Snyk
Snyk provides tools and services to help developers find and fix security vulnerabilities in their software applications by identifying vulnerabilities in open-source libraries and containers, which developers commonly use to build their applications.
This is a licensed feature.
Snyk scanner files can be imported into PlexTrac via API for use in a PlexTrac report. PlexTrac integrates with the following Snyk products:
Snyk Code (SAST)
Snyk Open Source (SCA)
Snyk Container
Snyk Infrastructure as Code
When a file is imported in PlexTrac, the source of the scanner file is retained and tracked in the "Source" field on the findings details page.
Field Mappings
Below are the field mappings from Snyk to PlexTrac, broken up by tool. The mappings are broken up in the tool sections by findings and assets.
Tables include the following columns:
Snyk Field: this is the field name that appears in Snyk
PlexTrac Field: this is the field name that appears in PlexTrac
Direction: this displays the direction that the flow of data is occurring for the integration (a value of "x" means that the value is not imported)
Required: this denotes if a value is required for the import to be successful
Notes: additional information
An asterisk indicates the field is required.
Snyk Open Source, Container, and IaC Mappings
Below are the mappings for the following Snyk products:
Snyk Open Source (SCA)
Snyk Container
Snyk Infrastructure as Code (IaC)
Finding Fields
Snyk Field | Direction | PlexTrac Field | Notes |
---|---|---|---|
Issue Title | --> | Finding Title* | required |
Issue Description | --> | Finding Description* | required |
Issue Description | --> | References | |
Issue Description | --> | Recommendations | |
Disclosure Time | --> | Created at | |
Publication Time | x | (not ingested) | |
CVE Identifier | --> | CVE Identifier | |
CWE Identifier | --> | CWE Identifier | |
Severity Score Value | --> | Score Value | |
Severity Score Calculation | --> | Severity Score Calculation | |
Severity Score Type | --> | Score Type | |
(no equivalent field in Snyk) | --> | Finding Status* | required; assigned a value of "Open" |
Issue Severity | --> | Finding Severity* | required; the five severity value mappings are listed below in italics |
| --> |
| |
| --> |
| |
| --> |
| |
| --> |
| |
| --> |
| |
Nearest Fixed In Version | --> | Custom Field "Nearest Fixed In Version | |
Fix Info | --> | Custom Field "Fix Info" | |
Organization Name | --> | Custom Field "Organization Name" | |
Organization ID | --> | Custom Field "Categorical Id" | |
Package Name | --> | Custom Field "Package Name" | |
Issue Type | --> | Custom Field "Issue Type" | |
Violated Policy Public Id | --> | Custom Field "Violated Policy Public Id" | |
Exploit Maturity | --> | Custom Field "Exploit Maturity" | |
Patches | --> | Custom Field "Patches" | |
Issue URL | --> | References |
Asset Fields
Snyk Field | Direction | PlexTrac Field | Notes |
---|---|---|---|
Project Name | --> | Affected Asset Name |
Deduplication Logic
If a duplicate finding title is found during import, the finding title in PlexTrac is appended with the Snyk Organization ID
and Issue Id
in parenthesis at the end of the title value.
Snyk Code Mappings
Below are the mappings for Snyk Code (SAST).
Findings
Snyk Field | Direction | PlexTrac Field | Notes |
---|---|---|---|
Aggregate Title | --> | Finding Title* | required |
Detail Title | --> | Finding Description* | required |
Product | --> | Tags | |
Product | --> | Source | |
Priority Score | --> | Score Type General | |
CVE | --> | CVE | |
CWE ID | --> | CWE | |
Issue URL | --> | References | |
Severity Mapping | required; the five severity value mappings are listed below in italics | ||
| --> |
| |
| --> |
| |
| --> |
| |
| --> |
| |
| --> |
| |
Primary Region | --> | Custom Field: "Source Location" | |
Priority Score Factors | --> | Custom Field: "Snyk Priority Score Factors" |
Asset Mappings
Snyk Field | Direction | PlexTrac Field | Notes |
---|---|---|---|
Project Name | --> | Parent Asset* | required |
Primary File Path | --> | Child Asset* | required |
Primary File Path | --> | Affected Asset(s)* | required |
Setting up Integration with Snyk
Step 1: From the Admin Dashboard, click Integrations under "Tools & Integrations."
Step 2: Click Connect within the Snyk box.
Step 3: Click New Connection.
Step 4: On the Configuration Details tab, enter a name for the integration and the Snyk API key. Click Continue.
Visit Snyk Support for information on generating an API key.
Step 5: On the Mapping tab, review the mappings and select the fields in Snyk to import by validating that the checkbox next to the field is set. To ignore a field on import, uncheck the box. Required fields (checkbox is greyed out) cannot be configured. Scroll to the bottom and click Save.
Step 6: A message on the First Synch tab will confirm if the synch was successful. If successful, click Got It.
The connection is now listed.
Editing Existing Connections
Connections are edited by clicking Edit under the "Actions" column.
Connections can be turned off by clicking the toggle bar under the "Enabled" column.
Connections can be manually synchronized by clicking Sync under the "Actions" column.
Connections can be deleted by clicking the three dots under the "Actions" column and then Delete. A modal will appear, asking for confirmation of the action.
Once set up, findings can be imported into a report, and instructions on this process can be found here.
Last updated