Integrating Snyk at your company
Snyk across the SDLC
Snyk tests and monitors your projects for issues.
Snyk recommends different approaches, depending on your situation and the languages of the projects you want to test.
You can choose to implement Snyk at different points in your software development life cycle.
To shift left and fix while developing, encourage developers to check for vulnerabilities and license issues as part of the development process. Developers can use the CLI, an IDE plug-in, or the Snyk web application.
Set up Snyk to check for vulnerabilities and license issues when anyone opens a new pull request in the repository. Use policies to block pull requests that introduce issues. Create Jira tickets for new vulnerabilities.
Use automations to create PRs with the required upgrade or patch based on your requirements.
No changes are made to code without human approval.
Integrate Snyk with CI/CD tools. Use automated Snyk tests or create policies to help prevent vulnerabilities from passing through build processes.
Monitor the runtime environment with continuous tests to verify that there’s no exposure to existing vulnerabilities and monitor for newly disclosed vulnerabilities.
Tool, pipeline, and workflow integrations
As you are preparing to roll out Snyk, consider your tech stack. Snyk integrates with a number of different development tools.
Here are some sample integrations for you to explore what's possible.
To review the current integrations and languages, visit the documentation.
A sampling of our coding integrations:
- Snyk CLI
- VS Code
- Visual Studio 2019, 2022
Source control integrations
A sampling of our source control manager integrations:
- Azure Repos
A sampling of our CI/CD integrations:
- BitBucket Pipelines
- AWS Code Pipeline
- Azure Pipelines
A sampling of our runtime integrations:
A sampling of our registry integrations:
- Docker Hub
- Azure Container Registry (ACR)
- Amazon ECR
- Google Container Registry
- and many more
Issue management integrations
A sampling of our issue management tool integrations:
- Snyk API
Language and package manager support
The way Snyk works will depend on the languages and package managers being used by your projects.
When using Gradle or Scala, Snyk recommends implementing Snyk via the CLI or as part of your CI/CD process. Read more about this consideration in the support documentation.
For more information about Snyk with specific tech stacks, refer to the following guides:
We recommend that you adopt Snyk in phases. Where you start depends on where you are in your security journey. The phase you are in will also determine how you configure some of the Snyk integrations. We call these phases of the Snyk Developer Adoption model:
- gain visibility
- prevent new issues
- fix the backlog
- optimize security
This is an overview of the journey. It's not linear, and may not go in any specific order or even include all phases at your company.
Learn more about each phase of maturing your security with Snyk, including the activities and expected outcomes for each phase, as well as the change management to think about before moving to a new phase.
Gain visibility phase
In this stage, the goal is to get visibility of your security posture.
Shift left security
Encourage developers to install the Snyk plug-in for their IDEs to begin checking for security issues before committing their code.
Start importing critical projects to begin assessing your risk profile. Try a few manual fixes to experiment with how you want to roll out Snyk.
In this phase, you'll begin building a prioritization plan to start addressing the vulnerabilities in your projects. Snyk reports, the priority score of issues, and filters help your teams determine which issues need to be fixed first.
Determine what metrics you want to follow to validate the success of your efforts to fix issues.
No automations... yet
We recommend keeping most automations off at this phase.
To pilot the gatekeeper approach with one team, you can enable Default Snyk test for pull requests on a limited basis.
Ready for the next phase?
The key change management activity before moving to the next phase is to announce the new gatekeeper policy to the teams who'll be affected by it.
Prevent new issues phase
In this stage, the goal is to start using Snyk as a gatekeeper to block developers from introducing new issues to the code.
Use Snyk as a gatekeeper
When your teams are ready to prevent the introduction of new vulnerabilities to code, you can add automated processes.
You'll want to configure Snyk to indicate how you want to block PRs/builds. The Source Code Manager Configurations course provides detailed scenarios.
The gatekeeper approach isn't all or nothing. Many Snyk customers start by failing pull requests only for high-priority projects that have critical or high severity issues, and only if those issues have a fix available.
You can adjust the fail conditions to what's right for your teams, up to and including failing all PRs if any issues are detected in the repo.
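The following CI gate script is an added example, not code from Snyk or from this page. It shows how the two fail conditions described above (the lenient pilot policy and the strict "fail on anything" policy) map onto `snyk test` flags for the CI/CD integration described earlier, and how the CLI's documented exit codes (0 no issues, 1 issues found, 2 CLI error, 3 no supported projects) become a build verdict. It assumes the Snyk CLI is installed and SNYK_TOKEN is set in the pipeline environment; the phase names and the SNYK_GATE_RUN variable are this example's own.

```shell
#!/usr/bin/env bash
# Added example: CI gate for `snyk test` with a per-phase fail policy.
set -u

# Build the argument list for `snyk test` from a gate policy.
# pilot  : fail only on high/critical issues that have a fix available
#          (the "start lenient" policy many teams use for the first rollout).
# strict : fail on any issue of any severity.
snyk_gate_args() {
  case "$1" in
    pilot)  echo "test --severity-threshold=high --fail-on=upgradable" ;;
    strict) echo "test --severity-threshold=low --fail-on=all" ;;
    *)      echo "unknown gate phase: $1" >&2; return 2 ;;
  esac
}

# Translate a `snyk test` exit code into a verdict the pipeline can log.
# Documented codes: 0 = no issues, 1 = issues found that match the policy,
# 2 = CLI failure (auth, network, unsupported manifest), 3 = no projects found.
snyk_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "fail-policy" ;;
    2) echo "fail-error" ;;
    3) echo "fail-noproject" ;;
    *) echo "fail-unknown" ;;
  esac
}

# Run the gate for the given phase; returns non-zero whenever the build must stop.
# Codes 2 and 3 are treated as failures too, so a broken scan cannot silently pass.
run_gate() {
  local phase="${1:-pilot}" args rc
  args=$(snyk_gate_args "$phase") || return 2
  # shellcheck disable=SC2086  # args is intentionally word-split into flags
  snyk $args
  rc=$?
  echo "snyk gate ($phase): $(snyk_verdict "$rc") (exit $rc)"
  [ "$rc" -eq 0 ]
}

# Only run when explicitly asked (e.g. SNYK_GATE_RUN=1 GATE_PHASE=strict ./gate.sh),
# so the functions above can also be sourced by other pipeline steps.
if [ -n "${SNYK_GATE_RUN:-}" ]; then
  run_gate "${GATE_PHASE:-pilot}"
fi
```

Tightening the policy later is a one-word change (`pilot` to `strict`) rather than a rewrite of the pipeline step.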
Ready for the next phase?
Before moving to introducing autofix PR creation and Jira tickets, the key change management activity is to announce those as part of developers' responsibility.
Fix the backlog phase
In this stage, you will work to reduce your technical security debt and introduce additional automation.
Reduce technical security debt
Dedicate developer sprint time to fixing issues. Use the prioritization plan you created to start working through the backlog of issues.
Introduce additional automation
For some projects, you may want to enable autofix PRs and have Snyk create Jira tickets.
At this phase, report on the mean time-to-fix to monitor your progress.
Ready for the next phase?
Before moving to optimization steps, announce the goals and consider implementing gamification.
Optimize security phase
The end goal is to get to a place where you are continuing to monitor what's in production and to improve your processes by having developers test earlier on.
In this phase, you may want to use a gamified approach to encourage developers to test earlier in the process. You'll also want to plan security as part of new product or feature development.
Example workflows can help facilitate implementation planning discussions. The examples in the following videos will provide a structured look at different ways to implement Snyk. These flows illustrate how you might use Snyk in:
- Open source and code local development
- Git integrations with Snyk
- CI/CD pipelines
- Container processes
We also discuss an example of a structured process for prioritizing issues that Snyk discovers.
We recommend mapping your own workflows for using Snyk. These maps help identify places for automation and process improvement, and can be used as a critical internal change management tool during the implementation process.
Open source and code local development workflows
Shift security left by implementing Snyk in local development workflows. This video illustrates workflow processes for:
- Checking for open source issues before code is pushed to the repository
- Checking for code security and quality issues before code is pushed to the repository
- Using Snyk results to remediate or ignore an issue
Git integration workflows
Once your company is ready for Snyk automations, there are several potential workflows to add Snyk to your software development lifecycle. This video illustrates workflow processes for:
- Creating a mandatory security check before code is added to the repository
- Creating pull requests automatically if an issue Snyk identifies has a fix available
- Creating pull requests automatically if a dependency in use has an available upgrade
Adding Snyk to a CI/CD workflow can prevent new issues from being pushed into a feature or main branch. This video illustrates workflow processes for:
- Finding vulnerabilities before code is committed to a feature branch
- Finding vulnerabilities before code is committed to the main branch
Snyk Container helps secure container images. This video illustrates workflow processes for:
- Building secure container images locally
- Selecting secure base images for developers to use
- Automating creation of pull requests when fixes are available for identified container issues
- Splitting responsibilities between DevOps building secure containers for the registry, and developers building on those images
Once you determine which issues are present in your applications, a prioritization strategy helps with decisions on what to do about those issues. This video illustrates a structured process for prioritizing issues.
Congrats! You considered where and how you want to implement Snyk at your company. You also discovered where you are in the Snyk Developer Adoption model in your security journey.