Manage code vulnerabilities
Prerequisites for managing code vulnerabilities in Snyk Web UI
Before managing vulnerabilities with Snyk Code, ensure the following:
You have completed the Quickstart.
Your repositories contain code in a supported language and platform.
You have configured Snyk Code.
How Project testing for Snyk Code works
Each time a Project is tested, Snyk Code takes a snapshot of the repository in its current state and analyzes it to find vulnerabilities. All the files that contain source code that Snyk Code can analyze are aggregated in the Code analysis.
When you import a repository, Snyk creates a Target folder that contains different Snyk Projects based on the file types present in the repository. The name of the Target folder includes the repository name, the integrated Git repository account name and its icon, and the number of Snyk Projects created for the repository. See View your first Snyk Projects.
Snyk Code creates a single Project for all the imported files from a repository. This aggregates vulnerabilities detected in the repository code into one Project, presenting the data flow of a vulnerability issue across multiple files.
Automate importing multiple repositories using the API endpoint Import targets.
Code testing from import to retest
The following provides an overview of the testing process in Snyk Code based on the testing phases.
Phase | Description |
---|---|
Performed when you import a repository. | |
Automatically performed when you schedule them. | |
Performed on demand when you select Retest now. |
Retesting code repository
If you want to check for the most recent vulnerabilities in your repository, you can do a manual test by selecting the Retest now option. This will trigger Snyk Code to take a fresh snapshot of your repository and analyze its source code files. The results will then be displayed on the Code Analysis page. Take into consideration that Snyk counts a manual test as a new test. See What counts as a test?
You can also use the Retest now option to apply the exclusion rules of the .snyk
file to an imported repository. See Exclude directories and files from Project import.
Project filters
The Projects page on Snyk Web UI has a filter pane that categorizes Snyk Projects and shows the number of matching Projects for each criterion. See Project information.
The Grouping by File or Vulnerability Type feature offers the following additional options:
Grouping by File: This option helps identify specific files that contain multiple vulnerabilities, enabling you to focus on problematic files that may need more rigorous review or refactoring.
Grouping by Vulnerability Type: This option categorizes vulnerabilities by their type, such as SQL Injection or Cross-Site Scripting (XSS), assisting in addressing the most prevalent types of vulnerabilities within your codebase.
Refer to the respective sections in the Snyk User Documentation for detailed examples and usage scenarios.
Vulnerability issues
You can change the display of the issues on the Code analysis page using the following options:
Group by File or Vulnerability Type
Identify problematic files with multiple issues or address frequent vulnerability types. Use these filtering options to determine where vulnerabilities are likely to cluster together.
Sort by Severity level
Sort vulnerability issues by displaying those with the highest severity levels first, followed by those with lower severity levels.
Filter vulnerabilities by criteria
Filter discovered vulnerability issues according to different criteria shown in the following table.
Vulnerability issue filter | Description |
---|---|
Show issues with a certain severity level. Snyk Code uses only High, Medium, and Low severity levels, without Critical. | |
Show issues in a certain priority score range. | |
Status | Show Open issues or issues that were Ignored. |
Show issues that were discovered in code files that were written in a specific language. Only programming languages discovered in the analyzed repository are displayed in the Filter pane. | |
Show issues with a certain Vulnerability Type. See Snyk Code security rules. |
Scan for code vulnerabilities
To scan your repositories and manage code vulnerabilities, you can check the following actions.
View vulnerabilities in a repository
Log in to the Snyk Web UI and select your Group and Organization.
Navigate to the Projects and select the Target folder containing your repository's Projects.
Open Code analysis Project to see all vulnerability issues detected by Snyk Code.
To understand the results, see Breakdown of Code analysis.
Import additional repositories
If you have existing Projects in your Snyk account, you can add additional repositories for Snyk to test. See Import repository to Snyk.
Remove repositories from testing
You can remove the Code analysis Project or delete imported repositories if you no longer need to test them for vulnerabilities. See Remove imported repository.
Exclude directories and files
To exclude specific files and directories from being imported by Snyk Code, you need to create a .snyk
YAML policy file in your repository. See Exclude directories and files from Project import.
You can specify directories to exclude from the import process using the Exclude dialog box when you import repositories through Git repository. However, this feature is only supported for open-source dependency scans (SCA).
Open repository external link
To access the repository on the integrated Git repository platform, navigate to the Code analysis Project and select the name of the repository.
View Project history
The result history is shown on the History page of the Code Analysis Project. This page displays the snapshots taken when a test was performed. You can review Snyk Code test results for all the testing phases. See Code testing from import to retest.
On the History page, only two distinct snapshots are displayed. A snapshot is deemed unique if either the repository or its associated vulnerability findings have altered since the last assessment, resulting in a snapshot that showcases these changes. If there have been no changes in the repository or the vulnerability results since the last test, the new snapshot will replicate the prior one. Consequently, this will be listed as an additional test run on the History page. This means while the page may present multiple test entries, only up to two will feature distinct results.
To view Project history:
Log in to the Snyk Web UI and select your Group and Organization.
Navigate to the Projects and select the Target folder containing your repository's Projects.
Open Code analysis Project and navigate to History.
Select a test from the list to view the Project historical snapshot.
(Optional) Select View most recent snapshot. This option is not available when the most recent snapshot is open.
Manage Project settings
Manage Project settings as follows:
Schedule recurring tests: Configure Test & Automated Pull Request Frequency.
Retrieve the Project ID: Retrieve the unique identifier for the Project.
Deactivate Project: Temporarily disable the Project without deleting any data.
Delete the Project: Permanently remove the Project and all associated data.
What's next?
Last updated