Snyk Documentation

How it works

Use the Snyk plugin with your TeamCity projects to test and monitor your code for vulnerabilities on an ongoing basis, breaking builds when newly disclosed vulnerabilities related to your project are announced and receiving relevant notifications—all based on your configurations.

  1. The admin selects the Snyk plugin for installation in their TeamCity account.
    TeamCity installs the plugin on the server in the Plugin directory.
  2. The admin enables the plugin.
  3. The user creates a project or updates an existing project, adding Snyk Security as a build step.
  4. The user configures the build, including the Snyk Security step itself (API token, severity threshold, policy changes, etc.).
  5. Snyk authenticates your account using the API token you configured in the build.
  6. The user runs a build.
  7. During the build, before scanning for vulnerabilities, your Snyk installation is verified in the background and, depending on your policy configuration, updated if necessary.
  8. Snyk then analyzes the manifest file of your project, automatically detecting the project type to find direct and transitive dependencies, and tests your project against the Snyk vulnerability database for known vulnerabilities.
    In the TeamCity Build details, the Snyk Security Report tab displays the test results, indicating the number of known issues and the number of associated dependency paths identified.
  9. Based on the Monitor project on build configuration setting for this project:
    1. If the user did not select this option when configuring the step, Snyk displays all vulnerability results and details in the Snyk Security Report tab in TeamCity.
      If any vulnerability identified in your project meets the severity threshold you defined, TeamCity breaks the build.
      Otherwise, TeamCity continues to run the build to completion (success or failure) and Snyk activity ends.
    2. If the user configured the Monitor project on build option, Snyk now runs the snyk monitor command and proceeds with the remainder of the steps as described here.
  10. Snyk takes a snapshot of the project, analyzes the manifest file of your project to find its direct and transitive dependencies and tests your project against the Snyk vulnerability database for known vulnerabilities.
  11. Snyk pushes the snapshot to the Snyk UI, which displays the project details and the dependency hierarchy as well as vulnerability results and remediation advice.
  12. If any vulnerability in your project meets the severity threshold you defined, TeamCity breaks the build.
  13. Once the snapshot is pushed to the Snyk UI, Snyk continues to monitor your project as new vulnerabilities are disclosed. Based on your configurations, if vulnerabilities are found, Snyk notifies you via email or Slack so that you can take immediate remediation action.
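The build-gating decision in steps 8, 9 and 12 can be reproduced outside TeamCity. The script below is an added example, not code from the Snyk plugin or the Snyk CLI: it plans the CLI invocations the step issues (snyk test, and snyk monitor only when Monitor project on build is enabled), counts known issues and dependency paths the way the Snyk Security Report tab does, and decides whether the build should break for a given severity threshold. The report shape is a trimmed, constructed stand-in for `snyk test --json` output with placeholder issue ids, and the threshold is treated as "at or above", matching the CLI's `--severity-threshold` flag; both are assumptions, not something the page states.

```python
"""Added example (not Snyk's plugin code): reproduce the build gate a Snyk
Security step applies to a `snyk test --json` report.

Assumptions, because the page does not state them: the report below is a
trimmed, constructed stand-in for real `snyk test --json` output, the issue ids
are placeholders, and the threshold means "this severity or higher", as the
Snyk CLI's --severity-threshold flag does.
"""
import json

# Snyk's four severity levels in ascending order.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report. One entry per vulnerable dependency path; the same
# issue id appears twice because the package is reachable through two parents.
SAMPLE_REPORT_JSON = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "severity": "medium", "packageName": "left-pad",
         "from": ["app@1.0.0", "left-pad@1.0.0"]},
        {"id": "SNYK-EXAMPLE-0002", "severity": "high", "packageName": "minimist",
         "from": ["app@1.0.0", "mkdirp@0.5.1", "minimist@0.0.8"]},
        {"id": "SNYK-EXAMPLE-0002", "severity": "high", "packageName": "minimist",
         "from": ["app@1.0.0", "optimist@0.6.1", "minimist@0.0.8"]},
    ],
})


def plan_commands(severity_threshold, monitor_on_build):
    """CLI invocations the step runs, in order: test always, then monitor only
    when 'Monitor project on build' is enabled (steps 9.2 to 11)."""
    if severity_threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {severity_threshold}")
    commands = [["snyk", "test", "--json", f"--severity-threshold={severity_threshold}"]]
    if monitor_on_build:
        commands.append(["snyk", "monitor"])
    return commands


def summarize(report_json):
    """(known issues, dependency paths) as the Snyk Security Report tab counts
    them: issues are unique ids, paths are individual report entries."""
    vulns = json.loads(report_json).get("vulnerabilities", [])
    return len({v["id"] for v in vulns}), len(vulns)


def issues_at_or_above(report_json, severity_threshold):
    """Sorted unique issue ids whose severity meets the threshold."""
    if severity_threshold not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {severity_threshold}")
    floor = SEVERITY_RANK[severity_threshold]
    vulns = json.loads(report_json).get("vulnerabilities", [])
    return sorted({v["id"] for v in vulns if SEVERITY_RANK[v["severity"]] >= floor})


def should_break_build(report_json, severity_threshold):
    """The gate from steps 9.1 and 12: break the build if any issue meets the threshold."""
    return bool(issues_at_or_above(report_json, severity_threshold))


if __name__ == "__main__":
    issues, paths = summarize(SAMPLE_REPORT_JSON)
    print(f"{issues} known issues across {paths} dependency paths")
    for threshold in SEVERITY_RANK:
        verdict = "BREAK" if should_break_build(SAMPLE_REPORT_JSON, threshold) else "pass"
        print(f"threshold={threshold:<8} -> {verdict}")
```

In a real step the JSON would come from the first command in `plan_commands`, run with the API token from step 4 exported as `SNYK_TOKEN`; the sample report stands in for that output so the gate can be exercised offline.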