Integrations for asset management and discovery with Snyk Essentials and Snyk AppRisk
Product Training
To configure Snyk Essentials and Snyk AppRisk, navigate to the Group level, and click the Integrations menu on the left.
- Clicking Integration Hub opens the list of available integrations, where you specify which ones to add.
Preconfigured integrations
- The Snyk products configured at the Organization level.
- Snyk Essentials/Snyk AppRisk will automatically begin detecting assets and cataloging/inventorying them from the targets and projects configured there.
Integration types
- Application context - an external datasource describing the asset or providing additional information pertinent to that asset. As an example, Backstage provides Owner, lifecycle, system and other context.
- Source Code Management (SCM) - Create direct connections to the code repositories to detect what assets exist outside the scans configured at the organization level. This is typically the first integration customers should configure with a token with broad visibility.
- Snyk AppRisk features:
- Observability/ITSM/Kubernetes - Integrations into runtime environments that provide different capabilities depending on the integration type. Typically these provide discoverability of assets such as Containers, coverage of those assets, and/or runtime risk factors such as Public facing, Deployed, or even Loaded package signals, which can be used to prioritize issues.
- Secrets - Determining coverage of assets and providing discoverability of assets.
Integrating code repositories
- Click Integration Hub, choose the code repository to integrate, and provide the data each field requires.
Application Context with Backstage, ServiceNow CMDB and other tools
There are two flavors of Application context sources: Backstage, and integration-based sources.
For Backstage:
- Snyk can consume Backstage files and utilize key fields for searching, setting policies, and providing application context.
- Enable Backstage in the Git integration settings if your supported catalog file, for example catalog-info.yaml, is in the repository root.
- Change the field values if you use alternate names or want alternate values displayed in Snyk.
- To see how these fields are used, skip ahead in the course to the related Backstage sections under Policy and Inventory below.
For Integration sourced application context:
- Click Integration Hub and select the relevant integration.
- Map the fields to display in Snyk to the relevant element for that integration.
- Individual modules will be available in Snyk docs and Snyk Learn.
Private Code Repositories
- For Brokered integrations, follow the steps described here to enable Snyk Essentials/Snyk AppRisk on the Broker.
Important Considerations
An important note about integrating Git code repositories with Snyk Essentials: use a secondary token with a broad/complete view of the code repository, not just what has been imported into Snyk. This provides a counterview to what has been onboarded via Snyk for security scans and reduces the likelihood of a blind spot being introduced by a limited token in the Organization-level configuration. It is not uncommon at the Organization level to provide only a token that has access to the applications that Organization owns.
Plan on your first import/sync taking up to 24 hours to complete.
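The blind spot described above, as an added example that is not Snyk's own code or tooling: a short Python check that models the broad-token view of the SCM against the Organization-level imports and labels each uncovered repository with the Backstage fields (owner, lifecycle, system) mentioned under Application Context. All repository, Organization and catalog values are constructed sample data.

```python
# Added example (not Snyk's own code): model the "counterview" that a broad-visibility
# SCM token gives Snyk Essentials over what the Organization-level tokens imported,
# and enrich each blind spot with Backstage application context (owner/lifecycle/system).
# All repository names, Organization names and catalog entries below are constructed.

# Repositories visible to the secondary token with a complete view of the SCM (constructed).
SCM_REPOS_BROAD_TOKEN = {
    "acme/payments-api", "acme/payments-web", "acme/legacy-batch",
    "acme/infra-terraform", "acme/mobile-sdk",
}

# Targets each Organization-level token imported for scanning; each Organization only
# sees the applications it owns, which is how blind spots creep in (constructed).
SNYK_ORG_IMPORTS = {
    "Payments Org": {"acme/payments-api", "acme/payments-web"},
    "Platform Org": {"acme/infra-terraform"},
}

# Backstage catalog-info.yaml "spec" fields used as application context (constructed).
BACKSTAGE_CONTEXT = {
    "acme/payments-api": {"owner": "team-payments", "lifecycle": "production", "system": "payments"},
    "acme/legacy-batch": {"owner": "team-finance", "lifecycle": "deprecated", "system": "ledger"},
    "acme/mobile-sdk": {"owner": "team-mobile", "lifecycle": "production", "system": "mobile"},
}


def _onboarded(org_imports):
    """Union of everything any Organization imported into Snyk."""
    return set().union(*org_imports.values()) if org_imports else set()


def find_blind_spots(scm_repos, org_imports, context):
    """Return repos the broad token sees that no Organization imported, with their context.

    Repos missing from the Backstage catalog get a 'missing' context so they can be
    triaged separately (there is no owner to route the finding to)."""
    report = {}
    for repo in sorted(scm_repos - _onboarded(org_imports)):
        ctx = context.get(repo)
        report[repo] = ctx if ctx else {"owner": "missing", "lifecycle": "missing", "system": "missing"}
    return report


def coverage_ratio(scm_repos, org_imports):
    """Fraction of SCM-visible repos that at least one Organization imported into Snyk."""
    return len(scm_repos & _onboarded(org_imports)) / len(scm_repos) if scm_repos else 1.0


if __name__ == "__main__":
    for repo, ctx in find_blind_spots(SCM_REPOS_BROAD_TOKEN, SNYK_ORG_IMPORTS, BACKSTAGE_CONTEXT).items():
        print(f"{repo}: not onboarded; owner={ctx['owner']} lifecycle={ctx['lifecycle']} system={ctx['system']}")
    print(f"coverage: {coverage_ratio(SCM_REPOS_BROAD_TOKEN, SNYK_ORG_IMPORTS):.0%}")
```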
Last Sync/Next Sync
Updates to your controls and assets are analyzed on a schedule. You can determine the last/next run by observing the "Last Sync" and "Next Sync" on each integration.
Video: 7m48s
Integrations with Snyk AppRisk provide additional capabilities such as, but not limited to:
- Runtime signals and asset discovery
- Risk factors (Public facing, loaded package) where supported
- Integration into 3rd party secret tools