Integrations for asset management and discovery with Snyk Essentials and Snyk AppRisk
Product Training
To configure Snyk Essentials and Snyk AppRisk, navigate to the Group level, and click the Integrations menu on the left.
- Add integrations by clicking the Integration Hub option
Preconfigured integrations
- The Snyk products that are already configured at the Organization level.
- Snyk Essentials/Snyk AppRisk automatically starts identifying assets and building an inventory from the targets and projects configured there.
Integration types
- Application context - an external data source that describes the asset or provides additional information pertinent to it. For example, Backstage provides the Owner, lifecycle, system, and other context.
- Source Code Management (SCM) - direct connections to code repositories that identify assets existing outside the Organization-level scans. This is the first integration you should configure, using a token with broad visibility.
- Snyk AppRisk features
- Observability/ITSM/Kubernetes - integrations into runtime environments offer different capabilities depending on the integration type. Typically they add discoverability of assets such as containers, coverage of those assets, and runtime risk factors (whether an asset is public-facing, deployed, or has loaded packages) that help prioritize issues.
- Secrets - determines coverage of assets and provides discoverability of assets.
Integrating code repositories
- Click on Integration Hub and select the code repository to connect, providing the necessary information for each field.
Application Context with Backstage, ServiceNow CMDB and other tools
There are two flavors of Application context sources: Backstage, and integration-based sources.
For Backstage:
- Snyk can consume Backstage files and utilize key fields for searching, setting policies, and providing application context.
- Enable Backstage in the SCM integration settings if your supported file, such as catalog-info.yaml, is located in the root directory of the repository.
- Update the field values if you use different field names or wish to display alternate values in Snyk.
- Field usage is explained in the Backstage paragraph of the Policy and Inventory sections below.
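A minimal Backstage catalog-info.yaml at the repository root, showing where the Owner, lifecycle, and system fields that Snyk consumes live. This is an added illustration, not a file from Snyk's documentation; the component name, owner group, system, and project slug are made-up values.

```yaml
# catalog-info.yaml at the repository root (constructed example).
# Snyk reads the owner, lifecycle, and system fields from spec.
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: payments-api            # made-up component name
  description: Handles card payment authorization
  annotations:
    # Ties the catalog entry to the SCM repository (made-up slug)
    github.com/project-slug: example-org/payments-api
spec:
  type: service
  lifecycle: production         # Lifecycle field used for policies and inventory filters
  owner: group:default/payments-team   # Owner field shown as application context
  system: checkout              # System field used to group related assets
```

If your catalog uses different field names or values, adjust the field mapping in the Backstage settings of the SCM integration so the values displayed in Snyk match.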
For Integration sourced application context:
- Click Integration Hub and select the relevant integration.
- Map the fields in Snyk to the corresponding elements for that integration.
- Individual modules for each integration will be available in Snyk docs and Snyk Learn.
Privately hosted code repositories
- For Brokered integrations, follow the steps described here to enable Snyk Essentials/Snyk AppRisk on the broker.
Important Considerations
When you integrate SCM code repositories with Snyk Essentials, use a secondary token with access to the entire code repository. This gives a complete overview of what exists rather than only the parts already imported into Snyk, provides an alternative view to the Snyk security scans, and reduces the risk of blind spots caused by narrowly scoped tokens. Organizations often issue tokens that only grant access to their own applications, which is why a dedicated broader token is recommended.
- Plan on your first import/sync taking up to 24 hours to complete.
Last Sync/Next Sync
Updates to your controls and assets are analyzed on a schedule. You can see when the last run happened and when the next one is due from the "Last Sync" and "Next Sync" values on each integration.
Video: 7m48s
Integrating with Snyk AppRisk provides additional features and functionalities, which include, but are not limited to, the following:
- Runtime signals and asset discovery
- Risk factors (Public facing, loaded package) where supported
- Integration with 3rd party secrets tools