Snyk integration
  • 25 Jul 2023

Snyk is a cloud-based software development platform that helps developers find and fix security vulnerabilities in their open-source dependencies. It provides tools and services for identifying and remediating vulnerabilities in applications before they are deployed to production: Snyk scans application dependencies for known vulnerabilities and gives guidance on how to remediate them. Traceable provides a Snyk integration with its API security testing (AST). This integration allows you to correlate vulnerabilities found by AST with the static code analysis performed by Snyk.

Integrating Snyk with Traceable is a one-step process. Navigate to Integrations → All available integrations and click Configure in the Snyk box.

You need to add a Snyk API token to complete the integration. For more information on generating a Snyk API token, see Obtaining your Snyk API Token in the Snyk documentation. Add this token in the Snyk API Token field as shown below.

Scan policy and Snyk integration

Once you have successfully integrated Snyk with Traceable, you can enable the Snyk integration when you create a Scan Policy. Create a scan policy as explained earlier and toggle the Add Snyk Integration button to enable the integration. Select the organization and project for which you wish to correlate the results, then run the scan.

Understand the Snyk integration results

You can view the scan results from the Scan history dashboard as explained in the next section. Click on the Scan name to view the detailed result.

Clicking on the Scan name gives you the detailed report as shown below. The Snyk button under the SAST column is enabled if there are any correlations between vulnerabilities found during the test and Snyk-identified code issues; otherwise, it is greyed out. As shown below, Blind SQL injection was discovered by the AST scan as well as by Snyk in static code analysis.

Click on the Snyk button as shown above to view the detailed analysis. For example, when you click on the Snyk button for Blind SQL Injection, a Code Analysis slider window is displayed. It indicates that line 296 has an issue. You can view the detailed code by clicking View in GitHub, or you can view the issue on the Snyk issue details page.
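The correlation the SAST column surfaces can be expressed as a join between AST findings and Snyk code issues that share a weakness class. The following is an added illustration, not Traceable's or Snyk's own code; the CWE mapping, the record shapes, the GitHub link format and the sample findings are constructed assumptions.

```python
# Added illustration, not Traceable's or Snyk's implementation: join dynamic
# AST findings to Snyk static-analysis issues that share a CWE, which is the
# kind of correlation the SAST column surfaces. All records are constructed.
from dataclasses import dataclass

# Assumed mapping from AST finding names to CWE ids (constructed).
AST_CWE = {"Blind SQL Injection": 89, "SQL Injection": 89, "Reflected XSS": 79}


@dataclass(frozen=True)
class AstFinding:
    name: str      # vulnerability class reported by the AST scan
    endpoint: str  # API endpoint where it was found


@dataclass(frozen=True)
class SnykIssue:
    title: str
    cwe: int       # assumed: each Snyk Code issue carries a CWE id
    path: str
    line: int


def correlate(findings, issues):
    """Map each AST finding to the Snyk issues with the same CWE.
    An empty list means no correlation (the SAST button stays greyed out)."""
    by_cwe = {}
    for issue in issues:
        by_cwe.setdefault(issue.cwe, []).append(issue)
    return {f: by_cwe.get(AST_CWE.get(f.name), []) for f in findings}


def github_link(repo, ref, issue):
    """Build a 'View in GitHub' style link to the flagged line (format assumed)."""
    return f"https://github.com/{repo}/blob/{ref}/{issue.path}#L{issue.line}"


# Constructed sample data mirroring the page's Blind SQL injection case.
FINDINGS = [AstFinding("Blind SQL Injection", "POST /api/login"),
            AstFinding("Reflected XSS", "GET /api/search")]
ISSUES = [SnykIssue("SQL Injection", 89, "src/db/users.py", 296),
          SnykIssue("Path Traversal", 22, "src/files.py", 41)]

if __name__ == "__main__":
    for finding, matched in correlate(FINDINGS, ISSUES).items():
        state = "enabled" if matched else "greyed out"
        print(f"{finding.name} @ {finding.endpoint}: SAST button {state}")
        for issue in matched:
            print("  ", issue.title, github_link("example/app", "main", issue))
```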
