Snyk Azure Repositories (TFS) integration
Feature availability Integration with Azure Repos Cloud is available with all Snyk pricing plans. Integration with Azure DevOps Server 2020 and above, also known as TFS, is available for Snyk Enterprise plan customers. For details, see Plans and pricing.
Snyk supports only Git. Snyk does not currently support integration with Team Foundation Version Control (TFVC).
Snyk integrates with your Microsoft Azure Repository to let you import Projects and monitor the source code for your repositories. Snyk tests the Projects you have imported for known security vulnerabilities in the dependencies, testing at a frequency you control.
Snyk Azure Repository integration lets you:
Continuously perform security scanning across all the integrated repositories
Detect vulnerabilities in your open-source components
Provide automated fixes and upgrades
How Azure Repository integration works
The process to connect Snyk with your Azure repositories includes the following steps:
Generate a unique Azure DevOps personal access token (PAT) for Snyk, based on a username and password combination, and configured with the specific permissions Snyk needs to access your Azure repositories. For more information, see Configure your Azure Repository integration.
Select the Projects and repositories you want to associate with Snyk for testing and monitoring. You can also enter custom file locations for any manifest files that are not located in the root folders of your repositories.
Snyk then does the following:
Evaluates the items you selected and imports the ones that have the relevant manifest files in their root folder and all the subfolders at any level.
Communicates directly with your repository for each test it runs using the permissions you associated with your PAT, to determine exactly which code is currently pushed by the Snyk application and which dependencies are being used. Each dependency is tested against the Snyk vulnerability database to see if it contains any known vulnerabilities.
Notifies you by email or a dedicated Slack channel if vulnerabilities are found according to the preferences you configured, so that you can take immediate action to fix the issues.
Configure your Azure Repository integration
Prerequisites for Azure Repository integration
Only a Snyk admin user can configure the integration within the UI. Collaborator users cannot perform this task.
To enable integration between Azure Repository and Snyk:
Set up your Azure Repos account and your Snyk account.
You must have an Azure project.
If you do not have a project yet, create one in Azure DevOps or set one up in an on-premise Azure DevOps instance.
Create a Personal Access Token (PAT). You must be a member of the Project Administrators Group so that the PAT has the
edit subscriptions permissionsrequired to enable webhooks.
Integrate with your Azure Repository
Generate and copy a unique PAT to use for Snyk. For more information, see the Azure DevOps documentation.
When you are prompted in Azure, enable the following permissions for Snyk access:
Expiry: to avoid breaking the integration, Snyk recommends that you choose a token expiration date that is far in the future.
Scopes: Custom defined
Code:
Read & write.
Integrate using the Snyk Web UI
Log in to your Snyk account and navigate to Integrations.
Pay special attention to the instructions given on the Account Credentials page. Depending on your plan, you may need to enter just the Azure DevOps Organization, or you may need to enter the entire URL.
Set your organization: Enter the slug for your Organization only. For example, enter
your-azure-devops-orgSet your host: enter the entire url. For example, enter
https://dev.azure.com/your-azure-devops-orgAlternatively, you may enter a custom url that is publicly reachable
Click Save, and then enter the PAT that you generated.
Click Save. Snyk tests the connection values and the page reloads, displaying the Azure Repos integration information. A message to confirm that the details were updated appears at the top of the screen.
If the connection to Azure fails, a notification appears under the Azure Repos card title.
Add Projects to Snyk for Azure Repos
Snyk tests and monitors Azure Repos by evaluating root folders and custom file locations for the languages that Snyk supports.
To add a default Project:
In Snyk, navigate to Projects > Add projects.
Choose the relevant repository or tool from which to import your projects. The available repositories for the integration you chose are displayed in a new window.
Select the repositories that you want Snyk to monitor for security and license issues.
To import all the repos for a specific Organization, check the Organization.
Click Add selected repositories. Snyk scans the entire file tree for dependency files and imports them to Snyk as Projects.
Adding custom file locations and excluding folders
Add a custom file location
Use this procedure to add an Azure Repository dependency from a non-default path.
In Snyk, navigate to Projects > Add projects > Azure repos > Settings.
Open the Add custom file location (optional) list and select a repository... to configure a custom path.
In the text field, enter the
relative path for the manifest file location.
The relative path field is case-sensitive.
Exclude folders from import
The optional Exclude folders field is case-sensitive. The pattern you enter is applied to all the Azure repositories.
Confirming the repository import
After repositories are imported, a confirmation appears in green at the top of the screen. The selected files are marked with a unique icon and named by Organization and repository. You can filter to view only those Projects, as shown in the example that follows:
The Azure Repository integration works like the other Snyk Git integrations. To continue to monitor, fix, and manage your Projects, see the Projects documentation.
Last updated
