Use policies in the SDLC

You can apply policies across all stages of the SDLC, from the developer’s local development environment, in the IDE or CLI, through to Git-based workflows and CI/CD, and into production.

Applying these security and compliance controls at each stage ensures issues are flagged as early as possible in the development process, when they are less costly and time-consuming to fix.

Additionally, the .snyk file is a policy file that Snyk uses to define certain analysis behaviors (such as ignored issues) and to specify patches for the CLI and CI/CD plugins. See The .snyk file for details.
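As an added illustration of what such a policy file looks like (this is not a file from the page or from Snyk's own documentation), here is a minimal .snyk with a single ignore rule. The issue ID, reason and dates are placeholders; the structure (top-level version, ignore and patch keys, an issue ID mapping to a list of dependency paths) is the format the Snyk CLI reads and writes:

```yaml
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
# Added example: the issue ID, reason and dates below are placeholders.
version: v1.25.0
# Ignore rules: each key is a Snyk issue ID; each list entry is a dependency
# path to which the ignore applies ('*' matches every path). Always record a
# reason and an expiry so the ignore is re-evaluated instead of silently
# outliving the risk decision that justified it.
ignore:
  SNYK-JS-EXAMPLE-0000000:        # placeholder issue ID
    - '*':
        reason: 'Vulnerable function is not reachable; input is validated upstream'
        expires: 2025-12-31T00:00:00.000Z
        created: 2025-01-15T00:00:00.000Z
# Patch rules for the CLI and CI/CD plugins; none are defined in this example.
patch: {}
```

The CLI picks this file up from the directory where `snyk test` or `snyk monitor` runs (or from the path given with `--policy-path`), and `snyk ignore --id=<ISSUE_ID> --reason='...' --expiry=<DATE>` writes an entry of exactly this shape. Because the file is committed alongside the code, an ignore here is reviewable in the same pull request as the change that introduced it, which is the main reason to prefer it over an ad hoc ignore for repository-specific risk decisions; expired entries stop suppressing the issue, so the next scan surfaces it again.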

Apply policies to Projects or Organizations

For both security policies and license policies, you can

Example: apply a license policy to Projects

Your company’s legal team requires strict license compliance controls for business-critical frontend applications, but is less concerned about internal development projects.

First, add the Critical, Production, and Frontend attributes to the Snyk Projects you want this policy to apply to:

Add relevant attributes to a Project

Next, create a new license policy with those attributes:

Create license policy matching attributes

In the policy itself, a high severity can be assigned to any copyleft license identified in Projects, such as the GPL-3.0 and AGPL-3.0 licenses. When creating license policies, describe why Snyk fails the test: if a build fails because of a GPL-licensed dependency, developers can read the explanation and know what action to take. See Create a license policy and rules for details.

This policy is now applied to all Projects containing those attributes, and takes effect the next time Snyk scans those Projects.

See License policies for more details.

Example: apply a security policy to Projects

Using a similar process to the previous example, you can define a security policy that automatically ignores all Medium severity vulnerabilities that have no known exploit in Projects carrying the FrontEnd environment attribute:

Snyk security policy - ignore Medium vulns

This policy is now applied to all Projects containing those attributes, and takes effect the next time Snyk scans those Projects.

See Security policies for more details.

Apply policies in GitHub repos

For GitHub Projects monitored by Snyk, any new pull request from a contributing developer can be checked against the policies assigned to that Project. With the check required on the target branch, this ensures that policy-breaking code cannot be merged into the repository.

See PR Checks for details of Snyk’s PR Checks feature.

Example: PR check on JavaScript package license

This example shows a pull request that adds the fullpage.js package to a JavaScript application. The change passes the security policy check, because the latest version of the package has no known vulnerability, but it fails the license policy check, because the package is distributed under GPLv3, which violates the company's license policy.

PR Check fail on license compliance

Apply policies in CI/CD

Policies also take effect in CI/CD, so a build that breaches your security or compliance boundaries fails instead of being shipped.

Example: workflow fails on a High-severity vulnerability

This example shows a GitHub Actions build workflow failing because of a high-severity vulnerability identified in Snyk’s testing:

CI/CD check fail on security policy breach
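As an added example of the kind of workflow shown above (this is not the workflow from the page, nor one shipped by Snyk), the following GitHub Actions job runs `snyk test` on a Node.js project and fails when an issue of High or Critical severity is found. It assumes a repository secret named SNYK_TOKEN holding a Snyk API token, and uses the snyk/actions Node image with the CLI's `--severity-threshold` flag:

```yaml
# Added example workflow: fail the build on High or Critical severity issues.
# Assumes a repository secret SNYK_TOKEN containing a Snyk API token.
name: Snyk security gate
on:
  pull_request:
  push:
    branches: [main]
jobs:
  snyk-open-source:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Test dependencies with Snyk
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          # snyk test exits non-zero when issues at or above the threshold are
          # found, which fails this job; mark the check as required on the
          # protected branch so the pull request cannot be merged.
          args: --severity-threshold=high
```

Two practical notes: `--severity-threshold=high` makes the job ignore Low and Medium findings entirely, so pair it with the Org-level security policy and the .snyk file for the ignores you have actually reviewed, rather than lowering the threshold ad hoc when a build goes red; and adding `--fail-on=upgradable` restricts failures to issues that have an available fix, which keeps the gate actionable but means unfixable High issues will pass silently, so decide deliberately which behaviour the policy intends.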
