Snyk-Watcher: keep Snyk in sync

Welcome to Snyk API Wednesdays! This is our newest blog series that highlights the different ways the Snyk API is leveraged by our customers. Snyk’s extensibility and API enable developers to tune Snyk’s security automation to their specific workflows, ensuring consistency in both developer experience and platform governance. We’re proud to start the series with a new open source tool called Snyk-Watcher, built by the Product Security team at Twilio to help them automate the process of importing projects into Snyk, at scale.

This article was originally published on the Twilio Blog.

The product security team at Twilio is responsible for securing all applications built by Twilio. We work with Engineering teams to help secure Twilio and our customers. We use Snyk, a cloud native application security platform, to make sure our code is secure at all stages of design and deployment.

Automation is the key to building security at scale, because it eliminates human error. When we automate, we catch more vulnerabilities. Snyk scans repositories automatically — that is, as long as you’ve told Snyk which ones to scan.

We needed a way to automate the process of keeping Snyk up to date with projects in our SCM, detecting when repositories are added, deleted, or renamed, and configuring Snyk automatically.

We created Snyk-Watcher, a GitHub App that listens to webhooks on the main branch for repository changes and pull requests. When a pull request is merged to main, Snyk-Watcher imports the project into Snyk for scanning. When a repository is created, deleted, or renamed, Snyk-Watcher triggers the appropriate actions in Snyk. These automated actions are facilitated by the Snyk API which can be used to integrate and automate Snyk's various security functions.

Once Snyk-Watcher is installed in GitHub, you can test it by adding a new repository, then check in the app’s advanced settings to see if the request was successful. Keep in mind, Snyk needs a manifest file to scan your project and its dependencies — for example, MANIFEST.MF in Maven, or package.json in JavaScript projects. Snyk supports a growing number of languages along with their manifest file formats. When Snyk detects a valid manifest file in your project, you’ll see the project appear in Snyk.

With Snyk-Watcher, you don't have to remember to add and remove projects from Snyk. It just happens. Today, we are open sourcing the tool, so you can automate the process of importing projects to keep your SCM and Snyk in sync.

To get started with Snyk-Watcher, check out the README here.