Snyk Security


Test and monitor your projects for vulnerabilities with Jenkins. Officially maintained by Snyk.

Usage

To use the plugin, you will need to complete the following steps in order:

  1. Install the Snyk Security Plugin
  2. Configure a Snyk Installation
  3. Configure a Snyk API Token Credential
  4. Add Snyk Security to your Project
  5. Run a Build and View Your Snyk Report

1. Install the Snyk Security Plugin

  • Go to "Manage Jenkins" > "Manage Plugins" > "Available".
  • Search for "Snyk Security".
  • Install the plugin.

2. Configure a Snyk Installation

  • Go to "Manage Jenkins" > "Global Tool Configuration"
  • Add a "Snyk Installation"
  • Configure the Installation
  • Remember the "Name" as you'll need it when configuring the build step.

Automatic Installations

The plugin can download the latest version of Snyk's binaries and keep them up-to-date for you.

[Screenshot: Snyk Installer Auto Update]

Manual Installations

  • Download the following binaries. Choose the binary suitable for your agent's operating system:
  • Place the binaries in a single directory on your agent.
    • Do not change the filename of the binaries.
    • Make sure you have the correct permissions to execute the binaries.
  • Provide the absolute path to the directory under "Installation directory".

[Screenshot: Snyk Installer Manual]

3. Configure a Snyk API Token Credential

  • Get your Snyk API Token
  • Go to "Manage Jenkins" > "Manage Credentials"
  • Choose a Store
  • Choose a Domain
  • Go to "Add Credentials"
  • Select "Snyk API Token"
  • Configure the Credentials
  • Remember the "ID" as you'll need it when configuring the build step.

[Screenshot: Snyk API Token]

4. Add Snyk Security to your Project

This step will depend on if you're using Freestyle Projects or Pipeline Projects.

Freestyle Projects

  • Select a project
  • Go to "Configure"
  • Under "Build", select "Add build step" and then "Invoke Snyk Security Task"
  • Configure as needed. Click the "?" icons for more information about each option.

[Screenshot: Basic configuration]

Pipeline Projects

Use the snykSecurity step as part of your pipeline script. You can use the "Snippet Generator" to generate the code from a web form and copy it into your pipeline.

Example pipeline:

pipeline {
  agent any

  stages {
    stage('Build') {
      steps {
        echo 'Building...'
      }
    }
    stage('Test') {
      steps {
        echo 'Testing...'
        snykSecurity(
          snykInstallation: '<Your Snyk Installation Name>',
          snykTokenId: '<Your Snyk API Token ID>',
          // place other parameters here
        )
      }
    }
    stage('Deploy') {
      steps {
        echo 'Deploying...'
      }
    }
  }
}

You can pass the following parameters to your snykSecurity step.

snykInstallation (required)

Snyk Installation Name. As configured in "2. Configure a Snyk Installation".

snykTokenId (optional, default: none)

Snyk API Token Credential ID. As configured in "3. Configure a Snyk API Token Credential".

If you prefer to provide the Snyk API Token another way, such as using alternative credential bindings, you'll need to provide a "SNYK_TOKEN" build environment variable.

failOnIssues (optional, default: true)

Whether the step should fail if issues and vulnerabilities are found.

failOnError (optional, default: true)

Whether the step should fail if Snyk fails to scan the project due to an error. Errors include scenarios like: failing to download Snyk's binaries, improper Jenkins setup, bad configuration and server errors.

organisation (optional, default: automatic)

The Snyk Organisation in which this project should be tested and monitored. See --org under Snyk CLI docs for default behaviour.

projectName (optional, default: automatic)

A custom name for the Snyk project created for this Jenkins project on every build. See --project-name under Snyk CLI docs for default behaviour.

targetFile (optional, default: automatic)

The path to the manifest file to be used by Snyk. See --file under Snyk CLI docs for default behaviour.

severity (optional, default: automatic)

The minimum severity to detect. Can be one of the following: low, medium, high, critical. See --severity-threshold under Snyk CLI docs for default behaviour.

additionalArguments (optional, default: none)

See Snyk CLI docs for information on additional arguments.
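The following declarative pipeline is an added example, not code from the plugin's README, showing how the parameters above map onto the snykSecurity step, and how the "SNYK_TOKEN" environment variable alternative looks when the token is supplied through the Credentials Binding plugin's withCredentials step instead of snykTokenId. The installation name 'snyk-latest', the credential IDs 'snyk-api-token' and 'snyk-token-secret', the organisation 'my-org' and the npm build command are placeholders assumed for this example.

```groovy
// Added example (not part of the plugin's README). Placeholder values:
// 'snyk-latest' (Snyk Installation name), 'snyk-api-token' and
// 'snyk-token-secret' (credential IDs), 'my-org' (Snyk organisation).
pipeline {
  agent any

  stages {
    stage('Build') {
      steps {
        sh 'npm ci'   // assumed build step for an npm project; adjust to your ecosystem
      }
    }

    stage('Snyk test - gate on high and critical issues') {
      steps {
        snykSecurity(
          snykInstallation: 'snyk-latest',      // "Name" from Global Tool Configuration
          snykTokenId: 'snyk-api-token',        // "ID" of the Snyk API Token credential
          organisation: 'my-org',               // maps to the CLI's --org
          projectName: "${env.JOB_NAME}",       // maps to --project-name; one project per job
          targetFile: 'package.json',           // maps to --file
          severity: 'high',                     // maps to --severity-threshold
          failOnIssues: true,                   // fail the build when high/critical issues are found
          failOnError: true,                    // also fail when the scan itself cannot run
          additionalArguments: '--debug'        // extra CLI flags; --debug output lands in Console Output
        )
      }
    }

    stage('Snyk test - token via credential binding') {
      steps {
        // Alternative to snykTokenId: expose the token as SNYK_TOKEN using the
        // Credentials Binding plugin's withCredentials/string step.
        withCredentials([string(credentialsId: 'snyk-token-secret', variable: 'SNYK_TOKEN')]) {
          snykSecurity(
            snykInstallation: 'snyk-latest',
            failOnIssues: false   // report-only run: findings are recorded but do not break the build
          )
        }
      }
    }
  }

  post {
    always {
      // The "Snyk Security Report" link appears on the build's page; this only
      // records the overall outcome in the console for the audit trail.
      echo "Build result: ${currentBuild.currentResult}"
    }
  }
}
```

The first stage is the usual gating configuration: failOnIssues and failOnError both true, so a build is marked failed both when findings at or above the threshold exist and when the scan could not complete (for example a failed binary download). The second stage shows the report-only variant that is useful while onboarding a project, before the gate is switched on.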

5. View your Snyk Security Report

  • Complete a new build of your project.
  • Go to the build's page.
  • Click on "Snyk Security Report" in the sidebar to see the results.

[Screenshot: Snyk Build Report]

If there are any errors, the report may not be shown. See Troubleshooting.

Troubleshooting

Increase Logging

To see more information on your steps, you can increase logging and re-run your steps.

  • View the "Console Output" for a specific build.
  • Add a logger to capture all io.snyk.jenkins logs. Follow this article.
  • Add --debug to "Additional Arguments" to capture all Snyk CLI logs. Debug output is available under "Console Output" for your build.

Failed Installations

By default, Snyk Installations will download Snyk's binaries over the network from static.snyk.io. If this fails there may be a network or proxy issue. If you cannot fix the issue, you can use a Manual Installation instead.


Made with 💜 by Snyk