Snyk Documentation

Snyk pipe parameters and values

Parameters and values

Following is the Snyk pipe definition to add to your pipeline YAML file (bitbucket-pipelines.yml) in order to include vulnerability scanning as part of your CI/CD workflow. Commented-out lines are optional; uncomment them to set the parameter:

  - pipe: snyk/snyk-scan:0.2.0
    variables:
      SNYK_TOKEN: '<string>'
      LANGUAGE: '<string>'
      # IMAGE_NAME: '<string>' # Only required if LANGUAGE set to 'docker'
      # DONT_BREAK_BUILD: '<boolean>' # Optional.
      # MONITOR: '<boolean>' # Optional.
      # SEVERITY_THRESHOLD: '<low|medium|high>' # Optional.
      # ORGANIZATION: '<string>' # Optional.
      # PROJECT_FOLDER: '<string>' # Optional.
      # TARGET_FILE: '<string>' # Optional.
      # EXTRA_ARGS: '<string>' # Optional.
      # DEBUG: '<boolean>' # Optional.

The following describes the Snyk pipe parameters. Parameters marked (*) are required.

Parameter          Description

SNYK_TOKEN (*)
  The Snyk API token, which you can retrieve from your Snyk account settings. Do not paste the token into the YAML file itself: store it as a secured repository variable so that Bitbucket encrypts it at rest and masks it in build logs:

    1. In the repository settings (the cog icon), open the Pipelines repository variables page, name the variable (for example, SNYK_TOKEN) and enter your token as the value.
    2. Select Secured (the padlock icon) next to the name and value, and then click Add.
    3. In the YAML file, enter $SNYK_TOKEN as the value of the SNYK_TOKEN parameter of the Snyk pipe.

  See the Bitbucket documentation for more information about secured repository variables.

LANGUAGE (*)
  The package manager or ecosystem of the app (for example, npm, rubygems, composer, nuget or docker). The value selects the tag of the Snyk CLI image used for the scan; see the Snyk CLI repository on Docker Hub for a full list of possible tags.

IMAGE_NAME (*)
  For LANGUAGE 'docker' only: the name (and tag) of the locally available image to scan. Required when LANGUAGE is docker; ignored otherwise.

PROTECT
  Supported only for JavaScript (npm) currently. When set to true, applies the patches specified in your .snyk file to the local file system. Default: false (automatic remediation is disabled). To enable automatic remediation, first run the Snyk wizard (snyk wizard), which creates the .snyk file and adds it to your project, and then add PROTECT: 'true' under the pipe variables.

DONT_BREAK_BUILD
  When set to true, the build continues even when vulnerabilities are discovered; the findings are still printed in the build output. Default: false (the step fails when vulnerabilities at or above SEVERITY_THRESHOLD are found).

MONITOR
  When set to true and the test succeeds, records a snapshot of the app's dependencies in the Snyk UI and keeps monitoring the project after the build, so you can see the state of your deployed code and receive alerts when new vulnerabilities are disclosed against it. Default: false (the project is not monitored after the scan).

SEVERITY_THRESHOLD
  Reports only issues of the configured severity or higher. Possible values: low, medium, high. Default: low (all vulnerabilities are reported).

ORGANIZATION
  The organization in your Snyk account with which the project is associated; equivalent to --org in the CLI. Default: none (the default organization of the token's account is used).

PROJECT_FOLDER
  The folder in which the project to scan resides, relative to the repository root. Default: . (the repository root).

TARGET_FILE
  The package manifest to scan (for example package.json); equivalent to --file= in the CLI. For Docker, enter the Dockerfile as the value so that findings can be related to the base image it declares. Default: none (Snyk auto-detects the manifest).

EXTRA_ARGS
  Extra arguments passed through to the Snyk CLI, using the same flags the CLI accepts on the command line. Default: none.

DEBUG
  Turns on extra debug output from the pipe. Default: false.


Example of a Snyk pipe for Docker

Following is an example of the Snyk pipe set up for a Docker image:
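The bitbucket-pipelines.yml below is an added, illustrative example rather than the pipe project's own sample. It builds an image from the repository's Dockerfile and scans it in the same step, failing the build on high-severity findings before anything is pushed. The image name my-app, the use of the built-in BITBUCKET_COMMIT variable as the tag, and a secured repository variable named SNYK_TOKEN are assumptions.

```yaml
# Added example: build an image and scan it with the Snyk pipe.
# Assumes a Dockerfile at the repository root and a secured
# repository variable named SNYK_TOKEN.
image: atlassian/default-image:2

pipelines:
  default:
    - step:
        name: Build image and scan with Snyk
        services:
          - docker            # the pipe reads the image from the step's Docker daemon
        caches:
          - docker
        script:
          # One tag per commit so the snapshot in Snyk maps back to a revision.
          - docker build -t "my-app:$BITBUCKET_COMMIT" .
          - pipe: snyk/snyk-scan:0.2.0
            variables:
              SNYK_TOKEN: $SNYK_TOKEN            # never a literal token here
              LANGUAGE: 'docker'
              IMAGE_NAME: "my-app:$BITBUCKET_COMMIT"
              TARGET_FILE: 'Dockerfile'          # lets Snyk relate findings to the base image
              SEVERITY_THRESHOLD: 'high'         # ignore low/medium noise in the gate
              DONT_BREAK_BUILD: 'false'          # high findings fail the step...
              MONITOR: 'true'                    # ...and passing images are snapshotted
          # Push to your registry only after the scan step has passed.
```

Because the pipe runs after docker build inside the same step, the scan covers exactly the layers that would be pushed; moving the push into a later step means a failed scan never publishes the image.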

Example of a Snyk pipe for npm

Following is an example of the Snyk pipe set up for npm:
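The bitbucket-pipelines.yml below is an added, illustrative example rather than the pipe project's own sample. It shows one pattern practitioners usually want: pull-request builds only test (so the Snyk UI is not filled with snapshots of short-lived branches), while builds of the main branch both test and monitor. A secured repository variable named SNYK_TOKEN, the organization slug my-org, and a package-lock.json in the repository root are assumptions; --fail-on=upgradable is a regular Snyk CLI flag passed through EXTRA_ARGS.

```yaml
# Added example: scan an npm project with the Snyk pipe.
# Assumes package.json and package-lock.json at the repository root
# and a secured repository variable named SNYK_TOKEN.
image: node:16

definitions:
  steps:
    - step: &snyk-test
        name: Snyk test (fail on medium or above)
        caches:
          - node
        script:
          - npm ci                               # reproducible install so snyk sees the full tree
          - pipe: snyk/snyk-scan:0.2.0
            variables:
              SNYK_TOKEN: $SNYK_TOKEN
              LANGUAGE: 'npm'
              PROJECT_FOLDER: '.'
              TARGET_FILE: 'package.json'
              SEVERITY_THRESHOLD: 'medium'
              DONT_BREAK_BUILD: 'false'          # a medium or higher finding fails the PR build
              MONITOR: 'false'                   # no snapshot for pull-request builds

pipelines:
  pull-requests:
    '**':
      - step: *snyk-test
  branches:
    main:
      - step:
          name: Snyk test and monitor main
          caches:
            - node
          script:
            - npm ci
            - pipe: snyk/snyk-scan:0.2.0
              variables:
                SNYK_TOKEN: $SNYK_TOKEN
                LANGUAGE: 'npm'
                SEVERITY_THRESHOLD: 'medium'
                ORGANIZATION: 'my-org'           # assumed Snyk organization slug
                EXTRA_ARGS: '--fail-on=upgradable'   # only fail where an upgrade fixes the issue
                MONITOR: 'true'                  # snapshot main so new advisories trigger alerts
```

The YAML anchor keeps the pull-request step defined once; if you prefer not to rely on anchors, copy the step under pull-requests instead. Set DEBUG: 'true' only while troubleshooting, and keep the token in the secured variable even then.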

Related topics: