When deciding to use a Snyk integration, compare the advantages of source control management (SCM) integrations and CI/CD integrations. See SCM (Git) and CI/CD integration deployment intro.
Typical stages in adopting CI/CD Integration
Developer teams typically adopt Snyk in the following stages:
Expose vulnerabilities (
Use Snyk as a gatekeeper (
Continuous monitoring (
Stage 1: Expose vulnerabilities (
A typical approach is using Snyk results to expose vulnerabilities during the development process. This increases visibility of vulnerabilities among members of your team.
When you first implement Snyk in your pipeline, using only the
snyk monitor command is recommended. If you use one of the Snyk CI plugins, it is recommended that you configure the plugin to not fail the build.
This is because all projects have vulnerabilities, and after you set Snyk to fail the build, every build fails because of Snyk. This may cause problems with your team being quickly overwhelmed with failure messages.
snyk monitor to expose results provides information without disrupting processes.
For information about
snyk monitor, see the
monitor command help.
Stage 2: Use Snyk as a gatekeeper (
Using Snyk as a gatekeeper prevents the introduction of new vulnerabilities (sometimes known as "stopping the bleeding").
After your teams understand the vulnerabilities in their applications, and develop a process for fixing them early in the development cycle, you can configure Snyk to fail your builds, to prevent introducing vulnerabilities into your applications.
snyk test to your build or enable the fail functionality to make Snyk fail your builds, providing the results output to the console. Your developers or DevOps teams can use the results to decide whether to stop or continue the build.
For information about
snyk test, see the
test command help.
Stage 3: Continuous monitoring (
snyk test and
snyk test and
After you configure Snyk to fail the build when vulnerabilities are detected, you can configure Snyk to send a snapshot of your project's successful builds to Snyk for ongoing monitoring.
To do this, configure your pipeline to run
snyk monitor if your
snyk test returns a successful exit code.
CI/CD deployment methods
All of these methods provide the same results, as they all rely on the same Snyk engine. Thus the same arguments or options apply regardless of the deployment method you select.
There are various ways to configure Snyk within your pipeline. Choose a method depending on your environment and preference. You can expect all methods to lead to a successful run.
Use Snyk native plugins
Snyk native plugins are available for most common CI/CD tools. Using these plugins is the easiest way to set up and get started. The plugins include the most common parameters and options in the user interface (UI).
Deploy Snyk CLI using the npm method
Follow steps similar to those for installing the CLI locally. You must be able to run an npm command in the pipeline script. This method has the advantage of completely aligning with the CLI experience so you can easily troubleshoot and configure.
Deploy Snyk CLI binary version
The advantage of the binary setup is that it has no dependency with the local environment. For example, it is useful if you cannot run an npm command in your pipeline.
CLI binaries are available on the CLI GitHub repository.
Snyk has Linux, Windows, and other versions.
Deploy a Snyk container
You may also deploy Snyk in your pipeline using one of the Snyk images in Dockerhub.
Examples of Snyk CI/CD Integrations
This repo shows some examples of binary and npm integrations for various CI/CD tools: CI/CD examples.