Skip to main content

Visualize image vulnerabilities with Snyk data

In this guide, we will configure a mapping to allow visualizing Snyk vulnerabilities in your container registries. This guide assume that you have an existing docker image entity in your software catalog. If you do not have the images ingested already, we recommend using our AWS ECR script, Google Container Registry script, JFrog build script or GitHub packages script to sync data to your catalog.

Prerequisites​

Steps​

For this example, we will connect our AWS ECR images to Snyk project and it's vulnerabilities using the steps below:

  1. Modify the ECR Image blueprint to add relation between the image and Snyk Project. You can use the JSON Schema below:
ECR Image blueprint with relation (click to expand)
{
  "identifier": "image",
  "description": "This blueprint represents an ECR image",
  "title": "ECR Image",
  "icon": "AWS",
  "schema": {
    "properties": {
      "registryId": {
        "type": "string",
        "title": "Registry ID",
        "description": "The ID of the registry"
      },
      "tags": {
        "type": "array",
        "title": "Image Tags",
        "description": "List of tags for the image"
      },
      "size": {
        "type": "number",
        "title": "Image Size",
        "description": "Size of the image in bytes"
      },
      "pushedAt": {
        "type": "string",
        "title": "Pushed At",
        "description": "Date and time the image was pushed to the repository",
        "format": "date-time"
      },
      "manifestMediaType": {
        "type": "string",
        "title": "Manifest Media Type",
        "description": "The media type of the image manifest"
      },
      "artifactMediaType": {
        "type": "string",
        "title": "Artifact Media Type",
        "description": "The media type of the image artifact"
      }
    },
    "required": []
  },
  "mirrorProperties": {},
  "calculationProperties": {},
  "aggregationProperties": {},
  "relations": {
    "snykProject": {
      "title": "Snyk Project",
      "target": "snykProject",
      "required": false,
      "many": false
    }
  }
}
  1. Update the Snyk integration config mapping to establish a relationship between the ECR Image blueprint and Snyk Project:
Integration configuration (click to expand)
JQ Explanation

The JQ filters all projects that are scanned from AWS ECR. In addition, it extract only the projects that were built using these container package managers [deb, apk, rpm]

  - kind: project
    selector:
      query: .attributes as $attr | ["ecr"] | contains([$attr.origin]) as $origin_check | ["deb", "apk", "rpm"] | contains([$attr.type]) as $type_check | $origin_check and $type_check
    port:
      entity:
        mappings:
          identifier: .attributes.name
          title: .attributes.name
          blueprint: '"image"'
          properties: {}
          relations:
            snykProject: .id
  1. Resync the integration and you will see your catalog ECR images connected to Snyk projects: