Choose rollout integrations
SDLC integration points
Snyk offers many integrations to work seamlessly with Snyk in every stage of the SDLC.
Many businesses roll out automated solutions first, and then slowly introduce tools to enable the developers. In addition, gating features are gradually turned on over a period of time, to minimize disruption.
As using multiple integrations can result in duplicate reporting of issues, you do not initially need to implement more than one integration type. For example, you can start by importing everything with Git repositories, then later use the CI/CD view for fine-grained detail. You can remove the source control integration if both views are not desired.
Integration types
The following are typical early integrations.
Source Code Management (SCM) integrations
Integrations with popular version control platforms like GitHub, GitLab, Azure Repos, and Bitbucket seamlessly integrate Snyk security checks into the code review process. This ensures that potential vulnerabilities are identified and addressed before code is merged into the main branch. Important features include:
Daily testing and monitoring of a specified branch, typically the development branch
(optional) Pull Request/Merge Request checks against any branch of the repository
(optional) Automated dependency upgrades and automated security fix upgrades through pull requests
The advantages of SCM integrations are:
Visibility into repository security posture
Automatic Scan on code change
Immediate feedback on issues for the developer
Onboarding repositories can be configured through the UI or API/API Import Tool
Support for Cloud and Private Code Repositories on the Snyk Enterprise plan
See Snyk SCM integrations for more details.
If you have an on-premise Git repository, you must consider deploying Snyk Broker for Snyk to communicate with your repositories.
Enterprise customers can enable and manage Snyk Broker using the API.
Paid services can be engaged to assist in Snyk Broker deployments.
Continuous Integration/Continuous Deployment (CI/CD) pipeline integrations
Integrating Snyk into CI/CD pipelines, such as Jenkins, Travis CI, or CircleCI, automates security checks during the build and deployment process. This ensures that vulnerabilities are detected early in the software development lifecycle and prevents their propagation into production. Typical features include:
(Optional) Ability to passively monitor results during build and view results in Snyk
(Optional) Ability to test and potentially break the build if results are found based on criteria you specified
The advantages of CI/CD integrations are:
Assess local code vulnerabilities
Full control over testing: which tests to run and where in the build script
Automation by CI/CD if desired
See Snyk CI/CD integrations for more details.
IDE Integrations
Integrated Development Environment (IDE) integrations like Visual Studio Code, IntelliJ IDEA, and Eclipse allow developers to access Snyk security features directly within their coding environment. This enables real-time scanning and issue remediation as developers write code.
See Snyk IDE plugins and extensions for more details.
Considerations for import strategies
CLI (automated with CI/CD)
Has to be configured for each application within CI/CD
Can select what to test and when: which package managers, where in the process, which language to analyze
May need development effort for integration
Requires configuration per application.
CLI (run locally by user)
Can be used to perform testing locally while the developer is working on an application, very configurable per scan type.
Local use case
Not meant for visibility or automation. Can require buildable code or dependencies to be installed, for example, Gradle without lockfile, Scala
API
Typically for advanced use cases.
Integration into CI/CD workflows or custom tooling.
Automated integration into CI/CD pipelines
Requires API familiarity, access through the Enterprise plan.
Git code repository integration
Used for onboarding and daily monitoring: rapid vulnerability assessment across application portfolio
Continuous monitoring of repositories, even when you are not working on it
Centralized visibility for teams
Monitors specified branch
Code does not need to be built
Can be initiated theough the UI, however larger portfolios should use API to initiate onboarding of repositories with the Api Import Tool
Some languages/package managers have better resolution through use of the CLI: Gradle without lockfile, Scala
Pull request (PR)/merge request (MR) scanning
Immediate feedback on introduced issues on the PR/MR against any branch on repository
Configurable rules for pass/fail
Additional considerations for integrations
Infrastructure as Code integration
For Snyk Infrastructure as Code, it is common that your Terraform or YAML configuration files are held in your SCM, but they may be in a separate area or repository. Thus, consider whether there are other areas you need to import. You may also want to integrate with Terraform Cloud if applicable, to enable Snyk tests as part of your terraform run processes.
For complex environments, modules, and highly templated implementations, using the CLI on your Terraform Plan file may provide the best results.
Container registry (CR) integrations
Snyk also integrates with various container registries to enable you to import and monitor your containers for vulnerabilities. Snyk tests the containers you have imported for any known security vulnerabilities found, at a frequency you control.
Kubernetes
Snyk can be configured to monitor workloads deployed to Kubernetes. See Overview of Kubernetes integration for more information on how to configure the controller.
Last updated