Snyk
Port's Snyk integration allows you to model Snyk resources in your software catalog and ingest data into them.
Overview
This integration allows you to:
- Map and organize your desired Snyk resources and their metadata in Port (see supported resources below).
- Watch for Snyk object changes (create/update/delete) in real-time, and automatically apply the changes to your entities in Port.
Supported Resources
The resources that can be ingested from Snyk into Port are listed below. it is possible to reference any field that appears in the API responses linked below in the mapping configuration.
Setup
Choose one of the following installation methods:
- Hosted by Port
- Real-time (self-hosted)
- Scheduled (CI)
Using this installation option means that the integration will be hosted by Port, with a customizable resync interval to ingest data into Port.
Live event support
Currently, live events are not supported for integrations hosted by Port.
Resyncs will be performed periodically (with a configurable interval), or manually triggered by you via Port's UI.
Therefore, real-time events (including GitOps) will not be ingested into Port immediately.
Support for live events is WIP and will be supported in the near future.
Alternatively, you can install the integration using the Real-time (self-hosted) method to update Port in real time using webhooks.
Installation
To install, follow these steps:
-
Go to the Data sources page of your portal.
-
Click on the
+ Data sourcebutton in the top-right corner. -
Click on the relevant integration in the list.
-
Under
Select your installation method, chooseHosted by Port. -
Configure the
integration settingsandapplication settingsas you wish (see below for details).
Application settings
Every integration hosted by Port has the following customizable application settings, which are configurable after installation:
-
Resync interval: The frequency at which Port will ingest data from the integration. There are various options available, ranging from every 1 hour to once a day. -
Send raw data examples: A boolean toggle (enabledby default). If enabled, raw data examples will be sent from the integration to Port. These examples are used when testing your mapping configuration, they allow you to run yourjqexpressions against real data and see the results.
Integration settings
Every integration has its own tool-specific settings, under the Integration settings section.
Each of these settings has an ⓘ icon next to it, which you can hover over to see a description of the setting.
Port secrets
Some integration settings require sensitive pieces of data, such as tokens.
For these settings, Port secrets will be used, ensuring that your sensitive data is encrypted and secure.
When filling in such a setting, its value will be obscured (shown as ••••••••).
For each such setting, Port will automatically create a secret in your organization.
To see all secrets in your organization, follow these steps.
Port source IP addresses
When using this installation method, Port will make outbound calls to your 3rd-party applications from static IP addresses.
You may need to add these addresses to your allowlist, in order to allow Port to interact with the integrated service:
- Europe (EU)
- United States (US)
54.73.167.226
63.33.143.237
54.76.185.219
3.234.37.33
54.225.172.136
3.225.234.99
Using this installation option means that the integration will be able to update Port in real time using webhooks.
Prerequisites
To install the integration, you need a Kubernetes cluster that the integration's container chart will be deployed to.
Please make sure that you have kubectl and helm installed on your machine, and that your kubectl CLI is connected to the Kubernetes cluster where you plan to install the integration.
If you are having trouble installing this integration, please refer to these troubleshooting steps.
For details about the available parameters for the installation, see the table below.
- Helm
- ArgoCD
By default, the integration fetches all organizations associated with the provided Snyk token. If you wish to customize access, the following parameters are available:
integration.config.organizationId: Use this parameter to restrict access to a specific organization. If specified, the integration will fetch data only for the provided organization.
integration.config.groups: When you want to limit access to all organizations within specific Snyk groups, use this parameter. Provide a comma-separated list of Snyk group IDs, and the integration will filter data accordingly.
If neither parameter is provided, the integration will operate with the default behavior of fetching all organizations associated with the supplied Snyk token.
To install the integration using Helm:
-
Go to the Snyk data source page in your portal.
-
Select the
Real-time and always onmethod:
-
A
helmcommand will be displayed, with default values already filled out (e.g. your Port cliend ID, client secret, etc).
Copy the command, replace the placeholders with your values, then run it in your terminal to install the integration.
The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port (https://app.getport.io), your API URL is
https://api.getport.io. - If you use the US region of Port (https://app.us.getport.io), your API URL is
https://api.us.getport.io.
To install the integration using ArgoCD:
- Create a
values.yamlfile inargocd/my-ocean-snyk-integrationin your git repository with the content:
By default, the integration fetches all organizations associated with the provided Snyk token.
