Backstage integration with the Snyk API

What is Backstage ?

Backstage began life as an internal project at Spotify and was released as an open-source project in 2020. Its original intention was to be a central location where the company had a registry of all software they had in production but has since evolved into a much more advanced platform, including a plugins system that helps users extend the platform. This plugin system is a significant reason for Backstages success and drove adoption within the company. This open and extensible architecture has proved extremely powerful in providing engineering teams with the tools to have visibility across all aspects of the software development lifecycle. Backstage is released under the Apache 2.0 license and is now a CNCF Sandbox project.

Why use Backstage ?

In the cloud-native world, our applications and our infrastructure have become increasingly intertwined – everything is a software development process, and we can’t really separate our workloads from the containers that they are deployed in. 

Combined with modern pipeline driven delivery systems, this has meant that from a development perspective, the scope of what information that we’re interested in as developers have increased dramatically, as has the range of systems we are using in our development pipelines. We really want to be able to get information in a unified way across the whole pipeline from development to production and to have an efficient way of providing that information to our developers to enable them to be as productive as possible as quickly as possible. 

Being able to tie all of these things together into single panes of glass with a single source of truth for configuration is where Backstage comes in – an open API to allow building catalogues and dashboards of all the systems our teams are using, along with a service catalog which gives developers access to documentation, configuration and templates associated with a particular software project.

Security and Backstage

Backstage’s plugin architecture has enabled a wide range of different integrations, with everything from CI systems to monitoring and alerting, and integrating security into Backstage is a logical step. Developers have increasing responsibility for security in the cloud world, often including containers and configuration as well as application code, and surfacing security information as early and often as possible during development is critical.

Integrating with the Snyk API

Snyk’s full-featured API is designed to allow integration into many other systems, and the Snyk Backstage plugin leverages the Snyk API to enable Snyk data to be visualized directly in Backstage, along with all the other data points which our development teams might be interested in around their applications. Being able to surface security information directly into the development workflow, along with prioritization and remediation advice, is one of the key tenets of Snyk’s Developer-first approach to security, and enabling integration with a wide range of systems is the underlying principle behind the Snyk API. 

Let’s take a look at Backstage with the Snyk plugin!

Installing Backstage

To install Backstage, follow the steps outlined in the Backstage documentation.

Installing the Snyk plugin

Once you have backstage installed, you can install the Snyk plugin. To get started, you need an the following items from your Snyk account:

• an API token

• your Organization name

• your Project ID

After locating these items, follow the steps outlined in the Snyk Backstage plugin README in GitHub.

Security scanning throughout the SDLC

After you have completed the installation steps referenced above, Snyk vulnerability data displayed directly in Backstage. This allows you to view real-time security information about your project, empowering developers with visibility and remediation advice on how to fix security related issues. 

In cloud native application development, our developers have increasing responsibility for security — in many cases across applications, containers, and configuration — so integrating security scanning throughout the software development life cycle becomes a key principle of cloud native application security. Integrations like the Snyk Backstage plugin make it easier for developers to access and action security information directly in their workflows.

If you like the idea of Backstage but don’t want the inconvenience of managing Backstage yourself, check out Roadie. Roadie offers Backstage as a service. Want to know more? Visit Roadie.io and sign up for a demo.

Snyk is free to use, although accessing the Snyk API requires a paid tier. This post is part of a series on integrations using the Snyk API, check out the first part on integrating Snyk with Prometheus. Register for an account and try out Snyk today!