
Snyk SCA

Snyk is a platform for testing software code. The Uleska Snyk tool supports vulnerability checking of your application's open-source dependencies using Snyk's platform and its database of known-vulnerable open-source libraries.

Security Stage: SCA (Software Composition Analysis)
Type: Proprietary
Frameworks: Source code
Site: https://snyk.io


Pre-requisites

1. You'll need a Snyk account and an API token for that account.

How do I set it up?

Adding Snyk to your set of security tests is simple. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

Create a connection to Snyk using your API token

You will need to add Snyk as a New Connection in your Uleska system:

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop-down list, select 'Generic Api Connection'
  • Add the URL for Snyk to your connection (https://snyk.io/)
  • Add your API token as an "Access Token"
  • No further details are required.
  • Click 'Save'

Setting your application and version to run Snyk

  • Navigate to the version you would like to test
  • Click the "Test tools" tab to open it
  • Find the Snyk tool
  • Click the blue cog and select your Snyk connection from the "Connection name" drop-down. You can also specify a number of other optional configuration values here such as:

    • Package File: The file that Snyk should inspect for package information. If this is left blank, Snyk will try to automatically detect which package/manifest file to scan.
    • Organisation: Specify a name to run Snyk commands tied to a specific organisation.
    • Policy path: Manually pass a path to a Snyk policy file contained in the application's source code.
  • Click 'Save'
  • Click "Add tool"
  • Click "Save" at the bottom of the page

Now, any time you click 'Test Now' for that version, or make a request over the Uleska API or CLI for that stage, the Snyk tool will be included to test your code and add any results to your vulnerabilities list.
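The three optional values above (Package File, Organisation, Policy path) are the same knobs a Snyk CLI scan exposes. The script below is an added illustration, not Uleska's own code and not part of this page: it shows how those settings turn into a `snyk test` invocation, leaves the package file out when it is blank so that Snyk auto-detects the manifest (the behaviour described above), and refuses to run unless the API token is supplied through the `SNYK_TOKEN` environment variable rather than on the command line, where it would show up in shell history and process listings. The mapping of Uleska's settings onto the `--file`, `--org` and `--policy-path` flags is an assumption made for this example; the flag names themselves are real Snyk CLI options.

```shell
#!/bin/sh
# Added example (not Uleska code): assemble a `snyk test` command from the
# three optional settings documented above. The mapping of those settings
# onto Snyk CLI flags is an assumption made for this illustration.

# build_snyk_cmd PACKAGE_FILE ORG POLICY_PATH
# Prints the command line that would be run. Any argument may be empty:
# an empty PACKAGE_FILE means "let Snyk auto-detect the manifest".
build_snyk_cmd() {
  package_file="$1"
  org="$2"
  policy_path="$3"

  # --json gives machine-readable output suitable for import into a
  # vulnerability list; --severity-threshold is left at Snyk's default.
  cmd="snyk test --json"
  [ -n "$package_file" ] && cmd="$cmd --file=$package_file"
  [ -n "$org" ] && cmd="$cmd --org=$org"
  [ -n "$policy_path" ] && cmd="$cmd --policy-path=$policy_path"

  printf '%s\n' "$cmd"
}

# run_snyk_scan PACKAGE_FILE ORG POLICY_PATH
# Runs the assembled command, but only if the token is present in the
# environment. The token never appears in the command line itself.
run_snyk_scan() {
  if [ -z "${SNYK_TOKEN:-}" ]; then
    echo "SNYK_TOKEN is not set; refusing to run an unauthenticated scan" >&2
    return 2
  fi
  cmd=$(build_snyk_cmd "$1" "$2" "$3")
  echo "running: $cmd" >&2
  # shellcheck disable=SC2086  # word-splitting of $cmd is intended here
  $cmd
}

# Usage (constructed values): scan the repository's package.json for the
# organisation "example-org", honouring the .snyk policy file in the repo.
#   SNYK_TOKEN=... run_snyk_scan package.json example-org .snyk
# Or, with every optional field left blank, let Snyk auto-detect:
#   SNYK_TOKEN=... run_snyk_scan "" "" ""
build_snyk_cmd package.json example-org .snyk
```

Keeping the token in `SNYK_TOKEN` (which is where the Snyk CLI itself looks for it) mirrors what the Uleska connection does with the "Access Token" field: the secret is stored once, out of band, and the scan definition only references it.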