
Snyk Integration + Training

Agenda
1 Integrations
2 Tech Stack Best Practices
3 Import Strategy
4 Next Steps
Resources
Integrations

Coding: Visual Studio, VS Code, WebStorm, PyCharm, PhpStorm, GoLand, Eclipse, IntelliJ, RubyMine, Snyk CLI

Source Control: GitHub, GitHub Enterprise, Bitbucket Cloud, Bitbucket Server, Azure Repos & others, GitLab

CI/CD: CircleCI, Bitbucket Pipelines, Azure Pipelines, TeamCity, Concourse, Jenkins, Snyk CLI, Snyk API

Runtime: Docker, buildah, Kubernetes, RedHat OpenShift, VMWare Tanzu, IBM

Registries: Harbor, Quay, npm Enterprise Private Registry, Amazon ECR, Artifactory, Google Container Registry, Docker Hub, Azure Container Registry

Issue Management: Nucleus Security, Kenna Security, Brinqa, Fortify SSC, Jira, Vulcan, micro focus, Slack, RiskSense, Snyk API


GitHub Enterprise Integration

The GitHub integration is meant for individual users, whereas the GitHub Enterprise integration allows you to use one access token for an entire organisation.

Link: Using GitHub or GitHub Enterprise integration

SCM Settings
Tech Stack Best Practices
Languages - Package Manager Support

Package Manager | Language | Suggested Integration | Notes
nuget | .NET (C#, F#, Visual Basic) | SCM/CLI | For C#: if using a single target framework, results may be better in CLI.
Bazel | Bazel | API | Test Dep Graph endpoint.
C/C++ | C/C++ | CLI | Use the --unmanaged option.
Mix/Hex | Elixir | CLI |
Go Modules | Go | CLI | When imported from SCM, Snyk looks at all packages in the module, even if not called by the app.
Gradle | Java/Kotlin | CLI | CLI allows sub-projects to be scanned.
maven | Java/Kotlin | SCM/CLI |
npm | JavaScript/TypeScript | SCM/CLI |
yarn | JavaScript/TypeScript | SCM/CLI |
Composer | PHP | SCM/CLI |
pip/PyPI | Python | SCM/CLI | URLs in requirements.txt files are only supported in CLI.
Poetry | Python | SCM/CLI |
pipenv | Python | CLI |
conda | Python | CLI | Convert environment.yml to requirements.txt before importing.
Bundler | Ruby | SCM/CLI |
SBT | Scala | CLI |
Swift/CocoaPods | Swift/Objective-C | CLI |

Link: Open Source - Supported languages and package managers


.NET + NuGet

Method: SCM
Implementation considerations:
- Creates one project per target framework.
- Private dependencies are not supported via SCM.
Supported manifest types: *.csproj, *.vbproj, *.fsproj; .NET Core: *.proj files; .NET Framework: *.proj file and packages.config

Method: CLI
Implementation considerations:
- CLI may provide more accurate resolution of .NET runtime dependencies (see docs).
- CLI only supports a single framework; if using multiple target frameworks, Snyk will select the first target framework that is declared.
- Private dependencies are only supported via CLI.
Supported manifest types: project.assets.json (from .csproj, .vbproj, .fsproj), packages.config

Link: Snyk for .NET


Go + Go Modules

Method: SCM
Implementation considerations:
- Dependencies are resolved at the module level rather than at the package level, because Snyk does not have full access to the project source code.
- Open Beta (Settings > Languages > Go) provides CLI-equivalent accuracy. Note: this involves Snyk taking a temporary clone of the Git repository. Cloned files are stored in an encrypted, isolated environment and deleted immediately after the test.
Supported manifest types: go.mod

Method: CLI
Implementation considerations:
- Snyk scans Go Modules projects in the CLI at the package level rather than the module level, as we have full access to your project source code.
- You must have a go.mod file at the root of your project.
Supported manifest types: go.mod

Link: Snyk for Go


Java/Kotlin + Gradle

Method: SCM
Implementation considerations:
- Supported versions: Gradle 2.*, 3.*, 4.*, 5.*, 6.*
- Enable lockfiles in your project to improve the accuracy of Git imports.
- Kotlin: build.gradle.kts files are not currently supported in Git.
Supported manifest types: Groovy: build.gradle, gradle.lockfile; Kotlin: not supported

Method: CLI (Recommended)
Implementation considerations:
- If using sub-projects, to scan all projects at once (recommended), use the --all-sub-projects option.
- build.gradle.kts (Kotlin DSL) is only supported via CLI.
Supported manifest types: build.gradle (Groovy), build.gradle.kts (Kotlin)

Link: Snyk for Java and Kotlin


Java/Kotlin + Maven

Method: SCM (Recommended)
Implementation considerations:
- Supported versions: Maven 3.*
Supported manifest types: pom.xml

Method: CLI
Implementation considerations:
- Supported Maven version: 3.x only.
- The Maven package manager must be installed in the local environment first.
- Execute in the root folder.
- Flag for multiple pom.xml files in a directory (non-aggregate): --all-projects
- Flag for aggregate Maven projects: --maven-aggregate-project
- snyk-maven-plugin puts Snyk scans right into a pom.xml.
Supported manifest types: pom.xml

Link: Snyk for Java and Kotlin


JavaScript + npm

Method: SCM (Recommended)
Implementation considerations:
- npm versions 6.x and 7.x are supported in Git services.
- Workspaces (npm 7.x) are not supported.
- Customise JS npm language settings in the web UI.
Supported manifest types: package.json, package-lock.json

Method: CLI
Implementation considerations:
- Does not support Lerna.
- npm version <=6.*: peer dependencies are not scanned by default.
- npm version >=7.*: peer dependencies are scanned by default.
- npm version 7.*: workspaces are not yet supported.
Supported manifest types: package.json, package-lock.json (lockfileVersion: 2). If package-lock.json is unavailable, Snyk will scan the node_modules folder.

Link: Snyk for JavaScript


JavaScript + Yarn

Method: SCM (Recommended)
Implementation considerations:
- PR checks use the root yarn.lock and workspace package.json.
- If your package.json and root yarn.lock are out of sync, Snyk will show errors on the project page and in the import logs.
- If locally installed packages do not appear in a lockfile, disable the 'Require package.json and yarn.lock files to be in sync' setting on the Languages Settings page for JavaScript.
- If using private registries, a Snyk-generated lockfile might not be appropriate. Exclude yarn.lock from being generated on the Languages Settings page for JavaScript w/yarn.
Supported manifest types: package.json, yarn.lock

Method: CLI
Implementation considerations:
- Yarn version 1: resolutions not supported.
- Yarn version 2: resolutions supported.
- Yarn workspaces: use --all-projects or --yarn-workspaces with --detection-depth flags. Nohoist is not supported.
Supported manifest types: package.json, yarn.lock. If package-lock.json is unavailable, Snyk will scan the node_modules folder.

Link: Snyk for JavaScript


Python + pip/PyPI

Method: SCM
Implementation considerations:
- URLs in requirements.txt files are not supported.
- Install the full pip project.
Supported manifest types: requirements.txt

Method: CLI (Recommended)
Implementation considerations:
- Dependencies must be installed to provide the most accurate results.
- When testing setup.py, the file must be specified on the CLI (--file=setup.py), and Snyk will only detect dependencies listed under the "install_requires" key.
Supported manifest types: requirements.txt, setup.py

Link: Snyk for Python


PHP + Composer

Method: SCM
Implementation considerations:
- Scans production dependencies by default.
- Fix PRs are not available.
Supported manifest types: composer.json, composer.lock

Method: CLI
Implementation considerations:
- No implementation considerations.
Supported manifest types: composer.json, composer.lock

Link: Snyk for PHP
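The CLI rules scattered across the Gradle, Maven, npm, Yarn and Python tables above are easy to get wrong in a pipeline script, so here is an added example (not Snyk's code) that turns them into one planner: given the manifests present in a checkout, it builds the `snyk test` command the tables call for, and refuses layouts the tables say the CLI cannot scan as-is (go.mod not at the root, a conda environment file with no requirements.txt, a Lerna repository). The input is a mapping of repo-relative path to file contents so it runs without a real checkout; the function names, the return shape and the detection-depth computation for yarn workspaces are assumptions made for this illustration.

```python
"""Plan a `snyk test` invocation from the manifests found in a checkout."""
from __future__ import annotations

import json
import posixpath
from typing import Dict, List

SnykCmd = List[str]


def _base(path: str) -> str:
    return posixpath.basename(path)


def plan_snyk_cli(files: Dict[str, str]) -> List[SnykCmd]:
    """Return one `snyk test` argv per ecosystem found in `files`.

    `files` maps repo-relative POSIX paths to contents; only pom.xml and the
    root package.json are inspected. Raises ValueError for layouts the tables
    say the CLI cannot scan without preparation. (Assumed helper, not Snyk's.)
    """
    root = {p for p in files if "/" not in p}
    plans: List[SnykCmd] = []

    # Go: the CLI scans at package level but requires go.mod at the root.
    if any(_base(p) == "go.mod" or p.endswith(".go") for p in files):
        if "go.mod" not in root:
            raise ValueError("Go project: go.mod must sit at the repository root")
        plans.append(["snyk", "test"])

    # Gradle: more than one build file means sub-projects; scan them all at once.
    # build.gradle.kts is fine here because the Kotlin DSL is CLI-only anyway.
    gradle = [p for p in files if _base(p) in ("build.gradle", "build.gradle.kts")]
    if gradle:
        cmd = ["snyk", "test"]
        if len(gradle) > 1:
            cmd.append("--all-sub-projects")
        plans.append(cmd)

    # Maven: an aggregate project (root pom with <modules>) takes
    # --maven-aggregate-project; several unrelated poms take --all-projects.
    poms = [p for p in files if _base(p) == "pom.xml"]
    if poms:
        cmd = ["snyk", "test"]
        if "pom.xml" in root and "<modules>" in files["pom.xml"]:
            cmd.append("--maven-aggregate-project")
        elif len(poms) > 1:
            cmd.append("--all-projects")
        plans.append(cmd)

    # Python: requirements.txt is picked up automatically, setup.py must be
    # named with --file, and a conda environment file has to be converted first
    # (the slide spells it environments.yml; conda's convention is environment.yml).
    if "requirements.txt" in root:
        plans.append(["snyk", "test"])
    elif "setup.py" in root:
        plans.append(["snyk", "test", "--file=setup.py"])
    elif root & {"environment.yml", "environments.yml"}:
        raise ValueError("conda project: convert environment.yml to requirements.txt first")

    # JavaScript: Lerna is unsupported in the CLI; yarn workspaces need
    # --yarn-workspaces plus a detection depth that reaches the deepest package.json.
    if "lerna.json" in root:
        raise ValueError("Lerna repositories are not supported by the Snyk CLI")
    if "package.json" in root:
        cmd = ["snyk", "test"]
        manifest = json.loads(files["package.json"] or "{}")
        if isinstance(manifest, dict) and "workspaces" in manifest and "yarn.lock" in root:
            depth = max(p.count("/") + 1 for p in files if _base(p) == "package.json")
            cmd += ["--yarn-workspaces", f"--detection-depth={depth}"]
        plans.append(cmd)

    # Several ecosystems may need nothing more than `snyk test`; run it once.
    unique: List[SnykCmd] = []
    for cmd in plans:
        if cmd not in unique:
            unique.append(cmd)
    return unique


def plan_summary(files: Dict[str, str]) -> str:
    """One command per line, or the reason the layout cannot be scanned yet."""
    try:
        return "\n".join(" ".join(cmd) for cmd in plan_snyk_cli(files))
    except ValueError as err:
        return f"cannot scan: {err}"


if __name__ == "__main__":
    # Constructed monorepo layout used only to show the planner's output.
    demo = {
        "pom.xml": "<project><modules><module>core</module></modules></project>",
        "core/pom.xml": "<project/>",
        "package.json": '{"workspaces": ["packages/*"]}',
        "yarn.lock": "",
        "packages/ui/package.json": "{}",
    }
    print(plan_summary(demo))
```

In a pipeline you would run each returned command from the repository root, as the Maven table requires; the planner deliberately stops with an error rather than emitting a command that would silently scan less than the developer expects.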


Snyk Code
Supported languages:
- C#
- Go
- Java
- JavaScript
- PHP
- Python
- Ruby
- TypeScript
- Apex
Beta support exists for Kotlin, Scala and Swift.

The following files are automatically excluded:
- Web UI: files that are larger than 4MB
- CLI and IDE: files that are larger than 1MB
- Minified JS files with 3 or fewer lines
Import Strategy
Summary of Snyk usage in SDLC

1 - Non-Intrusive / Gain Visibility
- CLI scans within the build pipeline → provides a good "safety net"

2 - Easy Starting / Early Warnings
- Snyk PR tests being used → aka "stop the bleeding"

3 - Automated Remediation
- PRs raised automatically to fix issues → simplify remediation
- Leverage Snyk API → ultimate in customisation

4 - Shifting Left
- CLI being used by devs → scan your app at any point
- IDE plugins being used by devs → choose the right dependency up front!
Project Import Strategy

Snyk CLI (e.g. Scala, Gradle, Swift, Go, Objective-C)
- Do your devs prefer CLI interaction?
- Is ultimate accuracy at all times important?

Snyk SCM integration
- Do devs prefer the ease of use of a GUI and access to reporting?
- Are you planning to have Snyk scan all PRs that are raised?
- Optionally, the snyk-api-import tool can sync/mirror with SCMs

Snyk API
- Do you prefer to have ultimate control?
- Do you prefer to automate and customise Snyk actions?
Snyk Tools
snyk-api-import:
https://github.com/snyk-tech-services/snyk-api-import/

Bulk removing projects from Snyk
bulk-delete:
https://github.com/snyk-playground/cx-tools/tree/main/bulk-delete

Delete projects in bulk based on the criteria you specify, such as organisations or project origin.

For example, the below command would bulk-delete on the following criteria:
- Snyk Open Source projects using the npm or Gradle package manager
- Imported from GitHub
- Project is in one of the specified organisations: "test-org-1" or "test-org-2"

python3 snyk-bulk-delete.py --products opensource --sca-types "npm gradle" --orgs "test-org-1 test-org-2" --origins github
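Because a bulk delete is irreversible, it is worth checking exactly which projects the four criteria above would match before running the tool. The following added example (not part of the bulk-delete tool) applies the same product, package-manager, origin and organisation filters to project records, mirrors the tool's space-separated quoting of list flags, and refuses to select anything when no criterion is given. The record fields and the `product` value are assumptions made for this illustration, and the sample records are constructed; in practice they would come from the project list in your Snyk organisation.

```python
"""Dry-run selection of projects for a bulk delete."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class Project:
    """Assumed record shape: the fields the bulk-delete criteria act on."""
    org: str
    name: str
    product: str  # e.g. "opensource", "code", "container", "iac" (assumed values)
    type: str     # package manager or scan type, e.g. "npm", "gradle", "sast"
    origin: str   # where the project was imported from, e.g. "github", "cli"


def parse_list_flag(raw: str) -> List[str]:
    """The tool takes several values in one quoted flag, e.g. "npm gradle"."""
    return raw.split()


def _matches(value: str, wanted: Optional[Sequence[str]]) -> bool:
    # An omitted criterion matches everything, just like leaving the flag off.
    return wanted is None or value.lower() in {w.lower() for w in wanted}


def select_for_deletion(
    projects: Iterable[Project],
    products: Optional[Sequence[str]] = None,
    sca_types: Optional[Sequence[str]] = None,
    origins: Optional[Sequence[str]] = None,
    orgs: Optional[Sequence[str]] = None,
) -> List[Project]:
    """Return the projects matching every criterion that was given."""
    if products is None and sca_types is None and origins is None and orgs is None:
        raise ValueError("refusing to select every project: pass at least one criterion")
    return [
        p for p in projects
        if _matches(p.product, products)
        and _matches(p.type, sca_types)
        and _matches(p.origin, origins)
        and _matches(p.org, orgs)
    ]


def dry_run_report(projects: Iterable[Project], **criteria) -> str:
    """Human-readable list of what would be deleted, or why nothing was selected."""
    try:
        chosen = select_for_deletion(projects, **criteria)
    except ValueError as err:
        return f"aborted: {err}"
    lines = [f"{len(chosen)} project(s) would be deleted:"]
    lines += [f"  {p.org}/{p.name} ({p.product}, {p.type}, {p.origin})" for p in chosen]
    return "\n".join(lines)


# Constructed sample records; org and project names are placeholders.
SAMPLE_PROJECTS = [
    Project("test-org-1", "web-app", "opensource", "npm", "github"),
    Project("test-org-2", "api-service", "opensource", "gradle", "github"),
    Project("test-org-1", "api-service", "opensource", "gradle", "cli"),      # wrong origin
    Project("test-org-1", "web-app", "code", "sast", "github"),              # wrong product
    Project("prod-org", "web-app", "opensource", "npm", "github"),           # org not listed
    Project("test-org-2", "core-lib", "opensource", "maven", "github"),      # wrong package manager
]


if __name__ == "__main__":
    # Same criteria as the command on the slide.
    print(dry_run_report(
        SAMPLE_PROJECTS,
        products=["opensource"],
        sca_types=parse_list_flag("npm gradle"),
        origins=["github"],
        orgs=parse_list_flag("test-org-1 test-org-2"),
    ))
```

Run with the criteria you intend to pass to the tool and review the printed list before the real delete; the refusal on an empty criterion set guards against a script that accidentally passes nothing and wipes the whole group.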
Next Steps
Read more about "How to get started":
- Get started
- Good practices for CI/CD implementation
- Good practices for SCM implementation
- Snyk Python client for bulk actions
- Snyk external tools repository
- Snyk Open Source
- Snyk Code
- Snyk Container
- Snyk IaC
- Developer Launch Guide


Resource Links
- Snyk User Hub: https://snyk.io/user-hub

- Snyk User Docs: https://docs.snyk.io

- Snyk Training: https://training.snyk.io

- Events and Webinars: https://snyk.io/events

- Support: https://support.snyk.io

- DevSecOps community: https://snyk.io/community


Snyk Training

Implementing Snyk
Learn about the key decisions and tasks for implementing Snyk with courses such as:
- Ways to integrate Snyk at your company
- Project import strategies
- Intro to Snyk for Administrators
- Launch Snyk to your teams

Managing Snyk organisations
Learn about the tasks for configuring and managing Snyk with courses such as:
- Set up and Manage an Organization
- Source Code Manager Configurations
- Members and Permissions
- Using Snyk Reports

Using Snyk to find and fix issues
Learn about the tasks for using Snyk in the Web UI, in the CLI, or an IDE with courses such as:
- Introduction to using Snyk in an IDE
- Introduction to using Snyk with CI/CD
- Find and fix with Snyk Open Source
- Find and fix with Snyk Code

Access for free at https://training.snyk.io


How to Get Help Fast

Chat
Chat live with Support agents on the Snyk website for the fastest response to technical questions.

support@snyk.io
Email us to provide product feedback or to log a technical support case.

Snyk Support Portal
https://support.snyk.io
