Snyk pipe parameters and values
This section describes:
- The Snyk pipe parameters and values
- An example of the Snyk pipe for npm
- An example of the Snyk pipe for a Docker image
Parameters and values
Following is the Snyk pipe definition that should be configured as part of a pipeline YAML file in order to include vulnerability scanning as part of your CI/CD workflow:
    - pipe: snyk/snyk-scan:0.2.0
      variables:
        SNYK_TOKEN: '<string>'
        LANGUAGE: '<string>'
        # IMAGE_NAME: '<string>'  # Only required if LANGUAGE set to 'docker'
        # DONT_BREAK_BUILD: '<boolean>'  # Optional.
        # MONITOR: '<boolean>'  # Optional.
        # SEVERITY_THRESHOLD: '<low|medium|high>'  # Optional.
        # ORGANIZATION: '<string>'  # Optional.
        # PROJECT_FOLDER: '<string>'  # Optional.
        # TARGET_FILE: '<string>'  # Optional.
        # EXTRA_ARGS: '<string>'  # Optional.
        # DEBUG: '<boolean>'  # Optional.
The following table describes the Snyk pipe parameters.
| Parameter | Description |
|---|---|
| SNYK_TOKEN (*) | Enter the Snyk API token, which you can retrieve from your Snyk Account Settings. To keep the token out of the pipeline file, add it as a secured predefined variable in Bitbucket and reference that variable from the pipe. See the Bitbucket documentation for more information about predefined variables. |
| LANGUAGE (*) | Configure the package manager of the app (for example, npm, rubygems, composer, nuget or docker). See Docker Hub for the full list of possible tags. |
| IMAGE_NAME (*) | For the docker language only, configure the name of the image on which to perform the Docker scan. |
| (parameter name missing from source) | Applies the patches specified in your .snyk file to the local file system when set to true. Default: false; automatic remediation is disabled. To enable automatic remediation, first run the Snyk Wizard, which creates the .snyk file and adds it to your project. |
| DONT_BREAK_BUILD | When set to true, the build continues even when vulnerabilities are discovered. Default: false; the build fails. |
| MONITOR | Records a snapshot of the project for the Snyk UI and continues monitoring the project after the build has run. If the test succeeds, this records a snapshot of the app's dependencies in the Snyk app, so you can see the state of your deployed code, have it monitored, and receive alerts when new vulnerabilities are found in it. Default: false; the project is not monitored after the initial scan. |
| SEVERITY_THRESHOLD | Reports issues at or above the configured level. Possible values: low, medium, high. Default: low; all vulnerabilities are reported. |
| ORGANIZATION | Configures the organization in your Snyk account with which to associate the repository. |
| PROJECT_FOLDER | The folder in which the project resides. |
| TARGET_FILE | The package file (for example, package.json); equivalent to --file= in the CLI. For Docker, enter the Dockerfile as the value. |
| EXTRA_ARGS | Extra arguments to pass to the Snyk CLI, using the parameters and arguments documented for the CLI. |
| DEBUG | Turns on extra debug information. |

(*) indicates a required parameter; IMAGE_NAME is required only when LANGUAGE is set to docker.
Example of a Snyk pipe for Docker
Following is an example of the Snyk pipe set up for a Docker image:
Example of a Snyk pipe for npm
Following is an example of the Snyk pipe set up for npm:
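The following bitbucket-pipelines.yml is an added example, not the page's own, that puts the pipe version and variables from the table above into two steps: one scanning an npm project and one scanning a locally built Docker image. The build image, the application and image names, and the secured repository variable $SNYK_TOKEN are assumptions; BITBUCKET_COMMIT is a default Bitbucket variable.

```yaml
# Added example (not from the original page): bitbucket-pipelines.yml using the
# snyk/snyk-scan pipe. The build image, app/image names and the secured
# repository variable SNYK_TOKEN are assumptions.
image: node:18   # assumption: base image for the npm step

pipelines:
  default:
    - step:
        name: Snyk test (npm)
        caches:
          - node
        script:
          - npm ci                             # install so the full dependency tree is resolvable
          - pipe: snyk/snyk-scan:0.2.0
            variables:
              SNYK_TOKEN: $SNYK_TOKEN          # secured repository variable, never a literal token
              LANGUAGE: 'npm'
              TARGET_FILE: 'package.json'      # equivalent to --file=package.json in the CLI
              SEVERITY_THRESHOLD: 'high'       # report only high-severity issues
              DONT_BREAK_BUILD: 'false'        # default: fail the build when issues are found
              MONITOR: 'true'                  # after a passing test, snapshot the project in Snyk
    - step:
        name: Snyk test (Docker image)
        services:
          - docker                             # the pipe scans an image that exists locally
        script:
          - docker build -t example-app:${BITBUCKET_COMMIT} .   # assumption: Dockerfile in repo root
          - pipe: snyk/snyk-scan:0.2.0
            variables:
              SNYK_TOKEN: $SNYK_TOKEN
              LANGUAGE: 'docker'
              IMAGE_NAME: example-app:${BITBUCKET_COMMIT}   # required when LANGUAGE is 'docker'
              TARGET_FILE: 'Dockerfile'        # per the table: pass the Dockerfile for Docker scans
              SEVERITY_THRESHOLD: 'medium'
```

The Docker step builds the image in the same step that scans it because the pipe only sees images present on the build agent; the npm step leaves DONT_BREAK_BUILD at its default so that a finding at or above the threshold stops the pipeline rather than merely logging it.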