Snyk

Summary

Snyk is a security platform that lets teams find and fix vulnerabilities in their code and its dependencies. Cortex can use Snyk data to drive insights into values such as:

  • Vulnerabilities (the issue counts Snyk reports for each discovered project)

Setup

To connect Cortex to your Snyk instance, create a Snyk API token and add it under Settings → Snyk. The token carries whatever its owner is allowed to see, so prefer a read-only service account over a personal token, and make sure it has the following permissions:

  • View Organization, so Cortex can list every org and build a flattened list of all projects across all orgs
  • View Project, so Cortex can list the issues for a project
  • View Organization Reports, so Cortex can read the reporting issue counts
Caution: If you do not see the Settings page you're looking for in the sidebar, you likely don't have the proper permissions and need to contact your admin.

Registration

Discovery

Cortex uses the Git repository configured in the Catalog Descriptor to automatically discover the associated Snyk projects. It does so by listing all Snyk projects across all Snyk organizations the token can see, and selecting those whose target repository is the same repository as the entity's. An entity can therefore map to several projects (for example one Snyk Open Source project per manifest and one Snyk Code project for the same repository).

Entity descriptor

If you need to override the automatic discovery, you can define the following block in your Cortex entity descriptor.

x-cortex-snyk:
  projects:
    - organization: 01234567-e65f-4b7b-a8b1-5b642894ec37 # optionally, we also support the organization slug in this same field
      projectId: 01234567-e65f-4b7b-a8b1-5b642894ec37
      source: CODE # optional, defaults to OPEN_SOURCE

The values for organization and projectId should be the organization ID (or organization slug) and the project ID respectively, exactly as Snyk reports them. source is an optional enum field that can be set to either CODE (Snyk Code) or OPEN_SOURCE (Snyk Open Source) to indicate which Snyk product the project belongs to; if source is not set, it defaults to OPEN_SOURCE. When this block is present it replaces automatic discovery for the entity, so list every project you want Cortex to read.
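The discovery step and the override block, as an added example that is not Cortex's or Snyk's own code: it flattens projects across organizations, matches them against an entity's Git repository regardless of how the remote URL is spelled (https, ssh or scp-style, with or without .git), and renders the matches as the x-cortex-snyk block above. The org and project record shapes, the field names (id, slug, repo_url, source) and the sample data are constructed assumptions standing in for what the Snyk API returns; the repository comparison is the part worth studying, since a prefix match would wrongly attach acme/api-docs to acme/api.

```python
# Added example (not Cortex's or Snyk's code): the discovery logic described
# on the page, run offline on constructed data. Record shapes and field names
# are assumptions standing in for the Snyk API responses Cortex reads with the
# View Organization / View Project permissions.
import re
from urllib.parse import urlparse


def normalize_repo(url: str) -> str:
    """Reduce a Git remote URL to a canonical 'host/owner/repo' key so that
    https://, ssh:// and scp-style (git@host:owner/repo.git) spellings of the
    same repository compare equal, case-insensitively."""
    url = url.strip()
    scp = re.match(r"^(?:[\w.-]+@)?([\w.-]+):(?!//)(.+)$", url)
    if scp:
        host, path = scp.group(1), scp.group(2)
    else:
        parsed = urlparse(url)
        host, path = parsed.hostname or "", parsed.path
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host}/{path}".lower()


# Constructed sample data: two orgs visible to the token and the projects
# returned for each. 'repo_url' stands in for the project's target repository.
ORGS = [
    {"id": "11111111-0000-4000-8000-000000000001", "slug": "acme-platform"},
    {"id": "22222222-0000-4000-8000-000000000002", "slug": "acme-mobile"},
]
PROJECTS_BY_ORG = {
    ORGS[0]["id"]: [
        {"id": "p1", "name": "acme/api:package.json",
         "repo_url": "https://github.com/acme/api.git", "source": "OPEN_SOURCE"},
        {"id": "p2", "name": "acme/api",
         "repo_url": "git@github.com:Acme/API.git", "source": "CODE"},
        {"id": "p3", "name": "acme/api-docs:package.json",
         "repo_url": "https://github.com/acme/api-docs", "source": "OPEN_SOURCE"},
    ],
    ORGS[1]["id"]: [
        {"id": "p4", "name": "acme/ios:Podfile",
         "repo_url": "ssh://git@github.com/acme/ios.git", "source": "OPEN_SOURCE"},
    ],
}


def flatten_projects(orgs, projects_by_org):
    """Flatten projects across every org into one list (the step the View
    Organization and View Project permissions exist for), tagging each
    project with the org it belongs to."""
    flat = []
    for org in orgs:
        for project in projects_by_org.get(org["id"], []):
            flat.append({
                "organization": org["id"],
                "organizationSlug": org["slug"],
                "projectId": project["id"],
                "repo": project["repo_url"],
                "source": project["source"],
            })
    return flat


def discover(entity_repo_url, orgs, projects_by_org):
    """Return the projects whose target repository is the entity's Git
    repository. The comparison is on the whole normalized key, so acme/api
    does not pick up acme/api-docs."""
    wanted = normalize_repo(entity_repo_url)
    return [p for p in flatten_projects(orgs, projects_by_org)
            if normalize_repo(p["repo"]) == wanted]


def to_descriptor_block(matches):
    """Render matches as the x-cortex-snyk override block, for pinning the
    mapping in the entity descriptor when automatic discovery is not wanted."""
    lines = ["x-cortex-snyk:", "  projects:"]
    for m in matches:
        lines.append(f"    - organization: {m['organization']}")
        lines.append(f"      projectId: {m['projectId']}")
        lines.append(f"      source: {m['source']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_descriptor_block(
        discover("https://github.com/acme/api", ORGS, PROJECTS_BY_ORG)))
```

Running it prints an override block with two entries for acme/api (the Open Source project and the Code project) and none for acme/api-docs or acme/ios. If you generate the block this way from real API output, keep the organization field as the ID rather than the slug unless you rely on the slug never being renamed.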