

Provide necessary secrets for the workflow execution:

    act --secret SNYK_TOKEN=$SNYK_TOKEN --secret DEEPROXY_API_URL=$DEEPROXY_API_URL
