Prioritization setup: Associating Snyk Open Source, Code, and Container Projects

After you have set up the prioritization with Insights, Snyk can set up the required linking for the chosen application.

To prioritize your Snyk Code and Snyk Open Source vulnerabilities, Snyk needs to understand the relationships between those imported Snyk Projects and the Container Project. Snyk uses the relationships between these Projects as a proxy to understand the composition of the container image.

The Insights UI displays a variety of asset types, including but not limited to:

Repository assets
Packages
Container images
Scanned artifacts

These assets are directly linked to the ones displayed on the Snyk AppRisk Inventory view.

For more details regarding supported assets, you can navigate to the Asset and Issue pages.

The container image is the build artifact that is deployed and running on your Kubernetes cluster, so Snyk can map your application from its source code to its deployed state by understanding the following:

The link between the Source Code and Open Source Dependencies and the image.
What images are deployed to Kubernetes, and how are they configured.

Use Project tags to link Projects

Add Snyk Project tags to all the Projects used by your application to link these Projects together and allow Snyk to represent the whole of the application that you are testing.

To associate two Projects together, add the exact same tag to both Projects. For example, add the same tag to your Snyk Open Source Projects and Snyk Container Project if they are related to each other.

See the examples at the end of this section.

Requirements for Project tags

The same tag must be applied to the container image and Code or Open Source Projects,
The tag must follow the specified format,
The Projects do not have to be in the same Snyk Organization to be mapped but MUST be in the same Snyk Group,

Examples of Project tags

Single repo to a single image

In this example, there is a single repository containing your package.json which is built into an image called image-A.

To map these associations, you would have the following tags set up:

Location Asset Snyk Project Location Tag(s) Notes

Location	Asset	Snyk Project Location	Tag(s)	Notes
github.com/my-team/front-end	`package.json`	Snyk Org: my-team Project name: package.json	`component=pkg:github/my-team/front-end@main`	The same tag is applied to both sides
	Built container image called `image-A`	Snyk Org: my-team Project name: image-A	`component=pkg:github/my-team/front-end@main`

github.com/my-team/front-end

package.json

Snyk Org: my-team

Project name: package.json

component=pkg:github/my-team/front-end@main

The same tag is applied to both sides

Built container image called image-A

Snyk Org: my-team

Project name: image-A

component=pkg:github/my-team/front-end@main

Multiple repos to a single image

For this scenario, there are two contributing repositories.

There is a front-end repository containing the package.json scanned by Snyk Open Source and a back-end repository containing go code scanned by Snyk Code.

To map these associations, you would have the following tags set up:

Location Asset Snyk Project Location Tag(s) Notes

Location	Asset	Snyk Project Location	Tag(s)	Notes
github.com/my-team/front-end	`package.json`	Snyk Org: my-team Project name: package.json	`component=pkg:github/my-team/front-end@main`
github.com/my-team/back-end	`Go source code`	Snyk Org: my-team Project name: Code	`component=pkg:github/my-team/back-end@main`
	Built container image called `image-A`	Snyk Org: my-team Project name: image-A	`component=pkg:github/my-team/front-end@main` `component=pkg:github/my-team/back-end@main`	The image has two tags applied, as there are two upstream dependencies which have different tags. You can apply multiple tags to an image.

github.com/my-team/front-end

package.json

Snyk Org: my-team

Project name: package.json

component=pkg:github/my-team/front-end@main

github.com/my-team/back-end

Go source code

Snyk Org: my-team

Project name: Code

component=pkg:github/my-team/back-end@main

Built container image called image-A

Snyk Org: my-team

Project name: image-A

component=pkg:github/my-team/front-end@main

component=pkg:github/my-team/back-end@main

The image has two tags applied, as there are two upstream dependencies which have different tags.

You can apply multiple tags to an image.

Monorepo to many images

In this example, the application team is using a monorepo approach. The contents of the repository are built into different container images as they may be run separately.

Here we need to further differentiate the tags by scoping them more accurately.

Location Asset Snyk Project Location Tag(s)

Location	Asset	Snyk Project Location	Tag(s)
github.com/my-team/service	`package.json`	Snyk Org: my-team Project name: package.json	`component=pkg:github/my-team/service/front-end@main`	The tag is further scoped by specifying /front-end at the end
	Built container image called `my-app-frontend:latest`	Snyk Org: my-team Project name: my-app-frontend:latest	`component=pkg:github/my-team/service/front-end@main`

github.com/my-team/service

package.json

Snyk Org: my-team

Project name: package.json

component=pkg:github/my-team/service/front-end@main

The tag is further scoped by specifying /front-end at the end

Built container image called my-app-frontend:latest

Snyk Org: my-team

Project name: my-app-frontend:latest

component=pkg:github/my-team/service/front-end@main

Location Asset Snyk Project Location Tag(s) Notes

Location	Asset	Snyk Project Location	Tag(s)	Notes
github.com/my-team/service	`Go source code`	Snyk Org: my-team Project name: Code	`component=pkg:github/my-team/service/back-end@main`	The tag is further scoped by specifying /back-end at the end
	Built container image called `my-app-backend:latest`	Snyk Org: my-team Project name: my-app-backend:latest	`component=pkg:github/my-team/service/back-end@main`

github.com/my-team/service

Go source code

Snyk Org: my-team

Project name: Code

component=pkg:github/my-team/service/back-end@main

The tag is further scoped by specifying /back-end at the end

Built container image called my-app-backend:latest

Snyk Org: my-team

Project name: my-app-backend:latest

component=pkg:github/my-team/service/back-end@main

Tags application

Project Tags can be applied as follows:

Product	Method	Project Source
Snyk Code	API	For projects created by Git Import
Snyk Open Source	API UI CLI	For projects created by Git Import CLI Monitor
Snyk Container	API UI CLI	For projects created by Git Import CLI Monitor Container Registry Integration

Product

Method

Project Source

Snyk Code

For projects created by

Git Import

Snyk Open Source

For projects created by

Git Import
CLI Monitor

Snyk Container

For projects created by

Git Import
CLI Monitor
Container Registry Integration

Snyk recommends applying the tags through the API because the process can be automated using the API.

UI example for Project tags

CLI Example

snyk monitor --project-tags=component=pkg:github/my-team/back-end@main

API Example

See the Project Update documentation.

Example:

 "tags": [
    {
      "key": "component",
      "value": "pkg:github/my-team/back-end@main"
    }
  ],

To ensure you have set up your Kubernetes Connector properly, navigate to the Set up Insights tab on the Insights page and check the Image composition section to view the data Insights has access to.

PreviousPrioritization setup: Image scanning NextUsing the Insights UI

Last updated 16 days ago