Snyk pipe parameters and values (Bitbucket Cloud)

Configure the Snyk pipe

Configure the following Snyk pipe as part of a pipeline YAML file in order to include vulnerability scanning as part of your CI/CD workflow:

- pipe: snyk/snyk-scan:1.0.0
  variables:
    // variables go here

Snyk pipe variables

For information on how these variables are used, see the Snyk pipe examples.

Variable

Description

SNYK_TOKEN (required)

Enter the Snyk API token, which you can retrieve from your Snyk Account settings.

Snyk recommends that you encrypt the token. You can add it as a predefined variable in a separate part of the Bitbucket pipes directory:

From the build directory, navigate to Add a new Repository value, name the parameter SNYK_TOKEN, and enter your Snyk API token as the value.
From the pipeline YAML file that you are building, enter $SNYK_TOKEN as the value for the SNYK_TOKEN parameter in the Snyk pipe.

See the for more information about predefined variables.

LANGUAGE (required)

Configure the package manager of the app, for example, Node, Maven, Ruby, Composer, or Docker).

See for a full list of possible tags.

Note: When you are using LANGUAGE with SNYK_BASE_IMAGE, this field refers to your base image tag.

IMAGE_NAME (conditionally required)

For Docker LANGUAGE only, configure the image name for which to perform a Docker scan. Required if LANGUAGE=docker

SNYK_BASE_IMAGE

Supply your own custom image if you do not wish to use .

Default: snyk/snyk. Note: LANGUAGE will refer to your base image tag; ensure the tag is valid

CODE_INSIGHTS_RESULTS

Create a with Snyk test results. Default: false.

SNYK_TEST_JSON_INPUT

Use if you want to create only a Code Insights report from previously generated snyk test --json output.

DONT_BREAK_BUILD

Do not fail the build if vulnerabilities are found.

Default: false. The build will fail when vulnerabilities are found.

MONITOR

Records a snapshot of the Project for the Snyk UI and then continues monitoring the Project after the build is run. See in the glossary.

If the test succeeds, this records a snapshot of the dependencies in the and allows you to see the state of your deployed code, have it monitored, and receive alerts when new vulnerabilities are found in the code.

Default: false. The Project is not monitored after the initial scan.

SEVERITY_THRESHOLD

Reports issues equal to or higher than the configured level. Possible values: low, med, high, critical

Default: low. All vulnerabilities are reported.

ORGANIZATION

Configures the Organization from your Snyk account with which to associate the repository.

Default: none. The in your Snyk account is used.

PROJECT_FOLDER

The folder in which the Project resides.

Default: ./ .

TARGET_FILE

The target manifest file, for example package.json, equivalent to --file= in the CLI.

For Docker, enter the Dockerfile as the value.

Default: none.

EXTRA_ARGS

Extra arguments to be passed to the Snyk CLI. Use the parameters and arguments as described in the .

Default: none.

DEBUG

Turn on extra debug information.

Default: false

SNYK_API

Specify the Snyk API endpoint, for example, https://api.eu.snyk.io Default: https://api.snyk.io

PreviousHow to add a Snyk pipe NextMigrating to Bitbucket Pipelines v1.0.0

Last updated 2 months ago

Was this helpful?