Snyk Documentation

CircleCI integration overview

Snyk integrates with CircleCI using a Snyk Orb, seamlessly scanning your application dependencies and Docker images for open source security vulnerabilities as part of the continuous integration/continuous delivery (CI/CD) workflow.

CircleCI enables users to easily create CI/CD workflows using a group of ready-to-use commands (Orbs) that can be added to your configuration file.

With the Snyk Orb, you can quickly add Snyk scanning to your CI/CD in order to test and monitor for open source vulnerabilities, based on your configurations. Results are then displayed from the CircleCI output view and can also be monitored from Snyk.io.

How it works

Once you add a project to CircleCI and add the Snyk Orb to the configuration file, the Snyk Orb runs as part of every build.


Scan

  1. Scans app dependencies or Docker images for vulnerabilities or licensing issues, and lists them.
  2. If Snyk finds vulnerabilities, it does one of the following (based on configuration):
    • Fails the build
    • Lets the build complete

Monitor

Optionally, if the build continues (the test step completes successfully) and MONITOR is set to True in the configuration file, Snyk saves a snapshot of the project dependencies on Snyk.io, where you can see the dependency tree with all of its issues and be alerted to new issues found in the existing app version.

Protect (Optional)

(For Node.js projects only) Optionally, set PROTECT to True; if a .snyk policy file exists, Snyk applies the patches specified in that policy file.

Snyk Orb information in CircleCI Registry

From the Orbs registry, CircleCI displays a list of available Orbs customized for you directly, similar to the following image:


From this list, find and click Snyk to view the Orb's information, including examples, parameters, and values.

Prerequisites

  1. Create a Snyk account and retrieve the Snyk API token from your Account Settings
  2. Import the relevant repo into CircleCI
  3. Go to Settings -> Security -> Orb Security Settings and make sure you opt in to allow third-party Orbs
  4. Make sure your configuration (config.yml) file follows version 2.1
  5. Add the required variables to CircleCI (e.g. Snyk API token as API_TOKEN)
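
A config.yml that puts the pieces above together (the Scan, Monitor and fail-the-build behaviour, plus the API token variable and version 2.1 prerequisites), added here as an illustration rather than taken from the Snyk documentation or the Orb itself. The orb name `snyk/snyk`, the version placeholder, the image names and the parameter names (`fail-on-issues`, `monitor-on-build`, `severity-threshold`, `token-variable`, `docker-image-name`, `target-file`) are assumptions to confirm against the Orb's page in the CircleCI Orb registry.

```yaml
# .circleci/config.yml (added example, not from the Snyk docs or the Orb source)
# Assumptions: orb name snyk/snyk and the parameter names fail-on-issues,
# monitor-on-build, severity-threshold, token-variable, docker-image-name,
# target-file. Check them against the Orb's page in the CircleCI registry.
version: 2.1                      # prerequisite 4: the Orb needs config version 2.1

orbs:
  snyk: snyk/snyk@<version>       # placeholder: pin a released version from the registry

jobs:
  scan-dependencies:
    docker:
      - image: cimg/node:lts
    steps:
      - checkout
      - run: npm ci
      # "Scan": test the app dependencies for vulnerabilities and license issues.
      # fail-on-issues: true is the "Fails the build" behaviour; set it to false
      # to let the build complete with the findings only reported.
      # "Monitor": monitor-on-build: true stores the snapshot on Snyk.io, and
      # only runs when the test step itself succeeds.
      - snyk/scan:
          fail-on-issues: true
          monitor-on-build: true
          severity-threshold: high    # low/medium findings do not fail the build
          token-variable: API_TOKEN   # prerequisite 5: env var holding the Snyk API token

  scan-image:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - setup_remote_docker
      - run: docker build -t my-app:ci .   # my-app:ci is a constructed image tag
      # Same Orb command pointed at the built image instead of the manifest.
      - snyk/scan:
          docker-image-name: my-app:ci
          target-file: Dockerfile
          fail-on-issues: false       # report only; do not block the pipeline
          monitor-on-build: false
          token-variable: API_TOKEN

workflows:
  security:
    jobs:
      - scan-dependencies
      - scan-image
```

The two jobs show the two outcomes the page describes: the dependency job blocks the pipeline on high-severity findings and records a snapshot for ongoing monitoring, while the image job surfaces findings in the CircleCI output without failing the build.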

Getting Started

Getting started with CircleCI from 0 to a green build with Snyk is simple! You can read all about the Snyk Orb here. The page includes all the information you need to set up your CI/CD with Snyk, including a list of parameters and samples.