Snyk is a cloud-based software development platform that helps developers find and fix security vulnerabilities in their open-source dependencies. It provides a range of tools and services that help developers identify and remediate vulnerabilities in their applications before they are deployed to production. Snyk scans application dependencies to identify known vulnerabilities and provides guidance on how to remediate them. Traceable provides a Snyk integration with its API Security Testing (AST). This integration allows you to correlate vulnerabilities found by AST with the static code analysis performed by Snyk.
Integrating Snyk with Traceable is a one-step process. Navigate to Integrations, search for Snyk, and click Configure in the widget. In the Add New Snyk Integration pop-up window, enter the Snyk API token to complete the integration. For more information on generating a Snyk API token, see Revoke and regenerate a Snyk API token.

Snyk Integration
Scan Policy and Snyk Integration
After you have successfully integrated Snyk with Traceable, you can enable the Snyk integration when you create a suite under API Security Testing. To do so, in the Integrations section of suite creation, complete the following steps:
Select the Snyk check box to enable the integration.
Select the Snyk Organization and Snyk Projects for which you wish to correlate the results and run the scan.
Click Save.

Enabling Snyk Integration
Understand the Snyk integration results
The security issues detected as part of the Suite scan are shown in the Vulnerabilities tab on the Suite Details page. You can click on any Vulnerability Type to view its details.

Suite Details
Clicking on a vulnerability gives you its detailed report as shown below.

Vulnerability Details
This page lists the API endpoints where Traceable identified the vulnerability. You can click on an API endpoint to view its Evidence. The Snyk button on this page is enabled only if there are correlations between vulnerabilities found during the test and code issues identified by Snyk; otherwise, it is not visible. In the example below, a Blind SQL Injection was discovered both by the AST scan and by Snyk's static code analysis.

Evidence and Snyk Details
Click on the Snyk icon as shown above to view the detailed analysis. For example, when you click on the Snyk button for Blind SQL Injection, you are redirected to the Snyk Code Analysis window where the issue is displayed. It indicates that line number 10 in your code has an issue. On this page, you can either Ignore the issue or view the detailed code by clicking Full details.
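To make the correlation idea concrete, the following is an added example and not Traceable's or Snyk's own code: it models a dynamic AST finding and a Snyk Code issue as small records, joins them on a shared weakness class (the CWE id, an assumed matching rule; the platform's actual correlation logic is not documented on this page), and decides whether a "Snyk" button would be shown for a vulnerability type. All findings, endpoints, file names and line numbers are constructed sample data.

```python
# Added example (not Traceable's or Snyk's own code). Assumption: an AST
# finding and a Snyk Code issue are "correlated" when they share a CWE id.
from dataclasses import dataclass


@dataclass(frozen=True)
class AstFinding:
    """A vulnerability found by the dynamic API security test (constructed)."""
    vuln_type: str   # e.g. "Blind SQL Injection"
    endpoint: str    # API endpoint the finding was observed on
    cwe: int         # weakness class, used here as the join key


@dataclass(frozen=True)
class SnykIssue:
    """A static-analysis issue reported by Snyk Code (constructed)."""
    project: str
    title: str
    file: str
    line: int
    cwe: int


# Constructed sample inputs; none of these come from a real scan.
AST_FINDINGS = [
    AstFinding("Blind SQL Injection", "GET /api/users/{id}", 89),
    AstFinding("Missing Rate Limiting", "POST /api/login", 770),
]
SNYK_ISSUES = [
    SnykIssue("example-api", "SQL Injection", "app/db.py", 10, 89),
    SnykIssue("example-api", "Hardcoded Credentials", "app/config.py", 3, 798),
]


def correlate(ast_findings, snyk_issues):
    """Map each AST vulnerability type to the Snyk issues sharing its CWE.

    Vulnerability types with no matching Snyk issue are left out, which is
    exactly the case where no Snyk button would be shown.
    """
    by_cwe = {}
    for issue in snyk_issues:
        by_cwe.setdefault(issue.cwe, []).append(issue)

    matched = {}
    for finding in ast_findings:
        hits = by_cwe.get(finding.cwe, [])
        if hits:
            matched.setdefault(finding.vuln_type, set()).update(hits)

    # Deterministic ordering (file, then line) so the report is stable.
    return {
        vuln_type: sorted(issues, key=lambda i: (i.file, i.line))
        for vuln_type, issues in matched.items()
    }


def snyk_button_visible(vuln_type, correlations):
    """True only when at least one Snyk issue correlates with the type."""
    return vuln_type in correlations


def describe(correlations):
    """Human-readable lines of the form 'type -> file:line (title)'."""
    return [
        f"{vuln_type} -> {i.file}:{i.line} ({i.title})"
        for vuln_type, issues in correlations.items()
        for i in issues
    ]


if __name__ == "__main__":
    corr = correlate(AST_FINDINGS, SNYK_ISSUES)
    for line in describe(corr):
        print(line)
    for f in AST_FINDINGS:
        print(f"Snyk button for {f.vuln_type!r}: "
              f"{'visible' if snyk_button_visible(f.vuln_type, corr) else 'hidden'}")
```

Run as a script, the Blind SQL Injection finding is linked to the constructed `app/db.py:10` issue, while the rate-limiting finding has no static-analysis counterpart and so would show no Snyk button. Joining on CWE is a deliberately coarse rule; a production correlation would also need to tie the tested endpoint back to the code path Snyk flagged, which this example does not attempt.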
Snyk Code Analysis