Import Projects
Depending on the integrations you have configured, and the language / package managers in your tech stack, you can import Projects into Snyk using:
A source control integration with your Git repositories
The Snyk CLI with CI/CD.
The best import route varies based on the languages and package managers in your tech stack.
Here are some key points to determine the best starting point. For details, see Git repositories and CI/CD comparisons.
Getting started with Snyk
For details, see Getting started and Start scanning.
Depending on your needs, Snyk offers various integration methods:
Git Integration
For details, see Git repositories (SCMs) integrations with Snyk.
Connect your repositories for automatic scanning.
For a small number of applications, typically under a hundred:
From the Snyk Web UI, connect to Git code repositories from the Settings-Integrations page.
In the integration settings:
Disable the automatic fixes and PR/Merge checks when first onboarding Projects.
Enable them once a steady state is reached and blocking is desired.
From the Projects page, add the Projects.
Monitor results in Git code repositories.
For hundreds or thousands of repositories:
At scale, Snyk recommends using the API. APIs are available with the Snyk Enterprise plan.
Use the Snyk API to import your Projects. This leverages an existing source control integration and can be used to automate processes.
The snyk-api-import tool uses the API to manage onboarding at scale for large enterprises and is the suggested tool to use at scale. The source control structure will need to be mirrored.
Snyk CLI
For details, see Snyk CLI.
The CLI allows granular scanning of individual Projects.
A command must be formulated for each type of test to perform (open source, code, infrastructure as code, and container).
To use the Snyk CLI:
Install CLI using one of the appropriate methods as part of the build script.
In the script, navigate to the Project folder.
Run the appropriate
snyk test
orsnyk monitor
commands and options for the type of scan you want to run. Where to implement testing in your scripts is generally flexible but most commonly prior to deployment. Use the monitor command alone for Snyk Open Source and Snyk Container to passively report. When using gating via the test command, the purpose is to break the build if issues are found that meet particular criteria like--severity-threshold
or any number of options in the CLI or snyk-filter plugin. In general, Snyk Open source is typically run in test and/or monitor after the dependencies are installed on the build system. A typical command can look as follows:Code:
snyk code test --org=[org-id]
Open source:
snyk test --all-projects --org=[org-id]
snyk monitor --all-projects --org=[org-id]
Replace[org-id]
with the ID of your Organization.
For Container and Infrastructure as Code scans, see Container and Infrastructure as Code, as this will vary based on the type being scanned.
Review results either locally when running
snyk test
, or via the Snyk Web UI when using monitor or report.
For demonstrations of various pipeline integrations, see Snyk-Labs.
Last updated