Choose rollout integrations
SDLC integration points
Snyk offers many integrations that fit into every stage of the SDLC.
Many businesses typically roll out automated solutions first, then slowly introduce tools to enable the developers. In addition, gating features are gradually turned on over a period of time to minimize disruption.
Because using multiple integrations can result in the same issues being reported more than once, you do not initially need to implement more than one integration type. For example, you can start by importing everything through Git repositories, then later use the CI/CD view for fine-grained detail (potentially removing the source control integration if both views are not desired).
Integration types
Below are typical early integrations.
Source Code Management (SCM) integrations
Integrations with popular version control platforms like GitHub, GitLab, Azure Repos, and Bitbucket seamlessly integrate Snyk security checks into the code review process. This ensures that potential vulnerabilities are identified and addressed before the code is merged into the main branch. Important features include:
Daily testing and monitoring of a specified branch (typically the "development" branch).
(optional) Pull Request/Merge Request checks against any branch of the repository.
(optional) Automated dependency upgrades and automated security fix upgrades using pull requests.
Advantages:
Visibility into repository security posture
Automatic Scan on code change
Immediate feedback on issues for the developer
Onboarding of repositories can be configured using the UI
Supports Cloud Repositories on the Team plan
For more details, see Git repositories (SCMs).
If your Git SCM is not cloud-facing, or you run your own instance of it:
Consider deploying a Snyk Broker for Snyk to communicate with your repositories, which would also require a Snyk Enterprise Plan.
Enterprise customers can enable and manage Snyk Broker via API.
Paid services can be engaged to assist in broker deployments.
Continuous Integration/Continuous Deployment (CI/CD) pipeline integrations
Integrating Snyk into CI/CD pipelines, such as Jenkins, Travis CI, or CircleCI, automates security checks during the build and deployment process. This ensures that vulnerabilities are detected early in the software development lifecycle and prevents their propagation into production. Typical features include:
(Optional) Ability to passively monitor results during build and view results in Snyk
(Optional) Ability to test and potentially break the build based on criteria you specified
Integration can be achieved with specific Marketplace plugins or, more generally, with the CLI as part of your pipeline script.
Advantages:
Assess local code vulnerabilities
Full control over testing (which tests to run, where in the build script)
Can automate via CI/CD
For more details, see Snyk CI/CD integrations.
Integrated Development Environment (IDE) integrations
IDE integrations like Visual Studio Code, IntelliJ IDEA, and Eclipse allow developers to access Snyk's security features directly within their coding environment. This enables real-time scanning and issue remediation as developers write code, at the earliest possible stage.
For more details, see Use Snyk in your IDE.
Considerations for import strategies
CLI (automated CI/CD)
Must be configured for each application within CI/CD.
Can select what to test and when (that is, which package managers, where in the process, and which language to analyze).
May need development effort for integration.
It requires configuration per application.
CLI (Run locally by user)
User can use CLI to perform testing locally while working on an application, very configurable per scan type.
Local use case
Not meant for visibility or automation. Can require buildable code or installed dependencies (for example, Gradle without a lockfile, Scala).
Git Code Repository Integration
Onboarding and daily monitoring: rapid vulnerability assessment across application portfolio.
Continuous monitoring of repositories (even when you are not working on them).
Centralized visibility for teams.
Monitors specified branch
Code does not need to be built.
Can be initiated via UI
Some languages and package managers resolve dependencies better through the CLI (Gradle without a lockfile, Scala).
Pull request (PR)/merge request (MR) scanning
Immediate feedback on introduced issues in the PR/MR against any branch of the repository.
Configurable rules for pass/fail
Additional considerations
Infrastructure as Code
For Snyk Infrastructure as Code, your Terraform or YAML configuration files are commonly held in your SCM, but they may live in a separate area or repository. Consider whether there are other areas you need to import. You may also want to integrate with Terraform Cloud (if applicable) to enable Snyk tests as part of your "Terraform run" processes.
For complex environments, modules, and highly templated implementations, utilizing the CLI on your Terraform Plan file may provide the best results.
CR (Container Registries)
Snyk also integrates with various Container Registries so you can import and monitor your container images for vulnerabilities. Snyk tests the images you have imported for known security vulnerabilities at a frequency you control.