Integrate with Sysdig
To enhance its capabilities when detecting workload information, Snyk has partnered with Sysdig. The integration enriches the workload issues that Snyk detects with the runtime data provided by Sysdig.
Enable the Sysdig integration
For a successful integration with Sysdig, the Snyk Controller requires an extra Sysdig Secret in the snyk-monitor namespace. The Sysdig Secret name is snyk-sysdig-secret.
Execute the commands below after installing Sysdig, in order to allow the Snyk Controller to detect Sysdig in the cluster.
Create the snyk-sysdig-secret in the snyk-monitor namespace:
SYSDIG_RISK_SPOTLIGHT_TOKEN is the "Risk Spotlight Integrations Token" and must be generated through the Sysdig UI. To create this API token, see the Sysdig Risk Spotlight guide.
SYSDIG_ENDPOINT_URL is associated with your Sysdig SaaS application and region. To identify it, see SaaS Regions and IP Ranges. For example, for US West (Oregon), the domain is us2.app.sysdig.com (you must omit the prefix "https://").
SYSDIG_AGENT_CLUSTER is the cluster name that you configured when installing the Sysdig Agent (global.clusterConfig.name).
To enable Snyk to integrate with Sysdig and collect information about packages executed at runtime, use --set sysdig.enabled=true when installing the Snyk Controller:
Your Snyk Controller now collects data from Sysdig every 30 minutes.
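A pre-flight wrapper for the secret-creation step above, as an added example that is not taken from the Snyk documentation: it rejects an empty value or an endpoint that still carries "https://" or a path before kubectl is called. The secret key names (token, endpoint, cluster) and the KUBECTL override are assumptions to confirm against the Snyk documentation; the secret name, namespace and variable names are the ones given above.

```shell
#!/bin/sh
# Added example: validate the three inputs, then create snyk-sysdig-secret.
# Assumption: the secret keys are "token", "endpoint" and "cluster".
# Assumption: KUBECTL may be overridden (KUBECTL=echo) to preview the command.

# The endpoint must be a bare domain such as us2.app.sysdig.com.
check_endpoint() {
  case "$1" in
    "")               echo "SYSDIG_ENDPOINT_URL is empty" >&2; return 1 ;;
    *://*)            echo "SYSDIG_ENDPOINT_URL must omit the https:// prefix" >&2; return 1 ;;
    */*)              echo "SYSDIG_ENDPOINT_URL must be a bare domain, without a path" >&2; return 1 ;;
    *[!A-Za-z0-9.-]*) echo "SYSDIG_ENDPOINT_URL contains unexpected characters" >&2; return 1 ;;
  esac
}

# $1 = variable name (for the message), $2 = its value
check_set() {
  if [ -z "$2" ]; then
    echo "$1 is empty" >&2
    return 1
  fi
}

create_sysdig_secret() {
  check_set SYSDIG_RISK_SPOTLIGHT_TOKEN "${SYSDIG_RISK_SPOTLIGHT_TOKEN:-}" || return 1
  check_endpoint "${SYSDIG_ENDPOINT_URL:-}" || return 1
  check_set SYSDIG_AGENT_CLUSTER "${SYSDIG_AGENT_CLUSTER:-}" || return 1
  # Values are quoted so that shell metacharacters in them are passed literally.
  "${KUBECTL:-kubectl}" create secret generic snyk-sysdig-secret -n snyk-monitor \
    --from-literal=token="$SYSDIG_RISK_SPOTLIGHT_TOKEN" \
    --from-literal=endpoint="$SYSDIG_ENDPOINT_URL" \
    --from-literal=cluster="$SYSDIG_AGENT_CLUSTER"
}
```

Source the file, export the three variables, and call create_sysdig_secret; with KUBECTL=echo it prints the command instead of running it. The --from-literal form places the token in the process arguments, so run it from a shell on a host you trust.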
Enrich Snyk vulnerability data and priority score
To enrich the priority score of vulnerabilities it detects, Snyk uses packages executed at runtime. This allows Snyk to better prioritize which vulnerabilities to fix first. The priority score is available on both the Project page and in the Snyk public API.
To see which packages have been executed at runtime, you must wait for the next daily scan or manually import the workload into Snyk.
After enabling the Sysdig integration, allow 30 minutes before manually importing the workload. This is because of the following timing considerations related to the collection of executed packages:
The Snyk Controller collects data about executed packages once every 30 minutes.
Snyk re-scans imported Kubernetes Projects for new vulnerabilities daily.
Application support
For application vulnerabilities, Snyk currently provides support for the following languages:
Java
JavaScript
Go
For the updated list of supported languages, see Detect application vulnerabilities in container images.