How to add a Snyk pipe
To enable Snyk to test and monitor your code as an integral part of your CI/CD workflow in Bitbucket, add the Snyk pipe to your bitbucket-pipelines.yml (YAML) file. The bitbucket-pipelines.yml file should be located in the root of your repository; it defines all your build configurations (the pipelines for your CI/CD workflow).
- Add the Snyk pipe while originally creating your pipeline, or while editing an existing pipeline. See the Bitbucket documentation for more information about pipelines and pipes. When adding the Snyk pipe, follow these guidelines:
- Use the Bitbucket pipeline editor to update the .yml file configuration, select the correct language, and use the Bitbucket Pipes build directory when adding the Snyk pipe.
- Paste the Snyk pipe into the Bitbucket editor interface, after all build steps. Build steps are commands such as these: npm install / composer install / bundle install / dotnet restore / docker build.
- Ensure you paste the pipe before a deployment step, such as npm publish or docker push.
- Configure LANGUAGE, choose whether to fail the pipeline when vulnerabilities are found with DONT_BREAK_BUILD (you can also use SEVERITY_THRESHOLD), and consider enabling MONITOR and PROTECT (PROTECT is for Node.js projects only). See Snyk pipe parameters and values for more information.
- Once the pipe is included in your pipeline commands, Snyk looks for the manifest files in that repository (package.json, package-lock.json) and performs the scan.
- Results appear in the Bitbucket Pipelines output interface.
Note: if the build fails, Snyk does not continue to the Monitor stage, even if MONITOR is set to True (because no projects are deployed until the build succeeds). To enable monitoring on Snyk.io of projects with vulnerabilities, set DONT_BREAK_BUILD to True. You can also use SEVERITY_THRESHOLD to set the severity level from which the pipe fails at the scanning stage. See Snyk pipe parameters and values for more information.
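The placement and parameter guidelines above, shown as an added example bitbucket-pipelines.yml for an npm project; this is not taken from the Snyk documentation. Assumptions: the pipe is referenced as snyk/snyk-scan with a `<version>` placeholder you replace with a released version, the API token is stored in a secured repository variable named SNYK_TOKEN, and the build image is a Node.js image.

```yaml
# Added example (constructed): Snyk pipe placed after build steps and before deployment.
image: node:18                                # assumption: any Node.js build image

pipelines:
  default:
    - step:
        name: Build, scan, publish
        script:
          # 1. Build steps first, so dependencies are installed before the scan.
          - npm install

          # 2. Snyk pipe: after all build steps, before any deployment step.
          - pipe: snyk/snyk-scan:<version>    # placeholder: pin a released pipe version
            variables:
              SNYK_TOKEN: $SNYK_TOKEN         # assumption: secured repository variable
              LANGUAGE: "npm"
              SEVERITY_THRESHOLD: "high"      # fail the pipe only from this severity up
              DONT_BREAK_BUILD: "false"       # findings from the threshold up fail the step
              MONITOR: "true"                 # not reached when the scan fails the build

          # 3. Deployment step last; it does not run if the pipe fails the step.
          - npm publish
```

With these values a finding of high severity or above stops the step before npm publish and, per the note above, also skips the Monitor stage; setting DONT_BREAK_BUILD to "true" lets the step continue so the project is still monitored on Snyk.io.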