Snyk supports backlog issues for GitHub, GitHub Enterprise, and Bitbucket Cloud integrations.
The Automatic fix PRs feature is supported for the following integrations: BitBucket Server, BitBucket Cloud, BitBucket Connect, GitHub, GitHub Enterprise, GitLab, and Azure.
The Autofix PR settings may vary depending on the integration.
The fix strategy feature for getting dependency-oriented fixes is in beta. Snyk wants to hear your feedback.
The following rules are applied to automatic PR creation for vulnerabilities:
If you select Retest now for the Project, a scan is run manually, and the 24-hour window is marked as having had a scan run. No automatic PR is created until the next automated scan runs.
One pull request is created per Project with a priority score of 700 and above.
Pull requests are created based on the Test & Automated Pull Request Frequency settings.
To update the Test & Automated Pull Request Frequency, navigate to Projects and select your Open Source Project.
Navigate to Settings and select an option from the pulldown list.
To determine when your last 24-hour window began, check the Project issue card for Snapshot taken by recurring test.
For specific scan results, you can also check your inbox for an email titled [snyk] Vulnerability alert.
Configure Automatic fix PRs at the integration level
Follow these steps to configure Automatic fix PRs on a specific Git repository you have already integrated with Snyk, such as GitHub.
Enabling Automatic fix PRs can result in larger version jumps.
The configuration settings apply to all Projects in that Organization. You can also extend the configuration to Projects with custom settings.
Select a Git repository integration (SCM). For this example, GitHub is configured.
Under Automatic fix PRs enable Known vulnerabilities (backlog). Known vulnerabilities retrieve vulnerabilities from the Project's backlog. These are the previously declared vulnerabilities.
Select the Fix Strategy for your Backlog PRs.
By default, the fix strategy will be a single PR at the vulnerability level. Snyk opens one PR each day for issues in your backlog, fixing the top vulnerability it finds.
You can check Fix all vulnerabilities for the same dependency in a single PR. This selects the vulnerability with the highest priority and a fix to resolve it, as well as fixes for other vulnerabilities in the same dependency.
(Optional) Select Save changes and apply to all overridden Projects to extend the current configuration to Projects with custom settings. Use this option to apply the same configuration to all Projects. Selecting this option updates all of the individual Project settings for Automatic fix PRs. For Projects that previously had their own settings for automatic fix full requests, selecting this option overrides the Project setting with the global setting.
Configure Automatic fix PRs at the Project level
You can configure Automatic fix PRs to work only for specific Projects rather than having Projects inherit the settings from the global integration.
Navigate to Projects and expand the target containing your Open Source Project.
Navigate to Settings and select an integration, for example, GitHub.
In the Automatic fix pull requests section:
Select Customize for only this project
Enable Known vulnerabilities (backlog)
Select the Fix Strategy for your Backlog PRs as described in the Fix strategy step of configuring for integrations.