Preparing for implementation of the Enterprise plan

Before using this page, see Getting started with the Snyk: Enterprise plan for information about getting a team involved in using Snyk.
This page looks at a few planning steps and provides a walkthrough of some initial configuration options to complete before inviting more teams and scanning additional applications.
If you have been using Snyk on the Free or Team Plan and are looking for guidance on upgrading to the Enterprise plan, see Upgrading to Enterprise Plan

Considerations before launching Snyk to additional teams

There are several questions to consider before you launch Snyk to multiple teams in your Organization:
  • Where will you implement Snyk in your Software Development Life Cycle (SDLC)?
  • How will you structure your Snyk account?
  • How will you and your team log in to Snyk?
  • How will you define license and security policies?
  • How will you scan your applications?
  • How will you configure your first Organization?
After you answer these questions and configure your first Organization, you can configure additional Organizations and invite members.

Checklist for preparing to implement the Enterprise plan

Use this checklist to ensure you have prepared for your implementation.
  • Determine where to implement Snyk in your SDLC.
  • Determine how you will structure your Snyk account: your Snyk Organization structure and naming convention and Projects in Organizations.
  • Determine how you and your team will log in to Snyk.
  • Set up SSO if applicable.
  • Define license and security policies.
  • Develop your Project import strategy: how you will scan your applications.
  • Set up your first Organization. Note: There are many Settings to establish, including notification defaults for the Group and for the first Organization.
  • Invite members.
  • Begin importing Projects
  • Create additional Organizations.
  • Roll out Snyk to your teams.
    • Identify influential developers as security champions and early adopters.
    • Define your communications and training plan.
    • Define success metrics based on program maturity.

Where to implement Snyk in your SDLC

As you prepare for your teams to start adopting Snyk as part of a secure development workflow, you should decide where to use Snyk in your SDLC, and what you want to scan, for example, application code, open-source library dependencies, container registries, and so on.
You will also want to roll Snyk out in phases depending on how far you and your teams have progressed with developer security: awareness, visibility, preventing issues, fixing the backlog, optimizing) See the Ways to integrate Snyk at your company training course for more details.

How to structure your Snyk account

For Enterprise plans, the hierarchy for your Snyk account includes a Group at the highest level, Organizations within that Group, and Projects within those Organizations.
Snyk account hierarchy
Snyk account hierarchy
For very large implementations of Snyk, you may also choose to implement multiple Groups, for example, to align top levels with separate business units. Contact your Account Executive if you are interested in discussing this option.
Consider this hierarchy, as well as which members of your teams need access to specific Snyk Projects, when you decide how to align your Snyk Organizations with your internal structure. You will want to decide how to structure your account before inviting members or scanning a large number of applications.
To make these decisions, consider the following:
  • Which team members have access to specific repositories?
  • How do you want to apply policies to Snyk Projects for prioritizing and automating tests?
  • How do you want to report on scans?
For more help addressing these questions, see the free, self-paced training course Snyk account structure.

How your teams log in to Snyk

There are a few different ways that users can authenticate to log in to their Snyk accounts, such as with a GitHub or Google account.
Logging in to Snyk
Logging in to Snyk

Enable Single Sign-On (SSO) if applicable

You may want to set up SSO using your existing identity provider to streamline sign-ins and new user provisioning.
If you use SSO, after you set it up, you must remove any social login accounts from Snyk so that all user access to your Group is controlled through SSO.

Define license and security policies

The Policy manager allows you to define license and security policies at the Group level.
License policies define how your Organizations identify license compliance issues in your Open Source packages and change the severity of issues associated with use of those licenses.
Security policies define the way your Organizations handle specific issues or exploit maturity levels. A policy can programmatically increase an issue’s severity rating, decrease the severity rating, or ignore the issue.
See Security policies for more details.

How you will scan your applications

Snyk Projects are the components that Snyk tests, along with the related configuration and metadata. Each target you want to scan: repos, container images, Dockerfiles, configuration files, source code, may include more than one Project.
See the introduction to Snyk Projects for more details. Before you add Projects to Snyk, you wlll define a Project import strategy.
There are different ways to add Projects in Snyk, including using an integration, the Snyk CLI, or the Snyk API.
Make sure your Organizations in Snyk are configured appropriately. Determine how you want to configure your first Organization and complete all of the settings first. Then you can use that Organization as a template for configuring other Organizations so you can begin scanning applications.

Set up your first Organization

Configure your first Organization before you start scanning applications and inviting members, to ensure the best experience.
To save time, Snyk recommends setting up your first Organization fully so that this Organization can serve as a template when you create other Organizations using the Snyk Web UI or an API.
Follow these steps to ensure you have completed the configuration.

Set ignore permissions

Snyk allows you to ignore issues in a few different ways. An ignored issue is not deleted. It is only removed from the filtered list of open issues.
Before inviting additional team members to Snyk, determine who can ignore the vulnerabilities and license issues that Snyk identifies.
Go to Settings > General to specify the ignore permissions.
Snyk recommends that only Snyk Admins be allowed to ignore issues and that all ignores must have a reason specified.

