Snyk
Snyk is an application security scanning tool used for finding, prioritizing, and fixing security vulnerabilities in your organization's applications, projects, and source code. You can bring code, component, and project data from Snyk into Brinqa to track and manage your open-source dependencies, construct a unified view of your attack surface, and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Snyk and how to obtain that information from Snyk. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Snyk from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Snyk with Brinqa:
- API URL: The Snyk API URL. The default URL is https://api.snyk.io.
- API Token: The access token associated with the Snyk account, which must have permissions to log in to the API server and return data.
Obtain a Snyk API token
For the Snyk connector to use the Snyk API, you must provide the API token from Snyk. To generate an API token, follow these steps.
- Log in to your organization's Snyk account.
- Navigate to General Account Settings.
- Click the KEY field, and then select and copy your API token. You can also click Revoke and Regenerate on the same page to create a new API token.
If you do not have the permissions to create an API token, contact your Snyk administrator. For additional information, see Snyk documentation.
Additional settings
The Snyk connector contains additional options for specific configuration:
- Sync only active projects and findings for these projects: Retrieves only active projects and their associated findings. Any findings linked to inactive projects are excluded from the imported data. This option can help streamline your data integration and keep your focus on active and relevant security concerns only.
  Important: Due to the limitations of the Snyk API filters, this option currently still syncs static code findings for inactive projects. If you need to purge your static code findings, contact Brinqa Support. Brinqa and Snyk are working together to resolve this issue.
- Page size: The maximum number of records to get per API request. The default setting is 100. Going above 100 is not recommended.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Snyk API before giving up and reporting a failure. The default setting is 5.
Types of data to retrieve
The Snyk connector can retrieve the following types of data from the Snyk API:
Table 1: Data retrieved from Snyk
Connector Object | Required | Maps to Data Model |
---|---|---|
Collection | No | Not mapped |
Component | Yes | Package |
Ignore | No | Mapped to attributes in Open Source Finding and Static Code Finding |
Open Source Issue | Yes | Open Source Finding |
Open Source Issue Definition | Yes | Open Source Finding Definition |
Project | Yes | Code Project |
Static Code Issue | Yes | Static Code Finding |
Static Code Issue Definition | Yes | Static Code Finding Definition |
Violation | Yes | Violation |
Violation Definition | Yes | Violation Definition |
For detailed steps on how to view the data retrieved from Snyk in the Brinqa Platform, see How to view your data.
Operation options
The Snyk connector supports the following operation options. See connector operation options for information about how to apply them.
Table 2: Snyk connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Component | excludeOrg | Any organization assigned to a Snyk project. | Retrieves a list of Snyk projects while excluding the projects that belong to the specified organization. | Key: excludeOrg, Value: myTeam. This key and value combination retrieves all projects except those from the myTeam organization. |
Component | project or projectId | Any Snyk project ID. | Filters Snyk projects by the specified project ID. | Key: projectId, Value: 12345. This key and value combination retrieves only projects associated with the Snyk project 12345. |
Open Source Issue | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for open source issues. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for open source issues. |
Open Source Issue | includePaths | true | Includes information about the paths where issues were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where issues reside in the data. |
Open Source Issue | severities | low, medium, high, or critical | Retrieves issues based on the specified severity level. | Key: severities, Value: medium. This key and value combination retrieves only issues with a medium severity level. |
Open Source Issue Definition | severities | low, medium, high, or critical | Retrieves issues based on the specified severity level. | Key: severities, Value: medium. This key and value combination retrieves only issues with a medium severity level. |
Open Source Issue Definition | types | vuln or license | Retrieves issues based on whether they are classified as a vulnerability or a license issue. | Key: types, Value: vuln. This key and value combination retrieves only issues that are classified as vulnerabilities. |
Project | excludeOrg | Any organization assigned to a Snyk project. | Retrieves a list of Snyk projects while excluding the projects that belong to the specified organization. | Key: excludeOrg, Value: myTeam. This key and value combination retrieves all projects except those from the myTeam organization. |
Project | project or projectId | Any Snyk project ID. | Filters Snyk projects by the specified project ID. | Key: projectId, Value: 12345. This key and value combination retrieves only projects associated with the Snyk project 12345. |
Violation | includePaths | true | Includes information about the paths where violations were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where violations reside in the data. |
The option keys and values are case-sensitive and must be entered exactly as shown in this documentation.
APIs
The Snyk connector uses the Snyk API v1. Specifically, it uses the following endpoints:
- POST https://api.snyk.io/api/v1/org/<orgId>/dependencies
- POST https://api.snyk.io/api/v1/org/<orgId>/project/<projectId>/aggregated-issues
- GET https://api.snyk.io/api/v1/org/<orgId>/project/<projectId>/ignores
- GET https://api.snyk.io/api/v1/org/<orgId>/project/<projectId>/issue/<issueId>/paths
The Snyk connector also uses the Snyk REST API, formerly Snyk API v3. Specifically, it uses the following endpoints:
- GET https://api.snyk.io/rest/orgs/
- GET https://api.snyk.io/rest/org/{orgId}/projects
- GET https://api.snyk.io/rest/orgs/{orgId}/issues
- GET https://api.snyk.io/rest/orgs/{orgId}/issues/detail/code
The API is only available with Enterprise plans. See Snyk documentation for more information.
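The Page size and Maximum retries settings described above, applied to the REST issues endpoint listed here, as an added example that is not Brinqa's connector code: a small Python client that walks GET /rest/orgs/{orgId}/issues with the page size clamped to 100, retries transient HTTP errors up to the configured maximum with backoff, and sends the API token in the Authorization header Snyk expects. The REST version date is a placeholder, links.next is assumed to come back as a host-relative path, and the transport is a constructed offline stand-in for an HTTP library.

```python
import time
from urllib.parse import urlencode

API_URL = "https://api.snyk.io"    # default from the connector settings
REST_VERSION = "2024-01-04"        # placeholder; use a version Snyk currently supports
RETRYABLE = {429, 500, 502, 503, 504}

def auth_headers(token):
    # Snyk REST expects the raw token in the Authorization header with the "token" scheme.
    return {"Authorization": f"token {token}", "Accept": "application/vnd.api+json"}

def get_with_retry(transport, url, headers, max_retries=5, sleep=time.sleep):
    """GET url, retrying transient statuses up to max_retries extra times
    (the connector's "Maximum retries" setting, default 5)."""
    for attempt in range(max_retries + 1):
        status, body = transport(url, headers)
        if status == 200:
            return body
        if status not in RETRYABLE or attempt == max_retries:
            raise RuntimeError(f"Snyk API returned HTTP {status} for {url}")
        sleep(min(2 ** attempt, 30))   # exponential backoff, capped at 30 s
    raise AssertionError("unreachable")

def list_org_issues(transport, token, org_id, page_size=100, max_retries=5, sleep=time.sleep):
    """Walk GET /rest/orgs/{orgId}/issues, following links.next until exhausted.
    page_size maps to the connector's "Page size" and is clamped to 100."""
    limit = max(1, min(page_size, 100))
    url = f"{API_URL}/rest/orgs/{org_id}/issues?" + urlencode({"version": REST_VERSION, "limit": limit})
    headers, issues = auth_headers(token), []
    while url:
        page = get_with_retry(transport, url, headers, max_retries, sleep)
        issues.extend(page.get("data", []))
        nxt = page.get("links", {}).get("next")
        # Assumed: Snyk returns next as a host-relative path; absolute URLs pass through unchanged.
        url = API_URL + nxt if nxt and nxt.startswith("/") else nxt
    return issues

def fake_snyk_transport():
    """Constructed offline stand-in for HTTP: call 1 is rate limited (429), then two constructed pages."""
    first = f"/rest/orgs/org-1/issues?version={REST_VERSION}&limit=100"
    second = first + "&starting_after=cursor-1"
    pages = {first: (200, {"data": [{"id": "iss-1"}, {"id": "iss-2"}], "links": {"next": second}}),
             second: (200, {"data": [{"id": "iss-3"}], "links": {}})}
    calls = []
    def transport(url, headers):
        calls.append(url)
        return (429, {}) if len(calls) == 1 else pages[url[len(API_URL):]]
    transport.calls = calls
    return transport
```

Swap fake_snyk_transport for a function that performs the real GET (returning the status code and decoded JSON) and the same pagination and retry logic runs against the live API.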
Changelog
The Snyk connector has undergone the following changes:
3.0.13
- Added group information in each connector object.
- Added Collection to the list of connector objects retrieved.
- Added the PROJECT_ID attribute to the Static Code Issue object.
3.0.12
- Added the RISK_SCORE attribute to the Static Code Issue object.
- Added the following attributes to the Open Source Issue object:
  - ATTACK_COMPLEXITY
  - ATTACK_VECTOR
  - AVAILABILITY_IMPACT
  - BUSINESS_CRITICALITY
  - CONFIDENTIALITY_IMPACT
  - DAYS_SINCE_PUBLISHED
  - EPSS_SCORE
  - EXPLOIT_MATURITY
  - INTEGRITY_IMPACT
  - MALICIOUS
  - PACKAGE_POPULARITY_SCORE
  - PRIVILEGES_REQUIRED
  - PROVIDER_URGENCY
  - REACHABLE
  - SCOPE
  - SOCIAL_TRENDS
  - TRANSITIVE_DEPENDENCY
  - USER_INTERACTION
3.0.11
- Fixed an issue where the Static Code Issue sync was not retrieving all static code issues.
3.0.10
- Added the LAST_ASSESSED attribute in the Project object to store the last tested date from Snyk.
3.0.9
- Added a new operation option, includeJiraTickets, to the Open Source Issue object to retrieve Snyk-related Jira tickets.
3.0.8
- Added logging for the Open Source Issue object.
- Improved performance by parallelizing project streams when syncing Open Source Issue and Static Code Issue objects.
- Updated dependencies.
3.0.7
- Added ORG-level attributes, such as ORG_ID and ORG_NAME, as source attributes.
- Added COMPONENT and PROJECT_ID to the Open Source Finding object as source attributes.
3.0.6
- Implemented a different approach for managing the STATUS_CATEGORY attribute in findings, as it is not provided in the data retrieved from Snyk.
3.0.5
- Switched to Snyk REST API (formerly Snyk API v3) to retrieve static code issues.
3.0.4
- Migrated to the new Organization and Project API endpoints.
- Added a configuration option to retrieve only active projects by default, along with the findings associated with active projects.
3.0.3
- Switched to Snyk API v3 since Snyk API v1 has been deprecated.
3.0.2
- Started using UID as the identifier instead of name.
3.0.0
- Initial Integration+ release.