Snyk Code

StackHawk’s official Snyk Code integration.

Overview

StackHawk with Snyk helps teams find security issues in open-source dependencies and proprietary code before they hit production. View your Snyk Code results, including the affected line of code, alongside your HawkScan findings. Teams use Snyk Code to show where a vulnerability may exist, then confirm that it is exploitable and validate it with a StackHawk HawkScan. Correlating the two result sets immediately prioritizes issues for developers and lets them confirm, reproduce, and fix them quickly and efficiently.

Features

  • As part of HawkScan runs, automatically link HawkScan Findings with Snyk Code Issues
  • In the Finding Details view, a Snyk Code tab shows issue details with links to Snyk for further information

Requirements

StackHawk

  • You must have a StackHawk account
  • Your StackHawk Organization needs to be a Pro or Enterprise customer to use the Snyk Code Integration

Snyk

  • Your Snyk account must have Snyk V3 API access enabled; contact Snyk support for more details
  • You must have access to a valid Snyk Code project
  • You must know your Snyk Organization ID. You can find this in Snyk: Settings->General->Organization ID
  • You must have a Snyk API Token. Ideally this would be a Service Account Snyk API Token, but a Personal Snyk API Token works as well.

Setup

  1. Log into StackHawk and visit the Snyk Integration page
  2. Click the Enable Snyk button
  3. In the Connect To Snyk modal, enter your Snyk Organization ID and your Snyk API Token (Service Account or Personal API Token will work), and then click Next
  4. In the Connect Snyk Project modal, select the Snyk Project and Application you want to connect, and then click Finish
  5. Back on the Snyk Code Integration page, you should now see a Connected Projects list that shows the connected Snyk Project and Application.

Configuration

You can add and delete Connected Projects on the Snyk Code Integration page.

Usage

Once Snyk Code Integration is installed, the Snyk logo will appear throughout StackHawk when there is a Snyk connection. When a StackHawk Application and a Snyk Code Project are connected, HawkScan will link its Findings with correlated Snyk Code Issues for all Environments in the given Application.

Application Badging

Applications mapped to a Snyk project will show the Snyk logo under the name of the Application.

  Application Snyk Badging  

Scan and Finding List Badging

When viewing the Scan list or the list of Findings on a specific scan, a SAST column will be present. If this column shows the Snyk logo, there is a linked Snyk Code Issue.

Scan List

  Scan List Snyk Badging  

Finding List

  Finding List Snyk Badging  

Finding Details Snyk Code Tab

When looking at the details of a specific Finding that has a linked Snyk Code Issue, the Snyk Code tab will be displayed. It shows details of the linked Snyk Code Issues, with links to Snyk for more information. Note that the Snyk Code tab in Finding Details shows at most 15 instances of the linked Snyk Issue.

  Finding Details Snyk Tab  

Troubleshooting

If you are having problems setting up Snyk Code with StackHawk, please verify that your Snyk account has V3 API access.

If your scan results aren’t showing any linked Snyk Code Issues and you are expecting them, make sure you have connected a StackHawk Application and a Snyk Code Project in the Snyk Code Integration.

Snyk Issues will only be linked for scans run while an Application and Project are connected; there is no way to retroactively link past scans with Snyk Code Issues.

Currently, it’s not possible to map a single Environment under an Application to a Snyk Code Project. Mappings are done at the Application level, so all scans for all Environments in that Application will have their Findings linked with Snyk Code Issues.

Feedback

Have any suggestions, feature requests, or feedback to share? Drop us a line at support@stackhawk.com