This plugin adds Snyk Security Scanning to your project or pipeline, allowing you to test and monitor your projects for security and license issues.
This plugin requires Docker to be installed on the Jenkins worker in order to scan your dependencies.
- Check https://hub.docker.com/r/snyk/snyk-cli/tags/ for a full list of runtimes and package managers supported by the Snyk CLI Docker image.
- Pull the relevant Snyk CLI Docker image by running the following command: docker pull snyk/snyk-cli:[tag].
- Add the Jenkins user to the docker group: sudo usermod -aG docker <jenkins-user>, then verify that the Jenkins user can run the docker command without sudo. Note that membership in the docker group is equivalent to root access on the worker host, so treat that worker accordingly.
Job Setup and configuration
- The Snyk plugin expects an environment variable called SNYK_TOKEN that contains your Snyk API key. We recommend providing SNYK_TOKEN through the Jenkins Credentials plugin rather than as a plain environment variable, so the token is masked in build logs.
- You can obtain your Snyk API key at https://snyk.io/account
- The Snyk plugin expects to run after the project's dependencies have been installed (e.g. 'npm install' or 'mvn install').
- For Maven projects, the Snyk plugin expects an environment variable called MAVEN_REPO_PATH that contains the path to your local Maven repository (e.g. /home/user/.m2).
How to use Snyk Plugin with Jenkinsfile:
The Snyk pipeline integration exposes a snykSecurity function that scans your dependencies as part of your pipeline script.
Usage example: snykSecurity(tokenCredentialId: 'SNYK_TOKEN', failOnBuild: true, monitor: true)
This example calls the Snyk security scan with the credential ID created via the Jenkins Credentials plugin, fails the build if vulnerabilities are found, and takes a snapshot of the project's current dependencies for monitoring.
This function accepts the following parameters:
- tokenCredentialId (Type: String): ID of the Jenkins credential that holds the Snyk API token.
- failOnBuild (Type: Boolean): Set to true to have the Jenkins build FAIL if Snyk detects issues in the project.
- monitor (Type: Boolean): Set to true to monitor the project on every build by taking a snapshot of its current dependencies on Snyk.io. Selecting this option will keep you notified about newly disclosed vulnerabilities and remediation options in the project.
- organization (Type: String): OPTIONAL - set to the Snyk organisation in which this project should be tested and monitored. Leave empty to use your default organisation.
- packageName (Type: String): OPTIONAL - set a custom name for the Snyk project created for this Jenkins project on every build. Leave empty for the project's name to be detected in the manifest file.
- targetFile (Type: String): OPTIONAL - set to the relative path of the manifest file in the project. Leave empty for Snyk to auto-detect the manifest file in the project's root folder.
- envVars (Type: String): OPTIONAL - set to the runtime arguments for the build tool invoked by Snyk. This is useful when you want to test a specific profile (in Maven) or configuration (in Gradle), or define system properties, such as -Dpkg_version=1.4 -Pprod -s ./settings.xml for Maven or --configuration runtime -Pmyprop=myvalue for Gradle.
- dockerImage (Type: String): OPTIONAL - set to the Docker image to be used by the plugin. Leave empty to use 'snyk/snyk-cli'. Inspect the different tags at https://hub.docker.com/r/snyk/snyk-cli/tags to choose the right runtime for your project.
- httpProxy (Type: String): OPTIONAL - set to the HTTP Proxy URL to be used in the Snyk plugin Docker container. Leave empty for no proxy.
- httpsProxy (Type: String): OPTIONAL - set to the HTTPS Proxy URL to be used in the Snyk plugin Docker container. Leave empty for no proxy.
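A complete declarative Jenkinsfile tying the above together for a Maven project, as an added example rather than the plugin's own documentation. The credential ID 'snyk-api-token', the Snyk organisation 'example-org', the 'service' subfolder and the 'prod' profile are assumed values; the dependency-install stage runs before the scan, as the plugin requires.

```groovy
// Added example, not part of the Snyk plugin's documentation.
// Assumptions: a Jenkins "Secret text" credential with ID 'snyk-api-token'
// holds the Snyk API token; the Maven project lives under 'service/' and
// is built with the 'prod' profile and a settings.xml in the repo root.
pipeline {
    agent any

    environment {
        // Required by the plugin for Maven projects: local Maven repository path.
        MAVEN_REPO_PATH = "${env.HOME}/.m2"
    }

    stages {
        stage('Install dependencies') {
            steps {
                // Dependencies must be resolved before snykSecurity runs.
                sh 'mvn -B -f service/pom.xml -s ./settings.xml -Pprod install -DskipTests'
            }
        }

        stage('Snyk security scan') {
            steps {
                snykSecurity(
                    // Jenkins credential ID, never the raw token.
                    tokenCredentialId: 'snyk-api-token',
                    // Break the build when issues are found.
                    failOnBuild: true,
                    // Snapshot to Snyk.io only for the mainline branch, so
                    // feature branches do not create extra monitored projects.
                    monitor: env.BRANCH_NAME == 'main',
                    organization: 'example-org',              // assumed Snyk org
                    packageName: "service-${env.BRANCH_NAME}",
                    targetFile: 'service/pom.xml',
                    // Same profile and settings as the build, so Snyk resolves
                    // the identical dependency tree.
                    envVars: '-Pprod -s ./settings.xml'
                    // dockerImage is left at the default; pick a Maven tag from
                    // https://hub.docker.com/r/snyk/snyk-cli/tags if needed.
                )
            }
        }
    }
}
```

With failOnBuild set, the scan stage fails the build on detected issues, so downstream deploy stages in the same pipeline never run against a project with open vulnerabilities.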