Snyk


Overview

The Nucleus Snyk connector imports open source dependency, SAST, infrastructure as code, and container image vulnerability data from Snyk into Nucleus, where it is automatically correlated with source code repositories and container images for a complete picture of application security risk.

This integration brings Snyk's comprehensive, actionable vulnerability data into Nucleus dashboards, reports, alerts, and automation workflows, so it can be managed centrally with the rest of the enterprise's vulnerability information. Users can identify vulnerabilities in both direct and indirect dependencies, container images, and Kubernetes applications, and report on that data alongside findings from other tools, including penetration tests, cloud configuration audits, and infrastructure scans.

The Snyk connector supports ingesting:

  • Package vulnerabilities and license checks from Snyk Open Source and Snyk Container
  • Logic / SAST vulnerabilities from Snyk Code
  • Misconfigurations as compliance findings from Snyk Infrastructure as Code

Connector Setup

Connector Setup Checklist

Follow the steps in this checklist to successfully set up this connector:

  1. API Access
    Generate a Snyk Group or Organisation level service account API key.

  2. Connector Configuration
    Create and configure the connector in your Nucleus project.

  3. Vulnerability Data Ingestion
    Create a vulnerability scan ingest rule to ingest vulnerabilities from Snyk.

1. API Access

The Snyk connector supports ingesting data from a single organization by creating an Organization service account, or one or more Snyk organizations by creating a Group service account.

  1. Follow the Snyk Documentation to set up a Group or Organization level service account.
    a. For a Group service account, the Group Viewer role is required.
    b. For an Organization service account, set the Organization Collaborator role.

  2. Copy your generated API token.

2. Connector Configuration

  1. Open Nucleus and go to Integration Hub > Connector Setup.

  2. Under the Scanners section, click the Snyk icon.

  3. In the Setup Snyk Connector popup, complete the following fields:

  Field        Info
  Name         Enter a short name for the connector to uniquely identify it, such as "Snyk scanner - U.S. East coast"
  Description  Optionally, enter a description for the connector
  Snyk URL     Enter the URL of your Snyk region. See the Snyk URL Options note below for valid regions.
  API Token    Enter the token just generated in the Snyk console

  4. Click the Save Connection button and wait for the Success message.

  5. Click the Test Connection button. A message confirms that the connection test was successful. Your connector is now set up properly.

  6. Close the popup window.

Snyk URL Options

The Snyk connector supports the different regions hosted by Snyk (see more information here).

The URL configured in the connector must be the base URL, without the api or app subdomain prefix and without a path to the API, because Nucleus uses a mixture of the v1 and v3 APIs.

For example, for the US region of Snyk, use https://snyk.io. For the EU region of Snyk, use https://app.eu.snyk.io. See Snyk's documentation for all available regions and base URLs.
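Because the connector only accepts a bare base URL, a pasted API endpoint or an `api.` host will fail the Test Connection step. The following script is an added example, not Nucleus's or Snyk's own code: it validates the URL the way the rule above describes, derives the region's API roots, and optionally confirms the service-account token against Snyk's v1 "Get My Details" endpoint (`GET /v1/user/me`). The derivation of the API host as `api.` plus the region host (with a leading `app.` replaced) is an assumption about how the v1 and v3 APIs are addressed, not something the page states; the `SNYK_TOKEN` environment variable and the `check_token` helper are names chosen for this example.

```python
"""Preflight checks for the Snyk URL and token before configuring the connector.

Added example; the api.<region-host> layout is an assumption, not documented here.
"""
from urllib.parse import urlparse
import json
import urllib.request


def normalize_snyk_base_url(url: str) -> str:
    """Validate a Snyk base URL as the connector expects it and return it in
    canonical form (https, lowercase host, no trailing slash).

    Rejects an "api." host (the API subdomain must not be configured) and any
    path, query or fragment (for example a pasted API endpoint URL).
    """
    parsed = urlparse(url.strip())
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"expected an https:// base URL, got {url!r}")
    if parsed.path not in ("", "/") or parsed.query or parsed.fragment:
        raise ValueError(f"base URL must not contain a path or query: {url!r}")
    host = parsed.netloc.lower()
    if host.startswith("api."):
        raise ValueError(f"configure the base URL, not the API host: {host!r}")
    if host != "snyk.io" and not host.endswith(".snyk.io"):
        raise ValueError(f"not a Snyk region host: {host!r}")
    return f"https://{host}"


def snyk_api_endpoints(base_url: str) -> dict:
    """Derive the v1 and REST (v3) API roots for a region.

    Assumption: Snyk serves its APIs from "api." + the region host, with a
    leading "app." replaced, so https://snyk.io -> https://api.snyk.io and
    https://app.eu.snyk.io -> https://api.eu.snyk.io.
    """
    host = urlparse(normalize_snyk_base_url(base_url)).netloc
    if host.startswith("app."):
        host = host[len("app."):]
    return {"v1": f"https://api.{host}/v1", "rest": f"https://api.{host}/rest"}


def check_token(base_url: str, token: str) -> dict:
    """Confirm a service-account token works for this region by calling
    Snyk's v1 "Get My Details" endpoint (GET /v1/user/me).

    Makes a network request, so it is meant to be run by hand before the
    Test Connection step; the token is passed in the Authorization header.
    """
    url = snyk_api_endpoints(base_url)["v1"] + "/user/me"
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    import os
    import sys

    base = sys.argv[1] if len(sys.argv) > 1 else "https://snyk.io"
    print("API roots:", snyk_api_endpoints(base))
    token = os.environ.get("SNYK_TOKEN")  # read from the environment, never hard-coded
    if token:
        me = check_token(base, token)
        print("token accepted; account:", me.get("username") or me.get("id"))
```

Run it as `SNYK_TOKEN=... python3 snyk_preflight.py https://app.eu.snyk.io`; a 401 from `/v1/user/me` means the token is wrong or belongs to a different region, which is worth knowing before the connector's own Test Connection reports a failure.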

3. Vulnerability Data Ingestion

  1. Go to Integration Hub > Import via Connector.
  2. Select the Snyk connector you just created.
  3. Select the import method (All, Organization or Target).
  4. If you selected Organization or Target, select which you would like to import.
  5. Select a schedule and click Save & Finish.

Limitations

Snyk Code Finding Instance Uniqueness

The Snyk Code API has limitations that restrict Nucleus's ability to differentiate between similar code vulnerabilities, so multiple instances of a vulnerability can end up with the same details.

Snyk Code Description & Recommendation

While findings from Snyk Code do have a unique finding description and recommendation in the Snyk UI, these fields are not available through the API. Until these fields become available, findings from Snyk Code will show the following in their description and recommendation fields:
[screenshot of the Snyk Code description and recommendation placeholder text; not reproduced here]

We recommend reaching out to your Snyk customer success manager to request that support for retrieving these fields is added to the API.


If you have any questions, please contact us through the support center.