Insights setup: Associating Snyk Open Source, Code & Container Projects

After you have set up Insights, set up the required links between the Snyk Projects that make up the chosen application.

Overview

To prioritize your Snyk Code and Snyk Open Source vulnerabilities, Insights needs to understand the relationships between those imported Snyk Projects and the Container Project. Snyk uses the relationships between these Projects as a proxy for the composition of the container image.

The container image is the build artifact that is deployed and running on your Kubernetes cluster, so by understanding:

  • The link between the Source Code, Open Source Dependencies and the image.

  • What images are deployed to Kubernetes and how they are configured.

Snyk can map your application from its source code to its deployed state.

Mapping your application

Add Snyk Project tags to all the Projects used by your application, to link these Projects together and allow Insights to represent the whole of the application that you are testing.

To associate two Projects together, add the exact same tag to both Projects. For example, add the same tag to your Snyk Open Source Projects and Snyk Container Project if they are related to each other.

See the examples below.

Requirements

  • The same tag must be applied to the container image and Code or Open Source Projects

  • The tag must follow the specified format: the key is component and the value is a pkg: URL naming the repository (and, where needed, a path inside it and a branch), as shown in the examples below

  • The Projects do not have to be in the same Snyk Organization to be mapped but MUST be in the same Snyk Group

Project tags

Examples

Single repo to single image

In this example, there is a single repository containing your package.json, which is built into an image called image-A.

Example: single repo to single image

To map these associations, you would have the following tags set up:

Location                     | Asset                                | Snyk Project Location                         | Tag(s)                                      | Notes
github.com/my-team/front-end | package.json                         | Snyk Org: my-team; Project name: package.json | component=pkg:github/my-team/front-end@main | The same tag is applied to both sides
-                            | Built container image called image-A | Snyk Org: my-team; Project name: image-A      | component=pkg:github/my-team/front-end@main |

Multiple Repos to single image

Example: multiple repos to single image

For this scenario, there are two contributing repositories: a front end repository containing the package.json, scanned by Snyk Open Source, and a back end repository containing Go code, scanned by Snyk Code.

In order to map these associations, you would have the following tags set up:

Location                     | Asset                                | Snyk Project Location                         | Tag(s)                                                                                  | Notes
github.com/my-team/front-end | package.json                         | Snyk Org: my-team; Project name: package.json | component=pkg:github/my-team/front-end@main                                             |
github.com/my-team/back-end  | Go source code                       | Snyk Org: my-team; Project name: Code         | component=pkg:github/my-team/back-end@main                                              |
-                            | Built container image called image-A | Snyk Org: my-team; Project name: image-A      | component=pkg:github/my-team/front-end@main, component=pkg:github/my-team/back-end@main | The image has two tags applied, because it has two upstream Projects with different tags

You can apply multiple tags to an image.

Monorepo to many images

Example: monorepo to multiple images

In this example, the application team uses a monorepo. The contents of the repository are built into different container images, because the front end and back end may be run separately.

Here the tags need to be differentiated further, by scoping each one to the directory inside the repository that the image is built from.

Location                   | Asset                                               | Snyk Project Location                                   | Tag(s)                                              | Notes
github.com/my-team/service | package.json                                        | Snyk Org: my-team; Project name: package.json           | component=pkg:github/my-team/service/front-end@main | The tag is further scoped by specifying /front-end at the end
-                          | Built container image called my-app-frontend:latest | Snyk Org: my-team; Project name: my-app-frontend:latest | component=pkg:github/my-team/service/front-end@main |
github.com/my-team/service | Go source code                                      | Snyk Org: my-team; Project name: Code                   | component=pkg:github/my-team/service/back-end@main  | The tag is further scoped by specifying /back-end at the end
-                          | Built container image called my-app-backend:latest  | Snyk Org: my-team; Project name: my-app-backend:latest  | component=pkg:github/my-team/service/back-end@main  |
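The mapping rules above (an identical tag on both sides, Projects in the same Group) and the three scenarios in the tables, as an added Python example that is not part of the Snyk documentation or of any Snyk tool. It derives a component tag from a repository URL, branch and optional monorepo subpath, checks that a tag has the shape the tables use (inferred from the examples, not a published specification), and resolves which Code and Open Source Projects each container image links to. The Project records, the Group names, the unscoped monorepo tag and the cross-Group image are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

TAG_KEY = "component"
# Value shape inferred from this page's tables (assumption, not a published spec):
#   pkg:<type>/<namespace>/<name>[/<subpath>]@<ref>
TAG_VALUE_RE = re.compile(r"^pkg:[a-z0-9]+/[^\s@/]+/[^\s@]+@[^\s@]+$")
# https://github.com/ns/repo(.git), git@github.com:ns/repo.git or bare github.com/ns/repo
REPO_URL_RE = re.compile(
    r"^(?:https?://|git@)?(?P<host>[^/:@\s]+)[/:](?P<ns>[^/\s]+)/(?P<name>[^/\s]+?)(?:\.git)?/?$"
)

def component_tag(repo_url: str, ref: str = "main", subpath: str = "") -> str:
    """Build the tag for a repository, optionally scoped to a directory (monorepo case)."""
    m = REPO_URL_RE.match(repo_url.strip())
    if not m:
        raise ValueError(f"unrecognised repository URL: {repo_url!r}")
    host, ns, name = m.group("host", "ns", "name")
    pkg_type = host.split(".")[0].lower()  # github.com -> github (assumption: first DNS label)
    path = f"{ns}/{name}" + (f"/{subpath.strip('/')}" if subpath else "")
    return f"{TAG_KEY}=pkg:{pkg_type}/{path}@{ref}"

def is_valid_component_tag(tag: str) -> bool:
    key, sep, value = tag.partition("=")
    return sep == "=" and key == TAG_KEY and TAG_VALUE_RE.match(value) is not None

@dataclass(frozen=True)
class Project:
    name: str
    kind: str  # "code", "opensource" or "container"
    org: str
    group: str
    tags: frozenset[str] = frozenset()

    @property
    def ref(self) -> str:
        return f"{self.org}/{self.name}"

def link_images(projects: list[Project]) -> tuple[dict[str, list[str]], list[str]]:
    """Map each image "org/name" to the sorted upstream Projects sharing a tag; same Group required."""
    by_tag: dict[str, list[Project]] = defaultdict(list)
    for p in projects:
        if p.kind != "container":
            for t in p.tags:
                by_tag[t].append(p)
    links: dict[str, list[str]] = {}
    warnings: list[str] = []
    for image in (p for p in projects if p.kind == "container"):
        linked: set[str] = set()
        if not image.tags:
            warnings.append(f"{image.ref}: no tags, image cannot be mapped")
        for tag in image.tags:
            if not is_valid_component_tag(tag):
                warnings.append(f"{image.ref}: {tag!r} does not follow the component=pkg:... format")
                continue
            matches = by_tag.get(tag, [])
            if not matches:
                warnings.append(f"{image.ref}: no Code/Open Source Project carries {tag!r}")
            for up in matches:
                if up.group != image.group:  # Orgs may differ, Groups may not
                    warnings.append(f"{image.ref} (Group {image.group!r}): {up.ref} shares {tag!r} "
                                    f"but is in Group {up.group!r}, so it is not linked")
                    continue
                linked.add(up.ref)
        links[image.ref] = sorted(linked)
    return links, warnings

def demo_scenarios() -> tuple[dict[str, list[str]], list[str]]:
    """Constructed sample Projects mirroring the three scenarios on this page."""
    fe = component_tag("github.com/my-team/front-end")
    be = component_tag("git@github.com:my-team/back-end.git")
    mono_fe = component_tag("https://github.com/my-team/service", subpath="front-end")
    mono_be = component_tag("https://github.com/my-team/service", subpath="back-end")
    g = "my-group"
    projects = [
        # multiple repos -> single image (the single-repo case is the first row plus image-A)
        Project("package.json", "opensource", "my-team", g, frozenset({fe})),
        Project("Code", "code", "my-team", g, frozenset({be})),
        Project("image-A", "container", "my-team", g, frozenset({fe, be})),
        # monorepo -> many images: the subpath is what keeps the two images apart
        Project("service:package.json", "opensource", "my-team", g, frozenset({mono_fe})),
        Project("service:Code", "code", "my-team", g, frozenset({mono_be})),
        Project("my-app-frontend:latest", "container", "my-team", g, frozenset({mono_fe})),
        Project("my-app-backend:latest", "container", "my-team", g, frozenset({mono_be})),
        # an unscoped tag on a monorepo image matches no Project, so it stays unmapped
        Project("my-app:latest", "container", "my-team", g, frozenset({component_tag("github.com/my-team/service")})),
        # same tag but a different Group: must not link, warning instead
        Project("image-A", "container", "other-org", "other-group", frozenset({fe})),
    ]
    return link_images(projects)

if __name__ == "__main__":
    links, warnings = demo_scenarios()
    print(*[f"{img} <- {', '.join(up) or '(unmapped)'}" for img, up in links.items()], *warnings, sep="\n")
```

Run it as a script to print the links for the sample set, or call link_images on Projects pulled from your own Organizations. A warning about a tag with no counterpart, or a counterpart in a different Group, is exactly the situation in which Insights cannot map the image back to its source.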

Applying tags

Project tags can be applied as follows:

Product          | Method       | Project source (for Projects created by)
Snyk Code        | API          | Git Import
Snyk Open Source | API, UI, CLI | Git Import; CLI Monitor
Snyk Container   | API, UI, CLI | Git Import; CLI Monitor; Container Registry Integration

Snyk recommends applying the tags through the API, because that method can be automated.

UI Example

Project tags: UI example

CLI Example

snyk monitor --project-tags=component=pkg:github/my-team/back-end@main

API Example

See the Project Update documentation.

For example:

 "tags": [
    {
      "key": "component",
      "value": "pkg:github/my-team/back-end@main"
    }
  ],
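One way to automate the API method, as an added Python example rather than the documentation's own snippet: it wraps the tags fragment shown above in a JSON:API update body, merges it with tags already on the Project, and sends it with the standard library. The PATCH endpoint https://api.snyk.io/rest/orgs/{org_id}/projects/{project_id}, the version query parameter, the token authorization scheme, and the assumption that the update replaces the whole tags list are my reading of the Project Update REST documentation; verify them there before relying on this. The owner=platform tag, the placeholder IDs and the environment variable names are constructed.

```python
import json
import os
import urllib.request

# Endpoint, version string and JSON:API body shape are assumptions taken from my reading of
# the Project Update REST docs; check them against the current documentation.
API_BASE = "https://api.snyk.io/rest"
API_VERSION = "2024-10-15"

def merge_tags(existing, new):
    """Union of {"key", "value"} tag dicts, order preserved, duplicate pairs dropped.

    The update sends the complete tags list, so tags already on the Project must be
    carried over or they are lost (assumption about replace semantics; verify).
    """
    seen, merged = set(), []
    for t in list(existing) + list(new):
        pair = (t["key"], t["value"])
        if pair not in seen:
            seen.add(pair)
            merged.append({"key": pair[0], "value": pair[1]})
    return merged

def project_update_url(org_id, project_id, api_base=API_BASE):
    return f"{api_base}/orgs/{org_id}/projects/{project_id}?version={API_VERSION}"

def build_patch_body(project_id, tags):
    """JSON:API body carrying the same "tags" array the documentation's example shows."""
    return {"data": {"type": "project", "id": project_id, "attributes": {"tags": tags}}}

def patch_project_tags(org_id, project_id, tags, token, api_base=API_BASE):
    """Apply the tag list to one Project. Network call: needs real IDs and an API token."""
    req = urllib.request.Request(
        project_update_url(org_id, project_id, api_base),
        method="PATCH",
        data=json.dumps(build_patch_body(project_id, tags)).encode(),
        headers={"Authorization": f"token {token}", "Content-Type": "application/vnd.api+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Constructed input: tag the back-end Code Project from this page's second table while
    # keeping a made-up owner tag that was already on the Project.
    component = {"key": "component", "value": "pkg:github/my-team/back-end@main"}
    existing = [{"key": "owner", "value": "platform"}]
    tags = merge_tags(existing, [component])
    print(json.dumps(build_patch_body("<project-id>", tags), indent=2))
    if all(os.environ.get(v) for v in ("SNYK_TOKEN", "SNYK_ORG_ID", "SNYK_PROJECT_ID")):
        patch_project_tags(os.environ["SNYK_ORG_ID"], os.environ["SNYK_PROJECT_ID"],
                           tags, os.environ["SNYK_TOKEN"])
```

Because the link is only made when both sides carry the identical tag, the same call has to be issued once for the container image's Project ID and once for each Code or Open Source Project ID it should map to; read each Project's current tags first so the merge does not drop anything.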
