Snyk Code

snyk

StackHawk’s official Snyk Code integration.

Overview

StackHawk with Snyk helps teams find security issues in open-source dependencies and proprietary code before they hit production. View your Snyk Code results, including the line of code, alongside your HawkScan findings. Teams use Snyk Code to show where there may be a vulnerability then confirm it is exploitable and validate with a StackHawk HawkScan. Correlating the two scan result sets immediately prioritizes issues for developers and enables them to confirm, reproduce and fix them quickly and efficiently.

Features

  • As part of HawkScan runs, automatically link HawkScan Findings with Snyk Code Issues
  • In the Finding Details view, a Snyk Code tab shows issue details with links to Snyk for further information

StackHawk Requirements

You must have one of the following StackHawk account types to use the Snyk Code Integration:

  • Pro
  • Enterprise
  • Enterprise Trial

Snyk Requirements

Integrate with a Snyk Group

  • Know your Snyk Group ID. Find your Group ID by navigating to Group > Settings > General > Group ID in Snyk.

    Snyk Group ID

  • Have a Snyk API Token from a Snyk Group Service Account. Create a Group Service Account and API Token by navigating to Group > Settings > General > Manage Service Accounts in Snyk.

    Snyk Group Service Account

Integrate with a Snyk Organization

  • Know your Snyk Organization ID. Find your Snyk Organization ID by navigating to Organization > Settings > General > Organization ID in Snyk.

    Snyk Organization ID

  • Have a Snyk API Token that corresponds to your Organization. Ideally, this token would be an Organization Service Account Snyk API Token, but a Personal Snyk API Token works. Create an Organization Service Account and API Token by navigating to Organization > Settings > General > Manage Service Accounts in Snyk.

    Snyk Organization Service Account

Setup

  1. Log in to StackHawk and navigate to the Snyk Integration page.
  2. Click Enable Snyk.
  3. In the Connect To Snyk modal:
    1. Select your Snyk Account Type, either Group or Organization (if you’re using a Personal Snyk API Token, select Organization).
    2. Enter either your Snyk Organization ID or your Snyk Group ID.
    3. Enter your Snyk API Token (Service Account or Personal API Token will work) and click Next.
  4. In the Connect Snyk Project modal, select the Snyk Project and Application you want to connect and click Finish. On the Snyk Code Integration page in the StackHawk Platform, the Connected Projects list shows the connected Snyk Project and Application.

Configuration

You can add and delete Connected Projects in Snyk Code Integration

Usage

Once Snyk Code Integration is installed, the Snyk logo will appear throughout StackHawk when there is a Snyk connection. When a StackHawk Application and a Snyk Code Project are connected, HawkScan will link its Findings with correlated Snyk Code Issues for all Environments in the given Application.

Application Badging

Applications mapped to a Snyk project will have the logo under the name of the Application.

  Application Snyk Badging  

Scan and Finding List Badging

When viewing the Scan list or the list of Findings on a specific scan, a SAST column with be present. If this column has the Snyk logo, this means that there is a linked Snyk Code Issue.

Scan List

  Scan List Snyk Badging  

Finding List

  Finding List Snyk Badging  

Finding Details Snyk Code Tab

When looking at the details of a specific Finding that has a linked Snyk Code Issue, the Snyk Code tab will be displayed. It will have details on the Snyk Code Issues, with links to Snyk for more information. Note that the Snyk Code tab in Finding Details will show at most 15 instances of the found Snyk Issue.

  Finding Details Snyk Tab  

TroubleShooting

If you are having problems setting up Snyk Code with StackHawk, please verify that your Snyk account has V3 API access.

If your scan results aren’t showing any linked Snyk Code Issues and you are expecting them to, make sure you have connected a StackHawk Application and Snyk Code Project in the Snyk Code Integration.

Snyk Issues will only be linked for scans run when an Application and Project are connected, there is no way to retroactively link past scans with Snyk Code issues.

Currently, it’s not possible to select a single Environment under an Application to map to a Snyk Code Project. Mappings are done at the Application level and so all scans for all Environments in that Application will get Findings linked with Snyk Code Issues.

Feedback

Have any suggestions, feature requests, or feedback to share? Contact StackHawk Support .