Open

You will learn

How to create Snyk as ThreadFix remote provider, obtain Scan data, as well as how data is parsed.

Prerequisites

Audience: IT Professional or End User
Difficulty: Advanced
Time needed: Approximately 10 minutes
Tools required: User must have Server Manager role

Introduction

Snyk can be used to scan and secure codebase and cloud infrastructure configurations, taking advantage of the Snyk capabilities in Static Application Security Testing (SAST), Software Composition Analysis (SCA), and Infrastructure as Code analysis.

• Snyk Open Source - Find and fix known vulnerabilities and licensing issues in open-source dependencies

• Snyk Code - Scan a codebase for known vulnerabilities and get remediation guidance either inline in an IDE or by importing a code repository to Snyk Web UI

• Snyk IaC - Secure cloud infrastructure configurations before and after deployment

Snyk User Account

During the creation process, users will need to provide a name, API URL, and API Key.

Open

API Usage

Authentication

Snyk requires API tokens for authentication of all API calls. API token is generated using the Authentication API.

Below APIs used to retrieve list of SCA vulnerabilities

Retrieve list of Organizations

Retrieve targets for a given Org Id

Retrieve projects for a given Org Id and for a target id (target id is provided in query-string parameter). And also projects can be filtered by using ‘types’ query-string parameter. Snyk supported projects types can be found here https://docs.snyk.io/snyk-api/using-snyk-api/snyk-api-responses-project-type

Retrieve the SBOM document of a software project for a given Org Id and project id which provides package level details to get issues.

Retrieve the issues for a given package. Need separate request for each package using this API. Package is identified by Package URL (purl)

Note:
If 'GET /orgs/{org_id}/issues' is used to get SCA issues for a given org id and project id if the response does not have enough details to map Snyk vulnerability fields to ThreadFix finding fields like vulnerability details and remediation recommendations. Thus we suggest using the above series of API calls to get SCA vulnerabilities.

Refer GET /orgs/{org_id}/issues response below for reference:
https://apidocs.snyk.io/beta?version=2024-01-04%7Ebeta#get-/orgs/-org_id-/issues

The below APIs are used to retrieve your list of SAST vulnerabilities 

Retrieve list of Organizations

Retrieve targets for a given Org Id

Retrieve projects for a given Org Id and for a target id (target id is provided in query-string parameter). And also projects can be filtered by using ‘types’ query-string parameter. Snyk supported projects types can be found here https://docs.snyk.io/snyk-api/using-snyk-api/snyk-api-responses-project-type

Retrieved issues for a given Org Id and project id (project id is provided in scan_item.id, scan_item.type as 'project' and type as 'code' in query-string parameters)

To retrieve issue details for a specific Issue ID, use the Issue ID from the data:attributes:key field for a particular issue listed in the Rest API "Get Issues by Org" API call. Need separate request for each issue to get issue details using this API.

Note:

GET /orgs/{org_id}/targets - Need to use beta version API to get targets
GET /orgs/{org_id}/issues - Need to use Beta version api to get issues
GET /orgs/{org_id}/issues/detail/code/{issue_id} -- Need to use experimental version api to get issue details

Snyk Data Classification

Container Projects

• deb

• rpm

• linux

• apt

• dockerfile

Cloud Types

• k8sconfig

• armconfig

• cloudformation

• terraformconfig

• terraformplan

• helmconfig

Table of Contents