Run an analysis with the JetBrains plugins
Ensure the Snyk plugin is configured, authenticated, and trusted for your current Project, as described in the configuration and authentication pages.
You can trigger snyk test using one of these methods:
automatic (default)
manual
A Snyk scan is triggered automatically when your Project is opened and whenever a supported file is saved. This behavior can be turned off in the plugin's scan configuration settings.
Ensure your files are saved before manually running an analysis.
To manually trigger snyk test (see the screen image that follows):
Click the Snyk icon in the sidebar to open the Snyk panel.
Click the Run (play) button at the top of the plugin sidebar.
If the play button is grayed out, a scan is already in progress. Wait for it to complete before starting another scan.
You may customize your scan behavior to reflect your company's security policy, or to focus on certain areas.
Snyk reports critical, high, medium, and low severities. There are two ways to control which severities are shown:
plugin settings for the Scan configuration
severity buttons at the top of the issues list in the Snyk panel, as shown in the screen image that follows
By default, all levels are selected. You must select at least one.
Snyk severity icons have the following meaning:
| Severity | Meaning |
| --- | --- |
| Critical | May allow attackers to access sensitive data and run code on your application. |
| High | May allow attackers to access sensitive data on your application. |
| Medium | May allow attackers, under some conditions, to access sensitive data on your application. |
| Low | The application may expose some data that allows vulnerability mapping, which can be combined with other vulnerabilities to attack the application. |
Snyk reports the following types of issues:
Open Source issues: found in open source dependencies; see details in the section below.
Code Security issues: found in your application's source code; see details in the section below.
Code Quality issues: found in your application's source code; see details in the section below.
Infrastructure as Code issues: found in infrastructure as code files; see details in the section below.
Container issues: found in images referenced from Kubernetes workload files; see details in the section below.
The exact capabilities and available scanners depend on your plan. Be sure your Organization's admin has enabled all Snyk products prior to configuring any of them in the IDE plugin.
There are two ways to show or hide specific issue types:
plugin settings for the Scan configuration
filter button in the panel's sidebar as shown in the screen image that follows
By default, all issue types are selected.
Starting with version 2.10.0, it is possible to see only newly introduced issues.
This functionality reduces noise and allows developers to focus on current changes only. Developers can prevent issues early, thus unlocking their CI/CD pipeline and speeding up delivery.
The logic uses the local Git repository: it compares the findings for the current working tree against those of a base branch and shows only the difference (current findings minus those already present in the base branch).
This can be configured in the scan configuration settings. Net New Issues is turned off by default, so you must turn it on manually.
After this feature is enabled, Snyk reports only the delta findings.
A newly created feature branch reports no issues, because nothing has changed relative to the base branch yet. That is the intended state that developers aim for; see the screen image that follows:
The base branch is usually automatically determined for each Git repository.
In advanced cases, developers may change their base branch by following these steps (see the screen image that follows):
Click on the top-level node in the Issues tree
Use dropdown selection to choose any branch
Click OK to save the selection
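The delta and filter logic described above, modelled as an added example that is not Snyk's or the plugin's own code. The Finding schema, the rule IDs, the file paths, the matching rule used to pair a finding across branches, and the two result sets are all constructed assumptions for illustration and do not reproduce the Snyk CLI or plugin output. It covers the Net New Issues delta (current findings minus those of the base branch, including the empty result on a fresh branch) and the severity and issue-type filters from the earlier sections, including the rule that at least one level and one type must stay selected.

```python
# Added example, not Snyk's code: a small model of how the plugin's
# "Net New Issues" delta and the severity/issue-type filters narrow what the
# Snyk panel shows. The Finding schema, rule IDs, file paths and the two result
# sets below are constructed for illustration and do not reproduce the Snyk CLI
# or plugin output format.
from dataclasses import dataclass

# Severity levels in the order the panel sorts them.
SEVERITY_ORDER = ("critical", "high", "medium", "low")
# Issue types the plugin can show or hide.
ISSUE_TYPES = ("oss", "code", "quality", "iac", "container")


@dataclass(frozen=True)
class Finding:
    issue_type: str   # one of ISSUE_TYPES
    rule_id: str      # placeholder identifier, not a real Snyk rule or vuln ID
    path: str         # file the issue was reported in
    severity: str     # one of SEVERITY_ORDER

    def key(self) -> tuple:
        # Identity used to match a finding between branches. Line numbers are
        # deliberately left out so that unrelated edits that shift code do not
        # make a pre-existing issue look new. This matching rule is an
        # assumption of the example, not a description of Snyk's algorithm.
        return (self.issue_type, self.rule_id, self.path)


def net_new(current: list[Finding], base: list[Finding]) -> list[Finding]:
    """Return findings in the current branch that are absent from the base branch.

    The delta is one-directional: issues fixed on the branch (present in base,
    absent in current) are not reported, and a branch identical to its base
    yields an empty list.
    """
    seen = {f.key() for f in base}
    return [f for f in current if f.key() not in seen]


def apply_filters(findings, severities, issue_types):
    """Keep only findings whose severity and issue type are both selected.

    Mirrors the panel's constraint that at least one severity level and at
    least one issue type must remain selected. Results are sorted in panel order.
    """
    if not severities:
        raise ValueError("at least one severity level must be selected")
    if not issue_types:
        raise ValueError("at least one issue type must be selected")
    unknown = set(severities) - set(SEVERITY_ORDER)
    if unknown:
        raise ValueError(f"unknown severity levels: {sorted(unknown)}")
    kept = [f for f in findings
            if f.severity in severities and f.issue_type in issue_types]
    return sorted(kept, key=lambda f: SEVERITY_ORDER.index(f.severity))


def severity_counts(findings):
    """Number of findings per severity, in panel order (zeros included)."""
    return {s: sum(1 for f in findings if f.severity == s) for s in SEVERITY_ORDER}


# Constructed sample data: what a scan of the base branch reported...
BASE = [
    Finding("oss", "dep-0001", "package.json", "high"),
    Finding("code", "sqli-example", "src/db.py", "critical"),
    Finding("iac", "public-bucket-example", "infra/main.tf", "medium"),
]
# ...and what the current feature branch reports: the IaC issue was fixed,
# two issues were introduced, and two carry over unchanged.
CURRENT = [
    Finding("oss", "dep-0001", "package.json", "high"),
    Finding("code", "sqli-example", "src/db.py", "critical"),
    Finding("code", "path-traversal-example", "src/files.py", "high"),
    Finding("oss", "dep-0002", "package.json", "low"),
]

if __name__ == "__main__":
    delta = net_new(CURRENT, BASE)
    print("net new:", [f.rule_id for f in delta])
    print("fresh branch:", net_new(BASE, BASE))
    print(severity_counts(apply_filters(delta, {"critical", "high"}, {"code", "oss"})))
```

Because the delta is computed as current minus base, the fixed IaC finding never appears in the Net New view; to see that a branch removed issues you still need the full (non-delta) scan of the base.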
Snyk Code analysis shows a list of security vulnerabilities and code quality issues found in your application code. To see more details, including examples of how others fixed the same issue, select the vulnerability or code issue.
Snyk Open Source analysis shows a list of vulnerabilities and license issues found in all manifest files. To see more detailed information, select a vulnerability or license issue.
With every scan, Snyk IaC analysis shows issues in your Terraform, Kubernetes, AWS CloudFormation, and Azure Resource Manager (ARM) files. The scan is based on the Snyk CLI and is fast enough for local development. To see more detailed information, select an issue.
This is an experimental feature that is likely to change.
The JetBrains plugin scans Kubernetes configuration files and searches for container images. Vulnerabilities are found quickly using the extracted container images and comparative analysis against the latest information from the Snyk Vulnerability Database.
Snyk Container analysis shows each of the security vulnerabilities that might affect your image. To see more detailed information, select a vulnerability.
A comparison table is displayed with counts per severity level (critical, high, and so on). It shows the difference in vulnerabilities between the current image and the image recommended by Snyk, an image with the same characteristics but fewer vulnerabilities, sorted by severity. This helps you decide whether to upgrade to the recommended image and increase your confidence in the image you run in production.