Snyk
Snyk is an application scanning tool used for scanning, prioritizing, and fixing security vulnerabilities in your organization's applications, projects, or source code. You can bring code, component, and project data from Snyk into Brinqa to track and manage your open-source dependencies, construct a unified view of your attack surface, and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Snyk and how to obtain that information from Snyk. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Snyk from the Connector drop-down. If you cannot find the connector in the drop-down, make sure that you have installed it first. You must provide the following information to authenticate Snyk with Brinqa:
- API URL: The Snyk API URL. The default URL is https://api.snyk.io.
- API Token: The access token associated with the Snyk account, which must have permissions to log in to the API server and return data.
Obtain a Snyk API token
For the Snyk connector to use the Snyk API, you must provide an API token. To generate an API token, follow these steps.
- Log in to your organization's Snyk account.
- Click the account drop-down and then click Account settings.
- Under Account Settings, click General.
- Under Auth Token, click the KEY field. You can also click Revoke and Regenerate on the same page to create a new API token that replaces an existing one.
Your new API token is displayed. You cannot view the token again after this, so copy and save it to a secure location.
If you do not have the permissions to create an API token, contact your Snyk administrator. For additional information, see the Snyk documentation.
Additional settings
The Snyk connector provides the following additional configuration options:
- Sync only active projects and findings for these projects: Retrieves only active projects and their associated findings. Any findings linked to inactive projects are excluded from the imported data. This option can help streamline your data integration and keep your focus on active and relevant security concerns.
  Important: Due to limitations of the Snyk API filters, this option doesn't apply to static code findings. If you need to purge your static code findings, contact Brinqa Support. Brinqa and Snyk are working together to resolve this issue.
- Page size: The maximum number of records to retrieve per API request. The default setting is 100. Values above 100 are not recommended.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
- Maximum retries: The maximum number of times that the integration attempts to connect to the Snyk API before giving up and reporting a failure. The default setting is 5.
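The three settings above describe a paged, retrying, bounded-concurrency client. The following is an added example (not Brinqa's or Snyk's code) of how such a client behaves: it clamps the page size to 100, retries a failed page up to the maximum, and fans out per-organization project syncs over a fixed pool. It assumes the Snyk REST API's JSON:API paging (a `limit` query parameter and `links.next` in the response) and injects the HTTP transport so it runs offline.

```python
"""Paged, retrying fetch against the Snyk REST API, honouring the connector's
page-size, parallel-request and maximum-retry settings.

Added example, not Brinqa's or Snyk's code. Assumptions: the REST API takes a
`limit` query parameter (capped at 100) and returns JSON:API pages with `data`
and `links.next`; the HTTP transport is injected so the example runs offline.
"""
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List
from urllib.parse import urlencode

API_URL = "https://api.snyk.io"   # default API URL from the connection settings
MAX_PAGE_SIZE = 100               # the documentation advises not exceeding 100

Transport = Callable[[str], dict]  # url -> decoded JSON body


class TransientError(Exception):
    """Raised by a transport for a retryable failure (timeout, 429, 5xx)."""


def auth_headers(token: str) -> Dict[str, str]:
    """Snyk API tokens travel in an `Authorization: token <API token>` header."""
    return {"Authorization": f"token {token}"}


def get_with_retries(transport: Transport, path: str, max_retries: int,
                     backoff: float = 1.0) -> dict:
    """Try a request up to max_retries times, then give up and report failure."""
    for attempt in range(1, max(1, max_retries) + 1):
        try:
            return transport(API_URL + path)
        except TransientError:
            if attempt >= max_retries:
                raise                                   # report the failure
            time.sleep(backoff * 2 ** (attempt - 1))    # exponential back-off


def fetch_all(transport: Transport, path: str, page_size: int = 100,
              max_retries: int = 5, backoff: float = 1.0) -> List[dict]:
    """Collect every record of a paged endpoint by following links.next."""
    limit = min(page_size, MAX_PAGE_SIZE)            # clamp to the API maximum
    next_path = f"{path}?{urlencode({'limit': limit})}"
    records: List[dict] = []
    while next_path:
        page = get_with_retries(transport, next_path, max_retries, backoff)
        records.extend(page.get("data", []))
        next_path = (page.get("links") or {}).get("next")
    return records


def fetch_projects_for_orgs(transport: Transport, org_ids: List[str],
                            parallel_requests: int = 4, **kw) -> Dict[str, List[dict]]:
    """Sync GET /rest/orgs/{orgId}/projects for many orgs with a bounded pool."""
    def one(org_id: str):
        return org_id, fetch_all(transport, f"/rest/orgs/{org_id}/projects", **kw)
    with ThreadPoolExecutor(max_workers=parallel_requests) as pool:
        return dict(pool.map(one, org_ids))


def make_fake_transport(pages: Dict[str, dict], failures: int = 0) -> Transport:
    """Constructed offline stand-in for the network: serves canned pages keyed
    by request path and raises TransientError for the first `failures` calls."""
    remaining = [failures]

    def transport(url: str) -> dict:
        if remaining[0] > 0:
            remaining[0] -= 1
            raise TransientError("simulated 503 from Snyk")
        return pages[url[len(API_URL):]]
    return transport
```

Swap `make_fake_transport` for a real HTTP call that sends `auth_headers(token)` and decodes the JSON body, and the paging and retry logic stays the same.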
Types of data to retrieve
The Snyk connector can retrieve the following types of data from the Snyk API:
Table 1: Data retrieved from Snyk
Connector Object | Required | Maps to Data Model |
---|---|---|
Code Repository | No | Code Repository |
Collection | No | Not mapped |
Component | Yes | Package |
Ignore | No | Mapped to attributes in Open Source Finding and Static Code Finding |
Open Source Issue | Yes | Open Source Finding |
Open Source Issue Definition | Yes | Open Source Finding Definition |
Project | Yes | Code Project |
Static Code Issue | Yes | Static Code Finding |
Static Code Issue Definition | Yes | Static Code Finding Definition |
Violation | Yes | Violation |
Violation Definition | Yes | Violation Definition |
For detailed steps on how to view the data retrieved from Snyk in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Code Repository
Table 2: Code Repository attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
lastCaptured | lastCaptured |
target.attributes.created_at | sourceCreatedDate |
target.attributes.is_private | Local variable |
target.attributes.url | Local variable |
target.id | uid, name |
target.relationships.integration.data.attributes.integration_type | Local variable |
target.relationships.integration.data.id | Local variable |
Component
Table 3: Component attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
dependency.firstPublishedDate | firstSeen |
dependency.isDeprecated | outdated |
dependency.latestVersion | latestVersion |
dependency.latestVersionPublishedDate | lastSeen |
dependency.licenses.title | licenses |
dependency.name | description, name, uid |
dependency.projects.id | projects |
dependency.type | categories |
dependency.version | currentVersion |
Open Source Issue
Table 4: Open Source Issue attribute mappings
Source Field Name | Maps to Attribute |
---|---|
group.attributes.name | tags |
group.id | tags |
issueMetadataObject.attributes.created_at | firstFound |
issueMetadataObject.attributes.updated_at | lastFound |
openSourceIssue.getIssue.issueData.cveIds | type |
openSourceIssue.getIssue.issueData.description | results |
openSourceIssue.getIssue.issueData.cwes | type |
openSourceIssue.getIssue.issueData.severity | type |
openSourceIssue.getIssue.issueData.title | type |
openSourceIssue.getIssue.pkgName | targets |
openSourceIssue.getIssue.pkgVersions | targets |
openSourceIssue.getIssue.id | Local variable |
openSourceIssue.getIssue.isIgnored | Local variable |
openSourceIssue.getIssue.isMaliciousPackage | Local variable |
openSourceIssue.getIssue.isPatched | Local variable |
openSourceIssue.getIssue.priority.score | Local variable |
openSourceIssue.getProjectId | targets, Local variable |
openSourceIssue.getTickets.id | Local variable |
openSourceIssue.getTickets.key | Local variable |
org.attributes.name | tags |
org.attributes.slug | tags |
org.id | tags |
paths | path |
projectIssue.getIssue.id | uid |
projectIssue.getProjectId | uid |
ProviderStatus | status, statusCategory, sourceStatus, providerStatus |
Open Source Issue Definition
Table 5: Open Source Issue Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issueData.CVSSv3 | cvssV3Vector |
issueData.cvssScore | cvssV3BaseScore |
issueData.description | description, references, recommendation, exploits |
issueData.disclosureTime | disclosedDate |
issueData.exploitMaturity | exploitMaturity |
issueData.identifiers.get("CVE") | cveIds, cveRecords |
issueData.identifiers.get("CWE") | cweIds, weaknesses |
issueData.language | languages |
issueData.publicationTime | publishedDate |
issueData.severity | severity, sourceSeverity, severityScore |
issueData.semver | affected |
issueData.url | references |
issueObject.fixInfo.fixedIn | Local variable |
issueObject.fixInfo.isFixable | fixable |
issueObject.fixInfo.isPartiallyFixable | partiallyFixable |
issueObject.fixInfo.isPatchable | patchAvailable |
issueObject.fixInfo.isUpgradable | upgradeable |
issueObject.issueData.title | name |
openSourceIssue.getIssue.issueData.title | uid |
openSourceIssue.getIssue.issueData.severity | severity, sourceSeverity, severityScore |
openSourceIssue.getIssue.issueData.description | description, references, recommendation, exploits |
openSourceIssue.getIssue.issueData.cveIds | cveIds, cveRecords |
openSourceIssue.getIssue.issueData.cwes | cweIds, weaknesses |
Project
Table 6: Project attribute mappings
Source Field Name | Maps to Attribute |
---|---|
categories | categories |
group.attributes.name | Local variable |
group.id | Local variable |
now | lastCaptured |
org.attributes.name | Local variable |
org.attributes.slug | Local variable |
org.id | Local variable |
project.attributes.business_criticality | Local variable |
project.attributes.environment | Local variable |
project.attributes.lifecycle | Local variable |
project.attributes.name | name, description |
project.attributes.origin | Local variable |
project.attributes.settings.recurring_tests.frequency | Local variable |
project.attributes.status | status |
project.attributes.type | categories, description |
project.id | uid |
project.meta.latestIssueCounts.updatedAt | lastAssessed |
project.relationships.target.data.id | Local variable |
tags | tags |
userObject.attributes.username | owner |
userObject.attributes.username (project.relationships.owner) | Local variable |
userObject.attributes.username (project.relationships.importer) | Local variable |
Static Code Issue
Table 7: Static Code Issue attribute mappings
Source Field Name | Maps to Attribute |
---|---|
attributes.fingerprint | Local variable |
attributes.fingerprintVersion | Local variable |
attributes.priorityScore | Local variable |
attributes.priorityScoreFactors | Local variable |
attributes.primaryFilePath | fileName |
group.attributes.name | tags, Local variable |
group.id | tags, Local variable |
issueDetailsObject.attributes.ignored | status, Local variable |
issueObject.attributes.created_at | firstFound |
issueObject.attributes.key | Local variable |
issueObject.attributes.risk.score.value | Local variable |
issueObject.attributes.status | status, statusCategory, sourceStatus, providerStatus |
issueObject.attributes.title | type |
issueObject.attributes.updated_at | lastFound |
issueObject.id | uid |
issueObject.relationships.scan_item.data.id | Local variable |
issueObject.relationships.scan_item.id | targets |
org.attributes.name | tags, Local variable |
org.attributes.slug | tags, Local variable |
org.id | tags, Local variable |
primaryRegion.endColumn | codeSnippet |
primaryRegion.endLine | codeSnippet |
primaryRegion.startColumn | codeSnippet |
primaryRegion.startLine | codeSnippet |
staticCodeIssue.getTickets.id | Local variable |
staticCodeIssue.getTickets.key | Local variable |
Static Code Issue Definition
Table 8: Static Code Issue Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issueDetailsObject.attributes.cwe | cweIds, weaknesses |
issueObject.attributes.title.severity.cwes | type, uid |
issueDetailsObject.attributes.severity | severity, sourceSeverity, severityScore |
staticCodeIssue.getIssueObject.attributes.title | name, description |
staticCodeIssue.getIssueObject.type | categories |
Violation
Table 9: Violation attribute mappings
Source Field Name | Maps to Attribute |
---|---|
attackVector | Local variable |
attackComplexity | Local variable |
availabilityImpact | Local variable |
businessCriticality | Local variable |
confidentialityImpact | Local variable |
daysSincePublished | Local variable |
exploitMaturity | Local variable |
integrityImpact | Local variable |
isMalicious | Local variable |
packagePopularityScore | Local variable |
paths | path |
privilegesRequired | Local variable |
providerUrgency | Local variable |
scope | Local variable |
socialTrends | Local variable |
transitiveDependency | Local variable |
userInteraction | Local variable |
projectIssue.getIssue.id | uid |
projectIssue.getProjectId | uid |
group.id | tags |
group.attributes.name | tags |
org.id | tags |
org.attributes.name | tags |
org.attributes.slug | tags |
issueMetadataObject.attributes.created_at | firstFound |
issueMetadataObject.attributes.updated_at | lastFound |
ProviderStatus | status, statusCategory, sourceStatus, providerStatus |
Violation Definition
Table 10: Violation Definition attribute mappings
Source Field Name | Maps to Attribute |
---|---|
issueData.CVSSv3 | cvssV3Vector |
issueData.cvssScore | cvssV3BaseScore |
issueData.description | description, references, recommendation, exploits |
issueData.disclosureTime | disclosedDate |
issueData.exploitMaturity | exploitMaturity |
issueData.identifiers.get("CVE") | cveIds, cveRecords |
issueData.identifiers.get("CWE") | cweIds, weaknesses |
issueData.language | languages |
issueData.publicationTime | publishedDate |
issueData.severity | severity, sourceSeverity, severityScore |
issueData.semver | affected |
issueData.url | references |
issueObject.fixInfo.fixedIn | Local variable |
issueObject.fixInfo.isFixable | fixable |
issueObject.fixInfo.isPartiallyFixable | partiallyFixable |
issueObject.fixInfo.isPatchable | patchAvailable |
issueObject.fixInfo.isUpgradable | upgradeable |
issueObject.issueData.title | name |
openSourceIssue.getIssue.issueData.title | uid |
openSourceIssue.getIssue.issueData.severity | severity, sourceSeverity, severityScore |
openSourceIssue.getIssue.issueData.description | description, references, recommendation, exploits |
openSourceIssue.getIssue.issueData.cveIds | cveIds, cveRecords |
openSourceIssue.getIssue.issueData.cwes | cweIds, weaknesses |
Local variable indicates that the field is processed within a specific context, such as a particular workflow or calculation. Unlike other attributes, local variables aren't mapped to the unified data models; they exist only on the source data model.
Operation options
The Snyk connector supports the following operation options. See connector operation options for information about how to apply them.
Table 11: Snyk connector operation options
Connector Object | Option | All Possible Values | Description | Example |
---|---|---|---|---|
Component | excludeOrg | Any organization assigned to a Snyk project. | Retrieves a list of Snyk projects while excluding the projects that belong to a specific organization. | Key: excludeOrg, Value: myTeam. This key and value combination retrieves all projects and excludes those from the myTeam organization. |
| project or projectId | Any Snyk project ID. | Filters Snyk projects by the specified project ID. | Key: projectId, Value: 12345. This key and value combination only retrieves projects associated with the Snyk project 12345. |
Open Source Issue | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for open source issues. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for open source issues. |
| includePaths | true | Includes information about the paths where issues were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where issues reside in the data. |
| severities | low, medium, high, or critical | A comma-separated list of severity levels. Retrieves open source issues based on the specified severity levels. | Key: severities, Value: critical,high. This key and value combination only retrieves open source issues with a critical or high severity level. |
Open Source Issue Definition | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for open source issue definitions. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for open source issue definitions. |
| includePaths | true | Includes information about the paths where issue definitions were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where issue definitions reside in the data. |
| severities | low, medium, high, or critical | A comma-separated list of severity levels. Retrieves issues based on the specified severity levels. | Key: severities, Value: high,medium. This key and value combination only retrieves issues with a high or medium severity level. |
| types | vuln or license | Retrieves issues based on whether they are classified as a vulnerability or a license issue. | Key: types, Value: vuln. This key and value combination only retrieves issues that are classified as vulnerabilities. |
Project | excludeOrg | Any organization assigned to a Snyk project. | Retrieves a list of Snyk projects while excluding the projects that belong to a specific organization. | Key: excludeOrg, Value: myTeam. This key and value combination retrieves all projects and excludes those from the myTeam organization. |
| project or projectId | Any Snyk project ID. | Filters Snyk projects by the specified project ID. | Key: projectId, Value: 12345. This key and value combination only retrieves projects associated with the Snyk project 12345. |
Static Code Issue | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for static code issues. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for static code issues. |
| includePaths | true | Includes information about the paths where issues were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where issues reside in the data. |
| severities | low, medium, high, or critical | A comma-separated list of severity levels. Retrieves static code issues based on the specified severity levels. | Key: severities, Value: critical. This key and value combination only retrieves static code issues with a critical severity level. |
Static Code Issue Definition | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for static code issue definitions. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for static code issue definitions. |
| includePaths | true | Includes information about the paths where issues were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where issues reside in the data. |
| severities | low, medium, high, or critical | A comma-separated list of severity levels. Retrieves static code issue definitions based on the specified severity levels. | Key: severities, Value: critical,high. This key and value combination only retrieves static code issue definitions with a critical or high severity level. |
Violation | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for violations. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for violations. |
| includePaths | true | Includes information about the paths where violations were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where violations reside in the data. |
Violation Definition | includeJiraTickets | true | Retrieves Snyk-related Jira tickets for violation definitions. | Key: includeJiraTickets, Value: true. This key and value combination retrieves Snyk-related Jira tickets for violation definitions. |
| includePaths | true | Includes information about the paths where violation definitions were found in the data. | Key: includePaths, Value: true. This key and value combination retrieves information about the paths where violation definitions reside in the data. |
Option keys and values are case-sensitive and must be entered exactly as shown in this documentation.
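Because keys and values are matched case-sensitively, a typo such as Severities or Critical silently yields no filtering rather than an error. The following added example (not Brinqa's code) checks a set of operation options against Table 11 before a sync; the allowed keys and values are taken from the table, while the validator and its messages are this example's own.

```python
"""Validate Snyk connector operation options against Table 11.

Added example, not Brinqa's code. The permitted keys and values come from the
table above; `validate_options` and its error texts are this example's own.
"""
from typing import Dict, List

SEVERITIES = ("low", "medium", "high", "critical")
TYPES = ("vuln", "license")
FLAGS = ("includeJiraTickets", "includePaths")   # accept only the value "true"

# Option keys each connector object accepts, per Table 11.
ALLOWED_KEYS: Dict[str, set] = {
    "Component": {"excludeOrg", "project", "projectId"},
    "Open Source Issue": {*FLAGS, "severities"},
    "Open Source Issue Definition": {*FLAGS, "severities", "types"},
    "Project": {"excludeOrg", "project", "projectId"},
    "Static Code Issue": {*FLAGS, "severities"},
    "Static Code Issue Definition": {*FLAGS, "severities"},
    "Violation": {*FLAGS},
    "Violation Definition": {*FLAGS},
}


def parse_csv(value: str) -> List[str]:
    """Split a comma-separated value; whitespace around items is dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def validate_options(connector_object: str, options: Dict[str, str]) -> List[str]:
    """Return the problems found (empty list when the options are acceptable).

    Keys and values are compared case-sensitively, as the documentation
    requires, so `Severities` or `Critical` are rejected rather than coerced;
    a near-miss on a key gets a hint naming the correctly cased key.
    """
    allowed = ALLOWED_KEYS.get(connector_object)
    if allowed is None:
        return [f"unknown connector object {connector_object!r}"]
    by_lower = {k.lower(): k for k in allowed}
    problems: List[str] = []
    for key, value in options.items():
        if key not in allowed:
            hint = ""
            if key.lower() in by_lower:
                hint = f" (keys are case-sensitive; did you mean {by_lower[key.lower()]!r}?)"
            problems.append(f"{key!r} is not an option for {connector_object}{hint}")
        elif key in FLAGS and value != "true":
            problems.append(f"{key} only accepts the value 'true', got {value!r}")
        elif key == "severities":
            items = parse_csv(value)
            bad = [s for s in items if s not in SEVERITIES]
            if not items or bad:
                problems.append(f"severities must be a comma-separated subset of "
                                f"{', '.join(SEVERITIES)}, got {value!r}")
        elif key == "types" and value not in TYPES:
            problems.append(f"types must be one of {', '.join(TYPES)}, got {value!r}")
        elif key in ("excludeOrg", "project", "projectId") and not value.strip():
            problems.append(f"{key} requires a non-empty value")
    return problems
```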
APIs
The Snyk connector uses the Snyk API v1 and Snyk REST API. Specifically, it uses the following endpoints:
Table 12: Snyk API Endpoints
Connector Object | API Endpoints |
---|---|
Code Repository | GET /rest/orgs |
| GET /rest/orgs/{orgId}/targets |
Collection | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/collections |
Component | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /api/v1/org/{orgId}/dependencies |
Ignore | GET /rest/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/ignores |
Open Source Issue | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/jira-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/aggregated-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/issue/{issueId}/paths |
Open Source Issue Definition | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/jira-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/aggregated-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/issue/{issueId}/paths |
Project | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
Static Code Issue | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/jira-issues |
| GET /rest/orgs/{orgId}/issues |
Static Code Issue Definition | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/jira-issues |
| GET /rest/orgs/{orgId}/issues |
Violation | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/jira-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/aggregated-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/issue/{issueId}/paths |
Violation Definition | GET /rest/groups |
| GET /rest/groups/{groupId}/orgs |
| GET /rest/orgs/{orgId}/projects |
| GET /api/v1/org/{orgId}/project/{projectId}/jira-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/aggregated-issues |
| GET /api/v1/org/{orgId}/project/{projectId}/issue/{issueId}/paths |
The Snyk API is available only with Enterprise plans. See the Snyk documentation for more information.
Changelog
The Snyk connector has undergone the following changes:
3.0.18
- Added the JIRA_IDS and JIRA_KEYS attributes to the Static Code Issue object.
3.0.17
- Added support for Data lifecycle management to the Code Repository, Collection, Component, Open Source Issue, Project, Static Code Issue, and Violation objects.
3.0.16
- Fixed an issue where the IGNORED_BY, REASON, and REASON_TYPE attributes on the Ignore object were returning blank values.
3.0.15
- Added the Code Repository connector object and established a relationship between the Code Project and Code Repository objects.
3.0.14
- Changed the MALICIOUS_PACKAGE attribute type on the Open Source Issue object from string to boolean.
3.0.13
- Added group information to each connector object.
- Added Collection to the list of connector objects retrieved.
- Added the PROJECT_ID attribute to the Static Code Issue object.
3.0.12
- Added the RISK_SCORE attribute to the Static Code Issue object.
- Added the following attributes to the Open Source Issue object:
  - ATTACK_COMPLEXITY
  - ATTACK_VECTOR
  - AVAILABILITY_IMPACT
  - BUSINESS_CRITICALITY
  - CONFIDENTIALITY_IMPACT
  - DAYS_SINCE_PUBLISHED
  - EPSS_SCORE
  - EXPLOIT_MATURITY
  - INTEGRITY_IMPACT
  - MALICIOUS
  - PACKAGE_POPULARITY_SCORE
  - PRIVILEGES_REQUIRED
  - PROVIDER_URGENCY
  - REACHABLE
  - SCOPE
  - SOCIAL_TRENDS
  - TRANSITIVE_DEPENDENCY
  - USER_INTERACTION
3.0.11
- Fixed an issue where the Static Code Issue sync was not retrieving all static code issues.
3.0.10
- Added the LAST_ASSESSED attribute in the Project object to store the last tested date from Snyk.
3.0.9
- Added a new operation option, includeJiraTickets, to the Open Source Issue object to retrieve Snyk-related Jira tickets.
3.0.8
- Added logging for the Open Source Issue object.
- Improved performance by parallelizing project streams when syncing Open Source Issue and Static Code Issue objects.
- Updated dependencies.
3.0.7
- Added ORG-level attributes, such as ORG_ID and ORG_NAME, as source attributes.
- Added COMPONENT and PROJECT_ID to the Open Source Finding object as source attributes.
3.0.6
- Implemented a different approach for managing the STATUS_CATEGORY attribute in findings, as it is not provided in the data retrieved from Snyk.
3.0.5
- Switched to Snyk REST API (formerly Snyk API v3) to retrieve static code issues.
3.0.4
- Migrated to the new Organization and Project API endpoints.
- Added a configuration option, enabled by default, to retrieve only active projects and the findings associated with active projects.
3.0.3
- Switched to Snyk API v3 since Snyk API v1 has been deprecated.
3.0.2
- Started using UID as the identifier instead of name.
3.0.0
- Initial Integration+ release.