
Snyk


Snyk is a cybersecurity platform that scans for and surfaces vulnerabilities across your codebase. By integrating Snyk with Cortex, you can seamlessly map issues back to entities and their owners, driving a more comprehensive understanding of your architecture.

Cortex enhances the Snyk experience by aggregating issues into an entity's event timeline so they can be understood in the context of other events, like deploys and on-call incidents. Cortex can also measure entity quality based on Snyk data and drive quality improvements to your security practices.

Setup and configuration

Getting started

In order to connect Cortex to your Snyk instance, you’ll need to create a Snyk API token.

The token needs only the following read permissions. None of Snyk's write scopes are required, so a token scoped to just these is the least-privilege choice:

  • View Organization: Allows Cortex to get a flattened list of all projects across all orgs.
  • View Project: Lists issues for a project.
  • View Organization Reports: Lists reporting issue counts.

Configuration

Once you've created an API token in Snyk, add it in Cortex on the Snyk Settings page.

caution

If you do not see the Settings page you're looking for, you likely don't have the proper permissions and need to contact your admin.

Once you save your configuration, you'll see the last four characters of the token you entered. If you’ve set everything up correctly, you’ll see the option to Remove Integration in settings.

You can also use the Test configuration button to confirm that the configuration was successful. If your configuration is valid, you’ll see a banner that says “Configuration is valid. If you see issues, please see documentation or reach out to Cortex support.”

You'll also see a list of detected organizations pulled from Snyk, along with the unique Snyk ID and internal name associated with each organization.

Registration

Discovery

Cortex uses the Git repository as the "best guess" for the corresponding Snyk project, since Snyk projects are connected to repositories. Cortex searches all Snyk projects across all of your Snyk organizations and pulls in those associated with the same repository as the entity. For example, if a Snyk project is connected to the GitHub repo my-org/repo, Cortex associates it with the Cortex entities whose repository is my-org/repo.

Entity descriptor

If you need to override automatic discovery, you can define the following block in your Cortex entity descriptor.

x-cortex-snyk:
  projects:
    - organization: 01234567-e65f-4b7b-a8b1-5b642894ec37 # Cortex also supports organization slug in this field
      projectId: 01234567-e65f-4b7b-a8b1-5b642894ec37
      source: CODE # optional, defaults to OPEN_SOURCE

The organization value is the Snyk organization ID or organization slug, and projectId is the project ID shown in Snyk.

The source field is an optional enum field that can be set to either CODE or OPEN_SOURCE to indicate the Snyk product type. If source is not set, it defaults to OPEN_SOURCE.

tip

You can define organization with the organization ID or its slug in Snyk.
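Because a typo in an x-cortex-snyk override silently yields no Snyk data for the entity, it is worth validating the block before committing the descriptor. The following is an added example, not Cortex's or Snyk's code: it checks the constraints stated above (organization is a Snyk organization ID or slug, projectId is the Snyk project ID, source is CODE or OPEN_SOURCE and defaults to OPEN_SOURCE) against an already-parsed descriptor. The slug regex and the sample slug my-org are assumptions; Snyk organization and project IDs are UUIDs.

```python
"""Validator for the x-cortex-snyk override block of a Cortex entity descriptor.

Added example, not Cortex's or Snyk's code. It runs on an already-parsed
descriptor (a dict), so load the YAML with any parser first.
"""
import re
import uuid
from typing import Any, Dict, List, Tuple

ALLOWED_SOURCES = {"CODE", "OPEN_SOURCE"}
DEFAULT_SOURCE = "OPEN_SOURCE"
# Assumed slug shape (not specified on the page): lowercase letters, digits, '-' and '_'.
SLUG_RE = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def is_uuid(value: Any) -> bool:
    """True if value parses as a UUID, the format Snyk uses for org and project IDs."""
    if not isinstance(value, str):
        return False
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def validate_snyk_block(descriptor: Dict[str, Any]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Check descriptor['x-cortex-snyk'] and return (normalized_projects, errors).

    normalized_projects holds only the entries that passed, with the optional
    source filled in with its default. An absent block is valid: Cortex then
    falls back to repository-based discovery.
    """
    normalized: List[Dict[str, str]] = []
    errors: List[str] = []
    block = descriptor.get("x-cortex-snyk")
    if block is None:
        return normalized, errors
    projects = block.get("projects") if isinstance(block, dict) else None
    if not isinstance(projects, list) or not projects:
        errors.append("x-cortex-snyk.projects must be a non-empty list")
        return normalized, errors

    for idx, entry in enumerate(projects):
        where = f"x-cortex-snyk.projects[{idx}]"
        if not isinstance(entry, dict):
            errors.append(f"{where}: expected a mapping with organization and projectId")
            continue
        entry_errors: List[str] = []
        org = entry.get("organization")
        if not (is_uuid(org) or (isinstance(org, str) and SLUG_RE.match(org))):
            entry_errors.append(f"{where}.organization: must be a Snyk organization ID or slug")
        project_id = entry.get("projectId")
        if not is_uuid(project_id):
            entry_errors.append(f"{where}.projectId: must be the Snyk project ID (a UUID)")
        source = entry.get("source", DEFAULT_SOURCE)
        if source not in ALLOWED_SOURCES:
            entry_errors.append(f"{where}.source: must be CODE or OPEN_SOURCE, got {source!r}")
        if entry_errors:
            errors.extend(entry_errors)
        else:
            normalized.append({"organization": org, "projectId": project_id, "source": source})
    return normalized, errors


def good_descriptor() -> Dict[str, Any]:
    """Constructed sample: the page's example entry plus one keyed by a hypothetical slug."""
    return {"x-cortex-snyk": {"projects": [
        {"organization": "01234567-e65f-4b7b-a8b1-5b642894ec37",
         "projectId": "01234567-e65f-4b7b-a8b1-5b642894ec37"},
        {"organization": "my-org",  # hypothetical org slug
         "projectId": "89abcdef-0123-4567-89ab-cdef01234567",
         "source": "CODE"},
    ]}}


def bad_descriptor() -> Dict[str, Any]:
    """Constructed sample with two common mistakes: a repo name as projectId, a bad source."""
    return {"x-cortex-snyk": {"projects": [
        {"organization": "my-org", "projectId": "my-org/repo"},
        {"organization": "my-org",
         "projectId": "89abcdef-0123-4567-89ab-cdef01234567",
         "source": "CONTAINER"},
    ]}}


if __name__ == "__main__":
    for name, desc in (("good", good_descriptor()), ("bad", bad_descriptor())):
        projects, errs = validate_snyk_block(desc)
        print(f"{name}: {len(projects)} valid project(s); " + "; ".join(errs))
```

Run it as a pre-commit hook or in the pipeline that publishes descriptors; an entry that fails here would otherwise be accepted by the YAML parser and simply match nothing in Snyk.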

Expected results

Once the Snyk integration is set up, you'll be able to find information about vulnerabilities for each entity linked to a discovered repo.

Entity pages

From the Code and Security tab, you can find issues and vulnerabilities in the Issues and Vulnerabilities block. Because Snyk aggregates problems as "issues," data pulled in from Snyk will be listed as issues, while data pulled in from a Git source will be listed as vulnerabilities.

Within this block, issues and vulnerabilities will be grouped by severity into Critical, High, Medium, and Low blocks. Clicking into any of these will open a list of all applicable issues/vulnerabilities.

tip

Each block has icons in the corner indicating which integration(s) the data is pulled from.

Vulnerabilities pulled from Git sources will display the project name and a severity tag. Each issue pulled from Snyk will display the following information, when available:

  • Title
  • Issue ID (linked to the issue in Snyk)
  • Publish date
  • Severity tag
  • Priority score tag

From the Integrations tab in the sidebar, you can open the Snyk page to find more detailed information about each issue. In addition to the above information, you can find the associated organization name and project name.

Note

The name of the Issues and Vulnerabilities block will change depending on what data Cortex finds. If Cortex only detects vulnerabilities from a Git source, the block will display as Vulnerabilities. If it only finds issues from Snyk, it will display as Issues. When both are detected, you'll see Issues and Vulnerabilities.

Event timeline

Issues from Snyk and vulnerabilities detected in Git will populate in the entity's event timeline, which you can find from the Events tab in the sidebar. Issues and vulnerabilities will display alongside other events, like K8s changes, Git commits, and on-call incidents.

Scorecards and CQL

Once the Snyk integration is established, you can create Scorecard rules and write CQL queries based on your Snyk projects.

  • Project registration
  • Aggregated issues for an entity's project
  • Details about issues (when available)
    • CVSS score
    • Disclosure time
    • Exploit maturity
    • Issue ID
    • Language
    • Nearest fixed version
    • Original severity
    • Package name
    • Priority score
    • Publication time
    • Severity
    • Type
    • URL
    • Boolean characteristics:
      • Fixable or partially fixable
      • Ignored
      • Malicious
      • Patchable or patched
      • Pinnable
      • Upgradable

Real-world examples

For a Scorecard focused on security, you can use data pulled from the Snyk integration to set standards using both levels and rules.

An initial level might include a rule to make sure each entity is associated with a Snyk project; without this, Cortex won't pick up any issue data from Snyk.

snyk != null

The Scorecard's top level might include a rule to ensure that entities have a low number of Snyk issues.

snyk.issues() < 3

To indicate progress over time and incentivize further improvement, you could set a rule for a level in between with a slightly higher count of Snyk issues.

snyk.issues() < 5

If an entity has a Snyk project set and two or fewer issues, it will achieve the highest level by these standards. An entity with a Snyk project set and three or four issues will achieve the next-highest level, while an entity with a Snyk project set and five or more issues will achieve only the lowest level. Entities without a Snyk project will not achieve any level, regardless of how many issues they have.

You can also write more complex rules to set more specific standards. Instead of setting a rule on the total number of Snyk issues, you could check that entities have no outstanding critical issues for which Snyk reports a fix. The fixability filter excludes critical issues that cannot yet be fixed; drop it if you want the rule to fail on every critical issue.

snyk.issues(severity=["CRITICAL"], fixability=["FIXABLE"]) <= 0
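To make the level boundaries above concrete, the following added example models the three rules and the fixable-critical rule in plain Python and runs them over constructed entities. It is not Cortex's CQL engine; the level names Bronze, Silver and Gold are placeholders for the initial, middle and top levels, the issue IDs are made up, and only the FIXABLE value used in the rule is modelled for fixability.

```python
"""Model of the Snyk Scorecard rules on this page, run against constructed data.

Added example; this is not Cortex's CQL engine. It re-implements the semantics
of snyk != null, snyk.issues() < N and
snyk.issues(severity=[...], fixability=[...]) so the level boundaries, the
null-project case and the fixable-critical rule can be checked.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass
class SnykIssue:
    issue_id: str
    severity: str      # CRITICAL, HIGH, MEDIUM or LOW, as shown on the entity page
    fixable: bool      # the page's "fixable or partially fixable" characteristic


@dataclass
class SnykProject:
    issues: List[SnykIssue] = field(default_factory=list)

    def count_issues(self, severity: Optional[Sequence[str]] = None,
                     fixability: Optional[Sequence[str]] = None) -> int:
        """Mirror of snyk.issues(severity=[...], fixability=[...]).

        Only the FIXABLE value used on this page is modelled for fixability.
        """
        n = 0
        for issue in self.issues:
            if severity is not None and issue.severity not in severity:
                continue
            if fixability is not None and not ("FIXABLE" in fixability and issue.fixable):
                continue
            n += 1
        return n


Rule = Callable[[Optional[SnykProject]], bool]

# Ordered lowest to highest; level names are placeholders, rules are the page's.
LEVELS: List[Tuple[str, Rule]] = [
    ("Bronze", lambda p: p is not None),                           # snyk != null
    ("Silver", lambda p: p is not None and p.count_issues() < 5),  # snyk.issues() < 5
    ("Gold",   lambda p: p is not None and p.count_issues() < 3),  # snyk.issues() < 3
]


def achieved_level(project: Optional[SnykProject]) -> Optional[str]:
    """Highest level whose rule and every lower level's rule pass; None if none do."""
    achieved = None
    for name, rule in LEVELS:
        if not rule(project):
            break
        achieved = name
    return achieved


def no_fixable_critical(project: SnykProject) -> bool:
    """snyk.issues(severity=["CRITICAL"], fixability=["FIXABLE"]) <= 0"""
    return project.count_issues(severity=["CRITICAL"], fixability=["FIXABLE"]) <= 0


def sample_entities() -> Dict[str, Optional[SnykProject]]:
    """Constructed sample entities; issue IDs are placeholders, not real Snyk IDs."""
    def issues(n: int, severity: str = "MEDIUM", fixable: bool = True) -> List[SnykIssue]:
        return [SnykIssue(f"issue-{severity.lower()}-{i}", severity, fixable) for i in range(n)]
    return {
        "no-snyk-project": None,                    # fails every level, even with zero issues
        "clean": SnykProject(),
        "two-issues": SnykProject(issues(2)),
        "three-issues": SnykProject(issues(3)),
        "four-issues": SnykProject(issues(4)),
        "five-issues": SnykProject(issues(5)),
        "critical-unfixable": SnykProject(issues(1, "CRITICAL", fixable=False)),
        "critical-fixable": SnykProject(issues(1, "CRITICAL", fixable=True)),
    }


if __name__ == "__main__":
    for name, project in sample_entities().items():
        crit = "n/a" if project is None else no_fixable_critical(project)
        print(f"{name:20s} level={achieved_level(project)!s:7s} no_fixable_critical={crit}")
```

The critical-unfixable entity illustrates the caveat above: it reaches the top level and passes the fixable-critical rule even though it carries a critical issue, because no fix is available.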

Regardless of how you define your rules, Cortex enhances your use of Snyk by making your organization's security standards clear and providing next-level visibility into the security of all of your entities.

tip

A snyk != null rule also serves as a check that each entity is mapped to a Snyk project at all, whether through repository discovery or an x-cortex-snyk override. An entity that fails it is receiving no Snyk issue data, whatever its scan results in Snyk.

Background sync

Cortex fetches issues and vulnerabilities from Snyk and Git sources in real time.

Projects from Snyk are synced every 6 hours.

caution

Because the fetch for vulnerabilities and issues is live, it may take some time for this data to load on an entity page.

Still need help?

The following are all the ways to get assistance from our customer engineering team. Please use the option that is best for your users:

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center
  • Chat: Available in the Resource Center
  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don’t have a Slack channel? Talk with your customer success manager.