SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Implementing Snyk in your teams
Getting started
Snyk Web UI
Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Infrastructure as Code
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Starting to fix vulnerabilities
Snyk Priority Score
Why can't I open a Pull Request/Merge Request for issues found by Snyk?
How Snyk finds out about new vulnerabilities
What languages do we support Fix Pull Requests or Merge Requests?
How to fix your vulnerabilities
Upgrading package versions to fix vulnerabilities
Snyk patches to fix vulnerabilities
Introduction to ignoring issues
Merge advice
Issue management
Policies
Security policies
Prioritizing issues
Triaging issues
Reports
Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
Snyk Partner workshops
Powered By GitBook
Snyk Priority Score
What is the Snyk Priority Score?
Snyk created a Priority Score to make the prioritization of issues as quick and easy as possible, ensuring the highest-risk issues have the highest score.
Snyk's security group found a significant correlation between trending vulnerabilities and exploits or proof of concept's that can be found in the wild. Social trends are calculated and shown for all issues, vulnerabilities and licenses and range from 0 to 1,000 (0 is considered low risk and 1,000 is considered critical). This gives users a high degree of granularity that reflects the many considerations taken into account. The granularity avoids having too many issues ending up with the same score so users can determine priority at a glance with a high degree of accuracy.
Snyk does not use the CVSS score alone to determine priority: Snyk’s Priority Score is a comprehensive scoring system that processes multiple factors, including the CVSS score, the availability of a fix, known exploits, how new the vulnerability is, and whether it is reachable or not. See How it works section for details.

How it works

For each issue, Snyk processes and weighs several factors in a proprietary algorithm, to produce the score for that issue.
Snyk continually refines our prioritization algorithm to include new factors, and updates weighting of factors, to always provide the most accurate and up-to-date representation of priority given the latest information.
Currently, these factors include:
  • ​Severity levels: calculated using CVSS framework v3.1 scores for that issue.
  • ​Exploit Maturity: determined by Snyk’s industry-leading security team using manual and automated methods to track which vulnerabilities are exploitable, and to what extent.
  • ​Reachability: by looking at the code paths called within a project, Snyk identifies which vulnerabilities are reachable from the code.
  • ​Fixability (availability of a fix): without a safer version to upgrade to, or a Snyk patch available, developers must either fix the code themselves or use an alternative package. So vulnerabilities with fixes are given higher priorities.
  • Time: new vulnerabilities are likely to be an increased risk, so increasing priority score.
  • ​Social Trends: Snyk monitors mentions of known vulnerabilities in Twitter, calculating the trend of tweets and reactions.
  • Malicious Packages: Snyk will prioritize vulnerabilities originating from malicious packages.

Priority calculation for Kubernetes

Kubernetes configs images imported from the Kubernetes integration have a number of additional contributing factors for priority score calculation. See Snyk Priority Score and Kubernetes.

Priority calculation for Snyk Code

A number of specific factors contribute to priority calculation for Snyk Code, including:
  • Severity levels
  • Number of vulnerability occurrences
  • Rule tags: decrease if beta tags are found
  • Open community projects: if this vulnerability is fixed widely
  • Hot files: if the vuln is in the source file, or inside a code flow
  • Fixability: If we have fix examples available for this issue
See Snyk Code documentation for more details.

View scores in projects

Scores can be seen on each issue in the projects view, with all issues now sorted by the Priority Score, to show you the most pressing issues first.
Issues can be filtered on the left.

View scores in the Reports

The Issues tab in the reports includes the Priority Score as it's own sortable column. By default the table is already sorted by the score, to show you the most pressing issues first.
Issues can also be filtered by the score.

View scores in the Snyk API

Various issue-related API calls now include the scores in the response, and support filtering by the score.
Read more about the relevant API calls:

Settings

There are no settings related to the Priority Score. They have no active impact, so are just extra metadata, so they cannot be disabled or hidden.
Previous
Starting to fix vulnerabilities
Next
Why can't I open a Pull Request/Merge Request for issues found by Snyk?
Last modified 8d ago
Export as PDF
Copy link
Edit on GitHub
Contents
How it works
Priority calculation for Kubernetes
Priority calculation for Snyk Code
View scores in projects
View scores in the Reports
View scores in the Snyk API
Settings