Choose rollout integrations

SDLC integration points

Snyk offers many integrations to work seamlessly with Snyk in every stage of the SDLC.

Many businesses roll out automated solutions first, and then slowly introduce tools to enable the developers. In addition, gating features are gradually turned on over a period of time, to minimize disruption.

As using multiple integrations can result in duplicate reporting of issues, you do not initially need to implement more than one integration type. For example, you can start by importing everything with Git repositories, then later use the CI/CD view for fine-grained detail. You can remove the source control integration if both views are not desired.

Integration types

The following are typical early integrations.

Source Code Management (SCM) integrations

Integrations with popular version control platforms like GitHub, GitLab, Azure Repos, and Bitbucket seamlessly integrate Snyk security checks into the code review process. This ensures that potential vulnerabilities are identified and addressed before code is merged into the main branch. Important features include:

Daily testing and monitoring of a specified branch, typically the development branch
(optional) Pull Request/Merge Request checks against any branch of the repository
(optional) Automated dependency upgrades and automated security fix upgrades through pull requests

The advantages of SCM integrations are:

Visibility into repository security posture
Automatic Scan on code change
Immediate feedback on issues for the developer
Onboarding repositories can be configured through the UI or API/API Import Tool
Support for Cloud and Private Code Repositories on the Snyk Enterprise plan

See Git repositories (SCMs) for more details.

If you have an on-premise Git repository, you must consider deploying Snyk Broker for Snyk to communicate with your repositories.

Enterprise customers can enable and manage Snyk Broker using the API.

Paid services can be engaged to assist in Snyk Broker deployments.

Continuous Integration/Continuous Deployment (CI/CD) pipeline integrations

Integrating Snyk into CI/CD pipelines, such as Jenkins, Travis CI, or CircleCI, automates security checks during the build and deployment process. This ensures that vulnerabilities are detected early in the software development lifecycle and prevents their propagation into production. Typical features include:

(Optional) Ability to passively monitor results during build and view results in Snyk
(Optional) Ability to test and potentially break the build if results are found based on criteria you specified

The advantages of CI/CD integrations are:

Assess local code vulnerabilities
Full control over testing: which tests to run and where in the build script
Automation by CI/CD if desired

See Snyk CI/CD integrations for more details.

IDE Integrations

Integrated Development Environment (IDE) integrations like Visual Studio Code, IntelliJ IDEA, and Eclipse allow developers to access Snyk security features directly within their coding environment. This enables real-time scanning and issue remediation as developers write code.

See Use Snyk in your IDE for more details.

Considerations for import strategies

Project Import Strategy	Considerations	Advantages	Disadvantages
CLI (automated with CI/CD)	Has to be configured for each application within CI/CD	Can select what to test and when: which package managers, where in the process, which language to analyze May need development effort for integration	Requires configuration per application.
CLI (run locally by user)	Can be used to perform testing locally while the developer is working on an application, very configurable per scan type.	Local use case	Not meant for visibility or automation. Can require buildable code or dependencies to be installed, for example, Gradle without lockfile, Scala
API	Typically for advanced use cases. Integration into CI/CD workflows or custom tooling.	Automated integration into CI/CD pipelines	Requires API familiarity, access through the Enterprise plan.
Git Code Repository Integration	Used for onboarding and daily monitoring: rapid vulnerability assessment across application portfolio	Continuous monitoring of repositories, even when you are not working on it Centralized visibility for teams Monitors specified branch Code does not need to be built	Can be initiated theough the UI, however larger portfolios should use API to initiate onboarding of repositories with the Api Import Tool Some languages/package managers have better resolution through use of the CLI: Gradle without lockfile, Scala
	Pull request (PR)/merge request (MR) scanning	Immediate feedback on introduced issues on the PR/MR against any branch on repository	Configurable rules for pass/fail

Project Import Strategy

Considerations

Advantages

Disadvantages

CLI (automated with CI/CD)

Has to be configured for each application within CI/CD

Can select what to test and when: which package managers, where in the process, which language to analyze
May need development effort for integration

Requires configuration per application.

CLI (run locally by user)

Can be used to perform testing locally while the developer is working on an application, very configurable per scan type.

Local use case

Not meant for visibility or automation. Can require buildable code or dependencies to be installed, for example, Gradle without lockfile, Scala

API

Typically for advanced use cases.
Integration into CI/CD workflows or custom tooling.

Automated integration into CI/CD pipelines

Requires API familiarity, access through the Enterprise plan.

Git Code Repository Integration

Used for onboarding and daily monitoring: rapid vulnerability assessment across application portfolio

Continuous monitoring of repositories, even when you are not working on it
Centralized visibility for teams
Monitors specified branch
Code does not need to be built

Can be initiated theough the UI, however larger portfolios should use API to initiate onboarding of repositories with the Api Import Tool
Some languages/package managers have better resolution through use of the CLI: Gradle without lockfile, Scala

Pull request (PR)/merge request (MR) scanning

Immediate feedback on introduced issues on the PR/MR against any branch on repository

Configurable rules for pass/fail

Additional considerations for integrations

Infrastructure as Code integration

For Snyk Infrastructure as Code, it is common that your Terraform or yaml configuration files are held in your SCM, but they may be in a separate area or repository. Thus, consider whether there are other areas you need to import. You may also want to integrate with Terraform Cloud if applicable, to enable Snyk tests as part of your terraform run processes.

For complex environments, modules, and highly templated implementations, using the CLI on your Terraform Plan file may provide the best results.

CR (Container Registries) integrations

Snyk also integrates with various Container Registries to enable you to import and monitor your containers for vulnerabilities. Snyk tests the containers you have imported for any known security vulnerabilities found, at a frequency you control.

Kubernetes

Snyk can be configured to monitor workloads deployed to Kubernetes. See Overview of the Kubernetes integration for more information on how to configure the controller.

PreviousPlan for success NextCreate rollout plan

Last updated 2 months ago