Using Snyk AppRisk
Prerequisites
Before you get started, ensure that you meet the following prerequisites:
You are a Snyk Enterprise customer.
Your account is entitled with access for Snyk AppRisk Essentials or Snyk AppRisk Pro.
You are a Group Administrator for the Group associated with Snyk AppRisk, or you are assigned a Group level role with permissions to View Group and Edit AppRisk.
The Group associated with Snyk AppRisk includes organizations that have onboarded Snyk application security products.
You have the necessary permissions and authority to onboard cloud-based SCM tools (Azure DevOps, GitHub, GitLab, and so on) to Snyk AppRisk for repository asset discovery.
When you integrate a Git code repository with Snyk AppRisk, you should use a secondary token with a broad, complete view of the code repository, not only of what you imported into Snyk. Use a secondary token to have a counterview of everything onboarded using Snyk. Using the secondary token reduces the likelihood of introducing a blindspot from a limited token at the Organization level configuration. The first import, synchronization, can take up to 24 hours to complete.
The following video is an overview of what Snyk AppRisk can offer:
Permissions
You can access Snyk AppRisk with one of the Group level roles permissions described below. To access the permissions, navigate to View groups, then select the Snyk AppRisk permissions option.
View AppRisk - Grants you a read-only access to AppRisk.
Edit AppRisk - Grants you edit access to AppRisk, for example, edit policies, edit asset classification, and add the integration.
A Group Administrator has the Edit AppRisk permission assigned by default, and a Group Viewer has the View AppRisk permission assigned by default.
For more information on default user roles and permissions, see Default user roles.
Login and Authentication
Login and authenticate to Snyk using existing mechanisms (SSO, Google SAML, and so on).
Accessing Snyk AppRisk
Ensure you are at the Group level to access the Snyk AppRisk options. From the Group level you have a centralized security management that enhances security and simplifies security procedures for projects.
The following video presents an overview of the Snyk AppRisk interfaces:
Here are the Snyk AppRisk features available from the Snyk Web UI:
Dashboard - offers you widgets that display an overview of your application and security controls.
Inventory - helps you get better context and clarity over your asset inventory.
Issues - the insights presented on the issues page provide a centralized view of all the issues identified by Snyk with additional asset context.
Policies - allows you to automate the process of adding business context and receiving notifications.
SCM integrations and third-party integrations - provides information about all active integrations, and allows you to set up new ones.
Analytics - enables you to review and explore your AppSec program status and results from a top-down approach.
Key Concepts
Asset: meaningful, real-world components in an application’s SDLC, where meaningful means either carries a risk or aggregates risk of other components (for example, repositories that contain packages) and real-world means that the concept exists outside of Snyk, for example, repository (which is a generally applicable term).
Controls: The security controls associated with the asset. Navigate to the Coverage controls section to see all available statuses for security controls.
Coverage: An assessment of whether applicable assets are scanned and tested by security tools (like Snyk Open Source, for instance), as it relates to an application security program. A type of policy that allows you to specify what controls should be applied and, optionally, how often it needs to be run.
Tags: A way to categorize assets. Helps you recognize or handle assets differently according to mutual properties. Assets can be filtered by their tags in the inventory or when creating policy rules. A tag can be automatically assigned to an asset, or the asset can be tagged by a policy you created. GitHub and GitLab topics are treated as asset tags and you can use them for creating policies.
Class: A way to assign business context to assets and categorize an asset based on the business criticality. Assets can be assigned Classes A, B, C, or D, where Class A (assets that are business critical, deal with sensitive data, subject to compliance, and so on) is the most important and Class D (test apps, sandbox environments, and so on) the least important. Assets are assigned Class C by default. A class can be used in policies as well as defined in a policy.
Policy: A way to automate actions in certain conditions, like classifying and tagging assets with business context. You can also use a policy to configure actions like sending a message or setting the coverage gap control using a Policy builder UI.
Scanning methods
You can initiate a scan from the Web UI, the CLI, the API, or with PR Checks. See Start scanning for more details.
If you initiate your scans using the CLI, you might encounter one of the following situations:
If you have a
.gitfolder available in the directory that the CLI is scanning, then thegit remoteurlis picked up automatically for Snyk Open Source, Snyk Container, and Snyk IaC.
Snyk Code does not automatically pick up the git remoteurl, even if the .git folder is available in the directory scanned by the CLI.
If you do not have a
.gitfolder available in the directory that the CLI is scanning, you can use different test or monitor commands to achieve the same result:snyk monitor, for Snyk Open Sourcesnyk iac test- also requires the--reportcommandsnyk container monitor- momentarily, no options are available.snyk code test- momentarily, no options are available.
The Asset Dashboard menu option is available only for Snyk AppRisk Essentials users.
If you are using Snyk AppRisk Pro, navigate to the Application Analytics page.
Last updated