Projects are the components that Snyk tests. Projects include related configuration and metadata. Each target you want to scan (repos, container images, Dockerfiles, configuration files, source code) may include more than one project.

Snyk Open Source

Manifest files

For Open Source projects, Snyk accesses the manifest and build configuration files to identify Open Source dependencies (direct and indirect).

Snyk Container

Container images

When you scan a Dockerfile, Snyk views the FROM statement to identify the base image and predict potential vulnerabilities once that container has been built. Note that scanning a Dockerfile is not equivalent to a container scan (which is done in the CLI or in the CI/CD pipeline).

Snyk Code

Source code files

Snyk caches repository code for a one-time analysis and retains the file path, line, and column to any identified issues.

Snyk IaC

Infrastructure as code files

Snyk scans infrastructure files to search for misconfigurations, based on industry standards of secure configurations. Snyk shows a side-by-side code review interface. Snyk does not retain the file.

No matter which way you add projects to Snyk, projects are added to a specific organization. That organization provides reporting at an aggregate level.

We recommend importing a small number of projects at first as you begin gaining visibility into your issues.

Source control manager integration

Use a source code manager integration (like GitHub) to begin monitoring projects for issues in Snyk.

Snyk CLI

The Snyk monitor command in the CLI pushes the results to the Snyk UI and continues to monitor those projects. This process can be done as part of a CI/CD pipeline.

Snyk API

For a more advanced import strategy, refer to Tech Services Snyk API import.

This script is intended to help import projects into Snyk with a controlled pace utilizing available Snyk APIs to avoid rate limiting from the source code manager, and to provide a stable import.

Before importing projects at scale, make sure to configure your organization settings in Snyk according to your current phase of Snyk adoption.

Consider building your complete Software Bill of Materials to assess risk across your organization before implementing these types of automations in Snyk.

• Consider disabling email notifications by default in the beginning. Choose specific projects for which you want to enable email notifications, and allow individuals to configure their own notification settings. Learn more in the Notifications course.
• Consider disabling SCM automations, including Automatic Fix PRs and Default Snyk tests in the beginning. These are powerful tools when your teams are ready for them. Learn more in the Source Code Manager Configurations course.

Once you have imported a small number of projects to work out your process, you can determine a plan for importing additional projects.

When defining your plan, consider the speed at which you want to adopt Snyk, as well as the repository structure and the number of projects that you want to import.