CI/CD setup
Last updated
Last updated
More information
Snyk privacy policy© 2024 Snyk Limited | All product and company names and logos are trademarks of their respective owners.
To configure Snyk to run in a pipeline, retrieve key configuration inputs from your Snyk account.
When you run Snyk in your CI/CD platform, you typically want to post the test results to Snyk for review and ongoing monitoring.
If you do not define a target Organization, Snyk uses the default Organization for your authentication token:
For user accounts, this is the user's preferred Organization, configurable in the user's settings.
For Organization service accounts, this is the Organization in which the account was created.
You can define the target Organization in the Snyk CLI by using the --org
CLI option and either the orgslugname
or Organization ID:
You can define the target Organization using its orgslugname
as displayed in the address bar of the browser in the Snyk UI.
Alternatively, you can define the target Organization using its ORG_ID on the Organization settings page.
For more information, see How to select the Organization to use in the CLI.
For instructions on authenticating with Snyk, see Authenticate the CLI with your account.
Snyk supports the following approaches to add tests to a build pipeline:
Snyk integration plugins: Snyk provides pre-built plugins for several CI servers, including Jenkins, Team City, Bitbucket Pipelines, and Azure Pipelines.
Snyk CLI: Teams with more complex workflows or using a build system without a Snyk pre-built plugin, can use the Snyk CLI during CI/CD setups. See Setting up using Snyk CLI for details.
Snyk API: For teams with complex requirements, Snyk provides a REST API, which you can use for functions including initiating scans, onboarding new Projects, and testing arbitrary libraries. See the Snyk API documentation for details.
The Snyk CLI is a NodeJS application that can be scripted directly by developers for easy integration into most CI/CD environments. The Snyk CLI is available as an npm application, pre-packaged binary, or container image. For more information, see Install or update the Snyk CLI.
The Snyk CLI can be configured to:
Return non-zero error codes only when certain criteria are met, for example, exit with an error code only if vulnerabilities of high severity are present.
Output all of its data into JSON for more flexibility.
To continuously avoid known vulnerabilities in your dependencies, integrate Snyk into your continuous integration (build) system. In addition to this documentation, see the integration configuration examples in the Snyk Labs GitHub repository.
If you monitor a Project with Snyk, you will be notified if the dependencies in your Project are affected by newly disclosed vulnerabilities. To ensure the list of dependencies Snyk has for your Open Source Project is up to date, refresh it continuously by running snyk monitor
in your deployment process. Configure your environment to include the SNYK_TOKEN
environment variable. You can find your API token in your Snyk account settings.
Ensure you do not check your personal Snyk API token into source control, to avoid exposing it to others. Instead, use CI environment variables to configure your token.
See the guidance for how to do this in the following documentation:
You can find additional documentation through a web search for setting up env variables in CI
.