Updated 30 March 2026

Maximizing the Snyk Free Plan

200 tests per month for private repos. Unlimited for open source. With the right strategy, Free can work for solo developers and small teams with 1 to 3 private repos. Here is how to make every test count.

  • 200 private tests/month
  • Unlimited open source tests
  • 1 user account

What Counts as a Test

Every scan of a manifest file counts as one test. Understanding this is critical for staying within 200 tests/month:

What counts

  • Each package.json, requirements.txt, pom.xml scan = 1 test
  • Each Dockerfile scan = 1 test
  • Each Terraform file scan = 1 test
  • Each Kubernetes manifest scan = 1 test
  • Snyk CLI test command = 1 test per manifest
  • CI/CD scan per PR per manifest = 1 test
  • Scheduled re-test of monitored project = 1 test

What does not count

  • Tests on public/open-source repositories
  • Viewing existing scan results (no new scan)
  • Browsing the Snyk vulnerability database
  • Using Snyk Advisor (package health checker)
  • Reading fix recommendations for existing issues

Strategy 1: Scan on Merge Only

Instead of scanning every PR (which multiplies test count by your PR volume), configure Snyk to scan only when code is merged to the main branch. This reduces test count by 80% or more for active repositories.

Example: 3 repos, 3 manifests each

Scan every PR (5 PRs/day):

3 repos x 3 manifests x 5 PRs x 22 days = 990 tests/month

Exceeds Free limit in ~4 days

Scan on merge only (5 merges/day):

3 repos x 3 manifests x 5 merges x 22 days = 990 tests/month

The formula is the same; the saving comes only from merges being less frequent than PRs. At 2 merges/day: 396 tests/month. Still over the limit.

For 3+ active repos, even merge-only scanning exceeds the Free limit. Free realistically works for 1 to 2 repos with moderate activity.

Strategy 2: Weekly Scheduled Scans

Instead of continuous CI/CD scanning, run Snyk on a weekly schedule. New vulnerabilities are published daily, but the risk of missing one for a few days is manageable for most non-critical applications.

Weekly scan math:

5 repos x 3 manifests x 4 weeks = 60 tests/month

Well within 200 test limit

This strategy works for up to 15 repos with 3 manifests each (180 tests/month). Add a buffer for occasional manual scans.

Strategy 3: Targeted CLI Testing

Use the Snyk CLI for manual, targeted scans rather than automatic scanning. Run snyk test only when you add new dependencies or before a release. This gives you full control over test consumption.

CLI workflow:

  • Run snyk test after adding/updating dependencies
  • Run snyk container test before pushing Docker images
  • Run snyk iac test before applying Terraform changes
  • Skip scanning on routine code changes that do not touch dependencies

A developer adding dependencies 2 to 3 times per week across 3 repos consumes roughly 30 to 40 tests/month. Plenty of room within the Free limit.
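One way to turn the CLI workflow above into a gate, as an added example (not Snyk's code and not part of the original article): it maps changed paths to the three CLI commands listed and stops before a run would pass the 200-test limit. The function names and the `USED`, `SNYK_IMAGE` and `DRY_RUN` variables are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Snyk's code. Plans Snyk CLI scans for a change set so
# that changes touching no manifest consume none of the monthly tests.
# Usage: git diff --name-only --diff-filter=d origin/main...HEAD \
#          | plan_scans | run_plan "$USED"
# Assumptions: USED (tests already consumed this month) is tracked by you;
# SNYK_IMAGE names the image built from the Dockerfile; DRY_RUN=1 only prints.

MONTHLY_LIMIT=200   # private-repo test limit of the Free plan, per this page

# classify PATH: print deps | container | iac, or nothing when no scan is needed
classify() {
  case "${1##*/}" in
    package.json|requirements.txt|pom.xml) echo deps ;;
    Dockerfile)                            echo container ;;
    *.tf)                                  echo iac ;;
  esac
}

# plan_scans: changed paths on stdin -> "kind<TAB>path" lines, one per test
plan_scans() {
  while IFS= read -r path; do
    kind=$(classify "$path")
    [ -n "$kind" ] && printf '%s\t%s\n' "$kind" "$path"
  done
  return 0
}

# fits_budget USED PLANNED: succeed if USED + PLANNED stays within the limit
fits_budget() {
  [ $(( $1 + $2 )) -le "$MONTHLY_LIMIT" ]
}

# run_plan USED: read a plan on stdin; stop before the limit would be exceeded
run_plan() {
  used=$1 rc=0
  while IFS="$(printf '\t')" read -r kind path; do
    fits_budget "$used" 1 || { echo "limit reached, skipped: $path" >&2; return 1; }
    case "$kind" in
      deps)      set -- snyk test --file="$path" ;;
      container) set -- snyk container test "${SNYK_IMAGE:-app:latest}" --file="$path" ;;
      iac)       set -- snyk iac test "$path" ;;
    esac
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"
    else "$@" </dev/null || rc=1   # snyk exits non-zero when it reports issues
    fi
    used=$((used + 1))
  done
  return "$rc"
}
```

With the default `DRY_RUN=1` the planned commands are only printed, which lets you check how many tests a change set would consume before spending any.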

Open Source: Unlimited and Free

For open-source maintainers, Snyk Free is the best security scanning tool available at any price. There is no test limit, no feature restriction, and no catch. You get:

  • Unlimited dependency vulnerability scanning for all public repos
  • Automated fix pull requests when vulnerabilities have patches available
  • Badge for your README showing security status
  • Container scanning for public Docker images
  • IaC scanning for public Terraform/Kubernetes repos
  • Integration with GitHub, GitLab, and Bitbucket for automatic PR scanning

If you maintain open-source projects and do not use Snyk, you are leaving free security scanning on the table. Setup takes under 5 minutes: connect your GitHub account and Snyk automatically scans all public repos.

When to Upgrade to Team

The Free plan stops being practical when any of these are true:

You have more than 3 active private repositories

Test consumption scales linearly with repo count. 5+ repos with CI/CD scanning will exceed 200 tests within the first week.

You need to add team members

Free is limited to 1 user. If multiple developers need access to scan results and fix recommendations, you need Team.

You need Jira integration

Tracking vulnerability remediation in Jira requires the Team plan. On Free, you manage findings manually.

You need automated fix PRs

Snyk's automatic fix pull requests (upgrading vulnerable dependencies) require Team. On Free, you apply fixes manually.

You need license compliance

Checking third-party dependency licenses (GPL, MIT, Apache) for legal compliance requires Team.