
V2

Snyk Security Scanner is a Jenkins plugin that enables Jenkins users to test their applications against the Snyk vulnerability database.

Global Configuration

Configure your Jenkins settings to install the Snyk Security Scanner plugin:

  1. Go to Manage Jenkins > Manage Plugins > Available and search for Snyk Security. Install the plugin.
  2. Go to Manage Jenkins > Global Tool Configuration and add a Snyk Installation to have the Snyk CLI available during Jenkins builds. We recommend using the latest version to keep up to date with new releases of the Snyk CLI.
  3. Go to Manage Jenkins > Credentials > System and add a Snyk API Token to allow the Snyk Security Scanner to authenticate with Snyk. Specify a meaningful credential ID value in the ID field (e.g. `my-org-snyk-api-token`).

Note: in order to install a pre-release version of the plugin, change the Update Site to http://updates.jenkins-ci.org/experimental/update-center.json in the Advanced settings. See this post for more details.

Project Configuration

Freestyle Jobs

Enable the Snyk Security Scanner in the project configuration page. To add Snyk Security Scanner to the project's build, select Build > Add build step > Invoke Snyk Security Task.

Basic Configuration

  • When issues are found - Whether the build should fail or continue when Snyk finds issues.
  • Monitor project on build - Take a current application dependencies snapshot for continuous monitoring by Snyk.
  • Snyk token - The ID for the API token from the Credentials plugin to be used to authenticate with Snyk (credential type must be "Snyk API token").
  • Target file - The path to the application manifest file to be scanned by Snyk Security Scanner.
  • Organisation - The Snyk organisation in which this project should be tested and monitored.
  • Project name - A custom name for the Snyk project created for this Jenkins project on every build.

Advanced Configuration

To see the advanced configuration for the plugin, click the Advanced button. This section allows you to specify Snyk installation as well as additional runtime arguments for the Snyk Security Scanner.

  • Snyk installation - The Snyk installation as configured in the Global Tool Configuration.
  • Additional arguments - Refer to the Snyk CLI help page for information on additional arguments.

Pipeline Jobs

The Snyk Security Scanner pipeline integration exposes the snykSecurity function to scan your dependencies as part of your pipeline script. We recommend using the "Snippet Generator" to generate the step statement to copy into your Jenkinsfile.

The snykSecurity function accepts the following parameters:

  • snykInstallation - Snyk installation configured in the Global Tool Configuration.
  • snykTokenId - The ID for the API token from the Credentials plugin to be used to authenticate to Snyk.
  • additionalArguments (optional, default none) - Refer to the Snyk CLI help page for information on additional arguments.
  • failOnIssues (optional, default true) - Whether the build should fail or continue when Snyk finds issues.
  • organisation (optional, default none) - The Snyk organisation in which this project should be tested and monitored.
  • projectName (optional, default none) - A custom name for the Snyk project created for this Jenkins project on every build.
  • severity (optional, default low) - Only report vulnerabilities of the provided level or higher (low/medium/high).
  • targetFile (optional, default none) - The path to the manifest file to be used by Snyk.

Migration from v1

Note: v2 of the plugin contains changes that are incompatible with v1 and will require you to adapt your Jenkins jobs. You have to perform the global configuration steps described in the Global Configuration section above.

  • The plugin does not require a Docker installation on master or worker nodes. Add a Snyk installation in the Global Tool Configuration section instead.
  • You no longer need to pass the Snyk API token to the job as the SNYK_TOKEN environment variable. Add a credential of type Snyk API token instead.
  • The parameters 'Runtime Arguments', 'Docker Image', 'HTTP Proxy' and 'HTTPS Proxy' are obsolete.
  • The pipeline syntax has changed; see the 'Pipeline Jobs' section for documentation.
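As an added example that is not part of the plugin's own documentation, a declarative Jenkinsfile using the v2 snykSecurity step described under Pipeline Jobs, followed by the v1-to-v2 parameter mapping for the migration notes above. The Maven tool name, Snyk installation name, credential ID and organisation are placeholder assumptions.

```groovy
// Added example, not from the plugin's documentation.
// Placeholder names assumed: Maven tool 'MAVEN_3.6', Snyk installation
// 'SNYK_LATEST', credential ID 'my-org-snyk-api-token', organisation 'my-org'.
pipeline {
    agent any

    tools {
        // Maven from Global Tool Configuration. Snyk resolves the Maven
        // dependency tree by invoking mvn, so mvn must be on PATH (see the
        // comments below about plugin 2.0.3 and withMaven).
        maven 'MAVEN_3.6'
    }

    stages {
        stage('Build') {
            steps {
                // Snyk expects the project's dependencies to be installed
                // before it scans them.
                sh 'mvn -B -DskipTests install'
            }
        }
        stage('Snyk scan') {
            steps {
                snykSecurity(
                    snykInstallation: 'SNYK_LATEST',        // Global Tool Configuration name
                    snykTokenId: 'my-org-snyk-api-token',   // credential of type "Snyk API token"
                    organisation: 'my-org',
                    projectName: "${env.JOB_NAME}",         // name of the project in Snyk
                    targetFile: 'pom.xml',
                    severity: 'medium',                     // drop low-severity findings
                    failOnIssues: true                      // the default; stated explicitly
                )
            }
        }
    }
}

// v1 parameters and their v2 replacements (the v1 call is for comparison only):
//   snykSecurity(tokenCredentialId: 'SNYK_TOKEN', failOnBuild: true,
//                monitor: true, organization: 'my-org', packageName: 'my-app')
//   tokenCredentialId -> snykTokenId (a "Snyk API token" credential, not a
//                        plain secret holding SNYK_TOKEN)
//   failOnBuild       -> failOnIssues
//   organization      -> organisation
//   packageName       -> projectName
//   envVars           -> obsolete ('Runtime Arguments'); additionalArguments
//                        now passes flags to the Snyk CLI instead
//   dockerImage, httpProxy, httpsProxy -> removed (v2 does not use Docker)
//   monitor           -> no equivalent among the v2 pipeline parameters listed above
```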


V1 documentation

Getting Started

  • This plugin adds Snyk Security Scanning to your project or pipeline, allowing you to test and monitor your projects for security and license issues.
  • This plugin requires a Docker installation on the Jenkins worker in order to scan your dependencies.
  • Check https://hub.docker.com/r/snyk/snyk-cli/tags/ for a full list of runtimes and package managers supported by the Snyk CLI Docker image.
  • Pull the relevant Snyk CLI Docker image by running the following command: docker pull snyk/snyk-cli:[tag].
  • Add the Jenkins user to the docker group: sudo usermod -aG docker <jenkins-user>, and verify that the Jenkins user can run docker commands without sudo.

Job Setup and configuration

  • The Snyk plugin expects an environment variable called SNYK_TOKEN that contains Snyk's API key. We recommend adding SNYK_TOKEN using the Jenkins Credentials plugin.
  • The Snyk plugin expects to run after the installation of the project's dependencies (e.g. after 'npm install' or 'mvn install').
  • For Maven projects, the Snyk plugin expects an environment variable called MAVEN_REPO_PATH that contains the path to your Maven repository (e.g. /home/user/.m2).

How to use Snyk Plugin with Jenkinsfile:

The Snyk pipeline integration exposes the snykSecurity function to scan your dependencies as part of your pipeline script.

Usage example: snykSecurity(tokenCredentialId: 'SNYK_TOKEN', failOnBuild: true, monitor: true)

This example calls Snyk Security with the credential ID created using the Jenkins Credentials plugin, fails the build if vulnerabilities are found, and takes a snapshot of the project's current dependencies.

This function accepts the following parameters:

  • tokenCredentialId (Type: String): Snyk credential ID that contains Snyk's API token.
  • failOnBuild (Type: Boolean): Set to true to have the Jenkins build FAIL if Snyk detects issues in the project.
  • monitor (Type: Boolean): Set to true to monitor the project on every build by taking a snapshot of its current dependencies on Snyk.io. Selecting this option will keep you notified about newly disclosed vulnerabilities and remediation options in the project.
  • organization (Type: String): OPTIONAL - set to the Snyk organisation in which this project should be tested and monitored. Leave empty to use your default organisation.
  • packageName (Type: String): OPTIONAL - set a custom name for the Snyk project created for this Jenkins project on every build. Leave empty for the project's name to be detected from the manifest file.
  • targetFile (Type: String): OPTIONAL - set to the relative path of the manifest file in the project. Leave empty for Snyk to auto-detect the manifest file in the project's root folder.
  • envVars (Type: String): OPTIONAL - set to the runtime arguments for the build tool invoked by Snyk. This is useful when you want to test a specific profile (in Maven) or configuration (in Gradle), or define system properties, such as -Dpkg_version=1.4 -Pprod -s ./settings.xml for Maven or --configuration runtime -Pmyprop=myvalue for Gradle.
  • dockerImage (Type: String): OPTIONAL - set to the Docker image to be used by the plugin. Leave empty to use 'snyk/snyk-cli'. Inspect the different tags at https://hub.docker.com/r/snyk/snyk-cli/tags to choose the right runtime for your project.
  • httpProxy (Type: String): OPTIONAL - set to the HTTP proxy URL to be used in the Snyk plugin Docker container. Leave empty for no proxy.
  • httpsProxy (Type: String): OPTIONAL - set to the HTTPS proxy URL to be used in the Snyk plugin Docker container. Leave empty for no proxy.

14 Comments

  1. Unknown User (moshe_zvi)

    jenkins@XXX:~# sudo docker pull snyk/snyk-cli
    Using default tag: latest
    Error response from daemon: manifest for snyk/snyk-cli:latest not found

  2. Unknown User (adrukh)

    Our CLI docker image includes relevant files for the project runtime it needs to scan. Therefore, we do not publish the `latest` tag, but instead have tags for the different runtimes we support (npm, rubygems, maven, gradle, sbt, composer, nuget, etc.)


    See the full list at https://hub.docker.com/r/snyk/snyk-cli/tags/

  3. Unknown User (eugene_kainara)

    Hello,

    My build is failing after upgrading to 2.0.x.

    I use Maven as the build tool and have the following configuration for the SnykSecurity step:

    steps {
      snykSecurity(
        organisation: 'myOrg',
        severity: 'medium',
        snykInstallation: 'SNYK_LATEST',
        snykTokenId: 'snyk-token-id'
      )
    }

    And my build is failing with "Error result: /bin/sh: 1: mvn: not found". For the full error see snyk-security-fail.log

    I use a Multibranch Pipeline Jenkins build. The Maven tool is added to the build.


    Java: 8u202

    Maven: 3.6.0

    Jenkins: 2.170

    Snyk Security Plugin: 2.0.2

    1. Unknown User (adrukh)

      Unknown User (eugene_kainara) thanks for pointing this out!


      There is a known issue where our plugin expects `mvn` to be available via `$PATH`, but the default Maven installer is modifying `$PATH` only when `withMaven` is used. We will work on a fix in the next two weeks and update here.


      In the mean time, a workaround I can suggest is for you to adjust your build's `$PATH` env var to include your local installation of `mvn`.

      1. Unknown User (eugene_kainara)

        Unknown User (adrukh) the withMaven wrapper also doesn't fix this issue:

        steps {
          withMaven(maven: 'MAVEN_3.6', tempBinDir: '') {
            sh "mvn --version"
            snykSecurity(
              organisation: 'myOrg',
              severity: 'medium',
              snykInstallation: 'SNYK_LATEST',
              snykTokenId: 'snyk-token-id'
            )
          }
        }

        And I'm still getting the "mvn: not found" error: snyk-security-fail2.log

        Notice that "mvn --version" works in both scenarios.

        1. Unknown User (adrukh)

          Indeed, the injection of `$PATH` by `withMaven` doesn't work well with our implementation, and that's exactly what we will be fixing soon. `sh` is a special case that does take this injection into account, and we will find a way to do the same thing.

          1. Unknown User (eugene_kainara)

            Ok, we will wait for new plugin releases.

            Also, is it possible to autodetect and use a Maven (https://github.com/takari/maven-wrapper) or Gradle wrapper? It would be a very good feature.

            1. Unknown User (adrukh)

              This is best discussed over our CLI repos:

              Our gradle plugin detects a wrapper locally in the project folder and uses it - https://github.com/snyk/snyk-gradle-plugin/blob/master/lib/index.ts#L277-L292

              Our maven plugin does not - https://github.com/snyk/snyk-mvn-plugin/blob/master/lib/index.js#L19


              Please open an issue on `snyk/snyk-mvn-plugin` and we'll discuss it there.

            2. Unknown User (adrukh)

              Unknown User (eugene_kainara) we just released version 2.0.3 of the plugin which should handle this issue - https://github.com/jenkinsci/snyk-security-scanner-plugin/releases/tag/2.0.3


              Please give this a try and let us know if it is working as expected.

              1. Unknown User (eugene_kainara)

                Thanks Unknown User (adrukh), with 2.0.3 it works with the Maven tool provided by the build.

  4. Unknown User (eugene_kainara)

    Hello, 

    Yesterday my Jenkins jobs started failing with the following error.

    Do you have any ideas what's wrong?


    Snyk tool is the latest version

    Jenkins-snyk-plugin 2.0.3 (after upgrading to 2.0.4 builds are still failing)

    1. Unknown User (adrukh)

      Unknown User (eugene_kainara) can you please email support@snyk.io and reference this issue? We'll take it from there.

  5. Unknown User (binsbaby)

    Hi,

    I was trying to integrate the Snyk security plugin with my Jenkins integration. My project is running on the Node.js framework. I was able to integrate it successfully and the build is running; the first build works great!

    But I am facing some issues with the next build. Both the snyk_report.json and snyk_monitor_report.json files are not getting removed automatically. I know these files are generated by the Snyk plugin during the first build.

    I can see the Remove command execution inside the Jenkins logs during clean up, but the files are still present. The only way I can delete them is by stopping the Jenkins server.

    Jenkins version is 2.150.1 and Snyk Plugin is 2.0.4

    Thanks in Advance!

    1. Unknown User (adrukh)

      Unknown User (binsbaby) can you please send an email to support@snyk.io with the details and we'll take it from there.