
Fill catalog images with Snyk data

The Snyk API provides information about scanned container images stored in container registries. This section shows how to populate your software catalog with that data. Follow the steps below to fill your catalog entities with images scanned by Snyk.

Prerequisites

Steps

  1. Create an Image blueprint using this JSON schema:

         {
           "identifier": "image",
           "description": "This blueprint represents an image",
           "title": "Image",
           "icon": "AWS",
           "schema": {
             "properties": {
               "origin": {
                 "type": "string",
                 "title": "Registry Origin",
                 "description": "The origin of the registry",
                 "icon": "DefaultProperty"
               },
               "tags": {
                 "type": "array",
                 "title": "Image Tags",
                 "description": "List of tags for the image",
                 "icon": "DefaultProperty"
               },
               "pushedAt": {
                 "type": "string",
                 "title": "Pushed At",
                 "description": "Date and time the image was pushed to the repository",
                 "format": "date-time",
                 "icon": "DefaultProperty"
               },
               "triggeredBy": {
                 "type": "string",
                 "icon": "TwoUsers",
                 "title": "Triggered By",
                 "description": "The user who triggered the run"
               }
             },
             "required": []
           },
           "mirrorProperties": {},
           "calculationProperties": {},
           "aggregationProperties": {},
           "relations": {
             "snykProject": {
               "title": "Snyk Project",
               "target": "snykProject",
               "required": false,
               "many": false
             }
           }
         }

  2. Update the Snyk integration config mapping to fill the Image blueprint with data from Snyk projects. For this guide, we filter the integration to ingest images from AWS Container Registry (ECR), Docker Hub, Google Container Registry, GitHub Container Registry and GitLab Registry. In addition, we keep only images that are created using these package managers: deb, apk, rpm.

     JQ explanation: the JQ query selects all scanned projects that come from these origins [ecr, gcr, docker-hub, github-cr, gitlab-cr] and use these package managers [deb, apk, rpm].

         - kind: project
           selector:
             query: .attributes as $attr | ["ecr", "gcr", "docker-hub", "github-cr", "gitlab-cr"] | contains([$attr.origin]) as $origin_check | ["deb", "apk", "rpm"] | contains([$attr.type]) as $type_check | $origin_check and $type_check
           port:
             entity:
               mappings:
                 identifier: .attributes.name
                 title: .attributes.name
                 blueprint: '"image"'
                 properties:
                   origin: .attributes.origin
                   pushedAt: .attributes.created
                   triggeredBy: .__importer.email
                   tags: .attributes.tags
                 relations:
                   snykProject: .id

     Read more about the container registries supported in Snyk and the supported package managers.

  3. Resync the integration and you will see your catalog images filled with data from Snyk.
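
The selector query in the integration configuration above relies on jq's `contains`, which compares strings inside arrays by substring rather than by equality, so an origin or type that is a fragment of an allowed value also passes the filter. The following added example (not part of the original guide, nor Port's or Snyk's code) models that behaviour in Python and compares it with strict membership; the sample records and function names are constructed for illustration.

```python
# Added example: the selector's jq logic modelled in Python on constructed data.
ORIGINS = ["ecr", "gcr", "docker-hub", "github-cr", "gitlab-cr"]
TYPES = ["deb", "apk", "rpm"]

def jq_contains(allowed, value):
    """Model of jq `allowed | contains([value])` for a list of strings.

    jq matches strings inside arrays by substring; a value of another
    kind (null, number) never matches a string element.
    """
    return isinstance(value, str) and any(value in item for item in allowed)

def selector_as_written(project):
    """The guide's query: $origin_check and $type_check, both via contains()."""
    attr = project.get("attributes", {})
    return jq_contains(ORIGINS, attr.get("origin")) and jq_contains(TYPES, attr.get("type"))

def selector_exact(project):
    """Strict membership, which jq can express as `any(. == $attr.origin)`."""
    attr = project.get("attributes", {})
    return attr.get("origin") in ORIGINS and attr.get("type") in TYPES

def over_matched(projects):
    """Names the query as written ingests but strict membership rejects."""
    return [p["attributes"]["name"] for p in projects
            if selector_as_written(p) and not selector_exact(p)]

# Constructed records carrying only the fields the mapping reads.
SAMPLE_PROJECTS = [
    {"id": "p-1", "attributes": {"name": "acme/api:1.4.2", "origin": "ecr", "type": "deb"}},
    {"id": "p-2", "attributes": {"name": "acme/web:latest", "origin": "docker-hub", "type": "apk"}},
    {"id": "p-3", "attributes": {"name": "acme/web-src", "origin": "github", "type": "npm"}},
    # Edge cases: values that are fragments of an allowed entry, and a null origin.
    {"id": "p-4", "attributes": {"name": "acme/partial-origin", "origin": "github", "type": "rpm"}},
    {"id": "p-5", "attributes": {"name": "acme/partial-type", "origin": "gcr", "type": "pk"}},
    {"id": "p-6", "attributes": {"name": "acme/no-origin", "origin": None, "type": "deb"}},
]

if __name__ == "__main__":
    for p in SAMPLE_PROJECTS:
        a = p["attributes"]
        print(f'{a["name"]:22} written={selector_as_written(p)} exact={selector_exact(p)}')
    print("over-matched:", over_matched(SAMPLE_PROJECTS))
```

Running the same comparison over an export of your own Snyk projects before resyncing shows whether any entity would enter the catalog as an image only because of the substring match.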