This feature is available with Enterprise plans. See pricing plans for more details.
With the Snyk plugin for Artifactory, you can track open source vulnerabilities and license details in your cached artifacts.
Once installed, the Snyk plugin runs in the background and automatically:
-
Blocks devs from downloading packages with vuln/license issues according to a predefined threshold that the admin sets
-
Adds vuln and license data from Snyk as properties in artifact
Note
This article refers to the Artifactory Plugin, an independent piece of software that is installed on the Artifactory machine and serves as a gatekeeper, blocking vulnerable packages from being downloaded from the Artifactory instance rather than the Artifactory Integration - an internal integration in Snyk app, that allows configuring SCM / CLI scans to use custom package registries.By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk plugin enables you to more quickly track and identify issues that risk your application’s security and avoid using those artifacts in your projects.
Our Artifactory plugin is supported for the following:
-
NPM
-
Maven
-
Ruby
-
Gradle
-
SBT
-
PIP
Install or upgrade the Snyk Security plugin with these steps. Once complete, Snyk automatically scans your artifacts every time you request to download them.
-
To install our plugin, first, download the archived (.zip) distribution of the Snyk Security Artifactory plugin as described in the steps below.
This archive contains the following structure, files, and folders:
*plugins snykSecurityPlugin.groovy—our plugin snykSecurityPlugin.properties—the configuration file for the plugin *lib—this is the folder that contains the dependencies for this plugin. artifactory-snyk-security-core.jar
-
You must sign up for an Enterprise account with Snyk before you begin.
- Up to (but not including) version 1.0.0, the plugin is compatible with any Artifactory on-premises version between 6.2.0 - 6.23.3.
- From version 1.0.0 and onward, the plugin is compatible with any Artifactory on-premises version from 7.0.3 and higher.
-
Log in to your Snyk account.
-
Click on settings
> General to locate, copy and save the following on the side:-
service account token or Organization API token:
-
the Organization ID for (any) one of your organizations
-
-
Go to our repo in GitHub and navigate to the Releases.
-
From the most current release, open the Assets section to download the artifactory-snyk-security-plugin-<version>.zip archive.
-
Extract the folders and files and move the contents of the plugins folder to /artifactory/etc/plugins
-
Right-click the snykSecurityPlugin.properties file to open and edit it with any text editor.
-
The file contents appear as the code snippet below:
Note
When a backup file is created for the .properties file, Artifactory cannot recognize the difference between the original and the new file. Therefore, disable any backup features configured for the editor you choose before editing the file.
# ======= # General # ======= # The base URL for all API endpoints (https://snyk.docs.apiary.io/#introduction/api-url). # Default value: https://snyk.io/api/v1/ #snyk.api.url=https://snyk.io/api/v1/ # The API token from Snyk account. snyk.api.token= # This ID uniquely identifies your organization (see Snyk account). snyk.api.organization= # Path to the ssl certificate for Snyk API in the PEM format. #snyk.api.sslCertificatePath= # If set to "true", automatically trusts all certificates of Snyk API. # Default value: "false" #snyk.api.trustAllCertificates=false # ===================== # Scanner configuration # ===================== # By default, if Snyk API becomes unavailable for any reason, all artifact downloads are blocked. # Setting this property to "false" allows download of artifacts. # Default value: "true" snyk.scanner.block-on-api-failure=true # Global threshold for vulnerability issues. Valid values include "none", "low", "medium", "high", "critical". # Default value: "low" snyk.scanner.vulnerability.threshold=low # Global threshold for license issues. Valid values include "none", "low", "medium", "high", "critical". # Default value: "low" snyk.scanner.license.threshold=low
-
The following properties can be configured in this file:
-
snyk.api.url—on-prem customers should update the URL of their Snyk API endpoint based on their Snyk deployment; other users need not configure a URL.
-
snyk.api.token—this property is mandatory and must be configured in order for Snyk to authenticate your account, before scanning your artifacts. This is the token you copied in step 1.
-
snyk.api.organisation—this property is mandatory and must be configured in order for Snyk to authenticate your account, along with your API token. Because this plugin does not import any data to your Snyk account, you can use the ID from any of your organizations. This is the organization ID you copied in step 1.
-
snyk.artifactory.scanner.vulnerability.threshold—default is *low*. Valid values include none, low, medium, high, and critical. Manually update the configuration based on your needs.
-
snyk.artifactory.scanner.license.threshold—default is *low*. Valid values include none, low, medium, high, and critical. Manually update the configuration based on your needs.
-
-
Paste the token and the organization ID in place of the sample values for each of the parameters.
-
Copy and paste the plugin into ${ARTIFACTORY_HOME}/etc/plugins/
-
Restart your Artifactory server.
Note
Refresh now or Reload is not sufficient. Artifactory must be restarted.
-
Log in to your Artifactory instance and navigate to the System Logs to double-check Snyk has been installed successfully.
Snyk runs in the background and whenever a download is requested from the UI or from the CLI, Snyk automatically scans the artifact to evaluate vulnerabilities and license issues.
When the scan ends, results are displayed in the Artifactory UI, in the artifact details.
To view details about download status, open the System Logs:
|
When the scan fails, based on the configurations that were set during installation, the download request is blocked. By reviewing the results, you can evaluate the issues found in your artifact and determine a course of action, before ever using that artifact.
When your setup blocks downloads with issues, you can override this configuration at the artifact level—enabling downloads even when issues are identified, per artifact.
From the UI, the Snyk properties are displayed similar to the following:
 |
Work with Snyk properties from Artifactory as follows:
|
Property |
Description |
|
snyk.issue.url |
This is the URL to our database and explanation of the vulnerability, including specific details about vulnerable versions, available upgrades and Snyk patches as well. |
|
snyk.issue.vulnerabilities |
Regardless of the thresholds configured, this row displays vulnerability summary scan results. |
|
snyk.issue.vulnerabilities.forceDownload |
Default: false Valid values: true, false Based on the configured thresholds, if relevant issues are found during the Snyk scan, the download is blocked when set to false. To configure locally for a single package, click the property link, enter true in place of false and click Save. Artifactory notifies that the property has updated successfully. For this specific artifact, you can now download regardless of any issues. |
|
snyk.issue.vulnerabilities.forceDownload.info |
Explains why this artifact can or cannot be downloaded. |
|
snyk.issue.licenses |
Regardless of the thresholds configured, this row displays license summary scan results. |
|
snyk.issue.licenses.forceDownload |
Regardless of the thresholds configured, this row displays license summary scan results. |
|
snyk.issue.licenses.forceDownload.info |
Explains why this artifact can or cannot be downloaded. |