Remember to replace the placeholder for SNYK_TOKEN.
initializePortResources: true
scheduledResyncInterval: 120
integration:
identifier: my-ocean-snyk-integration
type: snyk
eventListener:
type: POLLING
secrets:
token: SNYK_TOKEN
If you wish to customize access, the following configurations are available:
- The
organizationIdkey is used to restrict access to a specific organization. If specified in thevalues.yamlfile, the integration will fetch data only for the provided organization.
Remember to replace the placeholders for SNYK_TOKEN and SNYK_ORGANIZATION_ID.
initializePortResources: true
scheduledResyncInterval: 120
integration:
identifier: my-ocean-snyk-integration
type: snyk
eventListener:
type: POLLING
config:
organizationId: SNYK_ORGANIZATION_ID
secrets:
token: SNYK_TOKEN
- The
groupskey is used to restrict access to all organizations within specific Snyk groups. In thevalues.yamlfile, provide a comma-separated list of Snyk group IDs to thegroupskey, and the integration will filter data for all organizations in the group(s).
Remember to replace the placeholders for SNYK_TOKEN and SNYK_GROUPS.
initializePortResources: true
scheduledResyncInterval: 120
integration:
identifier: my-ocean-snyk-integration
type: snyk
eventListener:
type: POLLING
config:
groups: SNYK_GROUPS
secrets:
token: SNYK_TOKEN
- Install the
my-ocean-snyk-integrationArgoCD Application by creating the followingmy-ocean-snyk-integration.yamlmanifest:
Remember to replace the placeholders for YOUR_PORT_CLIENT_ID YOUR_PORT_CLIENT_SECRET and YOUR_GIT_REPO_URL.
Multiple sources ArgoCD documentation can be found here.
ArgoCD Application
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-ocean-snyk-integration
namespace: argocd
spec:
destination:
namespace: my-ocean-snyk-integration
server: https://kubernetes.default.svc
project: default
sources:
- repoURL: 'https://port-labs.github.io/helm-charts/'
chart: port-ocean
targetRevision: 0.1.14
helm:
valueFiles:
- $values/argocd/my-ocean-snyk-integration/values.yaml
parameters:
- name: port.clientId
value: YOUR_PORT_CLIENT_ID
- name: port.clientSecret
value: YOUR_PORT_CLIENT_SECRET
- name: port.baseUrl
value: https://api.getport.io
- repoURL: YOUR_GIT_REPO_URL
targetRevision: main
ref: values
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port (https://app.getport.io), your API URL is
https://api.getport.io. - If you use the US region of Port (https://app.us.getport.io), your API URL is
https://api.us.getport.io.
- Apply your application manifest with
kubectl:
kubectl apply -f my-ocean-snyk-integration.yaml
This table summarizes the available parameters for the installation.
| Parameter | Description | Required |
|---|---|---|
port.clientId | Your Port client id | ✅ |
port.clientSecret | Your Port client secret | ✅ |
port.baseUrl | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
integration.identifier | Change the identifier to describe your integration | ✅ |
integration.type | The integration type | ✅ |
integration.eventListener.type | The event listener type | ✅ |
integration.secrets.token | The Snyk API token | ✅ |
integration.config.organizationId | The Snyk organization ID. Fetches data for this organization when provided | ❌ |
integration.config.groups | A comma-separated list of Snyk group ids to filter data for. Fetches data for organizations within the specified groups | ❌ |
integration.config.apiUrl | The Snyk API URL. If not specified, the default will be https://api.snyk.io | ❌ |
integration.config.appHost | The host of the Port Ocean app. Used to set up the integration endpoint as the target for Webhooks created in Snyk | ✅ |
integration.secret.webhookSecret | This is a password you create, that Snyk uses to sign webhook events to Port | ❌ |
scheduledResyncInterval | The number of minutes between each resync | ❌ |
initializePortResources | Default true, When set to true the integration will create default blueprints and the port App config Mapping | ❌ |
sendRawDataExamples | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
For advanced configuration such as proxies or self-signed certificates, click here.
This workflow/pipeline will run the Snyk integration once and then exit, this is useful for scheduled ingestion of data.
If you want the integration to update Port in real time using webhooks you should use the Real-time (self-hosted) installation option
By default, the integration fetches all organizations associated with the provided Snyk token.
