Manage team work using Reports

Introduction

Recap: You have seen how to view your Snyk Projects, understand Snyk scan results, fix vulnerabilities, and integrate fix work into your development workflow.

This section describes how to monitor fix work, using Snyk Reports.

View reports

Feature availability: Reports are available with Enterprise plans. See pricing plans for more details.

Click Reports to access the vulnerability information for all Snyk Projects in your Organization:

An overview of Snyk Project vulnerabilities in Reports

By default, results are shown for the last 90 days. Use the Show report for: list in the top right to change the duration.

Reports Security issues

The Security Issues section shows the number of vulnerabilities, their type, and how many of them Snyk identifies as automatically fixable with an upgrade PR (see Fix your first vulnerability).

Security issues in Reports

Show issues over time

The Issues over time graph shows the history of vulnerabilities in your Organization:

View issues over time

This shows the total number of vulnerabilities and the number of Projects being scanned (the dotted line in the graph).

Why do numbers increase?

If you simply see more vulnerabilities in your codebase over time, that alone may not accurately reflect your team's work to improve security.

For example, the total number of vulnerabilities is likely to rise when you add more Projects. The graph may show that linkage: when you see jumps in the total number of vulnerabilities, you may see corresponding jumps in the total number of Projects:

More Projects, more issues

Security metric: ratio of vulnerabilities to Projects

Instead of tracking the total number of issues, a more useful security metric is the ratio of vulnerabilities to the number of Projects being scanned, used as a measure of overall security.

For example, if you double the number of Projects you scan but only add 10% to the total number of vulnerabilities, your overall security is likely to have improved. Alternatively, if you see an increase in the number of vulnerabilities but no increase in the number of Projects being scanned (perhaps because a new vulnerability was discovered in an existing open-source library), then your security is likely to be getting worse.
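The vulnerabilities-per-Project reasoning above, applied to a constructed "Issues over time" series (an added example, not part of the Snyk documentation; the 10% "jump" cutoff and the reason labels are assumptions chosen for illustration, not Snyk settings):

```python
# Added example, not part of the Snyk documentation: applies the
# vulnerabilities-per-Project metric to a constructed "Issues over time" series.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Snapshot:
    """One day of the Issues over time graph."""
    date: str
    projects: int         # Projects being scanned (the dotted line)
    vulnerabilities: int  # total open vulnerabilities

    @property
    def ratio(self) -> float:
        # Vulnerabilities per scanned Project: the metric the text recommends.
        return self.vulnerabilities / self.projects if self.projects else 0.0

def relative_change(before: int, after: int) -> float:
    return (after - before) / before if before else 0.0

def classify(prev: Snapshot, cur: Snapshot, jump: float = 0.10) -> Tuple[str, str]:
    """Return (trend, reason) for the move from prev to cur.
    `jump` (10% relative change) is an assumed illustrative cutoff, not a Snyk setting."""
    proj_growth = relative_change(prev.projects, cur.projects)
    vuln_growth = relative_change(prev.vulnerabilities, cur.vulnerabilities)
    if cur.ratio < prev.ratio:
        if proj_growth >= jump:
            return "improving", "projects_added_faster_than_vulnerabilities"
        return "improving", "vulnerabilities_fell" if vuln_growth < 0 else "vulnerabilities_grew_slower"
    if cur.ratio > prev.ratio:
        if proj_growth < jump and vuln_growth >= jump:
            # Count jumped with no new Projects: likely new disclosures in existing libraries.
            return "worsening", "new_vulnerabilities_in_existing_projects"
        return "worsening", "vulnerabilities_outpaced_projects"
    return "unchanged", "ratio_stable"

def classify_series(series: List[Snapshot]) -> List[Tuple[str, str, str]]:
    """Classify each consecutive pair of snapshots as (date, trend, reason)."""
    return [(cur.date, *classify(prev, cur)) for prev, cur in zip(series, series[1:])]

# Constructed sample: Projects double with +10% issues, then a disclosure in an
# existing library, then a round of fixes.
SAMPLE = [
    Snapshot("2024-01-01", 100, 500),
    Snapshot("2024-01-02", 200, 550),
    Snapshot("2024-01-03", 200, 650),
    Snapshot("2024-01-04", 200, 600),
]
```

Running `classify_series(SAMPLE)` labels the second day as improving (Projects doubled, issues rose only 10%), the third as worsening with no new Projects, and the fourth as improving because the count fell.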

Viewing snapshot summary

You can hover over a date to see the summary of “to this date” information at that point:

View a snapshot summary

This is especially useful when you see sudden changes in issue numbers on a specific day.

View activity

The Activity section shows the activity over the report period:

View activity in Reports

For the reporting period (90 days by default), this activity shows:

  • Tests Run: the number of tests run. By default, Snyk scans each open source Project daily, so an Organization with 100 Projects would generate 9,000 scans over 90 days.

  • Projects: the number of Snyk Projects scanned.

  • New issues: the number of new issues detected.

  • Fixed issues: the vulnerabilities fixed by your team.

  • Tests preventing issues: occasions when the team attempted to merge code changes, but Snyk scans informed the team that these changes would have introduced new issues, thereby helping to prevent new security issues.

  • Ignored issues: issues that a team member decided to ignore.

Filter search results

If you have many Projects to manage and organize in your Organization, you can use filters to focus on specific Projects or specific types of vulnerability:

Filter reports on Project or vulnerability

For example, if your Organization represents your development team and you want to focus on front-end work in the next Sprint, click the Projects dropdown and select a subset of the front-end Projects.

Why so many Projects? Remember, a Snyk Project represents a single scan item, such as a manifest file. So your application may contain hundreds of Snyk Projects to scan.

For Open Source vulnerabilities, tagging is also available: you can add your own tags, including custom values for metadata. See Project tags and Project attributes.

Dashboard results and report results

Filtering results in Reports means that your Dashboard view may show different numbers from your Reports screen.

For example, by default the Dockerfile is not included in the filter; Snyk reports on the Docker images themselves:

Dockerfile not scanned by default

This is because scanning the Dockerfile surfaces vulnerabilities in the base OS of the container you are building. Because your development team generally cannot fix these vulnerabilities, this filtering lets the team focus on the issues that they can fix.

To see a report across all your Organizations, navigate to the Snyk Group level and look at reports there.

Reports: Issues

Click the Issues tab to see a full list of all issues for your Organization:

Reports Issues tab

Issues are ranked by their Snyk Priority Score; you can also filter based on columns. For example, you may want to look at the highest scores with the highest exploit maturity (which are likely to have more exploits available). You can also track the list of issues that were fixed.

Click Export to export or print these results.

More information

See Reports for more details.

What's next?

This concludes this walkthrough.

Please refer to the Snyk documentation in general for more information.
