Snyk Connector Guide
Summary: How to set up and use the Snyk connector in Ivanti Neurons.
Overview
Snyk OSS is an open-source security platform that allows developers to identify, prioritize, and automatically fix open-source vulnerabilities throughout the development process. Ivanti Neurons ASPM offers an API-based connector that integrates Snyk OSS vulnerability information into the Ivanti Neurons ASPM platform for further prioritization and accessibility. This connector does not ingest Snyk Code vulnerability information.
Snyk Configuration
- An account with Snyk and the Standard or Pro plan are required.
- Add one or more Project(s) to Snyk.
- View the Snyk Data Export Guide for more information on how to add project(s) and download issues in a CSV format.
Snyk User Permissions
Go to Settings in the Navigation Bar and select the Members tab on the left-hand side. Members can be invited and assigned a role on this page.
Visit the Snyk Knowledge Center for more information on managing groups and organizations.
Connector Configuration in Ivanti Neurons
Setting Up the Snyk Connector
Navigate to the Automate > Integrations page.
Using the search bar in the upper-right corner of the Integrations page, type Snyk to find the connector. Locate the Snyk card under Applications and click Configuration.
In the new window under Connection, complete the required fields, as described below.
- Name: The connector’s name, e.g., “My Snyk Connector”.
- URL: Snyk URL, e.g., https://api.snyk.io/.
- API Key: The API token that has access to the Snyk Reporting API.
- Network: Ivanti Neurons network name (ingested applications associated with this network).
Click Test Credentials to verify the credentials are correct and have access to make API calls to the Snyk instance.
Configure the desired schedule for the connector to retrieve results from the Snyk instance and optionally turn on Enable auto URBA (Update Remediation by Assessment). The user may specify how far back scan data is pulled, choosing from the following options: 30 days, 60 days, 90 days, 6 months, or 1 year.
Click Save to create the connector.
Once saved, the connector is now visible on the Integrations page under Currently Configured Integrations.
On the Configuration > Uploads page, Snyk data is parsed from the scan file and displayed on the Applications and Application Findings pages.
Snyk OSS Data Mapping in Ivanti Neurons ASPM
The Scanner Name associated with these scans is SNYK, which can be used as a filter on both the Applications and Application Findings pages in Ivanti Neurons ASPM.
Applications Page
Application data extracted from the Snyk scan file is shown on the Applications page as an asset with the following fields:
- Address
- URLs
- Vulnerability Counts by Severity
- Last Scan Date
- Source
- Package Manager
- Affected Files
- Last Discovered on
- First Discovered on
- Project ID
- Project Origin
- Test Frequency
- Project Type
- Business Criticality
- Environment
- Lifecycle
- Status
Application Findings Page
All finding data extracted from the Snyk scan file is shown on the Application Findings page in Ivanti Neurons ASPM.
- Findings that are Fixed or Ignored will not be displayed on the Application Findings page.
- Affected File is listed under Detailed Information.
- Additional Metadata Fields:
  - Risk Type (License, Security)
  - Module Name
  - Semantic Versioning
  - Published On
  - Language
  - Exploit Level
  - OSVDB
  - GHSA ID
  - NSP
  - First Discovered On
  - Last Discovered On
  - Package
  - Version
Severity Mapping
The Snyk scan file contains the following severity levels: high, medium, and low. Based on the type of plugin, Ivanti Neurons maps these levels to Severity on the CHMLI scale as follows:
Snyk Severity | Mapping to Ivanti Neurons Severity
---|---
Security Issue Types |
High | 9
Medium | 5
Low | 3
License Issue Types |
High | 9
Medium | 5
Low | 3
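The following added example (not code from Ivanti or Snyk) shows how a Snyk CSV export would be normalized the way this guide describes: Fixed and Ignored findings are dropped, each remaining finding is given the numeric severity from the table above according to its Risk Type, and per-project vulnerability counts by severity are produced. The CSV column names and the sample rows are constructed for this example, not the real Snyk export schema, and a severity value outside high/medium/low is reported as unmapped rather than silently scored.

```python
import csv
import io
from collections import Counter, defaultdict

# Severity mapping from the guide: Snyk high/medium/low -> Ivanti Neurons numeric severity.
# The same values apply to Security and License issue types.
SEVERITY_MAP = {
    "security": {"high": 9, "medium": 5, "low": 3},
    "license": {"high": 9, "medium": 5, "low": 3},
}

# Findings in these states are not shown on the Application Findings page.
EXCLUDED_STATES = {"fixed", "ignored"}

# Constructed sample export. Column names are assumptions for this example,
# not the actual Snyk CSV schema. The last row carries a severity value that
# is not in the guide's mapping table, to exercise the unmapped path.
SAMPLE_CSV = """project_id,issue_type,severity,state,package,version
proj-1,security,high,open,lodash,4.17.15
proj-1,security,medium,fixed,minimist,1.2.0
proj-1,license,low,open,some-gpl-lib,2.0.0
proj-2,security,low,ignored,ws,5.2.2
proj-2,license,medium,open,other-lib,1.0.0
proj-2,security,critical,open,xyz,0.1.0
"""


def ingest(csv_text):
    """Return (findings, counts, unmapped): retained findings with their numeric
    severity, per-project counts keyed by numeric severity, and rows whose
    issue type / severity pair has no entry in SEVERITY_MAP."""
    findings, unmapped = [], []
    counts = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["state"].strip().lower() in EXCLUDED_STATES:
            continue  # Fixed / Ignored findings are not displayed
        risk_type = row["issue_type"].strip().lower()
        severity = row["severity"].strip().lower()
        score = SEVERITY_MAP.get(risk_type, {}).get(severity)
        if score is None:
            unmapped.append(row)  # surface for review instead of guessing a score
            continue
        findings.append({**row, "risk_type": risk_type, "ivanti_severity": score})
        counts[row["project_id"]][score] += 1
    return findings, dict(counts), unmapped


if __name__ == "__main__":
    kept, per_project, skipped = ingest(SAMPLE_CSV)
    for project, by_severity in per_project.items():
        print(project, dict(by_severity))
    print("unmapped rows:", len(skipped))
```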