This task / extension for Azure Pipelines allows you to easily run Snyk scans within your Azure Pipeline jobs. You will need to first create a Snyk account. There are two major options:
- Snyk scan for vulnerable dependencies leveraging your project's manfiest files, for example
pom.xml
,package.json
, etc. - Snyk scan for container images. This will look at Docker images.
In addition to running a Snyk security scan, you also have the option to monitor your application / container, in which case the dependency tree or container image metadata will be posted to your Snyk account for ongoing monitoring.
This extension requires that Node.js and npm be installed on the build agent. These are available by default on all Microsoft-hosted build agents. However, if you are using a self-hosted build agent, you may need to explicitly activate Node.js and npm and ensure they are in your PATH. This can be done using the NodeTool task from Microsoft prior to the SnykSecurityScan
task in your pipeline.
- Install the extension into your Azure DevOps environment.
- Configure a service connection endpoint with your Snyk token. This is done at the project level. In Azure DevOps, go to Project settings -> Service connections -> New service connection -> Snyk Authentication. Give your service connection and enter a valid Snyk Token.
- Within an Azure DevOps Pipeline, add the Snyk Security Scan task and configure it according to your needs according to details and examples below.
Parameter | Description | Required | Default | Type |
---|---|---|---|---|
serviceConnectionEndpoint | The Azure DevOps service connection endpoint where your Snyk API token is defined. Define this within your Azure DevOps project settings / S | no | none | String / Azure Service Connection Endpoint of type SnykAuth / Snyk Authentication |
testType | Used by the task UI only. Valid options are app or code or container |
no | "app" | string: "app" or "code" or container" |
dockerImageName | The name of the container image to test. | yes, if container image test | none | string |
dockerfilePath | The path to the Dockerfile corresponding to the dockerImageName |
yes, if container image test | none | string |
targetFile | Applicable to application type tests only. The path to the manifest file to be used by Snyk. Should only be provided if non-standard. | no | none | string |
severityThreshold | The severity-threshold to use when testing and reporting. By default, issues of all severity types will be found. | no | "low" | string: "low" or "medium" or "high" or "critical" |
codeSeverityThreshold | The Snyk Code severity-threshold to use when testing and reporting. By default, issues of all severity types will be found. | no | "low" | string: "low" or "medium" or "high" |
failOnThreshold | The severityThreshold parameter is used to control the interaction with the Snyk CLI and reporting vulnerabilities. The failOnThreshold gives you additional control over build failure behaviour. For example, with failOnIssues set to true and failOnThreshold to critical , all issues would be reported on but only critical issues would cause a build failure. critical is only applicable for app or container testType. See Usage Examples for more information |
no | "low" | string: "low" or "medium" or "high" or "critical" |
monitorWhen | When to run snyk monitor applicable if testType is set as app or container . Valid options are always (default), noIssuesFound , and never . If set, this option overrides the value of monitorOnBuild . |
no | "always" | boolean |
failOnIssues | This specifies if builds should be failed or continued based on issues found by Snyk. Combine with failOnThreshold to control which severity of issues causes the build to fail |
yes | true | boolean |
projectName | A custom name for the Snyk project to be created on snyk.io | no | none | string |
organization | Name of the Snyk organisation name, under which this project should be tested and monitored | no | none | string |
testDirectory | Alternate working directory. For example, if you want to test a manifest file in a directory other than the root of your repo, you would put in relative path to that directory. | no | none | string |
ignoreUnknownCA | Use to ignore unknown or self-signed certificates. This might be useful in for self-hosted build agents with unusual network configurations or for Snyk on-prem installs configured with a self-signed certificate. | no | false | boolean |
additionalArguments | Additional Snyk CLI arguments to be passed in. Refer to the Snyk CLI help page for information on additional arguments. | no | none | string |
distributionChannel | Declare version for Snyk binaries. 'Stable' is for the current stable releases, whilst 'Preview' is for access to the latest features. You can also declare a specific version such as '1.1287.0' | no | Stable | string |
- task: SnykSecurityScan@1
inputs:
serviceConnectionEndpoint: 'mySnykToken'
testType: 'app'
failOnIssues: true
monitorWhen: 'always'
If you do not want the Snyk task fail your pipeline when issues are found, but still want to monitor the results in the Snyk UI
To do this, you need to:
- set
failOnIssues
tofalse
, which will make sure the Snyk task will not fail your pipeline even if issues (vulnerabilities, etc) are found - have
monitorWhen
set toalways
(or just leavemonitorWhen
out, sincealways
is the default)
Here's a full example:
- task: SnykSecurityScan@1
inputs:
serviceConnectionEndpoint: 'mySnykToken'
testType: 'app'
failOnIssues: false
monitorWhen: 'always'
An example that specifies a value for severityThreshold
as medium and configures failOnThreshold
to critical. This configuration would only fail the build when critical issues are found, but all issues detected at medium, high and critical would be reported back to your snyk project for analysis.
- task: SnykSecurityScan@1
inputs:
serviceConnectionEndpoint: 'mySnykToken'
testType: 'app'
severityThreshold: 'medium'
failOnIssues: true
failOnThreshold: 'critical'
monitorWhen: 'always'
- task: SnykSecurityScan@1
inputs:
serviceConnectionEndpoint: 'mySnykToken'
testType: 'container'
dockerImageName: 'my-container-image-name'
dockerfilePath: 'Dockerfile'
failOnIssues: true
monitorWhen: 'always'
Snyk Code applicable Severity Threshold: high, medium or low (default). This is specified with codeSeverityThreshold
. failOnIssues
as defaulted to true will subsequently fail the build if issues are found with severity corresponding or higher than failOnThreshold
severity. If failOnIssues
is set to false, the build will continue.
- task: SnykSecurityScan@1
inputs:
serviceConnectionEndpoint: 'mySnykToken'
testType: 'code'
codeSeverityThreshold: 'medium'
failOnThreshold: 'high'
failOnIssues: true
Made with 💜 by Snyk