If you wish to customize access, the following parameters are available:
OCEAN__INTEGRATION__CONFIG__ORGANIZATION_ID: Use this parameter to restrict access to a specific organization. If specified, the integration will fetch data only for the provided organization.
OCEAN__INTEGRATION__CONFIG__GROUPS: When you want to limit access to all organizations within specific Snyk groups, use this parameter. Provide a comma-separated list of Snyk group IDs, and the integration will filter data accordingly.
- GitHub
- Jenkins
- Azure Devops
- GitLab
Make sure to configure the following Github Secrets:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__TOKEN | The Snyk API token | ✅ |
OCEAN__INTEGRATION__CONFIG__ORGANIZATION_ID | The Snyk organization ID. Provide this parameter to limit access to a specific organization. | ❌ |
OCEAN__INTEGRATION__CONFIG__GROUPS | A comma-separated list of Snyk group ids to filter data for. Provide this parameter to limit access to all organizations within specific group(s) | ❌ |
OCEAN__INTEGRATION__CONFIG__API_URL | The Snyk API URL. If not specified, the default will be https://api.snyk.io | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration, if not set will use the default one | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client secret | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for snyk-integration.yml workflow file:
name: Snyk Exporter Workflow
on:
workflow_dispatch:
schedule:
- cron: '0 */1 * * *' # Determines the scheduled interval for this workflow. This example runs every hour.
jobs:
run-integration:
runs-on: ubuntu-latest
timeout-minutes: 30 # Set a time limit for the job
steps:
- uses: port-labs/ocean-sail@v1
with:
type: 'snyk'
port_client_id: ${{ secrets.OCEAN__PORT__CLIENT_ID }}
port_client_secret: ${{ secrets.OCEAN__PORT__CLIENT_SECRET }}
port_base_url: https://api.getport.io
config: |
token: ${{ secrets.OCEAN__INTEGRATION__CONFIG__TOKEN }}
Your Jenkins agent should be able to run docker commands.
Make sure to configure the following Jenkins Credentials
of Secret Text type:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__TOKEN | The Snyk API token | ✅ |
OCEAN__INTEGRATION__CONFIG__ORGANIZATION_ID | The Snyk organization ID. Provide this parameter to limit access to a specific organization | ❌ |
OCEAN__INTEGRATION__CONFIG__GROUPS | A comma-separated list of Snyk group ids to filter data for. Provide this parameter to limit access to all organizations within specific group(s) | ❌ |
OCEAN__INTEGRATION__CONFIG__API_URL | The Snyk API URL. If not specified, the default will be https://api.snyk.io | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration, if not set will use the default one | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (How to get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client (How to get the credentials) secret | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for Jenkinsfile groovy pipeline file:
pipeline {
agent any
stages {
stage('Run Snyk Integration') {
steps {
script {
withCredentials([
string(credentialsId: 'OCEAN__INTEGRATION__CONFIG__TOKEN', variable: 'OCEAN__INTEGRATION__CONFIG__TOKEN'),
string(credentialsId: 'OCEAN__PORT__CLIENT_ID', variable: 'OCEAN__PORT__CLIENT_ID'),
string(credentialsId: 'OCEAN__PORT__CLIENT_SECRET', variable: 'OCEAN__PORT__CLIENT_SECRET'),
]) {
sh('''
#Set Docker image and run the container
integration_type="snyk"
version="latest"
image_name="ghcr.io/port-labs/port-ocean-${integration_type}:${version}"
docker run -i --rm --platform=linux/amd64 \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__TOKEN=$OCEAN__INTEGRATION__CONFIG__TOKEN \
-e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
-e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$image_name
exit $?
''')
}
}
}
}
}
}
Your Azure Devops agent should be able to run docker commands.
Make sure to configure the following variables using Azure Devops variable groups. Add them into in a variable group named port-ocean-credentials:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__TOKEN | The Snyk API token | ✅ |
OCEAN__INTEGRATION__CONFIG__ORGANIZATION_ID | The Snyk organization ID. Provide this parameter to limit access to a specific organization | ❌ |
OCEAN__INTEGRATION__CONFIG__GROUPS | A comma-separated list of Snyk group ids to filter data for. Provide this parameter to limit access to all organizations within specific group(s) | ❌ |
OCEAN__INTEGRATION__CONFIG__API_URL | The Snyk API URL. If not specified, the default will be https://api.snyk.io | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration, if not set will use the default one | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (How to get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client (How to get the credentials) secret | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for snyk-integration.yml pipeline file:
trigger:
- main
pool:
vmImage: "ubuntu-latest"
variables:
- group: port-ocean-credentials # OCEAN__PORT__CLIENT_ID, OCEAN__PORT__CLIENT_SECRET, OCEAN__INTEGRATION__CONFIG__TOKEN
steps:
- script: |
echo Add other tasks to build, test, and deploy your project.
