V2
Snyk Security Scanner is a Jenkins plugin that enables Jenkins users to test their applications against the Snyk vulnerability database.
Global Configuration
Configure your Jenkins settings to install the Snyk Security Scanner plugin:
- Go to Manage Jenkins > Manage Plugins > Available and search for Snyk Security. Install the plugin.
- Go to Manage Jenkins > Global Tool Configuration and add a Snyk Installation to have the Snyk CLI available during Jenkins builds. We recommend using the latest version to keep up to date with new releases of the Snyk CLI.
- Go to Manage Jenkins > Credentials > System and add a Snyk API Token to allow the Snyk Security Scanner to authenticate with Snyk. Specify a meaningful credential ID value in the ID field (e.g. `my-org-snyk-api-token`).
Note: in order to install a pre-release version of the plugin, change the Update Site to http://updates.jenkins-ci.org/experimental/update-center.json in the Advanced settings. See this post for more details.
Project Configuration
Freestyle Jobs
Enable the Snyk Security Scanner in the project configuration page. To add Snyk Security Scanner to the project's build, select Build > Add build step > Invoke Snyk Security Task.
Basic Configuration
- When issues are found - This specifies if builds should be failed or continued based on issues found by Snyk.
- Monitor project on build - Take a current application dependencies snapshot for continuous monitoring by Snyk.
- Snyk token - The ID for the API token from the Credentials plugin to be used to authenticate with Snyk (credential type must be "Snyk API token").
- Target file - The path to the application manifest file to be scanned by Snyk Security Scanner.
- Organisation - The Snyk organisation in which this project should be tested and monitored.
- Project name - A custom name for the Snyk project created for this Jenkins project on every build.
Advanced Configuration
To see the advanced configuration for the plugin, click the Advanced button. This section allows you to specify Snyk installation as well as additional runtime arguments for the Snyk Security Scanner.
- Snyk installation - The Snyk installation as configured in the Global Tool Configuration.
- Additional arguments - Refer to the Snyk CLI help page for information on additional arguments.
Pipeline Jobs
The Snyk Security Scanner pipeline integration exposes the snykSecurity function to scan your dependencies as part of your pipeline script. We recommend using the "Snippet Generator" to generate the needed step statement to copy into your Jenkinsfile.
The snykSecurity function accepts the following parameters:
- snykInstallation - Snyk installation configured in the Global Tool Configuration.
- snykTokenId - The ID for the API token from the Credentials plugin to be used to authenticate to Snyk.
- additionalArguments (optional, default none) - Refer to the Snyk CLI help page for information on additional arguments.
- failOnIssues (optional, default true) - This specifies if builds should be failed or continued based on issues found by Snyk.
- organisation (optional, default none) - The Snyk organisation in which this project should be tested and monitored.
- projectName (optional, default none) - A custom name for the Snyk project created for this Jenkins project on every build.
- severity (optional, default low) - Only report vulnerabilities of the provided level or higher (low/medium/high).
- targetFile (optional, default none) - The path to the manifest file to be used by Snyk.
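The following declarative Jenkinsfile is an added example of the snykSecurity step, not code from the plugin's own documentation. It assumes a Multibranch Pipeline (so that `branch` conditions apply), a Snyk installation named `snyk-latest` in the Global Tool Configuration, a Snyk API token credential with ID `my-org-snyk-api-token`, a hypothetical Snyk organisation `my-org`, and a Node.js project with a `package.json` manifest.

```groovy
// Added example Jenkinsfile (not from the plugin's docs).
// Assumptions: Multibranch Pipeline, Snyk installation 'snyk-latest',
// credential ID 'my-org-snyk-api-token', organisation 'my-org'.
pipeline {
  agent any

  stages {
    stage('Install dependencies') {
      steps {
        // Resolve the full dependency tree before scanning so Snyk sees
        // the same versions that will be shipped.
        sh 'npm ci'
      }
    }

    // On the main branch the scan is a release gate: any high severity
    // issue fails the build and keeps the vulnerable version out.
    stage('Snyk gate') {
      when { branch 'main' }
      steps {
        snykSecurity(
          snykInstallation: 'snyk-latest',
          snykTokenId: 'my-org-snyk-api-token',
          organisation: 'my-org',
          projectName: "${env.JOB_NAME}",
          targetFile: 'package.json',
          severity: 'high',
          failOnIssues: true
        )
      }
    }

    // On feature branches the scan only reports, so developers see all
    // findings (low and above) without blocking their work.
    stage('Snyk report') {
      when { not { branch 'main' } }
      steps {
        snykSecurity(
          snykInstallation: 'snyk-latest',
          snykTokenId: 'my-org-snyk-api-token',
          organisation: 'my-org',
          projectName: "${env.JOB_NAME}",
          targetFile: 'package.json',
          severity: 'low',
          failOnIssues: false
        )
      }
    }
  }
}
```

Use the Snippet Generator on your own Jenkins instance to confirm the parameter names accepted by the installed plugin version before copying the step.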
Migration from v1
Note: v2 of the plugin contains changes that are incompatible with v1 and will require you to adapt your Jenkins jobs. You have to perform the global configuration steps as described [here|#global-configuration].
- The plugin no longer requires a Docker installation on master or worker nodes. Add a Snyk installer in the Global Tool Configuration section instead.
- You no longer need to pass the Snyk API token to the job as the {{SNYK_TOKEN}} environment variable. Add a credential of type Snyk API token instead.
- The parameters 'Runtime Arguments', 'Docker Image', 'HTTP Proxy' and 'HTTPS Proxy' are obsolete.
- The pipeline syntax has changed; see the 'Pipeline Jobs' section for documentation.