Step by step guide to integrate Snyk with Jenkins pipeline

Snyk is an open source dependency scanning tool. Today’s post is a walkthrough of how to set up Snyk with your Jenkins pipeline. It’s a fairly short post and we will divide the setup into three sections: configure Snyk from the portal, set up Jenkins, and finally perform the scan.


Set the API key

Obtain the organisation ID and API key for your Snyk installation: for the free version, sign up at https://snyk.io; for the enterprise version, use your enterprise organisation ID and API key.

Screenshot: Snyk portal

Obtain the API key

Obtain your API token from the portal.

Screenshot: API token

Setup Jenkins

Install Snyk plugin

Download the Snyk plugin from the Jenkins plugin marketplace. We used Snyk Security plugin version 1.9.10, as shown below.


Configure Snyk plugin

Configure the Snyk plugin on Jenkins with the API token. Navigate to Manage Jenkins -> Configure System -> Global Properties -> Environment variables.

Set the API token as the environment variable “SNYK_TOKEN”, as shown below.


A few caveats to note:

After you install the Snyk plugin, ensure Docker is installed on your Jenkins box. By default the Snyk plugin pulls a Docker image with Snyk installed and performs the scan inside it; alternatively you can point it at a local Snyk Docker image.

Perform Scan

Create a pipeline

Create a pipeline and include your git repository.


Under the build section, add Snyk as a build step and modify it as required. You can specify your own Snyk Docker image, as mentioned earlier, under “Docker Image”. You can also choose to fail the build, as shown below, or let the build continue when Snyk detects vulnerabilities. You can also pass runtime arguments, such as displaying only issues of medium severity or above using the severity threshold flag.

Screenshot: Snyk settings
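The same build step expressed as a declarative Jenkinsfile, as an added example that is not part of the original post or of the Snyk plugin. It runs the Docker-based `snyk test` the plugin performs, with the severity threshold and the fail/continue choice exposed as build parameters. The credential ID `snyk-api-token`, the image tag `snyk/snyk:node` and the parameter names are assumptions; the `--severity-threshold` and `--json-file-output` flags are real Snyk CLI options, and the exit codes in the comments are those documented for `snyk test`.

```groovy
// Added example, not from the post: a declarative Jenkinsfile that runs the same
// Docker-based "snyk test" the plugin's build step performs, with the severity
// threshold and fail/continue choice exposed as build parameters.
pipeline {
    agent any

    parameters {
        // Assumed parameter names; the post sets the same options in the plugin UI.
        choice(name: 'SEVERITY_THRESHOLD', choices: ['low', 'medium', 'high'],
               description: 'Only report issues at this severity or above')
        booleanParam(name: 'FAIL_ON_ISSUES', defaultValue: true,
                     description: 'Fail the build when Snyk reports issues')
    }

    environment {
        // 'snyk-api-token' is an assumed "Secret text" credential ID. Binding the
        // token from the credential store (instead of a global environment
        // variable) keeps it masked in the console output.
        SNYK_TOKEN = credentials('snyk-api-token')
        // Assumed image; use the snyk/snyk tag that matches your ecosystem.
        SNYK_IMAGE = 'snyk/snyk:node'
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Snyk test') {
            steps {
                script {
                    // snyk test exit codes: 0 = no issues, 1 = issues found,
                    // 2 = the scan itself failed, 3 = no supported project found.
                    int rc = sh(
                        returnStatus: true,
                        script: "docker run --rm -e SNYK_TOKEN " +
                                "-v \"${env.WORKSPACE}:/app\" -w /app ${env.SNYK_IMAGE} " +
                                "snyk test --severity-threshold=${params.SEVERITY_THRESHOLD} " +
                                "--json-file-output=snyk-results.json"
                    )
                    // Keep the JSON report with the build so findings can be reviewed later.
                    archiveArtifacts artifacts: 'snyk-results.json', allowEmptyArchive: true

                    if (rc == 1) {
                        if (params.FAIL_ON_ISSUES) {
                            error "Snyk found issues of ${params.SEVERITY_THRESHOLD} severity or above"
                        } else {
                            unstable "Snyk found issues; build continues because FAIL_ON_ISSUES is false"
                        }
                    } else if (rc != 0) {
                        // A scan that did not run is not a clean result; never let it pass silently.
                        error "Snyk scan did not complete (exit code ${rc})"
                    }
                }
            }
        }
    }
}
```

Two design points worth checking in your own pipeline: the token is bound from the Jenkins credential store rather than a global environment variable, so it is masked in the console log and not visible to every job on the controller; and only exit code 1 is treated as "issues found", so a scan that errors out (exit 2) or finds nothing to scan (exit 3) fails the build instead of being mistaken for a clean result.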

Once the scan is complete, the build will either fail or pass depending on the Snyk results. You should be able to view the scan results within Jenkins, as below:

Screenshot: Results

In the above case the build failed because the project contains high and medium risk issues. If issues are to be ignored or accepted, you can modify the Snyk policy file (.snyk), which you can create from the command line via “snyk wizard”. Place the policy file in the same directory as the source code and Snyk should detect it automatically.
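What such a policy file looks like, as an added example that is not from the post or generated by the Snyk wizard. The issue ID, reason and expiry date are placeholders; a real ID is taken from the scan output, and the file lives next to the project manifest so the scan picks it up.

```yaml
# Added example of a .snyk policy file (not from the post). The issue ID,
# reason and expiry are placeholders; real IDs come from the scan output.
version: v1.19.0
ignore:
  'SNYK-PLACEHOLDER-ISSUE-ID':
    # '*' applies the ignore to every dependency path that reaches this issue;
    # a specific path can be given instead to keep the exception narrow.
    - '*':
        reason: 'Accepted risk: the affected function is not reachable from this service'
        # Ignores should expire so accepted risks are revisited rather than forgotten.
        expires: '2099-01-01T00:00:00.000Z'
patch: {}
```

The `expires` field is the part to pay attention to: an ignore without an expiry silently removes the issue from every future build, whereas an expiring one resurfaces in the Jenkins results when the date passes and forces the acceptance to be re-justified. Because the policy file is committed alongside the source, changes to it show up in code review like any other change.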

I hope you found this tutorial useful. Feel free to provide any comment or feedback.

Product Security | Sydney |https://www.linkedin.com/in/tanvirahmed11/
