Snyk is a scanning tool for open source dependencies. Today's post is a walkthrough of how to set up Snyk with your Jenkins pipeline. It is a fairly short post and we will divide the setup into three sections: configure Snyk from the portal, set up Jenkins and finally perform the scan.
Set the API key
Obtain the organisation ID and API key for your Snyk installation: for the free version sign up at https://snyk.io; for the enterprise version use your enterprise organisation ID and API key.
Obtain the API key
Obtain your API token from the portal.
Install Snyk plugin
Download the Snyk plugin from the Jenkins plugin marketplace. We used Snyk Security plugin version 1.9.10 as shown below.
Configure Snyk plugin
Configure the Snyk plugin on Jenkins with the API token. Navigate to Manage Jenkins -> Configure System -> Global Properties -> Environment variables.
Add the API token as the environment variable “SNYK_TOKEN”, as shown below.
A few caveats to note:
After you download the Snyk plugin, ensure Docker is installed on your Jenkins box. By default the Snyk plugin pulls a Docker image with Snyk installed and performs the scan inside it; alternatively you can point it at a local Snyk Docker image.
Create a pipeline
Create a pipeline and include your git repository.
Under the build section, add Snyk as a build step and modify it as required. You can specify your own Snyk Docker image, as mentioned earlier, under “Docker Image”. You can also configure the step to fail the build, as shown below, or let the build continue when Snyk detects vulnerabilities. You can also pass runtime arguments, for example the severity threshold flag to display only issues of medium severity or above.
Once the scan is complete, the build will either fail or pass depending on the Snyk results. You should be able to view the scan results within Jenkins as below:
In the above case the build fails because the project contains high and medium risk issues. If issues are to be ignored or accepted, you can modify the Snyk policy file (.snyk), which you can create from the command line via “snyk wizard”. Place the policy file in the same directory as the source code and Snyk should detect it automatically.
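The same setup expressed as a declarative Jenkinsfile, added here as an example and not taken from the original post or from the Snyk plugin's documentation. It assumes the Docker Pipeline plugin is installed on the Jenkins controller, that the Snyk API token is stored as a Jenkins "Secret text" credential with the ID snyk-api-token (so it is injected per build rather than set as a global environment variable), and that the public snyk/snyk:node image is acceptable; the repository URL is a placeholder. The severity threshold and the fail-or-continue choice from the plugin UI are reproduced with the Snyk CLI's --severity-threshold flag and its exit codes.

```groovy
// Added example, not the original post's configuration. Assumptions: Docker Pipeline
// plugin present, Secret text credential 'snyk-api-token', placeholder repository URL.
pipeline {
    agent any

    environment {
        // Severity threshold for the scan; the post uses "medium or above".
        SNYK_SEVERITY = 'medium'
        // Set to 'false' to report issues but let the build continue.
        FAIL_ON_ISSUES = 'true'
    }

    stages {
        stage('Checkout') {
            steps {
                // Placeholder repository; the checkout brings any .snyk policy file
                // in the project root into the workspace, where snyk picks it up.
                git url: 'https://git.example.invalid/org/app.git', branch: 'main'
            }
        }

        stage('Snyk test') {
            steps {
                // SNYK_TOKEN is the variable name the post configures globally; here it is
                // bound from the credential store for the duration of this step only.
                withCredentials([string(credentialsId: 'snyk-api-token', variable: 'SNYK_TOKEN')]) {
                    script {
                        // The image entrypoint is cleared so Jenkins can exec commands in the container.
                        docker.image('snyk/snyk:node').inside('--entrypoint=""') {
                            // snyk test exit codes: 0 = no issues, 1 = issues found,
                            // 2 = scan failed, 3 = no supported projects found.
                            def rc = sh(
                                script: "snyk test --severity-threshold=${SNYK_SEVERITY} --json-file-output=snyk.json",
                                returnStatus: true
                            )
                            // Keep the JSON report with the build so results can be reviewed later.
                            archiveArtifacts artifacts: 'snyk.json', allowEmptyArchive: true

                            if (rc == 1) {
                                if (FAIL_ON_ISSUES == 'true') {
                                    error("Snyk found issues at severity ${SNYK_SEVERITY} or above")
                                } else {
                                    unstable("Snyk found issues; build allowed to continue")
                                }
                            } else if (rc != 0) {
                                // A scan that could not run is a pipeline error, not a clean result.
                                error("Snyk could not complete the scan (exit code ${rc})")
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Distinguishing exit code 1 (issues found) from 2 and 3 (scan did not run) matters: a pipeline that treats every non-zero status the same way will fail on a broken scan, but one that treats every non-zero status as "vulnerabilities found, continue" would silently pass a build whose dependencies were never inspected.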
I hope you found this tutorial useful. Feel free to provide any comment or feedback.