Intro to Snyk

Understand how projects fit into organizations, which may be part of a group.

Groups are the top level of the Snyk account hierarchy (for Trials and Enterprise plans only).

Groups provide an overview of all included organizations and allows for configuration of some items like group-level service accounts and default notification settings.

License and security policies are defined at the group level for the organizations included in that group.

Organizations are the way that Snyk controls project access and configuration.

Members of an organization gain access to all projects included within that organization.

Organizations are also where many integration settings and configurations are defined.

Projects are the components that Snyk tests, including the related configuration and metadata.

Projects live inside an organization.

Projects are the components that Snyk tests. Projects include related configuration and metadata. Each target you want to scan (repos, container images, Dockerfiles, configuration files, source code) may include more than one project.

Source code files

Snyk analyzes your source code to identify the trace, file path, line, and column to any identified issues.

Manifest files

For Open Source projects, Snyk accesses the manifest and build configuration files to identify Open Source dependencies (direct and indirect).

Container images

You can build and test an image locally/at build with the Snyk CLI, or integrate with a registry and upload the results to the Snyk UI. This will provide a list of vulnerabilities and fixes for container and application open source packages that are in use. Additionally, Snyk can scan a Dockerfile from Git. When you scan a Dockerfile, Snyk views the FROM statement to identify the base image and predict potential vulnerabilities once that container has been built. Note that scanning a Dockerfile is not equivalent to a container scan (which is done in the CLI or in the CI/CD pipeline).

Infrastructure as code files

Snyk scans infrastructure files to search for misconfigurations, based on industry standards of secure configurations. Snyk shows a side-by-side code review interface.

When you log into Snyk, there are a few different choices for authentication. If your company is using single sign-on, make sure to use the SSO link. If you log in with a different authentication provider than the one used to create your Snyk account, you'll create a new account, and won't be logged into the correct organization.

Organizations in Snyk control access to projects. The organization settings and policies also influence scan results, depending on which organization is used when adding a project.

Snyk shows your preferred organization by default when you log into the Snyk UI. Snyk also uses the settings for your preferred organization when you are testing a project locally using the CLI.

Default notification settings come from the organization to which a project is added. Customize which notifications you get for which projects by changing your personal notification settings in the Snyk UI.

The Snyk Vulnerability Database includes details about issues, including the remediation advice, references, the components of the CVSS score, and the research credit and references.

Within the Snyk UI, issues include a link in the header to view the Snyk Vulnerability Database data for that issue. When looking at the links, the last ID, shown here with the SNYK-JS prefix, provides access to the Vulnerability Database card.

There are several Snyk Guides that provide best practices for getting started, implementing, and adopting Snyk according to a specific tech stack:

• Snyk for JavaScript/Node.js developers
• Snyk for Java developers

You can find more here: https://docs.snyk.io/scan-applications/supported-languages-and-frameworks