Manage code vulnerabilities

Prerequisites for managing code vulnerabilities in Snyk Web UI

Before managing vulnerabilities with Snyk Code, ensure the following:

How Project testing works for Snyk Code

Each time a Project is tested, Snyk Code takes a snapshot of the repository in its current state and analyzes it to find vulnerabilities. All the files that contain source code that Snyk Code can analyze are aggregated in the Code analysis Project.

When you import a repository, Snyk creates a Target folder that contains different Snyk Projects based on the file types present in the repository. The name of the Target folder includes the repository name, the integrated Git repository account name and its icon, and the number of Snyk Projects created for the repository. See View your first Snyk Projects.

Snyk Code creates a single Project for all the imported files from a repository. This aggregates vulnerabilities detected in the repository code into one Project, presenting the data flow of a vulnerability issue across multiple files.

Automate importing multiple repositories using Snyk API v1 Import targets.

Code testing from import to retest

Here is an overview of the testing process in Snyk Code based on the testing phases.

Testing phases:

  • Performed when you import a repository.

  • Automatically performed when you schedule tests.

  • Performed on demand when you select Retest now.

Retesting code repository

If you want to check for the most recent vulnerabilities in your repository, you can run a manual test by clicking the Retest now option. This triggers Snyk Code to take a fresh snapshot of your repository and analyze its source code files. The results are then displayed on the Code analysis page. Note that Snyk counts a manual test as a new test. See What counts as a test?

You can also use the Retest now option to apply the exclusion rules of the .snyk file to an imported repository. See Exclude directories and files from Project import.

Project filters

The Projects page on Snyk Web UI has a filter pane that categorizes Snyk Projects and shows the number of matching Projects for each criterion. See Project information.

Vulnerability issues

You can change the display of the issues on the Code analysis page using the following options:

  • Grouping by File or Vulnerability Type to identify problematic files with multiple issues or address prevalent vulnerability types.

  • Sorting from the Highest or the Lowest severity level.

  • Filtering discovered vulnerability issues according to different criteria shown in the following table.

Vulnerability issue filters:

  • Severity: Show issues with a certain severity level. Snyk Code uses only High, Medium, and Low severity levels, without Critical.

  • Priority score: Show issues in a certain priority score range.

  • Status: Show Open issues or issues that were Ignored.

  • Language: Show issues that were discovered in code files written in a specific language. Only programming languages discovered in the analyzed repository are displayed in the Filter pane.

  • Vulnerability Type: Show issues with a certain Vulnerability Type. See Snyk Code security rules.

Scan for code vulnerabilities

To scan your repositories and manage code vulnerabilities, you can perform the following actions.

View vulnerabilities in a repository

  1. Log in to the Snyk Web UI and select your Group and Organization.

  2. Navigate to Projects and select the Target folder containing your repository's Projects.

  3. Open the Code analysis Project to see all vulnerability issues detected by Snyk Code.

To understand the results, see Breakdown of Code analysis.

Import additional repositories

If you have existing Projects in your Snyk account, you can add additional repositories for Snyk to test. See Import repository to Snyk.

Remove repositories from testing

You can remove the Code analysis Project or delete imported repositories if you no longer need to test them for vulnerabilities. See Remove imported repository.

Exclude directories and files

To exclude specific files and directories from being imported by Snyk Code, you need to create a .snyk YAML policy file in your repository. See Exclude directories and files from Project import.

You can also specify directories to exclude from the import process using the Exclude dialog box when you import repositories through a Git repository integration. However, this feature is only supported for open-source dependency scans (SCA), not for Snyk Code.

To access the repository on the integrated Git repository platform, navigate to the Code analysis Project and select the name of the repository.
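The following .snyk policy file is an added example, not a sample from the Snyk documentation; the directory and file patterns it excludes (vendor code, test fixtures, generated and minified sources) are assumptions chosen for illustration. It separates exclusions that apply to every Snyk product from exclusions that apply to Snyk Code only, so that SCA scans still see dependency manifests under the same paths.

```yaml
# .snyk policy file placed at the repository root (added example).
# Patterns are globs relative to the repository root; all paths below are
# assumed names for illustration.
version: v1.25.0
exclude:
  # Excluded from every Snyk product that scans this repository.
  global:
    - vendor/**
    - "**/node_modules/**"
  # Excluded from Snyk Code analysis only. Dependency (SCA) scans are not
  # affected, so lockfiles under these paths are still tested.
  code:
    - test/fixtures/**
    - src/generated/**
    - "**/*.min.js"
```

After committing the file, select Retest now on the Code analysis Project so that the new snapshot is taken with the exclusion rules applied.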

View Project history

The result history is shown on the History page of the Code Analysis Project. This page displays the snapshots taken when a test was performed. You can review Snyk Code test results for all the testing phases. See Code testing from import to retest.

The History page lists every test run, but shows at most two distinct snapshots. A snapshot is distinct only if the repository or its vulnerability findings changed since the previous test. If nothing changed, the new snapshot replicates the previous one and is still listed as an additional test run. As a result, the page may show multiple test entries, but only up to two of them contain distinct results.

To view Project history:

  1. Log in to the Snyk Web UI and select your Group and Organization.

  2. Navigate to Projects and select the Target folder containing your repository's Projects.

  3. Open the Code analysis Project and navigate to History.

  4. Select a test from the list to view the Project historical snapshot.

  5. (Optional) Select View most recent snapshot. This option is not available when the most recent snapshot is open.

Manage Project settings

Manage Project settings as follows:
