Level 1: Configure Snyk AppRisk and set up integrations

Start onboarding Snyk AppRisk by identifying all code-based assets in your inventory and detecting which of those assets already have security controls set up.

Access Snyk AppRisk

You can access Snyk AppRisk from the Snyk Web UI.

  • Access Snyk AppRisk from the Group level of your Snyk account.

  • Ensure you have Group Admin access.

  • Access a Group that has Snyk AppRisk enabled.

Set up integrations

After you confirm that you can access Snyk AppRisk, start building your asset inventory by setting up the integrations.

Snyk scan data is imported automatically within two hours of enabling Snyk AppRisk.

You can access and configure the integrations from the Integrations view. Select the Integration Hub option to see the list of all available integrations. You can find more details about integration configuration in the Using the Integration Hub section.

By default, the Integrations view shows the configured Snyk integrations. Each integration has a status of Connected or Not connected, depending on whether the corresponding content has been imported into Snyk.

You can configure the Integrations view to suit your needs: customize an existing integration or connect a new SCM integration.

After you click Integration Hub, a list of the available integrations is displayed. You can add one or more profiles for each integration.

SCM integrations

Use the Snyk AppRisk Integrations Hub to configure your SCM integrations. Note that this is a distinct integration interface dedicated to Snyk AppRisk, separate from the Organization integrations interface.

In each Snyk Organization, administrators can issue tokens with limited access to the applications developers use.

The token used by Snyk AppRisk serves a different purpose: it provides an overview of the assets that exist in the SCM so they can be compared with what has been imported into Snyk. The inventory is only as complete as that token's access, so use a token for an identity that can read every repository you want to appear in the inventory.

The supported SCM integrations are:

  • GitHub

  • GitLab

  • Azure DevOps (Azure Repos)

  • BitBucket

Navigate to the Connect an SCM integration page for more details about the supported SCM integrations.

Brokered SCM integration

When setting up Snyk Broker for Snyk AppRisk, decide whether to stand up a new Broker or reuse an existing Snyk Broker connection by asking:

  • Are you hitting any API Rate Limit issues?

  • Do you need to update the SCM token to a user that has access to all relevant SCM repositories?

  • Do you have more than 1000 repos?

If you answered Yes to any of these questions, deploy a new Snyk Broker dedicated to the Snyk AppRisk SCM connection.

Snyk recommends creating a new Snyk Organization specifically for the Snyk AppRisk Broker.

Navigate to the Snyk Broker - AppRisk page for more details about installing and configuring Snyk AppRisk using Snyk Broker.

Third-party integrations

Set up your third-party integrations from the Snyk AppRisk Integration Hub. As with SCM integrations, this is a distinct integration interface dedicated to Snyk AppRisk, separate from the Organization integrations interface. Whereas Organization administrators issue tokens with restricted access to the applications developers use, the token used by Snyk AppRisk provides an overview of the assets that exist in the third-party tool so they can be compared with what is imported into Snyk.

The supported third-party integrations are:

  • Veracode

  • Nightfall

Backstage file for SCM Integrations

Backstage is a service catalog that lets users add metadata or annotations to their repositories, organizing and categorizing the available resources for easier navigation and understanding. You can use your SCM integration to pull the metadata in Backstage catalog files from your repositories into Snyk AppRisk.

You can use the Backstage catalog file for GitHub, GitLab, Azure DevOps, BitBucket Cloud, and BitBucket on-prem SCM integrations.

Access the Backstage file for SCM Integrations docs for more details about how to use this feature.
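As an added example (not taken from the Snyk documentation), this is a minimal Backstage catalog file, catalog-info.yaml, placed at the root of a repository. The field names follow the standard Backstage catalog format; the repository, owner, and system names are placeholders. This page does not state which of these fields Snyk AppRisk maps to asset attributes, so check the linked Backstage docs before relying on a particular field.

```yaml
# catalog-info.yaml at the repository root (placeholder names; added example)
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: payments-api
  description: Public REST API for card payments
  annotations:
    # Ties the catalog entry to the SCM repository that hosts it
    github.com/project-slug: example-org/payments-api
  tags:
    - python
    - pci
spec:
  type: service
  lifecycle: production
  owner: team-payments
  system: payments
```

Keeping the owner and lifecycle fields accurate matters more than the rest: ownership is what lets a coverage gap be routed to a team, and lifecycle is the usual basis for deciding which repositories a coverage policy should apply to.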

Features

The Snyk AppRisk functionality is split across several menu options at the Group level.

Inventory view

The Inventory view is structured in four sections, each focused on a specific area:

  • Code assets: provides a list of all your repository assets and the package assets found in those repositories. Navigate to the Inventory capabilities page for a detailed overview of all options available in the Code assets view and to the Filters capabilities page for more details about the filtering options and how to use them.

  • Organization teams: provides a list of the repository assets grouped by team. Only SCM organizations that have teams, with repositories assigned to a team, appear in this layout.

  • Technology: provides a list of the repository assets grouped by technology, as detected and tagged by Snyk AppRisk.

  • Type: provides a list of all the discovered assets, grouped by their type.

If you are using Snyk AppRisk for the first time, Snyk recommends that you first use the Coverage filter to determine where you currently have Snyk implemented. Then use the Coverage Gap filter to identify the assets that do not meet the coverage requirements set in a Set coverage control policy.

You can use the Coverage Gap filter to:

  • Find any asset that does not comply with the Set coverage control policy requirements.

  • Find any asset that does not meet the coverage requirements for Snyk Open Source, Snyk Code, or both.

Tags

You can use tags to categorize the assets. You can use tags in multiple ways:

  • Automatic tags: Snyk AppRisk automatically tags repository assets with the technologies used in the repository (Python, Terraform, and so on) and with the repository's latest update activity. You can also use policies to tag repository and package assets. GitHub and GitLab topics can also be pulled from the repository and applied as asset tags in Snyk AppRisk.

BitBucket cannot automatically detect the language used in the source code of a repository, so for BitBucket repositories Snyk AppRisk shows only the language tags that were added manually. For more information, see the official BitBucket documentation.

  • User-defined tags: you can set up custom tags through policies to categorize your assets beyond the system-generated tags. See the Create policies page for more details.

Dashboard

You can use the dashboard for a quick overview of your application and security controls. Use the default widgets and customize the displayed information as needed, or add new widgets that meet your needs. See the Dashboard for Snyk AppRisk page for more details.

Here are the available dashboard widgets:

  • SAST coverage: check which repositories are or are not covered by Snyk Code and Snyk Infrastructure as Code.

The SAST coverage widget uses an OR statement, meaning that a repository counts as covered for SAST if it is covered by Snyk Code or by Snyk Infrastructure as Code (or both).

  • SCA coverage: check which repositories are or are not covered by Snyk Open Source and Snyk Container. You can edit the widget to show only Snyk Open Source coverage or only Snyk Container coverage.

The SCA coverage widget uses an OR statement, meaning that a repository counts as covered for SCA if it is covered by Snyk Open Source or by Snyk Container (or both).

  • Repository breakdown by source: check which repositories Snyk AppRisk discovered through the SCM integrations (Azure DevOps (Azure Repos), GitLab, GitHub, BitBucket). The Others category contains repositories that Snyk discovered but did not correlate back to an SCM repository.

  • Technology breakdown: check the top technology (language) tags of the repositories that Snyk discovered.

  • Asset breakdown by type: check whether each asset is a repository or a package.

  • Repository activity: check whether each repository is active, inactive, or dormant.
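The OR semantics of the SAST and SCA coverage widgets above differ from the AND semantics of a Set coverage control policy behind the Coverage Gap filter: a repository can count as covered in a widget and still be a coverage gap. The following added example, written for this page rather than taken from Snyk's code, makes that difference visible on a small constructed inventory. The repository names, tags, sources and control sets are made up, and the per-tag scoping of the policy is an assumption about how such a policy is typically conditioned, not a description of the Snyk policy editor.

```python
"""Coverage and coverage-gap checks over a repository asset inventory.

Added example, not Snyk code: it reproduces the OR semantics of the SAST and
SCA coverage widgets and the AND semantics of a coverage control policy on a
small, constructed inventory so the difference between the two is visible.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RepoAsset:
    name: str
    source: str                         # integration that discovered the repository
    tags: frozenset = frozenset()       # automatic or user-defined asset tags
    controls: frozenset = frozenset()   # Snyk products that have scan results for the repo


# Control groups as the dashboard widgets combine them (from the page).
SAST_CONTROLS = frozenset({"Snyk Code", "Snyk Infrastructure as Code"})
SCA_CONTROLS = frozenset({"Snyk Open Source", "Snyk Container"})

# Constructed sample inventory: repository names, tags and controls are made up.
# "Others" stands for a repository Snyk found but could not correlate to an SCM.
INVENTORY = (
    RepoAsset("payments-api", "GitHub", frozenset({"Python", "production"}),
              frozenset({"Snyk Open Source", "Snyk Code"})),
    RepoAsset("infra-modules", "GitHub", frozenset({"Terraform", "production"}),
              frozenset({"Snyk Infrastructure as Code"})),
    RepoAsset("legacy-portal", "GitLab", frozenset({"JavaScript"}), frozenset()),
    RepoAsset("edge-gateway", "GitHub", frozenset({"Go", "production"}),
              frozenset({"Snyk Container"})),
    RepoAsset("docs-site", "Others", frozenset({"JavaScript"}),
              frozenset({"Snyk Open Source"})),
)


def is_covered(asset: RepoAsset, control_group: frozenset) -> bool:
    """Widget semantics: covered if ANY control in the group has results (OR)."""
    return bool(asset.controls & control_group)


def coverage_widget(inventory, control_group):
    """Split repositories into (covered, not_covered) as the coverage widgets do."""
    covered = [a.name for a in inventory if is_covered(a, control_group)]
    not_covered = [a.name for a in inventory if not is_covered(a, control_group)]
    return covered, not_covered


def coverage_gaps(inventory, required: frozenset, scope_tag: Optional[str] = None):
    """Policy semantics: EVERY required control must be present (AND).

    Returns {repo name: sorted missing controls} for in-scope repositories that
    fall short. scope_tag limits the check to assets carrying that tag (an
    assumed way of conditioning a policy on asset tags); None checks all assets.
    """
    gaps = {}
    for asset in inventory:
        if scope_tag is not None and scope_tag not in asset.tags:
            continue
        missing = required - asset.controls
        if missing:
            gaps[asset.name] = sorted(missing)
    return gaps


def breakdown_by_source(inventory):
    """Count repositories per discovering integration (the source widget)."""
    counts = {}
    for asset in inventory:
        counts[asset.source] = counts.get(asset.source, 0) + 1
    return counts


if __name__ == "__main__":
    print("SAST widget:", coverage_widget(INVENTORY, SAST_CONTROLS))
    print("SCA widget: ", coverage_widget(INVENTORY, SCA_CONTROLS))
    # A policy requiring both SCA and SAST on production repositories.
    policy = frozenset({"Snyk Open Source", "Snyk Code"})
    print("Gaps (production):", coverage_gaps(INVENTORY, policy, scope_tag="production"))
    print("By source:", breakdown_by_source(INVENTORY))
```

Note what the sample shows: infra-modules is counted as SAST-covered by the widget because Snyk Infrastructure as Code has results for it, yet it is a coverage gap under a policy that requires Snyk Code, and edge-gateway is SCA-covered via Snyk Container while missing Snyk Open Source. Read the widgets as a rough picture of where Snyk is implemented and rely on the Coverage Gap filter for what actually needs fixing.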


© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.