# Set Docker image and run the container
integration_type="snyk"
version="latest"
image_name="ghcr.io/port-labs/port-ocean-$integration_type:$version"
docker run -i --rm \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__TOKEN=$(OCEAN__INTEGRATION__CONFIG__TOKEN) \
-e OCEAN__PORT__CLIENT_ID=$(OCEAN__PORT__CLIENT_ID) \
-e OCEAN__PORT__CLIENT_SECRET=$(OCEAN__PORT__CLIENT_SECRET) \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$image_name
exit $?
displayName: 'Ingest Synk Data into Port'
Make sure to configure the following GitLab variables:
| Parameter | Description | Required |
|---|---|---|
OCEAN__INTEGRATION__CONFIG__TOKEN | The Snyk API token | ✅ |
OCEAN__INTEGRATION__CONFIG__ORGANIZATION_ID | The Snyk organization ID. Provide this parameter to limit access to a specific organization | ❌ |
OCEAN__INTEGRATION__CONFIG__GROUPS | A comma-separated list of Snyk group ids to filter data for. Provide this parameter to limit access to all organizations within specific group(s) | ❌ |
OCEAN__INTEGRATION__CONFIG__API_URL | The Snyk API URL. If not specified, the default will be https://api.snyk.io | ❌ |
OCEAN__INITIALIZE_PORT_RESOURCES | Default true, When set to false the integration will not create default blueprints and the port App config Mapping | ❌ |
OCEAN__SEND_RAW_DATA_EXAMPLES | Enable sending raw data examples from the third party API to port for testing and managing the integration mapping. Default is true | ❌ |
OCEAN__INTEGRATION__IDENTIFIER | Change the identifier to describe your integration, if not set will use the default one | ❌ |
OCEAN__PORT__CLIENT_ID | Your port client id (How to get the credentials) | ✅ |
OCEAN__PORT__CLIENT_SECRET | Your port client (How to get the credentials) secret | ✅ |
OCEAN__PORT__BASE_URL | Your Port API URL - https://api.getport.io for EU, https://api.us.getport.io for US | ✅ |
Here is an example for .gitlab-ci.yml pipeline file:
default:
image: docker:24.0.5
services:
- docker:24.0.5-dind
before_script:
- docker info
variables:
INTEGRATION_TYPE: synk
VERSION: latest
stages:
- ingest
ingest_data:
stage: ingest
variables:
IMAGE_NAME: ghcr.io/port-labs/port-ocean-$INTEGRATION_TYPE:$VERSION
script:
- |
docker run -i --rm --platform=linux/amd64 \
-e OCEAN__EVENT_LISTENER='{"type":"ONCE"}' \
-e OCEAN__INITIALIZE_PORT_RESOURCES=true \
-e OCEAN__SEND_RAW_DATA_EXAMPLES=true \
-e OCEAN__INTEGRATION__CONFIG__TOKEN=$OCEAN__INTEGRATION__CONFIG__TOKEN \
-e OCEAN__PORT__CLIENT_ID=$OCEAN__PORT__CLIENT_ID \
-e OCEAN__PORT__CLIENT_SECRET=$OCEAN__PORT__CLIENT_SECRET \
-e OCEAN__PORT__BASE_URL='https://api.getport.io' \
$IMAGE_NAME
rules: # Run only when changes are made to the main branch
- if: '$CI_COMMIT_BRANCH == "main"'
The baseUrl, port_region, port.baseUrl, portBaseUrl, port_base_url and OCEAN__PORT__BASE_URL parameters are used to select which instance or Port API will be used.
Port exposes two API instances, one for the EU region of Port, and one for the US region of Port.
- If you use the EU region of Port (https://app.getport.io), your API URL is
https://api.getport.io. - If you use the US region of Port (https://app.us.getport.io), your API URL is
https://api.us.getport.io.
For advanced configuration such as proxies or self-signed certificates, click here.
