Snyk Documentation

Jenkins integration overview

Integrate the Snyk plugin with Jenkins to test and monitor your automated freestyle projects and pipelines directly from your Jenkins setup.

Installing the Snyk plugin within Jenkins lets you track, identify and remediate issues that could weaken your application's security posture over time: the plugin surfaces available fixes for known vulnerabilities and alerts you as new vulnerabilities are disclosed.

This document describes installation, configuration and use of the Snyk plugin v2 for Jenkins. Due to important changes in this plugin and within Jenkins such as different pipeline syntax and the deprecation of certain parameters, you should remove the v1 plugin and freshly install v2.

How it works

Use the Snyk plugin with your Jenkins projects to test and monitor your code for vulnerabilities on an ongoing basis. Depending on your configuration, the plugin breaks the build when vulnerabilities that affect your project are found and sends you the relevant notifications when new ones are disclosed.

  1. From a Jenkins user account, the admin selects the Snyk plugin for installation.
  2. Jenkins installs the plugin on the server in the Plugin directory.
  3. The user creates a project or pipeline in Jenkins, configuring the Source Control Management parameters (the plugin fails when None is selected for SCM), and configures the plugin for that specific project/pipeline.
  4. The user builds the pipeline/project, including the Snyk Security task.
  5. Snyk authenticates your account using the API token you stored in Jenkins.
  6. The user runs a Jenkins build, including the snyk test command.
  7. During the build, before scanning for vulnerabilities, your Snyk installation is verified and, if necessary, updated in the background according to your policy configuration.
  8. Snyk then analyzes the manifest file of your project to find its direct and transitive dependencies and tests your project against the Snyk vulnerability database for known vulnerabilities.
  9. From the Jenkins Console Output, the test results summary is displayed, indicating the number of known issues and the number of associated dependency paths identified.
  10. Based on the Monitor project on build configuration option for this project:
    • If the user did not select the option in Jenkins, Snyk displays all vulnerability results and details in the Snyk Security Report area of the Project menu.
    • If a severity threshold was defined and any vulnerability in your project is at or above that severity, Jenkins breaks the build.
  11. Otherwise, Jenkins continues to run the build to completion (success or failure) and Snyk activity ends.
  12. If the user selected the Monitor project on build option, Snyk now runs the snyk monitor command and proceeds with the remaining steps described here.
  13. Snyk takes a snapshot of the project, analyzes the manifest file of your project to find its direct and transitive dependencies and tests your project against the Snyk vulnerability database for known vulnerabilities.
  14. Snyk pushes the snapshot, displaying the project details and the dependency hierarchy from the Snyk UI as well as vulnerability results and remediation advice.
  15. The Snyk Security Report for the specific build displays vulnerabilities and their details.
  16. If a severity threshold was defined and any vulnerability in your project is at or above that severity, Jenkins breaks the build.
  17. Thereafter, Snyk continues to monitor the snapshot of your project as new vulnerabilities that affect your project are disclosed. Based on your configurations, if vulnerabilities are found, Snyk notifies you via email or Slack so that you can take immediate remediation action.
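A declarative Jenkinsfile that wires the steps above together, added here as an illustration and not taken from this page or from Snyk's own documentation. It assumes the plugin's `snykSecurity` pipeline step with its `snykInstallation`, `snykTokenId`, `severity`, `failOnIssues`, `monitorProjectOnBuild` and `targetFile` parameters; the credential ID, installation name and manifest path are placeholders.

```groovy
// Example Jenkinsfile (added illustration, not from the Snyk docs page).
// Assumes the Snyk plugin's `snykSecurity` step; the credential ID,
// installation name and target file below are placeholders.
pipeline {
  agent any

  stages {
    stage('Checkout') {
      steps {
        // The plugin needs an SCM-backed workspace; it fails when SCM is "None".
        checkout scm
      }
    }

    stage('Snyk test and monitor') {
      steps {
        snykSecurity(
          // Name of the Snyk CLI installation defined under Global Tool Configuration.
          snykInstallation: 'snyk-latest',      // placeholder
          // ID of the "Secret text" credential that stores the Snyk API token,
          // so the token never appears in the Jenkinsfile or the console log.
          snykTokenId: 'snyk-api-token',        // placeholder
          // Severity threshold: issues at or above this level break the build.
          severity: 'high',
          failOnIssues: true,
          // Also run `snyk monitor` so a snapshot is kept and newly disclosed
          // vulnerabilities trigger notifications after the build has finished.
          monitorProjectOnBuild: true,
          // Which manifest to analyze when the repository contains several.
          targetFile: 'package.json'            // placeholder
        )
      }
    }
  }
}
```

Setting `severity: 'high'` means medium and low findings are still reported in the Snyk Security Report but do not by themselves fail the build.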

Supported languages and repos

Snyk supports:

  • all Jenkins freestyle projects and pipelines regardless of which Source Code Management is configured.
  • all languages supported by Jenkins.