Create automatic fix PRs for backlog issues and known vulnerabilities

  • Snyk supports backlog issues for GitHub, GitHub Enterprise, and Bitbucket Cloud integrations.

  • The Automatic fix PRs feature is supported for the following integrations: BitBucket Server, BitBucket Cloud, BitBucket Connect, GitHub, GitHub Enterprise, GitLab, and Azure.

  • The Automatic fix PR settings may vary depending on the integration.

  • The fix strategy feature for getting dependency-oriented fixes is in beta.

When Snyk creates automatic PRs for vulnerabilities, the following rules are applied:

  • If you select Retest now for the Project, a scan is run manually, and the 24-hour window is marked as having had a scan run. No automatic PR is created until the next automated scan runs.

  • One pull request is created per Project with a priority score of 700 and above.

  • Pull requests are created based on the Test & Automated Pull Request Frequency settings.

    • To update the Test & Automated Pull Request Frequency, navigate to Projects and select your Open Source Project.

    • Navigate to Settings and select an option from the pulldown list.

To determine when your last 24-hour window began, check the Project issue card for Snapshot taken by recurring test.

For specific scan results, you can also check your inbox for an email titled [snyk] Vulnerability alert.

Configure Automatic fix PRs at the integration level

Follow these steps to configure Automatic fix PRs on a specific Git repository you have already integrated with Snyk, such as GitHub.

Enabling Automatic fix PRs can result in larger version jumps.

The configuration settings apply to all Projects in that Organization. You can also extend the configuration to Projects with custom settings.

  1. Open Snyk Web UI and navigate to Settings > Integrations.

  2. Select a Git repository integration (SCM). For this example, GitHub is configured.

  3. Under Automatic fix PRs, enable Known vulnerabilities (backlog). This retrieves vulnerabilities from the Project's backlog, which have been previously declared.

  1. Select the Fix Strategy for your Backlog PRs.

  • By default, the fix strategy will be a single PR at the vulnerability level. Snyk opens one PR each day for issues in your backlog, fixing the top vulnerability it finds.

  • You can check Fix all vulnerabilities for the same dependency in a single PR. This selects the vulnerability with the highest priority and a fix to resolve it, as well as fixes for other vulnerabilities in the same dependency.

  1. Click Save.

  2. (Optional) Select Save changes and apply to all overridden Projects to extend the current configuration to Projects with custom settings. Use this option to apply the same configuration to all Projects. Selecting this option updates all of the individual Project settings for Automatic fix PRs. For Projects that previously had their own settings for automatic fix full requests, selecting this option overrides the Project setting with the global setting.

Configure Automatic fix PRs at the Project level

You can configure Automatic fix PRs to work only for specific Projects rather than having Projects inherit the settings from the global integration.

  1. Navigate to Projects and expand the target containing your Open Source Project.

  2. Navigate to Settings and select an integration, for example, GitHub.

  3. In the Automatic fix pull requests section:

    • Select Customize for only this project

    • Enable Known vulnerabilities (backlog)

  4. Select the Fix Strategy for your Backlog PRs as described in the Fix strategy step of configuring for integrations.

  5. Click Save changes.

Last updated

More information

Snyk privacy policy

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.