Configuration
Port integrations use a YAML mapping block to ingest data from the third-party api into Port.
The mapping makes use of the JQ JSON processor to select, modify, concatenate, transform and perform other operations on existing fields and values from the integration API.
Examples
Examples of blueprints and the relevant integration configurations:
Organization
Organization blueprint
{
"identifier": "snykOrganization",
"title": "Snyk Organization",
"icon": "Snyk",
"schema": {
"properties": {
"url": {
"type": "string",
"title": "URL",
"format": "url",
"icon": "Snyk"
},
"slug": {
"type": "string",
"title": "Slug"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"aggregationProperties": {},
"relations": {}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: organization
selector:
query: 'true'
port:
entity:
mappings:
identifier: .id
title: .name
blueprint: '"snykOrganization"'
properties:
slug: .slug
url: ("https://app.snyk.io/org/" + .slug | tostring)
Target
Target blueprint
{
"identifier": "snykTarget",
"title": "Snyk Target",
"icon": "Snyk",
"schema": {
"properties": {
"criticalOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open Critical Vulnerabilities"
},
"highOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open High Vulnerabilities"
},
"mediumOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open Medium Vulnerabilities"
},
"lowOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open Low Vulnerabilities"
},
"origin": {
"title": "Target Origin",
"type": "string",
"enum": [
"artifactory-cr",
"aws-config",
"aws-lambda",
"azure-functions",
"azure-repos",
"bitbucket-cloud",
"bitbucket-server",
"cli",
"cloud-foundry",
"digitalocean-cr",
"docker-hub",
"ecr",
"gcr",
"github",
"github-cr",
"github-enterprise",
"gitlab",
"gitlab-cr",
"google-artifact-cr",
"harbor-cr",
"heroku",
"ibm-cloud",
"kubernetes",
"nexus-cr",
"pivotal",
"quay-cr",
"terraform-cloud",
"bitbucket-connect-app",
"acr",
"api"
]
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {
"snyk_organization": {
"title": "Snyk Organization",
"target": "snykOrganization",
"required": false,
"many": false
}
}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: target
selector:
query: 'true'
port:
entity:
mappings:
identifier: .id
title: .attributes.display_name
blueprint: '"snykTarget"'
properties:
origin: .relationships.integration.data.attributes.integration_type
highOpenVulnerabilities: '[.__projects[].meta.latest_issue_counts.high] | add'
mediumOpenVulnerabilities: '[.__projects[].meta.latest_issue_counts.medium] | add'
lowOpenVulnerabilities: '[.__projects[].meta.latest_issue_counts.low] | add'
criticalOpenVulnerabilities: '[.__projects[].meta.latest_issue_counts.critical] | add'
relations:
snyk_organization: '.relationships.organization.data.id'
Project
Project blueprint
{
"identifier": "snykProject",
"title": "Snyk Project",
"icon": "Snyk",
"schema": {
"properties": {
"url": {
"type": "string",
"title": "URL",
"format": "url",
"icon": "Snyk"
},
"businessCriticality": {
"title": "Business Criticality",
"type": "array",
"items": {
"type": "string",
"enum": [
"critical",
"high",
"medium",
"low"
]
},
"icon": "DefaultProperty"
},
"environment": {
"items": {
"type": "string",
"enum": [
"frontend",
"backend",
"internal",
"external",
"mobile",
"saas",
"onprem",
"hosted",
"distributed"
]
},
"icon": "Environment",
"title": "Environment",
"type": "array"
},
"lifeCycle": {
"title": "Life Cycle",
"type": "array",
"items": {
"type": "string",
"enum": [
"development",
"sandbox",
"production"
]
},
"icon": "DefaultProperty"
},
"highOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open High Vulnerabilities"
},
"mediumOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open Medium Vulnerabilities"
},
"lowOpenVulnerabilities": {
"icon": "Vulnerability",
"type": "number",
"title": "Open Low Vulnerabilities"
},
