Integrate the Snyk Security plugin with JetBrains’ continuous integration (CI) tool, TeamCity, to embed open source vulnerability scanning directly into your automated build chain. The plugin runs as an additional build step in your TeamCity project to check for vulnerabilities as part of the build, and thereafter you can easily push your project to Snyk for continuous monitoring.
By scanning as part of your build and then displaying those test results directly from the TeamCity UI, the Snyk plugin enables you to more quickly track, identify and remediate issues that risk your application’s security posture over time, as fixes are made available for vulnerabilities or new vulnerabilities are disclosed.
Snyk supports all TeamCity projects regardless of which Git repo is used.
All languages supported by both TeamCity and Snyk can be scanned for vulnerabilities by this plugin.
Use the Snyk plugin with your TeamCity projects to test and monitor your code for vulnerabilities on an ongoing basis, breaking builds when newly disclosed vulnerabilities related to your project are announced and receiving relevant notifications—all based on your configurations.
The admin selects the Snyk plugin for installation in their TeamCity account.
TeamCity installs the plugin on the server in the Plugin directory.
The admin enables the plugin.
The user creates a project or updates an existing project, adding Snyk Security as a build step.
The user configures build, including the configuration of the Snyk Security step (API token, policy changes, etc.).
Snyk authenticates your account using the API token you configured in the build.
The user runs a build.
During the build, before scanning for vulnerabilities, your Snyk installation is verified and, if necessary, updated in the background, according to your policy configuration.
Snyk then analyzes the manifest file of your project, automatically detecting the project type to find direct and transitive dependencies, and tests your project against the Snyk vulnerability database for known vulnerabilities.
From TeamCity in the Build details, the tab Snyk Security Report displays the test results, indicating the number of known issues and the number of associated dependency paths identified.
Based on the Monitor project on build configuration setting for this project:
- If the user did not choose the option when configuring the step, then Snyk displays all vulnerability results and details from the Snyk Security Report tab in TeamCity.
  - If the severity threshold was defined for a severity that is assigned to any vulnerability identified in your project, TeamCity breaks the build.
  - Otherwise, TeamCity continues to run the build to completion (success or failure) and Snyk activity ends.
- If the user configured the Monitor project on build option, Snyk now runs the `snyk monitor` command and proceeds with the remainder of the steps as described here.
  - Snyk takes a snapshot of the project, analyzes the manifest file of your project to find its direct and transitive dependencies and tests your project against the Snyk vulnerability database for known vulnerabilities.
  - Snyk pushes the snapshot, displaying the project details and the dependency hierarchy from the Snyk UI as well as vulnerability results and remediation advice.
  - If the severity threshold was defined for a severity that is assigned to any vulnerability in your project, TeamCity breaks the build.
  - Once the snapshot is pushed to the Snyk UI, Snyk continues to monitor your project as new vulnerabilities are disclosed. Based on your configurations, if vulnerabilities are found, Snyk notifies you via email or Slack so that you can take immediate remediation action.
For any project, you can add Snyk to your build to scan the code while you build and to fail the build for vulnerabilities, based on your configurations.
We recommend running a build with the Snyk Security step before deployment, to ensure excellent security posture.
For additional information about TeamCity and its features, refer to the TeamCity documentation.
- Add the step to a new or existing project:
  - For new projects, after configuring the Git repo from which to create the build, activate the auto-detect feature to automatically identify relevant steps for your project build.
  - For existing projects, navigate to edit the project build steps. When complete, Snyk Security appears in the list of suggested steps and the current test policy appears in the Parameters Description column.
- Navigate to configure the Snyk Security step as follows:
  - Click anywhere on the Snyk Security row to access the configuration screen, or
  - for existing projects, click Add build step to access the configuration screen.
- Configure the TeamCity fields (Runner type, Step name and Execute Step).
- Optionally, click Show advanced options. Additional Snyk parameters are revealed: configure Snyk Settings and Snyk Tool Settings. For more information see TeamCity configuration parameters.
- Once configured, run the build. When the Snyk Security step ends successfully, you can navigate to the Snyk Security Report tab to view results within TeamCity and to navigate seamlessly to the Snyk UI for further action. From the top of the report, click View on Snyk.io to view the snapshot and vulnerability information directly from our app.
Install or upgrade the Snyk Security plugin with these steps. Once complete, you’re all set to add a Snyk step to your projects.
Warning
You must sign up for an account with Snyk before you begin.
- Log in to your TeamCity instance to install the Snyk Security plugin. Configure the Plugins list to Periodically check for plugin updates, in order to ensure regular automatic upgrades in the background.
- Navigate to the JetBrains Plugins Repository, search for Snyk and, from the Get dropdown list, select to install the plugin for your TeamCity installation.
- When the following prompt appears, click Install.
- When the installation ends, the Administration Plugins List loads, notifying you that the plugin has been uploaded.
- Ensure the plugin is enabled.
| Parameter | Description and values |
|---|---|
| Snyk settings | |
| Severity threshold | Default: low. The build fails on the first vulnerability found in your build that meets the configured threshold. |
| Monitor project on build | Default: ON. Snyk runs the `snyk monitor` command during the build, sending a project snapshot to the Snyk app and continuing to monitor the project for vulnerabilities even after this build. |
| File | Optional. If the manifest file is not at the root level, enter the relative path to that file. |
| Organization | Optional. The ID of the Snyk organization with which this project should be associated when imported to the UI. Copy the Organization ID from the Settings area of the Snyk UI. |
| Project name | Optional. Enter any unique name for this project to recognize it when viewing it in the Snyk UI. |
| Additional parameters | Optional. Enter additional CLI arguments as necessary. See our CLI documentation and cheat sheet for additional information. |
| Snyk tool settings | |
| Snyk API token | From the Settings area in the Snyk UI, copy the Org or Personal API token or create a service account. This is the token used to authenticate your Snyk account when connecting to TeamCity. |
| Snyk version | Default: the most recent version. Select the Snyk CLI version to be used in your build if you need an older version. We recommend configuring automatic upgrades and using the most recent version. |
| Use custom build tool path | Specify which tool instance in your local environment Snyk should use for this build. Otherwise Snyk auto-detects the tool and locates it in your environment based on project type. |