Azure Pipelines integration

Overview

Snyk enables security across the Microsoft Azure ecosystem, including for Azure Pipelines, automatically finding and fixing application and container vulnerabilities.
Ready-to-use tasks for Azure Pipelines can be quickly inserted directly from the Azure interface, enabling you to customize and automate your pipelines with no extra coding. Among the tasks included is the Snyk task.
You can include the Snyk task in your pipeline to test for security vulnerabilities and licensing issues as part of your routine work; in this way, you can test and monitor your application dependencies and container images for security vulnerabilities. Once tested, you can review and work with results directly from the Azure Pipelines output, as well as from the Snyk interface.
Snyk support
Our Snyk Security Scan task is available for all languages supported by Snyk and Azure DevOps.

How it works

Once the Snyk Security Scan task has been added to a pipeline, the Snyk task does the following each time the pipeline runs:

Test

  1. Tests the application dependencies or container images for vulnerabilities and licensing issues and lists them.
  2. If Snyk finds vulnerabilities or license issues, it does one of the following (based on your configuration):
    • Fails the pipeline
    • Lets the pipeline continue

Monitor

After the snyk test is complete, you have the option of doing snyk monitor. snyk monitor will save a snapshot of the project dependencies in your snyk.io account, where you can see the dependency tree with all of the issues and be alerted if and when new issues are found in the dependencies.

Install the Snyk extension for your Azure pipelines

To start using our task as part of your pipeline build, first install the extension into your Azure DevOps instance per organization, from the Visual Studio Marketplace.
Prerequisites:
  • Create a Snyk account at https://snyk.io/
  • Ensure you are an owner of or an administrator for this account.
Steps:
  1. Access your Snyk account.
  2. For free plans, go to your General Account Settings, find your personal API authentication token, and copy and save it for later.
  3. For paid plans, navigate to the organization you'd like to integrate with, then go to Settings to create a new service account token. Copy and save it for later.
  4. Access your Azure DevOps account and navigate to Extensions -> Browse marketplace.
  5. Search for the Snyk Security Scan extension and click Get it free.
  6. Create a new Service Connection in your project via Project Settings -> Pipelines -> Service Connections.
  7. Select the "Snyk Authentication" service connection type.
  8. In the Snyk Authentication service connection form, enter the Server URL and the Snyk API Token along with a Service connection name.
  9. Click Save, ensuring the new service connection appears in your list of service connections.

Add the Snyk Security Task to your pipelines

Prerequisites
  • Ensure you have a pipeline within the repository for the code you’d like to test.
  • If you created a pipeline with the Azure Repos wizard, this file is called azure-pipelines.yml.
  • If this repository has multiple service connections, check with your Snyk admin which to use for your pipeline.
  • If you want to add your Dockerfile for additional base image data when testing your container, ensure the image has first been built.
Requirements
This extension requires that Node.js and npm be installed on the build agent. These are available by default on all Microsoft-hosted build agents. However, if you are using a self-hosted build agent, you may need to explicitly activate Node.js and npm and ensure they are in your PATH. This can be done using the NodeTool task from Microsoft prior to the SnykSecurityScan task in your pipeline.
Steps:
  1. Add the Snyk Security Scan task when you create your pipeline or while editing an existing one. See the Azure Pipelines documentation.
  2. From Azure, access the pipeline you'd like to scan for vulnerabilities, open it for editing and check that the Build step is included just before the point at which you'd like to insert the Snyk task (this is not required but is considered best practice for consistency across projects).
  3. Open the assistant, search for the Snyk Security Scan task and click it. The configuration panel opens on top of the assistant.
  4. Complete the fields in the configuration. Find full details about the parameters in the GitHub repo or in the section Snyk Security Scan task parameters and values below. Note: if the Fail build if Snyk finds issues option is checked and Snyk finds issues, the Snyk task fails the pipeline job. If you remove the checkmark from that option, the Snyk task still tests for vulnerabilities but does not cause the pipeline job to fail. When testing a container image, you can specify the path to the Dockerfile with the dockerfilePath property to receive additional information about issues in your base image; ensure the image has been built before the task runs.
  5. Place your cursor inside the pipeline, before any deployment step such as npm publish or docker push. Note: you can have multiple instances of the Snyk Security Scan task within your pipeline. This is useful, for example, if you have multiple project manifest files to test or want to test both the application and the container images.
  6. From the configuration panel, click Add. The task is inserted into your pipeline where your cursor was placed, appearing similar to the following:

      inputs:
        testType: 'app'
        monitorWhen: 'always'
        failOnIssues: true

  7. Once included in your pipeline, the task runs each time the pipeline runs, and the results appear in the Azure Pipelines output view.
If the Snyk task fails the build, an error message appears in the results indicating that the build failed due to snyk test.
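As an added example (not from the original page), the following complete azure-pipelines.yml applies the steps above on a self-hosted agent: it activates Node.js with NodeTool, builds the application, runs two instances of the Snyk task (application dependencies, then the built container image) and pushes the image only if both pass. The task version SnykSecurityScan@1, the pool name, the Node.js version and the service connection name snykToken are assumptions; the image name goof and the parameter values come from this page.

```yaml
# Added example, not from the Snyk documentation page.
# Assumptions: task version SnykSecurityScan@1, pool name 'SelfHosted',
# service connection 'snykToken' and Node.js version '18.x'.
pool:
  name: 'SelfHosted'   # self-hosted agent; Node.js/npm may not be on PATH

steps:
  # The extension needs Node.js and npm. Microsoft-hosted agents have them;
  # on a self-hosted agent, put them on PATH before the first Snyk task.
  - task: NodeTool@0
    inputs:
      versionSpec: '18.x'

  # Build step placed just before the Snyk task, as recommended above.
  - script: npm ci
    displayName: 'Build application'

  # Instance 1: test package.json dependencies. Only issues of high severity
  # fail the job; a snapshot is sent to snyk.io only when issues are found.
  - task: SnykSecurityScan@1
    displayName: 'Snyk: application dependencies'
    inputs:
      serviceConnectionEndpoint: 'snykToken'
      testType: 'app'
      severityThreshold: 'high'
      monitorWhen: 'onIssuesFound'
      failOnIssues: true
      additionalArguments: '--all-projects'

  # The image must exist before the container test can run.
  - script: docker build -t goof .
    displayName: 'Build container image'

  # Instance 2: test the built image; dockerfilePath adds base-image advice.
  - task: SnykSecurityScan@1
    displayName: 'Snyk: container image'
    inputs:
      serviceConnectionEndpoint: 'snykToken'
      testType: 'container'
      dockerImageName: 'goof'
      dockerfilePath: 'Dockerfile'
      monitorWhen: 'always'
      failOnIssues: true

  # Deployment runs only if both Snyk tasks passed (failOnIssues: true).
  - script: docker push goof
    displayName: 'Push container image'
```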

Snyk Security Scan task parameters and values

This section describes the Snyk task parameters for Azure Pipelines integration, their parallel configuration fields (from the configuration panel in Azure Pipelines) and their valid values:
Each entry below gives the configuration field with its parameter name in parentheses, followed by its description, whether it is required, its default and its type.

Snyk API token service (ConnectionEndpoint)
  Description: The Azure DevOps service connection endpoint where your Snyk API token is defined. Your admin defines this within your Azure DevOps project settings, assigning it a unique string to differentiate between connections. The configuration panel displays all available Snyk service connections in a dropdown list. If multiple Snyk service connections are available, ask your administrator which to use for the pipeline you're working with.
  Required: Yes
  Default: none
  Type: string (an Azure Service Connection Endpoint of type SnykAuth / Snyk Authentication)

What do you want to test? (testType)
  Description: Determines which dynamic fields are displayed, as described in the rest of this section.
  Required: Yes
  Default: "application"
  Type: string: "app" or "container"

Container Image Name (dockerImageName)
  Description: The name of the container image to test. This dynamic field appears when What do you want to test is set to Container Image.
  Required: Yes, for container image tests
  Default: none
  Type: string

Path to Dockerfile (dockerfilePath)
  Description: The path to the Dockerfile corresponding to the dockerImageName. This dynamic field appears when What do you want to test is set to Container Image.
  Required: Yes, for container image tests
  Default: none
  Type: string

Custom path to manifest file to test (targetFile)
  Description: Applicable to application type tests only. The path to the manifest file to be used by Snyk; provide it only if it is non-standard. This dynamic field appears when What do you want to test is set to Application.
  Required: No
  Default: none
  Type: string

Testing severity threshold (severityThreshold)
  Description: The severity threshold to use when testing. By default, issues of all severity types are found. Note: if not configured, the default severity is set to Low.
  Required: No
  Default: "low"
  Type: string: "low", "medium" or "high"

When to run Snyk Monitor (monitorWhen)
  Description: When to run snyk monitor to capture the dependency tree of the application or container image and monitor it within Snyk.
  Required: Yes
  Default: "always"
  Type: string: "always", "onIssuesFound" or "never"

Fail build if Snyk finds issues (failOnIssues)
  Description: Specifies whether pipeline jobs should fail or continue when Snyk finds issues.
  Required: Yes
  Default: true
  Type: boolean

Project name in Snyk (projectName)
  Description: A custom name for the Snyk project to be created on snyk.io.
  Required: No
  Default: none
  Type: string

Organization name (or ID) in Snyk (organization)
  Description: Name (or ID) of the Snyk organization under which this project should be tested and monitored.
  Required: No
  Default: none
  Type: string

Test (Working) Directory (testDirectory)
  Description: Alternate working directory. For example, to test a manifest file in a directory other than the root of your repo, supply a relative path to that directory.
  Required: No
  Default: none
  Type: string

Additional command-line args for Snyk CLI (advanced) (additionalArguments)
  Description: Additional Snyk CLI arguments to pass in. See the CLI reference for details. Tip: add --all-projects as good practice (for example, for .NET) if no project has been found.
  Required: No
  Default: none
  Type: string
Example of a Snyk task to test a node.js (npm) based application
This section displays an example of the Snyk Security Scan task configuration and parameters when testing a Node.js (npm) application.
With the configuration panel completed, click Add and the task is added to your pipeline as follows:
Simple Application Testing Example
  inputs:
    serviceConnectionEndpoint: 'snykToken'
    testType: 'app'
    monitorWhen: 'always'
    failOnIssues: true
Example of a Snyk task for a container image pipeline
The following is an example of the Snyk Security Scan task within the script for a container image pipeline, populated with the most common settings from the configuration panel and added to your pipeline:
Simple Container Image Testing Example
  inputs:
    serviceConnectionEndpoint: 'snykToken'
    testType: 'container'
    dockerImageName: 'goof'
    dockerfilePath: 'Dockerfile'
    monitorWhen: 'always'
    failOnIssues: true