"tags": {
"type": "array",
"title": "Tags",
"icon": "DefaultProperty"
},
"targetOrigin": {
"type": "string",
"title": "Target Origin"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"aggregationProperties": {},
"relations": {
"snyk_target": {
"title": "Snyk Target",
"target": "snykTarget",
"required": false,
"many": false
}
}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: project
selector:
query: 'true'
port:
entity:
mappings:
identifier: .id
title: .attributes.name
blueprint: '"snykProject"'
properties:
url: ("https://app.snyk.io/org/" + .relationships.organization.data.id + "/project/" + .id | tostring)
businessCriticality: .attributes.business_criticality
environment: .attributes.environment
lifeCycle: .attributes.lifecycle
highOpenVulnerabilities: .meta.latest_issue_counts.high
mediumOpenVulnerabilities: .meta.latest_issue_counts.medium
lowOpenVulnerabilities: .meta.latest_issue_counts.low
criticalOpenVulnerabilities: .meta.latest_issue_counts.critical
tags: .attributes.tags
targetOrigin: .origin
relations:
snyk_target: '.relationships.target.data.id'
Vulnerability
Vulnerability blueprint
{
"identifier": "snykVulnerability",
"title": "Snyk Vulnerability",
"icon": "Snyk",
"schema": {
"properties": {
"score": {
"icon": "Star",
"type": "number",
"title": "Score"
},
"packageName": {
"type": "string",
"title": "Package Name",
"icon": "DefaultProperty"
},
"packageVersions": {
"icon": "Package",
"title": "Package Versions",
"type": "array"
},
"type": {
"type": "string",
"title": "Type",
"enum": [
"vuln",
"license",
"configuration"
],
"icon": "DefaultProperty"
},
"severity": {
"icon": "Alert",
"title": "Issue Severity",
"type": "string",
"enum": ["low", "medium", "high", "critical"],
"enumColors": {
"low": "green",
"medium": "yellow",
"high": "red",
"critical": "red"
}
},
"url": {
"icon": "Link",
"type": "string",
"title": "Issue URL",
"format": "url"
},
"language": {
"type": "string",
"title": "Language",
"icon": "DefaultProperty"
},
"publicationTime": {
"type": "string",
"format": "date-time",
"title": "Publication Time",
"icon": "DefaultProperty"
},
"isPatched": {
"type": "boolean",
"title": "Is Patched",
"icon": "DefaultProperty"
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {
"project": {
"title": "Project",
"target": "snykProject",
"required": false,
"many": false
}
}
}
Integration configuration
createMissingRelatedEntities: true
deleteDependentEntities: true
resources:
- kind: issue
selector:
query: '.issueType == "vuln"'
port:
entity:
mappings:
identifier: .issueData.id
title: .issueData.title
blueprint: '"snykVulnerability"'
properties:
score: .priorityScore
packageName: .pkgName
packageVersions: .pkgVersions
type: .issueType
severity: .issueData.severity
url: .issueData.url
language: .issueData.language // .issueType
publicationTime: .issueData.publicationTime
isPatched: .isPatched
relations:
project: '.links.paths | split("/") | .[8]'
Let's Test It
This section includes a sample response data from Snyk. In addition, it includes the entity created from the resync event based on the Ocean configuration provided in the previous section.
Payload
Here is an example of the payload structure from Snyk:
Organization response data
{
"name": "My Other Org",
"id": "a04d9cbd-ae6e-44af-b573-0556b0ad4bd2",
"slug": "my-other-org",
"url": "https://api.snyk.io/org/my-other-org",
"group": {
"name": "ACME Inc.",
"id": "a060a49f-636e-480f-9e14-38e773b2a97f"
}
}
Target response data
{
"attributes": {
"created_at": "2022-09-01T00:00:00Z",
"display_name": "snyk-fixtures/goof",
"is_private": false,
"url": "http://github.com/snyk/local-goof"
},
"id": "55a348e2-c3ad-4bbc-b40e-9b232d1f4121",
"relationships": {
"integration": {
"data": {
"attributes": {
"integration_type": "gitlab"
},
"id": "7667dae6-602c-45d9-baa9-79e1a640f199",
"type": "integration"
}
},
"organization": {
"data": {
