
ServiceNow - Vulnerability assignment rules

ServiceNow Workflows

Introduction

Vulnerability assignment rules introduction

ServiceNow can auto-assign tasks, or, in this case, application vulnerability items (AVITs) that have been imported from Snyk into ServiceNow.

High-level steps:

  1. Define criteria to assign rules

Option 1: use project tags for assignment. In Snyk, assign an ID at the project level using the Project Tags option in the web interface, the CLI --project-tags option or the API to assign a tag.

Assigning tags at the Snyk project level (i.e. git-repository/package.json) determines how ServiceNow will automatically assign the issues.

Option 2: define groups responsible for business applications and assign application vulnerability items (AVITs) accordingly.

  2. Create vulnerability assignment rules within ServiceNow

Navigate to vulnerability assignment rules

  • Specify assignment rules (i.e. to a group or user) and matching criteria.
  • Define a default group. Where no group is assigned, consider directing vulnerabilities to the AppSec group or to an owner who can triage results that are not effectively categorized or assigned.

Note that to assign to a group, you will need to look up the group's SYSID in the groups definition table.

Example 1

In the first example, we assign the project tag "CMDBID:sn-goof", an ID suitable for the application in this example, known as "Goof". ServiceNow uses this tag to automatically assign the issue (AVIT) to the correct group to get it fixed.

Video: 4m17s

  • The code displayed in the example appears below the video.

Example 2

This second example is more advanced and is based on the definition of business applications within ServiceNow. It uses the Business Application table, which is commonly used for this purpose; other tables may be used instead.

In this example, five applications were defined. You will see:

Step 1: Assign a group for any vulnerabilities found within an application.

Step 2: Create a Vulnerability assignment rule, performing a lookup against the CMDB.

Step 3: If the name of the app matches the tag value, assign to the group associated with that application.

Step 4: If no match is found, assign to the default group.

Video: 4m09s

  • The code displayed in the example appears below the video.
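The matching logic of Example 2, written out as an added example in plain JavaScript (it is not the ServiceNow script from the video, nor Snyk's or ServiceNow's own code). The Business Application table, the group names, the AVIT records and the tag values are all constructed stand-ins; in ServiceNow the lookup would run against the real CMDB table.

```javascript
// Added example: models the Example 2 assignment rule so its matching logic
// can be run offline. The CMDB lookup is replaced by a constructed in-memory
// table keyed by application name (the value carried in the CMDBID tag).
const BUSINESS_APPS = {
  'sn-goof': 'AppSec - Goof Owners',        // constructed group names
  'payments-api': 'Payments Engineering',
  'customer-portal': 'Portal Team',
};

// Step 4: unmatched items go to a triage group (the page suggests AppSec).
const DEFAULT_GROUP = 'AppSec Triage';

// Snyk project tags arrive as key:value strings. Return the CMDBID value, or null
// when no usable CMDBID tag is present (missing key, or key with an empty value).
function extractCmdbId(tags) {
  for (const tag of tags) {
    const sep = tag.indexOf(':');
    if (sep === -1) continue;
    const key = tag.slice(0, sep).trim();
    const value = tag.slice(sep + 1).trim();
    if (key.toUpperCase() === 'CMDBID' && value !== '') return value;
  }
  return null;
}

// Step 3: match the tag value against application names (case-insensitive so a
// tag typed as "Payments-API" still resolves); otherwise fall back to the default.
function assignGroup(tags, apps = BUSINESS_APPS, fallback = DEFAULT_GROUP) {
  const cmdbId = extractCmdbId(tags);
  if (cmdbId === null) return { group: fallback, reason: 'no CMDBID tag' };
  const match = Object.keys(apps).find(
    (name) => name.toLowerCase() === cmdbId.toLowerCase()
  );
  if (!match) return { group: fallback, reason: `no application named ${cmdbId}` };
  return { group: apps[match], reason: `matched ${match}` };
}

// Constructed sample AVITs, shaped like items imported from Snyk with their tags.
const SAMPLE_AVITS = [
  { id: 'AVIT0001', tags: ['CMDBID:sn-goof', 'team:blue'] },
  { id: 'AVIT0002', tags: ['CMDBID:Payments-API'] },
  { id: 'AVIT0003', tags: ['env:prod'] },            // no CMDBID tag -> default
  { id: 'AVIT0004', tags: ['CMDBID:legacy-app'] },   // unknown app -> default
];

function assignAll(avits) {
  return avits.map((a) => ({ id: a.id, ...assignGroup(a.tags) }));
}

for (const r of assignAll(SAMPLE_AVITS)) console.log(`${r.id} -> ${r.group} (${r.reason})`);
```

The `reason` field is worth keeping in a real rule too: logging why an item landed in the default group is what lets the triage owner spot untagged projects and fix the tags at the source.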
