Snyk

Last updated 10 days ago

Snyk is a cybersecurity platform that scans for and surfaces vulnerabilities across your codebase.

Integrating Snyk with Cortex allows you to:

  • View vulnerabilities on entity pages in Cortex, quickly connecting issues to entities and their owners

    • Enhance the Snyk experience by aggregating issues into an entity's event timeline so they can be understood in the context of other events, like deploys and on-call incidents

  • Use Scorecards to measure entity quality based on Snyk data and drive quality improvements to your security practices

How to configure Snyk with Cortex

Prerequisites

Before getting started:

  • Create a Snyk API token. The token will need the following read permissions:

    • View Organization Reports: Lists reporting issue counts.

    • View Organization: Allows Cortex to get a flattened list of all projects across all orgs.

    • View Project History: Allows Cortex to get project history.

    • View Project: Lists issues for a project.

Configure the integration in Cortex

Once you've created an API token in Snyk, you can create a configuration from Snyk settings.

In Cortex, navigate to the Snyk settings page and add the configuration:

  1. In Cortex, click your avatar in the lower left corner, then click Settings.

  2. Under "Integrations," click Snyk.

  3. Click Add configuration.

  4. Configure the integration form:

    • API token: Enter the API token you generated in Snyk.

    • Region: Enter the Snyk region where your data is hosted. The default region is USA.

  5. Click Save.

After saving your configuration, you are redirected to the Snyk integration settings page in Cortex. In the upper right corner of the page, click Test configuration to ensure Snyk was configured properly.

On this page, you'll also see a list of detected organizations pulled from Snyk, along with the unique Snyk ID and internal name associated with each organization.

How to connect Cortex entities to Snyk projects

Discovery

Cortex uses the Git repository as the "best guess" for the corresponding Snyk project since Snyk projects are connected to repositories. Cortex will search for all Snyk projects across all Snyk organizations and pull in projects associated with the same repository. For example, if the GitHub repo associated with your Snyk instance is my-org/repo, then the entities in Cortex should also be associated with my-org/repo.

Editing the entity descriptor

You can define projects under the x-cortex-snyk block:

x-cortex-snyk:
  projects:
    - organization: org-name
      projectId: 01234567-e65f-4b7b-a8b1-5b642894ec37
      source: CODE
| Field | Description | Required |
| --- | --- | --- |
| organization | The organization ID or organization slug in Snyk | ✓ |
| projectId | The project ID defined in Snyk | ✓ |
| source | Enum field that can be set to either CODE or OPEN_SOURCE to indicate the Snyk product type; defaults to OPEN_SOURCE when not set | |

You can define organization with the organization ID or its slug in Snyk.
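The following is an added example, not Cortex's own code: a small validator that applies the field rules from the table above to the x-cortex-snyk block of an entity descriptor, so a bad registration is caught before it is committed. It assumes the descriptor has already been parsed into a dict (for example from cortex.yaml), checks projectId as a UUID because that is the form shown in the example above, matches key names exactly, and fills in the documented OPEN_SOURCE default when source is omitted.

```python
# Added example (not Cortex's own code): validate the x-cortex-snyk block of an
# entity descriptor, applying the field rules from the table above.
# Assumptions: the descriptor is already parsed into a dict; projectId is checked
# as a UUID (the form shown in the page's example); key names are matched exactly.
import uuid
from typing import Dict, List, Optional, Tuple

VALID_SOURCES = ("CODE", "OPEN_SOURCE")
DEFAULT_SOURCE = "OPEN_SOURCE"          # documented default when source is omitted
KNOWN_KEYS = {"organization", "projectId", "source"}


def _is_uuid(value: object) -> bool:
    """True when value is a string in canonical UUID form (assumed for Snyk project IDs)."""
    if not isinstance(value, str):
        return False
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def normalize_snyk_projects(descriptor: Dict) -> Tuple[List[Dict], List[str]]:
    """Return (normalized projects, error messages) for descriptor['x-cortex-snyk'].

    Each normalized project carries organization, projectId and source, with
    source filled in as OPEN_SOURCE when omitted. A project with any error is
    left out of the normalized list, so callers can treat errors as fatal.
    """
    block = descriptor.get("x-cortex-snyk")
    if block is None:
        # No explicit registration: Cortex falls back to repository-based discovery.
        return [], []
    projects = block.get("projects") if isinstance(block, dict) else None
    if not isinstance(projects, list) or not projects:
        return [], ["x-cortex-snyk.projects must be a non-empty list"]

    normalized: List[Dict] = []
    errors: List[str] = []
    for index, project in enumerate(projects):
        path = f"x-cortex-snyk.projects[{index}]"
        if not isinstance(project, dict):
            errors.append(f"{path}: expected a mapping")
            continue
        local: List[str] = []
        organization = project.get("organization")
        if not isinstance(organization, str) or not organization.strip():
            local.append(f"{path}.organization is required (Snyk org ID or slug)")
        if not _is_uuid(project.get("projectId")):
            local.append(f"{path}.projectId must be the Snyk project UUID")
        source = project.get("source", DEFAULT_SOURCE)
        if source not in VALID_SOURCES:
            local.append(f"{path}.source must be one of {list(VALID_SOURCES)}, got {source!r}")
        unknown = set(project) - KNOWN_KEYS
        if unknown:
            local.append(f"{path}: unknown keys {sorted(unknown)}")
        if local:
            errors.extend(local)
        else:
            normalized.append({"organization": organization.strip(),
                               "projectId": project["projectId"],
                               "source": source})
    return normalized, errors


# Constructed sample descriptors: the first mirrors the page's example and adds a
# second project that relies on the source default; the second has typical mistakes.
GOOD_DESCRIPTOR = {
    "x-cortex-snyk": {"projects": [
        {"organization": "org-name",
         "projectId": "01234567-e65f-4b7b-a8b1-5b642894ec37", "source": "CODE"},
        {"organization": "org-name",
         "projectId": "11111111-2222-4333-8444-555555555555"},
    ]}
}
BAD_DESCRIPTOR = {
    "x-cortex-snyk": {"projects": [
        {"projectId": "not-a-uuid", "source": "code"},   # lowercase enum, missing org
    ]}
}

if __name__ == "__main__":
    for label, descriptor in (("good", GOOD_DESCRIPTOR), ("bad", BAD_DESCRIPTOR)):
        projects, errors = normalize_snyk_projects(descriptor)
        print(label, projects, errors)
```

Running the validator in a pre-commit hook or a GitOps pipeline step turns a silent mis-registration (which would leave an entity with no Snyk data and a failing `snyk != null` rule) into an explicit error on the change itself.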

Using the Snyk integration

Viewing Snyk vulnerabilities on an entity

Once the Snyk integration is set up, you'll be able to find information about vulnerabilities for each entity linked to a discovered repo.

Entity page overview

On an entity details page, see vulnerabilities listed under the Code & security block. Within this block, issues and vulnerabilities are grouped by severity: Critical, High, Medium, and Low. Click into any of these to open a list of all applicable issues and vulnerabilities.

Entity code & security sidebar

In an entity's sidebar, click Code & security > Snyk to view detected issues and vulnerabilities from Snyk, including the associated organization name and project name.

Because Snyk aggregates problems as "issues," data pulled in from Snyk will be listed as issues, while data pulled in from a Git source will be listed as vulnerabilities.

Vulnerabilities pulled from Git sources display the project name and a severity tag. Each issue pulled from Snyk displays the following information, when available:

  • Title

  • Issue ID (linked to the issue in Snyk)

  • Publish date

  • Severity tag

  • Priority score tag

Event timeline

Issues from Snyk and vulnerabilities detected in Git appear in the entity's event timeline, which you can find from the Events link in the entity's sidebar. Issues and vulnerabilities display alongside other events, such as K8s changes, Git commits, and on-call incidents.

Scorecards and CQL

With the Snyk integration, you can create Scorecard rules and write CQL queries based on Snyk projects. See more examples in the CQL Explorer in Cortex.

Check if Snyk project is set

Check if an entity has a registered Snyk project in its entity descriptor. If no registration exists, but there is a Git repository registration, Cortex will try to automatically detect which Snyk project corresponds to a given entity.

Definition: snyk (==/!=) null

Example

An initial level in a security Scorecard might include a rule to make sure entities are associated with a Snyk project; without this, Cortex won't pick up data about issues from Snyk.

snyk != null

Setting a snyk != null rule can also serve as a secondary check to confirm an entity is synced properly with Snyk and is reporting frequently.

Number of Snyk issues

List all aggregated issues for a given entity's Snyk project.
  • Project registration

  • Aggregated issues for an entity's project

  • Details about issues (when available)

    • CVSS score

    • Disclosure time

    • Exploit maturity

    • Issue ID

    • Language

    • Nearest fixed version

    • Original severity

    • Package name

    • Priority score

    • Publication time

    • Severity

    • Type

    • URL

    • Boolean characteristics:

      • Fixable or partially fixable

      • Ignored

      • Malicious

      • Patchable or patched

      • Pinnable

      • Upgradable

Definition: snyk.issues()

Example

The Scorecard's top level might include a rule to ensure that entities have a low number of Snyk issues.

snyk.issues() < 3

To indicate progress over time and incentivize further improvement, you could set an intermediate rule with a slightly higher count of Snyk issues.

snyk.issues() < 5

If an entity has a Snyk project set and only one or two issues, it will achieve the highest level by these standards. An entity with a Snyk project set and three or four issues will achieve the next-highest level, while an entity with a Snyk project set and five or more issues will achieve the lowest level. Entities without a Snyk project will not achieve any level, regardless of how many issues they have.

You can also write more complex rules to set more specific standards. Instead of setting a rule for a moderate number of Snyk issues, you could check that entities have no outstanding critical issues.

snyk.issues(severity=["CRITICAL"], fixability=["FIXABLE"]) <= 0

Snyk does not currently support aggregated issues in regions outside of the U.S.A. Please use .issues() rather than .numOfIssues() if in a non-U.S.A. region.
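The following is an added example, not Cortex's rule engine or any code from the page: it models the three-level Scorecard described above (snyk != null, then snyk.issues() < 5, then snyk.issues() < 3) and the stricter no-fixable-critical rule against constructed issue data, so you can see which level each entity would reach before the rules go into a Scorecard. It assumes an entity with no Snyk project models `snyk == null`, that levels are cumulative, and that issue records carry the severity and fixability values used by the CQL filters above; the level names, the NOT_FIXABLE value and the function names are hypothetical.

```python
# Added example (not Cortex's rule engine): model the Scorecard levels described
# above against constructed issue data. Assumptions: an entity with no Snyk project
# models `snyk == null`; issue dicts carry the severity and fixability values the
# CQL filters use (NOT_FIXABLE is a constructed value); levels are cumulative and
# their names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Entity:
    name: str
    snyk_project: Optional[str]                 # None models `snyk == null`
    issues: List[Dict] = field(default_factory=list)


def snyk_issues(entity: Entity, severity: Optional[List[str]] = None,
                fixability: Optional[List[str]] = None) -> Optional[int]:
    """Count issues like `snyk.issues(severity=[...], fixability=[...])` (assumed semantics).

    Returns None when the entity has no Snyk project, so no comparison rule can pass.
    """
    if entity.snyk_project is None:
        return None
    count = 0
    for issue in entity.issues:
        if severity and issue["severity"] not in severity:
            continue
        if fixability and issue["fixability"] not in fixability:
            continue
        count += 1
    return count


def _less_than(value: Optional[int], limit: int) -> bool:
    return value is not None and value < limit


# Ordered lowest level first; each level also requires every level below it.
LEVELS = [
    ("Level 1", "snyk != null",      lambda e: e.snyk_project is not None),
    ("Level 2", "snyk.issues() < 5", lambda e: _less_than(snyk_issues(e), 5)),
    ("Level 3", "snyk.issues() < 3", lambda e: _less_than(snyk_issues(e), 3)),
]


def achieved_level(entity: Entity) -> Optional[str]:
    """Highest level whose rule, and every lower rule, passes; None if Level 1 fails."""
    achieved = None
    for name, _cql, check in LEVELS:
        if not check(entity):
            break
        achieved = name
    return achieved


def has_no_fixable_critical(entity: Entity) -> bool:
    """The stricter rule: snyk.issues(severity=["CRITICAL"], fixability=["FIXABLE"]) <= 0."""
    count = snyk_issues(entity, severity=["CRITICAL"], fixability=["FIXABLE"])
    return count is not None and count <= 0


def _issue(severity: str, fixability: str) -> Dict:
    return {"severity": severity, "fixability": fixability}


# Constructed sample entities covering each outcome the text describes.
SAMPLE_ENTITIES = {
    "payments": Entity("payments", "proj-a",
                       [_issue("LOW", "FIXABLE"), _issue("MEDIUM", "NOT_FIXABLE")]),
    "search": Entity("search", "proj-b",
                     [_issue("CRITICAL", "FIXABLE"), _issue("HIGH", "FIXABLE"),
                      _issue("LOW", "FIXABLE"), _issue("LOW", "NOT_FIXABLE")]),
    "legacy-batch": Entity("legacy-batch", "proj-c", [_issue("MEDIUM", "FIXABLE")] * 6),
    "unregistered": Entity("unregistered", None, []),
}

if __name__ == "__main__":
    for entity in SAMPLE_ENTITIES.values():
        print(entity.name, achieved_level(entity), has_no_fixable_critical(entity))
```

Note how the unregistered entity reaches no level at all even though it reports zero issues: counting rules only make sense once `snyk != null` holds, which is why the page places that rule at the lowest level.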

Background sync

Cortex fetches issues and vulnerabilities from Snyk and Git sources in real time. Depending on the volume of data, it may take additional time for the data to load on an entity page.

Projects from Snyk are synced every 6 hours.

Still need help?

The following options are available to get assistance from the Cortex Customer Engineering team:

  • Chat: Available in the Resource Center

  • Slack: Users with a connected Slack channel will have a workflow added to their account. From here, you can either @CortexTechnicalSupport or add a :ticket: reaction to a question in Slack, and the team will respond directly.

Don't have a Slack channel? Talk with your Customer Success Manager.

  • Email: help@cortex.io, or open a support ticket in the in-app Resource Center

