New Features

 

Private registry gatekeeper plugins

  1. Docs Library | Snyk
  2. Integrations
  3. Private registry gatekeeper plugins

Artifactory Gatekeeper plugin overview

Feature availability
This feature is available with Enterprise and Pro plans. See Pricing plans for more details.

With the Snyk plugin for Artifactory you can track open source vulnerabilities and license details in your cached artifacts.

Once installed, Snyk plugin runs in the background and automatically:

  1. Blocks devs from downloading packages with vuln / license issues according to a predefined threshold that the admin sets

  2. Adds vuln and license data from Snyk as properties in artifact

Note

This article refers to the Artifactory Plugin, an independent piece of software which is installed on the Artifactory machine and serves as a gatekeeper, blocking vulnerable packages from being downloaded from the Artifactory instance rather than the Artifactory Integration - an internal integration in Snyk app, that allows to configure SCM / CLI scans to use custom package registries.

By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk plugin enables you to more quickly track and identify issues that risk your application’s security and avoid using those artifacts in your projects.

Artifactory Gatekeeper plugin: supported languages and repos

Our Artifactory plugin is supported for the following:

  • NPM

  • Maven

  • Ruby

  • Gradle

  • SBT

  • PIP

Install the Artifactory Gatekeeper plugin

Install or upgrade the Snyk Security plugin with these steps. Once complete, Snyk automatically scans your artifacts every time you request to download them.

Prerequisites

  • To install our plugin, first, download the archived (.zip) distribution of the Snyk Security Artifactory plugin as described in the steps below.

    This archive contains the following structure, files and folders:

    *plugins
snykSecurityPlugin.groovy—our plugin
snykSecurityPlugin.properties—the configuration file for the plugin
*lib—this is the folder that contains the dependencies for this plugin.
artifactory-snyk-security-core.jar

  • You must sign up for a Pro or Enterprise account with Snyk before you begin.

  • You must have any Artifactory on-premise version between 6.2.0-6.23.3. Currently, Artifactory on-premise version 7 is not supported.

 
How to install the Artifactory Snyk plugin

  1. Go to your Snyk account and navigate to Settings to locate, copy and save the following on the side:

    • service account token or Organization API token:

    • the Organization ID for (any) one of your organizations

    APIToken_OrgID.png

  2. Go to our repo in GitHub and navigate to the Releases.

  3. From the most current release, open the Assets section to download the artifactory-snyk-security-plugin-<version>.zip archive.

  4. Extract the folders and files and move the contents of the plugins folder to /artifactory/etc/plugins

  5. Right-click the snykSecurityPlugin.properties file to open and edit it with any text editor.

  6. The file contents appear as in the image:

    Note

    When a backup file is created for the .properties file, Artifactory cannot recognize the difference between the original and the new file. Therefore, disable any backup features configured for the editor you choose before editing the file.

    image1.png

  7. The following properties can be configured in this file:

    • snyk.api.url—on-prem customers should update the URL of their Snyk API endpoint based on their Snyk deployment; other users need not configure a URL.

    • snyk.api.token—this property is mandatory and must be configured in order for Snyk to authenticate your account, before scanning your artifacts. This is the token you copied in step 1.

    • Snyk.api.organisation—this property is mandatory and must be configured in order for Snyk to authenticate your account, along with your API token. Because this plugin does not import any data to your Snyk account, you can use the ID from any of your organizations. This is the organization ID you copied in step 1.

    • snyk.artifactory.scanner.vulnerability.threshold—default is *low*. Valid values include low, medium, high. Manually update the configuration based on your needs.snyk.artifactory.scanner.license.threshold—default is *low*. Valid values include low, medium, high. Manually update the configuration based on your needs.

  8. Paste the token and the organization ID in place of the sample values for each of the parameters.

  9. Copy and paste the plugin into `${ARTIFACTORY_HOME}/etc/plugins/`

  10. Restart your Artifactory server.

    Note

    Refresh now or Reload is not sufficient. Artifactory must be restarted.

  11. Log in to your Artifactory instance and navigate to the System Logs to double-check Snyk has been installed successfully.

    image2.png
 
 

Artifactory plugin: use Snyk for your artifacts

Snyk runs in the background and whenever a download is requested from the UI or from the CLI, Snyk automatically scans the artifact to evaluate vulnerabilities and license issues.

When the scan ends, results are displayed in the Artifactory UI, in the artifact details.

To view details about download status, open the System Logs:

image2.png

When the scan fails, based on the configurations that were set during installation, the download request is blocked. By reviewing the results, you can evaluate the issues found in your artifact and determine a course of action, before ever using that artifact.

When your setup blocks downloads with issues, you can override this configuration at the artifact level—enabling downloads even when issues are identified, per artifact.

 

Artifactory: understanding the Snyk test results

From the UI, the Snyk properties are displayed similar to the following:

image3.png

Work with Snyk properties from Artifactory as follows:

Property

Description

snyk.issue.url

This is the URL to our database and explanation of the vulnerability, including specific details about vulnerable versions, available upgrades and Snyk patches as well.

snyk.issue.vulnerabilities

Regardless of the thresholds configured, this row displays vulnerability summary scan results.

snyk.issue.vulnerabilities.forceDownload

Default: false

Valid values: true, false

Based on the configured thresholds, if relevant issues are found during the Snyk scan, the download is blocked when set to false.

To configure locally for a single package, click the property link, enter true in place of false and click Save.

Artifactory notifies that the property has updated successfully. For this specific artifact, you can now download regardless of any issues.

snyk.issue.vulnerabilities.forceDownload.info

Explains why this artifact can or cannot be downloaded.

snyk.issue.licenses

Regardless of the thresholds configured, this row displays license summary scan results.

snyk.issue.licenses.forceDownload

Regardless of the thresholds configured, this row displays license summary scan results.

snyk.issue.licenses.forceDownload.info

Explains why this artifact can or cannot be downloaded.