How to set up and use the Snyk connector in RiskSense.
Snyk is a developer security platform that identifies, prioritizes, and automatically fixes vulnerabilities in open-source dependencies throughout the development process. RiskSense provides an API-based connector that pulls Snyk vulnerability data into the RiskSense platform so it can be prioritized and reported alongside findings from other scanners.
- Configuration requires a Snyk account on the Standard or Pro plan.
- At least one project must already be added to Snyk; the connector only imports issues from existing projects.
Snyk User Permissions
Go to Settings in the Navigation Bar and select the Members tab on the left-hand side. Members can be invited and assigned a role on this page.
Visit the Snyk Knowledge Center for more information on managing groups and organizations.
Connector Configuration in RiskSense
Setting Up the Snyk Connector
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Snyk to find the connector. Locate the Snyk card under Applications and click Configuration.
In the new window under Connection, complete the required fields, as described below.
- Name: The connector’s name, e.g., “My Snyk Connector”.
- URL: The Snyk URL, e.g., https://app.snyk.io/. Use the URL of the Snyk tenant your organization is actually hosted on.
- API Key: An API token with access to the Snyk Reporting API. The token inherits the permissions of the Snyk user or service account that generated it, so create it from a dedicated account with the least role that still grants reporting access, store it only in the connector, and regenerate it if it is ever exposed.
- Network: The RiskSense network that ingested applications will be associated with.
Click Test Credentials to verify the credentials are correct and have access to make API calls to the Snyk instance.
Configure the schedule on which the connector retrieves results from the Snyk instance and, optionally, turn on Enable auto URBA (Update Remediation by Assessment). You may also specify how far back scan data is pulled on the first run: 30 days, 60 days, 90 days, 6 months, or 1 year.
Click Save to create the connector.
Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.
On the Configuration > Uploads page, Snyk data is parsed from the scan file and displayed on the Applications and Application Findings pages.
Snyk Data Mapping in RiskSense
The Scanner Name associated with these scans is SNYK, which can be used as a filter on both the Applications and Application Findings pages in RiskSense.
Application data extracted from the Snyk scan file is shown on the Applications page as an asset, with the following fields:
- Vulnerability Counts by Severity
- Last Scan Date
- Package Manager
- Affected Files
Application Findings Page
All finding data extracted from the Snyk scan file is shown on the Application Findings page in RiskSense.
- Findings that Snyk reports as Fixed or Ignored are not displayed in the Application Findings view. Note that an Ignore recorded in Snyk therefore disappears from RiskSense rather than appearing as an accepted finding; if you need that audit trail, keep it in Snyk or reconcile the two sides separately.
- Affected File is listed under Detailed Information
- Additional Metadata Fields:
  - Risk Type (License, Security)
  - Module Name
  - Semantic Versioning
  - Published On
  - Exploit Level
  - GHSA ID
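As an added example (not RiskSense connector code or Snyk's own), the following Python applies the rules described in this section and in the Applications page section to a constructed issue list: it drops issues flagged fixed or ignored, derives Risk Type from the issue type, extracts the metadata fields listed above, and rolls up severity counts, package manager and affected files per application. The record shape (top-level `issue`, `isFixed`, `isIgnored` and `project` keys) follows the Snyk Reporting API's latest-issues response as this editor recalls it and is an assumption to check against your own API output; all sample data is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import json


def _record(project, pkg_mgr, target_file, severity, issue_type, package,
            version, ghsa=None, fixed=False, ignored=False):
    """Build one constructed Reporting-API-style issue record (sample data).

    Key names are an assumption about the Reporting API response shape."""
    return {
        "issue": {
            "severity": severity,
            "type": issue_type,                       # "vuln" or "license"
            "package": package,
            "version": version,
            "semver": {"vulnerable": [f"<{version}"]},
            "identifiers": {"GHSA": [ghsa] if ghsa else [], "CVE": []},
            "publicationTime": "2023-01-10T00:00:00.000Z",
            "exploitMaturity": "proof-of-concept",
        },
        "isFixed": fixed,
        "isIgnored": ignored,
        "project": {"name": project, "packageManager": pkg_mgr,
                    "targetFile": target_file},
    }


# Constructed sample: two projects, five issues, one ignored and one fixed.
SAMPLE_RESPONSE = json.dumps({"results": [
    _record("web-frontend", "npm", "package.json", "high", "vuln",
            "example-lib", "1.2.3", ghsa="GHSA-xxxx-yyyy-zzzz"),
    _record("web-frontend", "npm", "package.json", "medium", "license",
            "copyleft-lib", "4.0.0"),
    _record("web-frontend", "npm", "package.json", "low", "vuln",
            "old-parser", "0.9.1", ignored=True),
    _record("api-service", "pip", "requirements.txt", "high", "vuln",
            "example-py", "2.0.0", fixed=True),
    _record("api-service", "pip", "requirements.txt", "medium", "vuln",
            "example-py", "2.0.0", ghsa="GHSA-aaaa-bbbb-cccc"),
]})


@dataclass(frozen=True)
class Finding:
    """One row as it would appear on the Application Findings page."""
    application: str
    package_manager: str
    affected_file: str
    severity: str
    risk_type: str            # "Security" or "License"
    module_name: str
    semantic_versioning: str
    published_on: str
    exploit_level: str
    ghsa_id: Optional[str]


def is_visible(record: dict) -> bool:
    """RiskSense drops findings that Snyk reports as fixed or ignored."""
    return not (record.get("isFixed") or record.get("isIgnored"))


def to_finding(record: dict) -> Finding:
    """Map one Snyk issue record onto the RiskSense metadata fields."""
    issue, project = record["issue"], record["project"]
    ghsa = issue.get("identifiers", {}).get("GHSA") or []
    return Finding(
        application=project["name"],
        package_manager=project.get("packageManager", ""),
        affected_file=project.get("targetFile", ""),
        severity=issue["severity"],
        risk_type="License" if issue.get("type") == "license" else "Security",
        module_name=issue["package"],
        semantic_versioning=", ".join(issue.get("semver", {}).get("vulnerable", [])),
        published_on=issue.get("publicationTime", ""),
        exploit_level=issue.get("exploitMaturity", ""),
        ghsa_id=ghsa[0] if ghsa else None,
    )


def findings_from_payload(payload: str) -> list:
    """Parse a Reporting-API-style JSON payload into the visible findings."""
    data = json.loads(payload)
    return [to_finding(r) for r in data.get("results", []) if is_visible(r)]


def application_summary(findings) -> dict:
    """Per-application roll-up matching the Applications page columns:
    severity counts, package manager and affected files."""
    summary = {}
    for f in findings:
        app = summary.setdefault(f.application, {
            "severity_counts": Counter(),
            "package_manager": f.package_manager,
            "affected_files": set(),
        })
        app["severity_counts"][f.severity] += 1
        app["affected_files"].add(f.affected_file)
    return summary


if __name__ == "__main__":
    visible = findings_from_payload(SAMPLE_RESPONSE)
    for f in visible:
        print(f"{f.application}: {f.module_name} [{f.risk_type}/{f.severity}] "
              f"GHSA={f.ghsa_id} file={f.affected_file}")
    for app, info in application_summary(visible).items():
        print(app, dict(info["severity_counts"]), sorted(info["affected_files"]))
```

Pointing `findings_from_payload` at a saved Reporting API response lets you compare what Snyk holds with what RiskSense ingested, for example to list the issues that vanished from RiskSense because they were ignored in Snyk. The severity values are passed through as Snyk reports them; the CHMLI mapping in the table below is applied by RiskSense, not by this script.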
The Snyk scan file contains three severity levels: high, medium, and low. RiskSense maps these to its own Severity on the CHMLI scale (Critical, High, Medium, Low, Info) according to the issue type, security or license, as follows:

| Snyk Severity | Mapping to RiskSense Severity |
|---|---|
| Security Issue Types | |
| License Issue Types | |