Snyk Connector Guide

How to set up and use the Snyk connector in RiskSense.

Overview

Snyk is a security platform for open-source dependencies that allows developers to identify, prioritize, and automatically fix open-source vulnerabilities throughout the development process. RiskSense offers an API-based connector that integrates Snyk vulnerability information into the RiskSense platform for further prioritization and accessibility.

Snyk Configuration

  • Configuration requires a Snyk account on the Standard or Pro plan.
  • Add one or more projects to Snyk.

Snyk User Permissions

Go to Settings in the Navigation Bar and select the Members tab on the left-hand side. Members can be invited and assigned a role on this page.

Snyk Connector - Settings and Members Menu Locations

Visit the Snyk Knowledge Center for more information on managing groups and organizations.

Connector Configuration in RiskSense

Setting Up the Snyk Connector

Navigate to the Automate > Integrations page.

Navigation - Automate - Integrations

Using the search bar in the upper-right corner of the Integrations page, type Snyk to find the connector. Locate the Snyk card under Applications and click Configuration.

Snyk Connector - Configuration Button Location

In the new window under Connection, complete the required fields, as described below.

Snyk Connector - Connector Configuration Window

  • Name: The connector’s name, e.g., “My Snyk Connector”.
  • URL: Snyk URL, e.g., https://app.snyk.io/.
  • API Key: The API token that has access to the Snyk Reporting API.
  • Network: The RiskSense network with which the ingested applications will be associated.

Click Test Credentials to verify the credentials are correct and have access to make API calls to the Snyk instance.

Snyk Connector - Test Credentials

Configure the desired schedule for the connector to retrieve results from the Snyk instance and optionally turn on Enable auto URBA (Update Remediation by Assessment). The user may also specify how far back scan data is pulled, choosing from the following options: 30 days, 60 days, 90 days, 6 months, or 1 year.

Snyk Connector - Oldest Scan Data Pull Options

Click Save to create the connector.

Snyk Connector - Save Button Location

Once saved, the connector is visible on the Integrations page under Currently Configured Integrations.

Snyk Connector - Configured Snyk Connector

On the Configuration (gear icon) > Uploads page, Snyk data is parsed from the scan file and displayed on the Applications and Application Findings pages.

Snyk Data Mapping in RiskSense

The Scanner Name associated with these scans is SNYK, which can be used as a filter on both the Applications and Application Findings pages in RiskSense.

Applications Page

Application data extracted from the Snyk scan file is shown on the Applications page as an asset with the following fields:

  • Address
  • URLs
  • Vulnerability Counts by Severity
  • Last Scan Date
  • Source
  • Package Manager
  • Affected Files

Application Findings Page

All finding data extracted from the Snyk scan file is shown on the Application Findings page in RiskSense.

  • Findings that are Fixed or Ignored will not be displayed in the Application Findings view.
  • Affected File is listed under Detailed Information
  • Additional Metadata Fields:
    • Risk Type (License, Security)
    • Module Name
    • Semantic Versioning
    • Published On
    • Language
    • Exploit Level
    • OSVDB
    • GHSA ID
    • NSP

Severity Mapping

The Snyk scan file contains the following severity levels: high, medium, and low. Based on the issue type (Security or License), RiskSense maps these levels to a Severity on its CHMLI scale as follows:

Snyk Severity Mapping to RiskSense Severity

  Issue Type   Snyk Severity   RiskSense Severity
  Security     High            9
  Security     Medium          5
  Security     Low             3
  License      High            9
  License      Medium          5
  License      Low             3
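The ingestion rules above, written out as an added Python example (not RiskSense's or Snyk's own code): Fixed and Ignored findings are dropped, the rest are scored on the CHMLI scale by issue type, and a severity level outside high/medium/low is rejected rather than silently defaulted. The record layout and field names (risk_type, severity, state, module_name, affected_file) are assumptions, and the sample input is constructed.

```python
# Severity mapping from the guide: CHMLI numeric severity by issue type.
SEVERITY_MAP = {
    "security": {"high": 9, "medium": 5, "low": 3},
    "license": {"high": 9, "medium": 5, "low": 3},
}

# Findings in these states are not shown on the Application Findings page.
HIDDEN_STATES = {"fixed", "ignored"}


def map_severity(risk_type: str, snyk_severity: str) -> int:
    """Return the RiskSense severity for a Snyk level, by issue type.

    Unknown types or levels raise instead of defaulting, so an unexpected
    level surfaces at ingestion rather than being quietly mis-scored.
    """
    try:
        return SEVERITY_MAP[risk_type.lower()][snyk_severity.lower()]
    except KeyError:
        raise ValueError(
            f"unmapped finding: type={risk_type!r} severity={snyk_severity!r}"
        ) from None


def normalize_findings(findings: list[dict]) -> list[dict]:
    """Drop Fixed/Ignored findings and map the rest to RiskSense fields."""
    out = []
    for f in findings:
        if str(f.get("state", "")).lower() in HIDDEN_STATES:
            continue
        out.append({
            "scanner_name": "SNYK",  # the Scanner Name the guide gives
            "risk_type": f["risk_type"],
            "severity": map_severity(f["risk_type"], f["severity"]),
            "module_name": f.get("module_name"),
            "affected_file": f.get("affected_file"),
        })
    return out


# Constructed sample input with assumed field names; not real Snyk output.
SAMPLE = [
    {"risk_type": "security", "severity": "high", "state": "open",
     "module_name": "example-lib-a", "affected_file": "package.json"},
    {"risk_type": "license", "severity": "medium", "state": "open",
     "module_name": "example-lib-b", "affected_file": "package.json"},
    {"risk_type": "security", "severity": "low", "state": "fixed",
     "module_name": "example-lib-c", "affected_file": "package.json"},
]
```

Running normalize_findings(SAMPLE) yields two records (the fixed one is dropped), scored 9 and 5.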