Artifactory Gatekeeper Plugin
Feature availability: This feature is available only with Enterprise plans. For more information, see plans and pricing.
With the Snyk plugin for Artifactory, you can scan your artifacts for open-source vulnerabilities and license issues.
After the plugin is installed, it runs in the background and can do the following automatically:
Add vulnerability and license issue counts from Snyk as properties in an artifact
Block developers from downloading packages with vulnerability and license issues according to a configured threshold
By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk Artifactory Gatekeeper Plugin enables you to track and identify issues that are risks to your application security more quickly and to avoid using those artifacts in your Projects.
This page refers to the Artifactory Plugin, an independent piece of software that is installed on the Artifactory machine and serves as a gatekeeper, blocking vulnerable packages from being downloaded from the Artifactory instance.
This plugin is separate from the Artifactory Registry for Maven, a Snyk integration that allows configuring SCM scans to use custom package registries.
Package managers supported by the Artifactory Plugin
npm
Maven (.jar files)
Gradle (.jar files)
sbt (.jar files)
pip (PyPI)
CocoaPods
RubyGems
NuGet
Prerequisites for the Artifactory plugin
Snyk Enterprise Account
Artifactory Version 7.4.3 and higher
Data exchanged between Artifactory and Snyk
Artifactory transmits the package name and version to the test endpoint of the Snyk API instance; the authorization token is sent in the request header.
If the Artifactory installation is configured to use a proxy, the plugin uses it too. An authenticated or Kerberos proxy may cause problems, but a standard, unauthenticated forwarding proxy works if the Artifactory installation and its underlying JVM are configured correctly with a proxy.
The plugin calls https://api.snyk.io/v1/test for the relevant package manager with the package name and version.
Installation of the Artifactory Plugin
1. Log in to your Snyk account.
2. Select Settings > General to locate, copy, and save the following:
   Service account token or Organization API token
   The Organization ID for any one of your organizations
3. Navigate to the Snyk Artifactory plugin repo in GitHub and then to the Releases.
4. From the most current release, expand the Assets section to download the artifactory-snyk-security-plugin-<version>.zip archive.
5. Extract the archive. It should have the following structure:
   plugins (directory), containing:
     snykSecurityPlugin.groovy - plugin
     snykSecurityPlugin.properties - plugin configuration
   lib (directory), containing:
     artifactory-snyk-security-core.jar - plugin library
     snykSecurityPlugin.version - plugin version
6. Open snykSecurityPlugin.properties in a text editor. Set the API token and Organization ID from the earlier steps as snyk.api.token and snyk.api.organization respectively. Configure the rest of the properties as needed or leave them as defaults. See the section Plugin configuration. For a full list of properties, view the properties file on GitHub.
7. Place all the files under $JFROG_HOME/artifactory/etc/artifactory/plugins. Because the properties file holds the API token in plaintext, restrict its read permissions to the user Artifactory runs as.
8. Restart your Artifactory server. Note: Refresh now or Reload is not sufficient; Artifactory must be restarted.
9. Log in to your Artifactory instance and navigate to the System Logs to check that Snyk has been installed successfully.
How the Artifactory plugin works
Whenever a download is requested from an Artifactory remote repository, whether from a package manager or a URL, Snyk automatically scans the artifact for vulnerabilities and license issues. The issues found by Snyk are persisted as artifact properties. Access to the package is later controlled according to these properties, and in line with severity thresholds set in the plugin config.
Depending on the configuration, the plugin can periodically re-scan packages to keep the issue metadata up to date.
The plugin only works with remote repositories. It does not scan locally stored artifacts, but instead queries the Snyk API with the meta-information about the artifacts. Therefore, only published artifacts of the proxied remote repository can be examined by the Snyk Artifactory plugin.
To view details about the download status, open the System Logs.
If a scan finds issues, based on your configuration, the download request can be blocked with an HTTP status code "403 Forbidden".
You can find the results of a scan under the artifact properties, where you can decide to ignore the issues and allow downloads. To find the artifact, use the Artifactory Search Bar or navigate the tree view.
Plugin configuration
Plugin configuration is loaded from this file: $JFROG_HOME/artifactory/etc/artifactory/plugins/snykSecurityPlugin.properties. For changes in this file to take effect, Artifactory must be restarted.
Parameters, their default values, and descriptions:
snyk.api.token (no default): Service account token or Organization API token.
snyk.api.organization (no default): The Organization ID for any one of your Snyk organizations.
snyk.api.url (default https://api.snyk.io/v1/): Snyk API base URL.
snyk.scanner.test.continuously (default false): Decides whether the plugin periodically refreshes vulnerability data from Snyk or filters access according to the results obtained when the package was first requested. Without continuous mode, new vulnerabilities are not reported for a package that has already been allowed through the gatekeeper.
snyk.scanner.frequency.hours (default 168): Scan result expiry (continuous mode only). When the most recent scan was made within this time frame, filtering respects the previous result. Beyond that time, a new Snyk Test request is made. When this property is set to 0, the plugin triggers a test each time an artifact is accessed.
snyk.scanner.vulnerability.threshold (default low): Global threshold for vulnerability issues. Accepted values: "low", "medium", "high", "critical", "none".
snyk.scanner.license.threshold (default low): Global threshold for license issues. Accepted values: "low", "medium", "high", "critical", "none".
For a full list of properties, view the properties file on GitHub.
Artifact properties
These are the properties set by the plugin on scanned artifacts. Artifact access is allowed or forbidden depending on the values of these properties.
Properties and their descriptions:
snyk.test.timestamp: Date and time when the artifact was last scanned by Snyk.
snyk.issue.url: The URL to the Snyk database entry and explanation of the vulnerability, including specific details about vulnerable versions, available upgrades, and Snyk patches.
snyk.issue.vulnerabilities: Vulnerability summary of the scan results, recorded regardless of the configured thresholds.
snyk.issue.vulnerabilities.forceDownload: When true, allows downloads of this artifact even when there are vulnerabilities.
snyk.issue.vulnerabilities.forceDownload.info: Use this field to record why forceDownload is enabled.
snyk.issue.licenses: License summary of the scan results, recorded regardless of the configured thresholds.
snyk.issue.licenses.forceDownload: When true, allows downloads of this artifact even when there are license issues.
snyk.issue.licenses.forceDownload.info: Use this field to record why forceDownload is enabled.
Troubleshooting for the Artifactory Gatekeeper Plugin
You can enable debug logs by modifying your ${ARTIFACTORY_HOME}/var/etc/artifactory/logback.xml file and adding the following line:
Artifactory automatically picks up the new configuration. If this does not happen, restart Artifactory.