CI/CD adoption and deployment
When deciding to use a Snyk integration, compare the advantages of source control management (SCM) integrations and CI/CD integrations. See SCM (Git) and CI/CD integration deployment intro.
Developer teams typically adopt Snyk in stages, as described below.
A typical approach is using Snyk results to expose vulnerabilities during the development process. This increases visibility of vulnerabilities among members of your team.
When you first implement Snyk in your pipeline, using only the snyk monitor command is recommended. If you use one of the Snyk CI plugins, configure the plugin so that it does not fail the build. All projects have vulnerabilities, so as soon as Snyk is set to fail the build, every build fails because of Snyk, and your team can quickly be overwhelmed by failure messages.
Using snyk monitor to expose results provides information without disrupting processes. Using Snyk as a gatekeeper prevents the introduction of new vulnerabilities (sometimes known as "stopping the bleeding").
After your teams understand the vulnerabilities in their applications and have a process for fixing them early in the development cycle, you can configure Snyk to fail your builds so that new vulnerabilities are not introduced into your applications.
Add snyk test to your build, or enable the fail functionality in your plugin, to make Snyk fail your builds and print the results to the console. Your developers or DevOps teams can use the results to decide whether to stop or continue the build. After you configure Snyk to fail the build when vulnerabilities are detected, you can also configure Snyk to send a snapshot of each successful build to Snyk for ongoing monitoring.
To do this, configure your pipeline to run snyk monitor only if snyk test returns a successful exit code.

All of these methods provide the same results, because they all rely on the same Snyk engine, so the same arguments and options apply regardless of the deployment method you select. There are various ways to configure Snyk within your pipeline; choose a method depending on your environment and preference. You can expect all methods to lead to a successful run.
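The staged rollout described above (monitor only, then snyk test as a gate, then snyk monitor only after a passing test) as a set of CI step functions. This is an added example, not code from the Snyk documentation; SNYK_BIN and SNYK_STAGE are assumed variables, and the exit codes handled are those the snyk test command documents (0 no vulnerabilities, 1 vulnerabilities found, 2 failure, 3 no supported projects).

```shell
#!/bin/sh
# Added example, not from the Snyk documentation: the staged rollout as CI
# step functions. SNYK_BIN and SNYK_STAGE are assumed variables; SNYK_BIN
# defaults to the real CLI and can point at a stub for a dry run.
: "${SNYK_BIN:=snyk}"

# Stage 1, report only: upload a snapshot so the team can see results in the
# Snyk UI. The exit status is ignored on purpose so the build never fails here.
snyk_report_only() {
  "$SNYK_BIN" monitor "$@" || echo "snyk monitor failed (ignored during rollout)" >&2
  return 0
}

# Stage 2, gatekeeper: fail the build when `snyk test` finds vulnerabilities,
# and only snapshot builds that passed, so ongoing monitoring tracks clean builds.
# snyk test exit codes: 0 no vulnerabilities, 1 vulnerabilities found,
# 2 CLI failure (auth, network, unsupported manifest), 3 no supported projects.
snyk_gate() {
  "$SNYK_BIN" test "$@" && rc=0 || rc=$?
  case "$rc" in
    0) "$SNYK_BIN" monitor "$@" || rc=$? ;;   # clean build: record the snapshot
    1) echo "snyk: vulnerabilities found, failing the build" >&2 ;;
    2) echo "snyk: CLI failure, fix the pipeline before trusting results" >&2 ;;
    3) echo "snyk: no supported projects found in the working directory" >&2 ;;
    *) echo "snyk: unexpected exit code $rc" >&2 ;;
  esac
  return "$rc"
}

# Entry point for the pipeline: switch stages with SNYK_STAGE=report|gate, so
# moving from visibility to enforcement is a one-variable change per pipeline.
snyk_step() {
  case "${SNYK_STAGE:-report}" in
    report) snyk_report_only "$@" ;;
    gate)   snyk_gate "$@" ;;
    *) echo "snyk: unknown SNYK_STAGE '${SNYK_STAGE}'" >&2; return 2 ;;
  esac
}
```

Any extra arguments (for example a project path or CLI options) are passed through unchanged to both snyk test and snyk monitor, so the snapshot describes the same project that was tested.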
Snyk native plugins are available for most common CI/CD tools. Using these plugins is the easiest way to set up and get started. The plugins include the most common parameters and options in the user interface (UI).
To install the Snyk CLI with npm in your pipeline, follow steps similar to those for installing the CLI locally. You must be able to run an npm command in the pipeline script. This method has the advantage of aligning completely with the CLI experience, so you can troubleshoot and configure it easily.
The advantage of the binary setup is that it has no dependency on the local environment. For example, it is useful if you cannot run an npm command in your pipeline. Snyk provides binaries for Linux, Windows, and other platforms.
This repository shows examples of binary and npm integrations for various CI/CD tools: CI/CD examples.