"id": "e661d4ef-5ad5-4cef-ad16-5157cefa83f5",
"type": "organization"
}
}
},
"type": "target"
}
Project response data
{
"name": "snyk/goof",
"id": "af137b96-6966-46c1-826b-2e79ac49bbd9",
"created": "2018-10-29T09:50:54.014Z",
"origin": "github",
"type": "maven",
"readOnly": false,
"testFrequency": "daily",
"totalDependencies": 42,
"issueCountsBySeverity": {
"low": 13,
"medium": 8,
"high": 1,
"critical": 3
},
"imageId": "sha256:caf27325b298a6730837023a8a342699c8b7b388b8d878966b064a1320043019",
"imageTag": "latest",
"imageBaseImage": "alpine:3",
"imagePlatform": "linux/arm64",
"imageCluster": "Production",
"hostname": null,
"remoteRepoUrl": "https://github.com/snyk/goof.git",
"lastTestedDate": "2019-02-05T08:54:07.704Z",
"browseUrl": "https://app.snyk.io/org/4a18d42f-0706-4ad0-b127-24078731fbed/project/af137b96-6966-46c1-826b-2e79ac49bbd9",
"importingUser": {
"id": "e713cf94-bb02-4ea0-89d9-613cce0caed2",
"name": "example-user@snyk.io",
"username": "exampleUser",
"email": "example-user@snyk.io"
},
"isMonitored": false,
"branch": null,
"targetReference": null,
"tags": [
{
"key": "example-tag-key",
"value": "example-tag-value"
}
],
"attributes": {
"criticality": ["high"],
"environment": ["backend"],
"lifecycle": ["development"]
},
"remediation": {
"upgrade": {},
"patch": {},
"pin": {}
}
}
Vulnerability response data
{
"id": "npm:ms:20170412",
"issueType": "vuln",
"pkgName": "ms",
"pkgVersions": ["1.0.0"],
"issueData": {
"id": "npm:ms:20170412",
"title": "Regular Expression Denial of Service (ReDoS)",
"severity": "low",
"originalSeverity": "high",
"url": "https://snyk.io/vuln/npm:ms:20170412",
"description": "`## Overview\\r\\n[`ms`](https://www.npmjs.com/package/ms) is a tiny millisecond conversion utility.\\r\\n\\r\\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an incomplete fix for previously reported vulnerability [npm:ms:20151024](https://snyk.io/vuln/npm:ms:20151024). The fix limited the length of accepted input string to 10,000 characters, and turned to be insufficient making it possible to block the event loop for 0.3 seconds (on a typical laptop) with a specially crafted string passed to `ms",
"identifiers": {
"CVE": [],
"CWE": ["CWE-400"],
"OSVDB": []
},
"credit": ["Snyk Security Research Team"],
"exploitMaturity": "no-known-exploit",
"semver": {
"vulnerable": [">=0.7.1 <2.0.0"],
"unaffected": ""
},
"publicationTime": "2017-05-15T06:02:45Z",
"disclosureTime": "2017-04-11T21:00:00Z",
"CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"cvssScore": 3.7,
"language": "js",
"patches": [
{
"id": "patch:npm:ms:20170412:0",
"urls": [
"https://snyk-patches.s3.amazonaws.com/npm/ms/20170412/ms_100.patch"
],
"version": "=1.0.0",
"comments": [],
"modificationTime": "2019-12-03T11:40:45.863964Z"
}
],
"nearestFixedInVersion": "2.0.0",
"path": "[DocId: 1].input.spec.template.spec.containers[snyk2].securityContext.privileged",
"violatedPolicyPublicId": "SNYK-CC-K8S-1",
"isMaliciousPackage": true
},
"introducedThrough": [
{
"kind": "imageLayer",
"data": {}
}
],
"isPatched": false,
"isIgnored": false,
"ignoreReasons": [
{
"reason": "",
"expires": "",
"source": "cli"
}
],
"fixInfo": {
"isUpgradable": false,
"isPinnable": false,
"isPatchable": false,
"isFixable": false,
"isPartiallyFixable": false,
"nearestFixedInVersion": "2.0.0",
"fixedIn": ["2.0.0"]
},
"priority": {
"score": 399,
"factors": [{}, "name: `isFixable`", "description: `Has a fix available`"]
},
"links": {
"paths": ""
}
}
Alternative installation via webhook
While the Ocean integration described above is the recommended installation method, you may prefer to use a webhook to ingest data from Snyk. If so, use the following instructions:
Webhook installation (click to expand)
In this example you are going to create a webhook integration between Snyk and Port, which will ingest Snyk code and infrastructure vulnerability entities into Port.
