Artifactory Gatekeeper Plugin
Feature availability: This feature is available with Enterprise plans. See pricing plans for more details.
With the Snyk plugin for Artifactory, you can scan your artifacts for open-source vulnerabilities and license issues.
After the plugin is installed, it runs in the background and can do the following automatically:
Add vulnerability and license issue counts from Snyk as properties in an artifact
Block developers from downloading packages with vulnerability and license issues according to a configured threshold
By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk Artifactory Gatekeeper Plugin enables you to track and identify issues that are risks to your application security more quickly and to avoid using those artifacts in your Projects.
Note: This page refers to the Artifactory Plugin, an independent piece of software that is installed on the Artifactory machine and serves as a gatekeeper, blocking vulnerable packages from being downloaded from the Artifactory instance.
This plugin is separate from the Artifactory Registry for Maven, a Snyk integration that allows configuring SCM scans to use custom package registries.
Package managers supported by the Artifactory Plugin
npm
Maven (.jar files)
Gradle (.jar files)
sbt (.jar files)
pip (PyPI)
Prerequisites for the Artifactory plugin
Snyk Enterprise Account
Artifactory version 7.4.3 or higher
Data exchanged between Artifactory and Snyk
Artifactory transmits the package name and version to the test endpoint of the Snyk API. The authorization token is sent in the request header.
If the Artifactory installation is configured to use a proxy, Snyk will automatically use it too. Potentially, there could be an issue if the proxy is an authenticated or Kerberos proxy, but a standard, unauthenticated, forwarding proxy should work if the Artifactory installation and its underlying JVM are configured correctly with a proxy.
Snyk calls https://api.snyk.io/v1/test for the appropriate package manager with the package name and version.
Installation of the Artifactory Plugin
Log in to your Snyk account.
Select Settings > General to locate, copy, and save the following:
Service account token or Organization API token
The Organization ID for any one of your organizations
Navigate to the Snyk Artifactory plugin repo in GitHub and then to the Releases.
From the most current release, expand the Assets section to download the artifactory-snyk-security-plugin-<version>.zip archive.
Extract the archive. It should have the following structure:
plugins (directory)
  snykSecurityPlugin.groovy - plugin
  snykSecurityPlugin.properties - plugin configuration
lib (directory)
  artifactory-snyk-security-core.jar - plugin library
  snykSecurityPlugin.version - plugin version
Open snykSecurityPlugin.properties in a text editor. Set the API token and Organization ID from the earlier steps as snyk.api.token and snyk.api.organization respectively. Configure the rest of the properties as needed or leave them as defaults. See the section Artifact properties.
For a full list of properties, view the properties file on GitHub.
Place all the files under $JFROG_HOME/artifactory/var/etc/artifactory/plugins. Restart your Artifactory server. Note: Refresh now or Reload is not sufficient; Artifactory must be restarted.
Log in to your Artifactory instance and navigate to the System Logs to check that Snyk has been installed successfully.
How the Artifactory plugin works
Whenever a download is requested from an Artifactory remote repository, whether from a package manager or a URL, Snyk automatically scans the artifact for vulnerabilities and license issues.
The plugin only works with remote repositories. It does not scan locally stored artifacts, but instead queries the Snyk API with the meta-information about the artifacts. Therefore, only published artifacts of the proxied remote repository can be examined by the Snyk Artifactory plugin.
To view details about the download status, open the System Logs.
If a scan finds issues, the download request can be blocked, depending on your configuration, with an HTTP status code 403 Forbidden.
You can find the results of a scan under the artifact properties, where you can decide to ignore the issues and allow downloads. To find the artifact, use the Artifactory Search Bar or navigate the tree view.
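The decision the plugin makes on each download request, as an added example that is not the plugin's own code: it turns a Snyk test response into per-severity counts for the artifact properties and into a 403 or 200 decision against a configured threshold, with an override property modelling an operator who has chosen to ignore the issues. The response layout, the property names and the `snyk.forceDownload` override are assumptions, not taken from this page.

```python
import json

# Constructed sample of a Snyk test response; the field layout is an assumption.
SAMPLE_RESPONSE = json.dumps({
    "ok": False,
    "issues": {
        "vulnerabilities": [
            {"id": "SNYK-EXAMPLE-1", "severity": "high"},
            {"id": "SNYK-EXAMPLE-2", "severity": "medium"},
            {"id": "SNYK-EXAMPLE-3", "severity": "low"},
        ],
        "licenses": [{"id": "LIC-EXAMPLE-1", "severity": "medium"}],
    },
})

SEVERITIES = ("low", "medium", "high", "critical")  # ascending order

def count_by_severity(issues):
    """Count issues per severity level; unknown levels are ignored."""
    counts = {s: 0 for s in SEVERITIES}
    for issue in issues:
        sev = issue.get("severity", "")
        if sev in counts:
            counts[sev] += 1
    return counts

def summarize(counts):
    """Render counts as a property value, e.g. '1 low, 1 medium, 1 high'."""
    return ", ".join(f"{counts[s]} {s}" for s in SEVERITIES if counts[s])

def exceeds(counts, threshold):
    """True if at least one issue is at or above the threshold severity."""
    rank = SEVERITIES.index(threshold)
    return any(counts[s] for s in SEVERITIES[rank:])

def evaluate(response_text, vuln_threshold, license_threshold, existing_props=None):
    """Return (artifact properties to set, HTTP status for the download).

    existing_props models properties already on the artifact; the hypothetical
    'snyk.forceDownload' = 'true' models an operator ignoring the issues.
    """
    issues = json.loads(response_text).get("issues", {})
    vulns = count_by_severity(issues.get("vulnerabilities", []))
    lics = count_by_severity(issues.get("licenses", []))
    props = {
        "snyk.issue.vulnerabilities": summarize(vulns) or "none",
        "snyk.issue.licenses": summarize(lics) or "none",
    }
    forced = (existing_props or {}).get("snyk.forceDownload") == "true"
    blocked = exceeds(vulns, vuln_threshold) or exceeds(lics, license_threshold)
    return props, (403 if blocked and not forced else 200)
```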
Artifact properties
Troubleshooting for the Artifactory Gatekeeper Plugin
You can enable debug logs by modifying your ${ARTIFACTORY_HOME}/var/etc/artifactory/logback.xml file and adding the following line:
Artifactory automatically picks up the new configuration. If this does not happen, restart Artifactory.