Configure Pull Request Checks

Release status

PR Checks for Snyk Code are in Closed Beta and available only for Enterprise plan users. If you want to set it up in your Organization, contact your Snyk account team. For more information, see Plans and Pricing.

Prerequisites for automated PR Checks

To check for open-source and licensing issues and code security, ensure that you have established the following:

You have the Group Admin role so you have access to all integration settings. See Member roles.
You have set up a Git repository integration. For help, see the Snyk Learn course Source code manager configuration.
Import a Project to have a working Git repository.
For code security (Snyk Code), meet all of the above conditions and then contact your Snyk representative to enable the feature for you.

PR Checks rely on webhooks from the SCM. Integration scope must include the ability to create webhooks.

A PR Check is counted as a test within your Organization's test count, including automatic checks of new commits in an open pull request. See What counts as a test. The number of tests allowed is determined by the pricing plans.

Types of Snyk scans supported

You can analyze the changed code with PR Checks as follows:

(Closed Beta) Snyk Code: Source code changes result in a vulnerability that exceeds a specified threshold. A full scan of the repository is done to determine if there are new vulnerabilities.
Snyk Open Source: Snyk analyzes dependency manifest or supported files for known security vulnerabilities that meet a threshold, such as exceeding severity, or checks to determine whether a fix is available.
Open Source license check: Snyk validates package licenses against the configured policy for license policy violations.

PR Checks also support all programming languages and frameworks supported by the Snyk Code and Open Source engines. For more information, see programming language support for Snyk Code and Open Source.

How configuration of PR Checks works

You can configure PR Checks either at the Integration level for your Snyk Organization or for specific Snyk Projects in an Organization.

In your Organization, you can have multiple repository integrations, but the feature works only for those integrations that have PR Checks configured.
At the Project level, the settings are inherited from the integration by default, but you can configure custom settings.

Configure PR Checks at the integration level

Configure PR Checks for a specific Git repository you have already integrated with Snyk, such as a GitHub repository.

The configuration settings apply to all Projects in that Organization. You can also extend the configuration to Projects with custom settings.

In the Snyk Web UI, navigate to Settings > Integrations and select your connected source code manager to open the settings configuration.
To check for code issues, configure and save the following changes:

Code Analysis: Enable this option to fail the PR on new vulnerabilities detected in your Git repository. If the severity is higher than your threshold, the PR is not merged into the main branch.
Fail conditions: Select the severity threshold at which the PR fails. For example, if you select Medium, the PR fails on issues found at this level or higher, while it is merged for Low severity issues.

If you cannot see the Code Analysis section, ensure that your user has the Group Admin role assigned and that the feature is enabled for Snyk Code. See the Prerequisites.

To check for open-source and licensing issues, configure and save the following changes:

Open Source Security & Licenses: Enable this option to fail the PR when open-source and licensing issues found in the proposed changes exceed your specified severity threshold. If the severity is higher than your threshold, the PR is not merged into the main branch.
Fail conditions: Select one of the following PR failure conditions based on the security issues distribution.
- Only fail when the PR is adding a dependency with issues: Set this condition to fail PR when there is at least one dependency with security issues.
- Fail if the repo has any issues: Set this condition to fail a PR for any security issues found in the Git repository.
Only fail for high or critical severity issues: Select additional failure conditions based on the severity threshold.
Only fail when the issues found have a fix available: Set this condition on for the PR check to fail when the PR introduces new vulnerabilities that are fixable by Snyk. PR checks don't fail on newly introduced vulnerabilities if Snyk is unable to fix them.

When switched on, this will cause the PR check to fail when the PR introduces new vulnerabilities that are fixable by Snyk. PR checks will not fail on newly introduced vulnerabilities if Snyk is unable to fix them.

Either click Save to save the changes, select the Save dropdown and click Apply changes to all overridden Projects to extend the current configuration to Projects with custom settings. For more information, see Configure PR Checks at the Project level.

Configure PR Checks at the Project level

You can configure PR Checks to work only for specific Projects:

Navigate to Projects and expand the target containing your Project.
Click a Project name to open it. Based on the Project type, you can choose the following:

package.json to check for open-source and licensing issues.
Code analysis to check for security issues in your code.

Navigate to Settings.
On the left side, select your integration. For this example, GitHub has been integrated with Snyk.
Configure Project settings based on your Project type:

Configure for open source and licensing issues (click to expand)

In Snyk test for pull request select Custom to configure the settings.
Enable the option to fail the PR when open-source and licensing issues found in the proposed changes exceed your specified severity threshold.
Configure the following settings:

Fail conditions: Select one of the following PR failure conditions based on the security issues distribution.
- Only fail when the PR is adding a dependency with issues: Set this condition when there is at least one dependency with security issues.
- Fail if the repo has any issues: Set this condition for any security issues found in the Git repository.
Only fail for high or critical severity issues: Select additional failure conditions based on the severity threshold.
Only fail when the issues found have a fix available: Set this condition on or more if the issues found have a dependency or package with a version in which the issue is fixed.

Update Snyk pull request settings to save changes.

Configure for code analysis (click to expand)

In Snyk Code for pull request select Custom to configure the settings.
Enable this option to fail the PR when the security issues found in the proposed changes exceed your specified severity threshold.
Configure the following settings:

Minimal severity to fail PR check: Select the severity threshold at which the PR fails. For example, if you select Medium, the PR fails on issues found at this level or above, while it is merged for Low severity issues.

Update Snyk pull request settings to save changes.

PreviousPull Request Checks NextAnalyze PR Checks results

Last updated 21 days ago