Configure Git repository integrations

Snyk includes a number of automated processes for Snyk Open Source when integrated with a source code manager (SCM) on a Git repository. These automated processes are a great way to develop the maturity of your developer security program. However, these automated processes can introduce frustration for developers if introduced too early in your journey. Make sure your settings align with your phase of adoption.
You may decide to disable snyk test for pull requests and other automated processes until your teams are ready.
Use the following steps to disable these automated processes for the Organization until you are ready to implement them. Note that all of these settings may not be displayed, depending on the specific Integration you are configuring.
  1. 1.
    Open the Organization in the Snyk UI.
  2. 2.
    Select Integrations from the left navigation pane.
  3. 3.
    Select the cog icon adjacent to integration you want to configure, for example, GitHub.
  4. 4.
    In the Snyk test for pull requests section, disable the following:
    1. 1.
      Open Source Security & Licenses
    2. 2.
      Code Analysis
    3. 3.
      Automatic fix pull requests, both New vulnerabilities and Known vulnerabilities (backlog)
    4. 4.
      Automatically Update Dockerfile base images
    5. 5.
      Automatic dependency upgrade pull requests
    6. 6.
      Pull request assignees for private repos
See the Source Code Manager Configurations training course for details on how to match these integration settings with your security maturity phase, to begin enabling the settings when your teams are ready.
See also Snyk Integrations for more details.
If you are using an on-premise source control manager, you must also configure and deploy the Snyk Broker.

Set up Jira integration

Integrate your Organization with Jira to assist with logging tickets and addressing backlogged security issues. For details, see Jira integration.

Set up Slack integration

Integrate your Organization with a Slack channel to notify your teams of issues. For details, see Slack integration.

Define language settings

Based on the nuances of the tech stack you are using, you will want to set your language preferences. For more detail on the nuances of using Snyk in specific circumstances, see the Guide specific to your language.

Integrate private registries

If you are using private registries, you will want to set up those integrations. See Private registry integrations.

Enable Snyk Code

When you create a new Organization, Snyk Code (SAST) scanning is disabled by default. Snyk recommends enabling this product before you import your first Projects to Snyk.
  1. 1.
    Select the Settings > Snyk Code option.
  2. 2.
    Click the toggle to enable Snyk Code; then click Save changes.
If you imported Projects prior to enabling, you must re-import them.
See Getting started with Snyk Code for more details.

Enable Infrastructure as Code

Snyk Infrastructure as Code enables your developers to scan their configuration files for misconfigurations. Enable Infrastructure as Code scans as follows:
  1. 1.
    Open the Organization in the Snyk UI.
  2. 2.
    Select Settings from the left navigation pane.
  3. 3.
    Select Infrastructure as Code.
  4. 4.
    Select Enabled under Detect configuration files, and save the changes.
If you imported Projects prior to enabling, you must re-import them.
For more information, see Snyk Infrastructure as Code.

Configure notifications

Snyk sends teams different types of alerts based on settings defined for the Group and for the Organization. Snyk highly recommends defining the default settings for the Group and the first Organization with most notifications disabled by default, before you create additional Organizations and start scanning applications.
If you want alerts to be sent by default for Projects imported into the Organization, you can have Snyk send notifications for either vulnerabilities or license issues, or for both. You can also limit the notifications to only High and Critical severity issues. The following video demonstrates how to set notification defaults.
Organization notification video
Encourage individuals to set up their own notification preferences, if they want to customize how they receive alerts for specific Projects.
Personal notification video

Invite members

When your Organization is configured, you are ready to invite others to use Snyk. There are two ways in the Snyk UI to invite members. You can invite by entering their email addresses, or add existing Group members to this Organization. Both are demonstrated in the following video.
Invite members video

Create additional Organizations

After you configure your first Organization, you can use it as a template for creating additional Organizations.
To create a new Organization:
  1. 1.
    Open the Organization switcher in the navigation panel and select Create new Organization.
  2. 2.
    Provide the name of the new Organization. See Manage Snyk organizations for more details.
After you have created an Organization that you plan to use as a template, complete the setup to configure all of the settings in the way you want them for another Organization. To use an existing Organization as a template, select the Organization from the list.
The following settings will be copied from the selected Organization to the new Organization.
  • Source control integrations (GitHub, GitLab, BitBucket)
  • Container registry integrations (ACR, Docker Hub, ECR, GCR)
  • Container orchestrator integrations (Kubernetes)
  • PaaS and Serverless integrations (Heroku, AWS Lambda)
  • Notification integrations (Slack, Jira)
  • Policies
  • Ignore settings
  • Language settings
  • Snyk Code settings
  • Infrastructure as Code settings
The new Organization will not use the settings from the copied Organization for the following:
  • Service accounts
  • Members
  • Projects
  • Notification preferences
You can then customize any of the Organization settings that you configured for the first Organization for the new Organization.

Roll out Snyk to your teams

When you roll out Snyk to your teams, you will:
  • Identify influential developers as security champions and early adopters.
  • Define your communications and training plan.
  • Define success metrics based on program maturity.
The Launch Snyk to your teams course in Snyk Training provides strategies, communication templates, and checklists for rolling out Snyk to a wider audience.