Azure Repositories (TFS)
When you want to add new integrations to your Snyk account, you first need to decide the level at which to install the integration.
Group level - Add integrations to your Snyk application that will be available for your Snyk AppRisk Essentials or Snyk AppRisk Pro.
Organization level - Add integrations for your Snyk application that will be available for all Snyk products, except Snyk AppRisk.
If you want to set up integrations for Snyk AppRisk, use the Integrations menu at the Group level.
Organization level - Snyk integrations
Feature availability: Integration with Azure DevOps Server 2020 and above, also known as TFS, is available only with Enterprise plans. For more information, see plans and pricing.
Snyk supports only Git. Snyk does not currently support integration with Team Foundation Version Control (TFVC).
Prerequisites for Azure Repositories (TFS) integration
Snyk Organization Admin user role.
An Azure project. If you do not have a project yet, create one in Azure DevOps or set one up in an on-premise Azure DevOps instance.
The required Personal Access Token (PAT) access scopes. For details on the permissions required, see Azure Repositories (TFS) permission requirements.
Azure Repositories (TFS) integration features
Snyk integrates with your Microsoft Azure Repository to let you import Projects and monitor the source code for your repositories. Snyk tests the Projects you have imported for known security vulnerabilities in the dependencies, testing at a frequency you control.
The Azure Repository integration lets you:
Continuously perform security scanning across all the integrated repositories
Detect vulnerabilities in your open-source components
Provide automated fixes and upgrades
After the integration is configured, Snyk does the following:
Evaluates the items you selected and imports the ones that have the relevant manifest files in their root folder and all the subfolders at any level.
Communicates directly with your repository for each test it runs using the permissions you associated with your PAT, to determine exactly which code is currently pushed by the Snyk application and which dependencies are being used. Each dependency is tested against the Snyk vulnerability database to see if it contains any known vulnerabilities.
Notifies you by email or a dedicated Slack channel if vulnerabilities are found according to the preferences you configured, so that you can take immediate action to fix the issues.
How to set up the Azure Repositories (TFS) integration
The process to connect Snyk with your Azure repositories includes the following steps:
Generate a unique Azure DevOps personal access token (PAT) for Snyk, based on a username and password combination, and configured with the specific permissions Snyk needs to access your Azure repositories. For more information, see Configure a Personal Access Token (PAT).
Select the Projects and repositories you want to associate with Snyk for testing and monitoring. You can also enter custom file locations for any manifest files that are not located in the root folders of your repositories.
Configure a Personal Access Token (PAT)
Generate and copy a unique PAT to use for Snyk. For more information on the PAT access scope requirements to enable in Azure, see Azure Repositories (TFS) permission requirements.
Integrate using the Snyk Web UI
Log in to your Snyk account and navigate to Integrations.
On the Azure Repos tile, click the settings icon to open Organization Settings > Integrations > Azure Repos > Account credentials.
Pay special attention to the instructions given on the Account Credentials page. Depending on your plan, you may need to enter just the Azure DevOps Organization, or you may need to enter the entire URL.
Set your organization: enter the slug for your Organization only. For example, enter your-azure-devops-org.
Set your host: enter the entire URL. For example, enter https://dev.azure.com/your-azure-devops-org. Alternatively, you may enter a custom URL that is publicly reachable.
Click Save, and then enter the PAT that you generated.
Click Save. Snyk tests the connection values and the page reloads, displaying the Azure Repos integration information. A message to confirm that the details were updated appears at the top of the screen.
If the connection to Azure fails, a notification will appear under the Azure Repos card title.
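A pre-flight check an Organization Admin can run before pasting values into the Account credentials page, added here as an example (not Snyk's or Microsoft's code): it normalizes the organization slug or host URL described above, builds the HTTP Basic header Azure DevOps expects for a PAT, and lists repositories through the REST API v6 referenced later on this page. The sample response and repository names are constructed.

```python
import base64
import json
import re
import urllib.request

API_VERSION = "6.0"  # REST API version referenced on this page

# Constructed sample of a GET .../_apis/git/repositories response (not real data).
SAMPLE_RESPONSE = json.dumps({"count": 2, "value": [
    {"name": "payments-api", "project": {"name": "Shop"}},
    {"name": "web-frontend", "project": {"name": "Shop"}},
]})


def normalize_org(value: str) -> tuple[str, str]:
    """Accept the org slug ('your-azure-devops-org') or the full host URL
    ('https://dev.azure.com/your-azure-devops-org', or an on-prem
    collection URL) and return (host, org). https only: the PAT travels
    in the Authorization header on every request."""
    value = value.strip().rstrip("/")
    m = re.fullmatch(r"(https://\S+)/([A-Za-z0-9][A-Za-z0-9._-]*)", value)
    if m:
        return m.group(1), m.group(2)
    if re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]*", value):
        return "https://dev.azure.com", value
    raise ValueError("expected an org slug or an https Azure DevOps URL")


def auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty username."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def repositories_url(host: str, org: str) -> str:
    return f"{host}/{org}/_apis/git/repositories?api-version={API_VERSION}"


def parse_repositories(body: str) -> list[str]:
    """Return sorted 'Project/repo' names from a repositories list response."""
    return sorted(f"{r['project']['name']}/{r['name']}"
                  for r in json.loads(body)["value"])


def list_repositories(org_value: str, pat: str) -> list[str]:
    """Live check: succeeds only if the PAT has the Code (read) scope on
    this org. The PAT itself is never printed or logged."""
    host, org = normalize_org(org_value)
    req = urllib.request.Request(repositories_url(host, org),
                                 headers={"Authorization": auth_header(pat)})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_repositories(resp.read().decode())
```

An HTTP 401 or 203 from the live check means the PAT or organization is wrong before Snyk ever sees it; an empty list with a 200 usually means the token lacks the Code (read) scope for that org.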
Add Projects to Snyk for Azure Repos
Snyk tests and monitors Azure Repos by evaluating root folders and custom file locations for the languages that Snyk supports.
To add a default Project:
In Snyk, navigate to Projects > Add projects.
Choose the relevant repository or tool from which to import your projects. The available repositories for the integration you chose are displayed in a new window.
Select the repositories that you want Snyk to monitor for security and license issues.
To import all the repos for a specific Organization, check the Organization.
Click Add selected repositories. Snyk scans the entire file tree for dependency files and imports them to Snyk as Projects.
Adding custom file locations and excluding folders
Add a custom file location
Use this procedure to add an Azure Repository dependency from a non-default path.
In Snyk, navigate to Projects > Add projects > Azure repos > Settings.
Open the Add custom file location (optional) list and select a repository... to configure a custom path.
In the text field, enter the relative path for the manifest file location. The relative path field is case-sensitive.
Exclude folders from import
The optional Exclude folders field is case-sensitive. The pattern you enter is applied to all the Azure repositories.
Confirming the repository import
After repositories are imported, a confirmation appears in green at the top of the screen. The selected files are marked with a unique icon and named by Organization and repository. You can filter to view only those Projects by selecting the Azure Repos filter option.
The Azure Repository integration works like the other Snyk SCM integrations. To continue to monitor, fix, and manage your Projects, see the Projects documentation.
Group level - Snyk AppRisk integrations
The Integrations page shows all active integrations, including data from your existing Snyk Organizations that is automatically synced and provides access to the Integration Hub.
Azure DevOps setup guide
Pulled entities
Repository - the pulled entity retrieved by Snyk AppRisk.
Integrate using Snyk AppRisk
Profile name (mandatory): Enter your integration profile name.
Organizations (mandatory): Enter the names of all the relevant Azure DevOps organizations.
Access Token (mandatory): Create your Azure DevOps PAT from your Azure DevOps settings and add it, following the instructions in the Generate a Personal access token from your Azure DevOps settings section.
API URL (mandatory): The API URL, for example, https://dev.azure.com/. You can use a custom URL that is publicly accessible.
Broker Token (mandatory): Create and add your Broker token if you use Snyk Broker for AppRisk. Generate your Broker token by following the instructions on the Obtain your Broker token for Snyk Broker page. Copy and paste the Broker token into the integration setup menu in the Integration Hub.
Add Backstage Catalog (optional): If you want to add your Backstage catalog, follow the instructions on the Backstage file for SCM Integrations page.
The following PAT permission requirements are for Snyk AppRisk integrations. For the SCM integration, see the Azure Repositories (TFS) permission requirements on the Snyk SCM integrations pages.
Generate a Personal access token from your Azure DevOps settings
Open Azure DevOps and click the Settings menu for your profile.
Click Personal access tokens and then New token.
Select the following scopes:
Permissions
Code - read
Project and Team - read
Analytics - read
Member Entitlement Management - read
Organization - Select All accessible organizations or a specific organization.
Set the expiration to 12 months.
Copy the generated personal access token and share it through a secured vault.
API version
You can use the Azure DevOps REST API v6 repository to access information about the API.