Port configuration
Create the following blueprint definition:
Snyk vulnerability blueprint
{
"identifier": "snykVulnerability",
"description": "This blueprint represents a Snyk vulnerability in our software catalog",
"title": "Snyk Vulnerability",
"icon": "Snyk",
"schema": {
"properties": {
"organizationUrl": {
"type": "string",
"format": "url",
"title": "Organization URL"
},
"organizationName": {
"type": "string",
"title": "Organization Name"
},
"projectName": {
"type": "string",
"title": "Project Name"
},
"projectOrigin": {
"type": "string",
"title": "Project Origin"
},
"branchName": {
"type": "string",
"title": "Branch Name"
},
"pkgName": {
"type": "string",
"title": "Package Name"
},
"issueType": {
"type": "string",
"title": "Issue Type"
},
"issueSeverity": {
"type": "string",
"title": "Issue Severity"
},
"issueURL": {
"type": "string",
"format": "url",
"title": "Issue URL"
},
"issueStatus": {
"type": "string",
"title": "Issue Status",
"enum": ["added", "removed"],
"enumColors": {
"added": "red",
"removed": "green"
}
}
},
"required": []
},
"mirrorProperties": {},
"calculationProperties": {},
"relations": {}
}
Create the following webhook configuration using Port UI
Snyk vulnerability webhook configuration
-
Basic details tab - fill the following details:
- Title :
Snyk Mapper; - Identifier :
snyk_mapper; - Description :
A webhook configuration to map Snyk vulnerability to Port; - Icon :
Snyk;
- Title :
-
Integration configuration tab - fill the following JQ mapping:
[
{
"blueprint": "snykVulnerability",
"itemsToParse": ".body.newIssues",
"filter": ".body.newIssues | length > 0",
"entity": {
"identifier": ".item.id",
"title": ".item.issueData.title",
"properties": {
"organizationUrl": ".body.org.url",
"organizationName": ".body.org.name",
"projectName": ".body.project.name",
"projectOrigin": ".body.project.origin",
"branchName": ".body.project.branch",
"issueType": ".item.issueType",
"pkgName": ".item.pkgName",
"issueSeverity": ".item.issueData.severity",
"issueURL": ".item.issueData.url",
"issueStatus": "'added'"
}
}
},
{
"blueprint": "snykVulnerability",
"itemsToParse": ".body.removedIssues",
"filter": ".body.removedIssues | length > 0",
"entity": {
"identifier": ".item.id",
"title": ".item.issueData.title",
"properties": {
"organizationUrl": ".body.org.url",
"organizationName": ".body.org.name",
"projectName": ".body.project.name",
"projectOrigin": ".body.project.origin",
"branchName": ".body.project.branch",
"issueType": ".item.issueType",
"pkgName": ".item.pkgName",
"issueSeverity": ".item.issueData.severity",
"issueURL": ".item.issueData.url",
"issueStatus": "'removed'"
}
}
}
] -
Scroll down to Advanced settings and input the following details:
- secret:
WEBHOOK_SECRET; - Signature Header Name :
x-hub-signature; - Signature Algorithm : Select
sha256from dropdown option; - Signature Prefix :
sha256= - Click Save at the bottom of the page.
- secret:
Remember to replace the WEBHOOK_SECRET with the real secret you specify when creating the webhook in Snyk.
Create a webhook in Snyk
- Go to Snyk and select an account you want to configure the webhook for;
- Click on Settings at the left of the page and copy your organization ID under the Organization ID section;
- Navigate to your Snyk accounts page and copy your API token. You will use this value to authorize the REST API;
- Open any REST API client such as POSTMAN and make the following API call to create your webhook:
API URL- use https://api.snyk.io/v1/org/`YOUR_ORG_ID`/webhooks;Method- select POSTAuthorization- The API token should be supplied in an Authorization header asAuthorization: token YOUR_API_KEY;Request Body- The body of your request should be in a JSON format. Past the following information in the body text
{
"url": "https://ingest.getport.io/<YOUR_PORT_WEBHOOK_KEY>",
"secret": "WEBHOOK_SECRET"
} - Click Send to create your Snyk webhook;
You can also create the Snyk webhook using the curl command below:
curl -X POST \
-H "Authorization: token YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{"url": "https://ingest.getport.io/<YOUR_PORT_WEBHOOK_KEY>", "secret": "WEBHOOK_SECRET"}' \
https://api.snyk.io/v1/org/<YOUR_ORG_ID>/webhooks
Done! Any vulnerability detected on your source code will trigger a webhook event to the webhook URL provided by Port. Port will parse the events according to the mapping and update the catalog entities accordingly.