Jenkins plugin integration with Snyk

Snyk offers a native plugin for Jenkins that is based on the Snyk CLI, to test and monitor Projects for vulnerabilities in your pipelines.

The Snyk Jenkins plugin supports Snyk Open Source. If you plan to include Snyk Code, Snyk Container, and Snyk IaC scans in your pipeline, use the generic Snyk CLI.

For more information, see the Snyk Jenkins Plugin repository.

Follow the steps in each section of this document to use the Snyk Jenkins plugin:

  1. Install the Snyk Security Jenkins Plugin.

  2. Configure a Snyk installation.

  3. Configure a Snyk API token credential.

  4. Add Snyk Security to your project.

  5. Run a build and view your Snyk report.

1. Install the Snyk Security Jenkins Plugin

  • From your Jenkins dashboard, go to Manage Jenkins > Manage Plugins and select the Available tab.

  • Search for Snyk Security.

  • Install the plugin.

2. Configure a Snyk installation

  • Go to Manage Jenkins > Global Tool Configuration.

  • Add a Snyk Installation.

  • Configure the Installation.

  • Remember the Name for use when configuring the build step.

Automatic installations

The plugin can download the latest version of Snyk's binaries and keep them up-to-date for you.

Manual installations

  • Download the following binaries. Choose the binary suitable for your agent's operating system:

  • Place the binaries in a single directory on your agent.

    • Do not change the filename of the binaries.

    • Make sure you have the correct permissions to execute the binaries.

  • Provide the absolute path to the directory under Installation directory.

Custom API endpoints

By default, Snyk uses the endpoint. It is possible to configure Snyk to use a different endpoint by changing the SNYK_API environment variable:

  • Go to Manage Jenkins > Configure System.

  • Under Global Properties check the Environment variables option.

  • Click Add.

  • Set the name to SNYK_API and the value to the custom endpoint.

For more information see Configure Snyk CLI to connect to Snyk API.

3. Configure a Snyk API token credential

  • Get your Snyk API Token.

  • Go to Manage Jenkins > Manage Credentials.

  • Choose a Store.

  • Choose a Domain.

  • Go to Add Credentials.

  • Select Snyk API Token.

  • Configure the Credentials.

  • Remember the ID for use when configuring the build step.

4. Add Snyk Security to your Project

This step depends on whether you are using Freestyle Projects or Pipeline Projects.

Freestyle Projects

  • Select a Project.

  • Go to Configure.

  • Under Build, select Add build step and Invoke Snyk Security Task.

  • Configure as needed. Click the ? icons for more information about each option.

Pipeline Projects

Use the snykSecurity step as part of your pipeline script. You can use the Snippet Generator to generate the code from a web form and copy it into your pipeline. Refer to the following example.

pipeline {
  agent any

  stages {
    stage('Build') {
      steps {
        echo 'Building...'
    stage('Test') {
      steps {
        echo 'Testing...'
          snykInstallation: '<Your Snyk Installation Name>',
          snykTokenId: '<Your Snyk API Token ID>',
          // place other parameters here
    stage('Deploy') {
      steps {
        echo 'Deploying...'

You can pass the following parameters to yoursnykSecurity step.

snykInstallation (required)

Snyk Installation Name, as configured in step 2. Configure a Snyk installation.

snykTokenId (optional, default: _none_)

Snyk API Token Credential ID., as configured in step 3. Configure a Snyk API token credential.

If you prefer to provide the Snyk API token another way, such using alternative credential bindings, you must provide a SNYK_TOKEN build environment variable.

failOnIssues (optional, default: true)

Whether the step should fail if issues and vulnerabilities are found.

failOnError (optional, default: true)

Whether the step should fail if Snyk fails to scan the project due to an error. Errors include scenarios like: failing to download Snyk's binaries, improper Jenkins setup, bad configuration, and server errors.

monitorProjectOnBuild (optional, default: _none_)

Whether to monitor the project on every build by taking a snapshot of its current dependencies on Selecting this option will keep you notified about newly disclosed vulnerabilities and remediation options in the project.

organization (optional, default: _automatic_)

The Snyk Organization in which this project should be tested and monitored. See --org in the Snyk CLI commands and options summary for default behavior.

projectName (optional, default: _automatic_)

A custom name for the Snyk project created for this Jenkins project on every build. See --project-name in the CLI commands and options summary for default behavior.

targetFile (optional, default: _automatic_)

The path to the manifest file to be used by Snyk. See --file in the CLI commands and options summary for default behavior

severity (optional, default: _automatic_)

The minimum severity to detect. Can be one of the following: low, medium, high, critical. See --severity-threshold in the CLI commands and options summary for default behavior.

additionalArguments (optional, default: _none_)

See the CLI commands and options summary for information on additional CLI options.

5. View your Snyk Security Report

  • Complete a new build of your project.

  • Go to the build's page.

  • Select Snyk Security Report in the sidebar to see the results.

If there are any errors you may not see the report. Refer to the Troubleshooting section that follows.


Increase Logging

To see more information on your steps, you can increase logging and re-run your steps.

Failed Installations

By default, Snyk Installations download Snyk's binaries over the network from If this fails there may be a network or proxy issue. If you cannot fix the issue, you can do a manual installation instead. See step 2. Configure a Snyk installation.

Last updated

More information

Snyk privacy policy

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.