Workspaces for SCM integrations
Workspaces significantly improves the accuracy and reliability of Snyk’s SCM integration results, especially for large-scale enterprise environments. This capability also supports additional functionality and improvements we have planned in the future. For these reasons, Snyk strongly recommends enabling this option by default at your Group level.
The importance of Workspaces: Improved reliability and accuracy
Snyk believes Workspaces is a significant step forward in providing you with the most reliable and accurate vulnerability detection possible.
How Workspaces supports more reliable results
Traditionally, Snyk has accessed repository contents using SCM APIs, which impose primary and secondary rate limits, and content limits. For example, the GitHub.com APIs are rate-limited to allow only a certain number of requests per hour, and there is a limit on the number of tree entries that can be retrieved from the Git database.
When repository contents are retrieved over these APIs, these limitations inhibit Snyk’s providing a complete analysis in a number of ways, especially across a very large number of repositories, or for repositories containing more than 100,000 files, sometimes referred to as monorepos.
Through Workspaces, these limitations are removed.
How Workspaces supports more accurate results
The accuracy of results is improved in a number of ways through cloning. Since Snyk can access a complete view of a source code repository at a specific commit SHA, including repositories containing more than 100,000 files, the analysis is also more complete through cloning.
Snyk data ingestion
When Workspaces is enabled, Snyk will ingest, through configured SCM integrations, a temporary and shallow clone of repository contents at a given commit and all commit metadata (including the commit message, authors, and timestamp).
For more information on Snyk data processing and safeguards concerning Git repo cloning, see Cache retention period related to vulnerability source data and Safeguards Snyk puts in place to ensure data is secure.
Git protocols used by Workspaces
Repositories are cloned using HTTPS. SSH-based clones are currently unavailable.
Snyk Broker interactions
Brokered connections are supported when Git operations are allowed through Broker.
This will override restrictions from accept.json. For more information, see Clone capability with Broker for Docker.
Manage Workspaces
The Workspaces feature is managed through the Integrations settings page on the Group or Organization level. To do so, you must be a Snyk Group Admin or Snyk Organization Admin.
When enabled at the Group level, all Organizations within that Group will have Workspaces enabled.
The Workspaces feature can be enabled for individual organizations within a Group, even if disabled at the Group level.
While you can choose to disable the Workspaces feature, it is important to understand doing so will hinder Snyk’s ability to scan repositories in two specific ways:
Frequency of scanning: With Workspaces disabled, Snyk will analyze repository content through SCM APIs, which typically impose primary and secondary rate limits, and content limits. For example, the GitHub.com APIs are rate-limited to allow only a certain number of requests per hour, which hinders Snyk’s ability to analyze a large number of repositories in any one hour.
Completeness of scanning: With the Workspaces feature disabled, Snyk will analyze repo content through SCM APIs, which typically limit the number of tree entries that can be retrieved from the Git database, potentially leading to missed vulnerabilities. This impacts analysis of repositories containing a large number of files, sometimes referred to as monorepos.
Last updated