Artifactory Gatekeeper Plugin

Feature availability This feature is available only with Enterprise plans. For more information, see plans and pricing.

With the Snyk plugin for Artifactory, you can scan your artifacts for open-source vulnerabilities and license issues.

After the plugin is installed, it runs in the background and can do the following automatically:

Add vulnerability and license issue counts from Snyk as properties in an artifact
Block developers from downloading packages with vulnerability and license issues according to a configured threshold

By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk Artifactory Gatekeeper Plugin enables you to track and identify issues that are risks to your application security more quickly and to avoid using those artifacts in your Projects.

This page refers to the Artifactory Plugin, an independent piece of software that is installed on the Artifactory machine and serves as a gatekeeper, blocking vulnerable packages from being downloaded from the Artifactory instance.

This plugin is separate from the Artifactory Registry for Maven, a Snyk integration that allows configuring SCM scans to use custom package registries.

Package managers supported by the Artifactory Plugin

npm
Maven (.jar files)
Gradle (.jar files)
sbt (.jar files)
pip (PyPi)
CocoaPods
Ruby Gems
Nuget

Prerequisites for the Artifactory plugin

Snyk Enterprise Account
Artifactory Version 7.4.3 and higher

Data exchanged between Artifactory and Snyk

Artifactory transmits the package name and version to the test endpoint at the Snyk API instance. In the header, the authorization token is transmitted.

If the Artifactory installation is configured to use a proxy, Snyk will automatically use it too. Potentially, there could be an issue if the proxy is an authenticated or Kerberos proxy, but a standard, unauthenticated, forwarding proxy should work if the Artifactory installation and its underlying JVM are configured correctly with a proxy.

Snyk calls https://api.snyk.io/v1/test for the right packager manager with the right name and version.

Installation of the Artifactory Plugin

Log in to your Snyk account.
Select Settings > General to locate, copy, and save the following:
1. Service account token or Organization API token
2. The Organization ID for any one of your organizations
Navigate to the Snyk Artifactory plugin repo in GitHub and then to Releases.
From the most current release, expand the Assets section to download the artifactory-snyk-security-plugin-<version>.zip archive.
Extract the archive. It should have the following structure: plugins (directory) followed by
- snykSecurityPlugin.groovy — plugin
- snykSecurityPlugin.properties — plugin configuration
- lib (directory)
  - artifactory-snyk-security-core.jar - plugin library
  - snykSecurityPlugin.version - plugin version
Open snykSecurityPlugin.properties in a text editor.
1. Set the API Token and Organization ID from the earlier steps as snyk.api.token and snyk.api.organization respectively.
2. Configure the rest of the properties as needed or leave them as defaults. See the section Plugin configuration.
3. For a full list of properties, view the properties file on GitHub.
Place all the files under $JFROG_HOME/artifactory/etc/artifactory/plugins.
Restart your Artifactory server. Note that Refresh now or Reload is not sufficient. Artifactory must be restarted.
Log in to your Artifactory instance and navigate to the System Logs to check that Snyk has been installed successfully.

How the Artifactory plugin works

Whenever a download is requested from an Artifactory remote repository, whether from a package manager or a URL, Snyk automatically scans the artifact for vulnerabilities and license issues. The issues found by Snyk are persisted as artifact properties. Access to the package is later controlled according to these properties, and in line with severity thresholds set in the plugin config.

Depending on the configuration, the plugin can periodically re-scan packages to keep the issue metadata up to date.

The plugin only works with remote repositories. It does not scan locally stored artifacts, but instead queries the Snyk API with the meta-information about the artifacts. Therefore, only published artifacts of the proxied remote repository can be examined by the Snyk Artifactory plugin.

To view details about the download status, open the System Logs.

If a scan finds issues, based on your configuration, the download request can be blocked with an HTTP status code "403 Forbidden".

You can find the results of a scan under the artifact properties, where you can decide to ignore the issues and allow downloads. To find the artifact, use the Artifactory search bar or navigate the tree view.

Plugin configuration

Plugin configuration is loaded from this file: $JFROG_HOME/artifactory/etc/artifactory/plugins/snykSecurityPlugin.properties. For changes in this file to take effect, Artifactory must be restarted.

Parameter

Default value

Description

snyk.api.token

Service account token or Organization API token

snyk.api.organization

The Organization ID for any one of your Snyk organizations

snyk.api.url

https://api.snyk.io/v1/

Snyk API base URL

snyk.scanner.test.continuously

false

Decides whether the plugin should periodically refresh vulnerability data from Snyk or filter access according to results obtained while the package was first requested. Without the continuous mode, new vulnerabilities aren't reported for a package that has already been allowed through the gatekeeper.

snyk.scanner.frequency.hours

168

Scan result expiry (continuous mode only). When the most recent scan was made within this time frame, filtering respects the previous result. Beyond that time, a new Snyk Test request is made. When this property is set to 0, the plugin triggers a test each time an artifact is accessed.

snyk.scanner.vulnerability.threshold

low

Global threshold for vulnerability issues. Accepted values: "low", "medium", "high", "critical", "none"

snyk.scanner.license.threshold

low

Global threshold for vulnerability issues. Accepted values: "low", "medium", "high", "critical", "none"

For a full list of properties, view the properties file on GitHub.

Artifact properties

These are the properties set by the plugin on scanned artifacts. Artifact access is allowed or forbidden depending on the values of these properties.

Property

Description

snyk.test.timestamp

Date and time when the artifact wast last scanned by Snyk.

snyk.issue.url

This is the URL to the Snyk database and explanation of the vulnerability, including specific details about vulnerable versions, available upgrades, and Snyk patches.

snyk.issue.vulnerabilities

Regardless of the thresholds configured, this row displays vulnerability summary scan results.

snyk.issue.vulnerabilities.forceDownload

When true, allows downloads for this artifact even when there are vulnerabilities.

snyk.issue.vulnerabilities.forceDownload.info

Use this field to provide additional information about why the forceDownload is enabled.

snyk.issue.licenses

Regardless of the thresholds configured, this row displays license summary scan results.

snyk.issue.licenses.forceDownload

When true, allows downloads for this artifact even when there are license issues.

snyk.issue.licenses.forceDownload.info

Use this field to provide additional information about why the forceDownload is enabled.

Troubleshooting for the Artifactory Gatekeeper Plugin

You can enable debug logs by modifying your ${ARTIFACTORY_HOME}/var/etc/artifactory/logback.xmlfile and adding the following line:

<logger name="io.snyk" level="debug"/>

Artifactory automatically picks up the new configuration. If this does not happen, restart Artifactory.

PreviousGatekeeper plugins NextNexus Repository Manager Gatekeeper Plugin

Last updated 1 month ago

Was this helpful?