Use policies in the SDLC
Last updated
Last updated
More information
Snyk privacy policy© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.
You can apply policies across all stages of the SDLC, from the developer’s local development environment, in the IDE or CLI, through to Git-based workflows and CI/CD, and into production.
These multiple security and compliance controls ensure issues are flagged as early as possible in the development process when it is least costly and time-consuming to fix them.
In addition, the .snyk file is a policy file that Snyk uses to define certain analysis behaviors and to specify patches for the CLI and CI/CD plugins. See for details
For both and , you can apply a policy to Project attributes and to an Organization. This enables you to assign policies to Projects and to Organizations. For details, see and .
Scenario: The legal team in your company requires strict license compliance controls for business-critical front-end applications but is less concerned about internal development Projects.
To meet this requirement, first add the Critical, Production, and Frontend attributes to the Snyk Projects you want this policy to apply to:
Next, create a new license policy and apply the policy to those attributes:
This policy is now assigned to all Projects with the selected attributes applied and takes effect the next time Snyk scans those Projects.
Using a process similar to the one in the previous example, you can define a security policy to automatically ignore all Medium severity vulnerabilities in the FrontEnd environment without a known exploit:
This policy is now assigned to all Projects with the selected attributes applied and takes effect the next time Snyk scans those Projects.
For GitHub Projects monitored by Snyk, any new pull request from a contributing developer can be checked against policies assigned to that Project. This ensures that policy-breaking code cannot be committed to the repository.
An example follows of a PR check on a JavaScript package license.
This example shows a pull request to add the fullpage.js package to a JavaScript application. Although this change passes the security policy check, because the latest version of the package has no known vulnerability, it fails the license policy check because the GPLv3 license is included in violation of the license policy of the company.
Assigned policies take effect in CI/CD, ensuring builds comply with security and compliance boundaries.
In the policy itself, a high severity can be applied to any copyleft license identified in Projects, such as the and . When you create license policies, Snyk recommends that you describe why Snyk will fail the test. Thus, for example, if a build fails due to the GPL license, developers can see the explanation, and they will know what action to take. See for details.
See for more details.
See for more details.
See for details of Snyk’s PR Checks feature.
