PR Checks for Snyk Open Source
Snyk runs a live test on the branch with the pull request, before and after. This means the build fails only if a vulnerability is detected as introduced by the pull request.
Introduced Vulnerability | Main Branch Vulnerability | PR Check Result |
---|---|---|
Yes | Yes | Fail ❌ |
Yes | No | Fail ❌ |
No | Yes | Pass ✅ |
No | No | Pass ✅ |
Any (overridden) | | Pass ✅ |

Testing PRs for newly introduced vulnerabilities takes place in the CI/CD pipeline.
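A sketch of the before/after comparison that the table above describes, added here as an example and not Snyk's own implementation. It assumes both test results are JSON reports with a `vulnerabilities` array (the shape of `snyk test --json` output) and that a finding is identified by issue id plus package name; the sample reports and issue ids are constructed.

```python
import json

# Constructed sample findings, shaped like the "vulnerabilities" array of
# `snyk test --json` output (assumed fields: id, packageName, severity).
BASE_JSON = '''{"vulnerabilities": [
  {"id": "SNYK-EXAMPLE-0001", "packageName": "libfoo", "severity": "high"}
]}'''
PR_JSON = '''{"vulnerabilities": [
  {"id": "SNYK-EXAMPLE-0001", "packageName": "libfoo", "severity": "high"},
  {"id": "SNYK-EXAMPLE-0002", "packageName": "libbar", "severity": "medium"}
]}'''


def finding_keys(report_json):
    """Return the set of (issue id, package) pairs in one test report."""
    report = json.loads(report_json)
    return {(v["id"], v["packageName"]) for v in report.get("vulnerabilities", [])}


def pr_check(base_json, pr_json, overridden=False):
    """Apply the table: fail only on findings absent from the base branch."""
    base, pr = finding_keys(base_json), finding_keys(pr_json)
    introduced = sorted(pr - base)   # new in the PR: these fail the check
    inherited = sorted(pr & base)    # already on the main branch: ignored
    if overridden:                   # "Any (overridden)" row: always passes
        status = "pass"
    elif introduced:                 # rows 1 and 2: the PR introduced something
        status = "fail"
    else:                            # rows 3 and 4: nothing new in the PR
        status = "pass"
    return {"status": status, "introduced": introduced, "inherited": inherited}


if __name__ == "__main__":
    for label, args in [
        ("new issue in PR", (BASE_JSON, PR_JSON)),
        ("only inherited issues", (BASE_JSON, BASE_JSON)),
        ("overridden", (BASE_JSON, PR_JSON, True)),
    ]:
        print(label, "->", pr_check(*args))
```

When a check fails unexpectedly, the `introduced` list is the part to compare against the security check output.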
There are two main troubleshooting situations to diagnose for Snyk's PR checks.
- 1.
- 2. Failed when it should have passed: Check the security check output.
When SAST issues are found in your PR, Snyk Code provides additional details on each detected issue and offers fix examples to help you develop secure code. By clicking the discovered issues or the link next to them in your SCM, you can open the Snyk Web UI and view the full details of each discovered vulnerability in your PR.
If you want to pass PRs that automatically failed because of vulnerabilities found in them, Snyk Code also lets you mark failed PRs as successful in the Snyk Web UI. Once you click the Mark as successful in SCM button in the Web UI, your failed PRs are considered successful in the SCM and can be merged into the target branch.
The Automatic PR Checks feature is applied only to repositories imported to Snyk from the integrated SCM. However, after the initial import, any new file or folder added to the imported repositories is included in the automatic PR Checks. The Automatic PR Checks feature can be enabled for your integrated SCM on the level of an entire Organization or on the level of a specific Project.
Every PR check counts as a “test” in the test count of the related Organization. New commits to an open PR branch are also checked automatically, so these commit checks are also counted as “tests”.
The workflow of using the PR Checks feature is the same as it is for Snyk Code: