Snyk enables security across the Microsoft Azure ecosystem, including for Azure Pipelines, automatically finding and fixing application and container vulnerabilities.
Ready-to-use tasks for Azure Pipelines can be quickly inserted directly from the Azure interface, enabling you to customize and automate your pipelines with no extra coding. Amongst the tasks included is the Snyk task.
You can include the Snyk task in your pipeline to test for security vulnerabilities and licensing issues as part of your routine work; in this way, you can test and monitor your application dependencies and container images for security vulnerabilities. Once tested, you can review and work with results directly from the Azure Pipelines output, as well as from the Snyk interface.
Snyk support
Our Snyk Security Scan task is available for all languages supported by Snyk and Azure DevOps.
Once the Snyk Security Scan task has been added to a pipeline, each time the pipeline runs, the Snyk task does the following:

Scan
- Scans application dependencies or container images for vulnerabilities and licensing issues and lists them.
- If Snyk finds vulnerabilities, it does one of the following (based on your configuration):
  - Fails the pipeline
  - Lets the pipeline complete the build

Monitor
- Optionally, if the pipeline continues (the Snyk task completes successfully) and monitorOnBuild is set to true in the task, Snyk saves a snapshot of the project dependencies on snyk.io, where you can see the dependency tree with all of the issues and be alerted if and when new issues are found in the dependencies.
To start using our task as part of your pipeline build, first install the extension on your Azure DevOps instance (once per organization) from the Marketplace.

Prerequisites:
- Create a Snyk account.
- Ensure you are an owner of or an administrator for this account.

Steps:
- Access your Snyk account.
- For free plans, go to your General Account Settings, then copy your personal API authentication token and keep it somewhere safe. A personal token carries the permissions of your user account, so anything the pipeline does with it is done as you.
- For paid plans, navigate to the organization you'd like to integrate with, then go to Settings and create a new service account token. Copy it and keep it somewhere safe. A service account token is the better choice for automation: it is scoped to the organization and is not tied to an individual user's access.
- Access your Azure DevOps account and navigate to Extensions -> Browse marketplace.
- Search for the Snyk Security Scan extension and click Get it free.
- Create a new Service Connection in your project via Project Settings -> Pipelines -> Service Connections.
- Select the "Snyk Authentication" service connection type.
- In the Snyk Authentication service connection form, enter the Server URL and the Snyk API Token along with a Service connection name.
- Click Save, and check that the new service connection appears in your list of service connections.
Prerequisites
- Ensure you have a pipeline within the repository for the code you'd like to test. If you created a pipeline with the Azure Repos wizard, this file is called azure-pipelines.yml.
- If this repository has multiple service connections, check with your Snyk admin which to use for your pipeline.
- If you want to add your Dockerfile for additional base image data when testing your container, ensure the image has first been built.
Requirements
This extension requires that Node.js and npm be installed on the build agent. These are available by default on all Microsoft-hosted build agents. However, if you are using a self-hosted build agent, you may need to explicitly activate Node.js and npm and ensure they are in your PATH. This can be done using the NodeTool task from Microsoft prior to the SnykSecurityScan task in your pipeline.
Steps:
- Add the Snyk Security Scan task when you create your pipeline or while editing an existing one. For more information, see the Azure Pipelines documentation on Azure Pipelines and tasks.
- From Azure, access the pipeline that you'd like to scan for vulnerabilities, open it for editing and ensure that a Build step is included just before the point at which you'd like to insert the Snyk task.
- Open the assistant, search for the Snyk Security Scan task and click it. The configuration panel opens on top of the assistant.
- Complete the fields in the configuration. Find full details about the parameters in this article: Snyk Security Scan task parameters and values.
Warning
If the Fail build if Snyk finds issues option is checked and Snyk finds issues, the task fails the build and the job stops there: no snapshot is sent to Snyk, even if the Run Snyk monitor after test? option is selected. The monitor step only runs after a successful test.
If you clear the Fail build if Snyk finds issues option, the Snyk task still tests for vulnerabilities and reports them in the pipeline output, but does not cause the pipeline job to fail.
Tip
When testing a container image, you can specify the path to the Dockerfile with the dockerfilePath property to receive additional information about issues in your base image. The image must already have been built when the Snyk task runs.
- Place your cursor inside the pipeline, ensuring you place it before a deployment step, such as npm publish or docker push, so that a failed scan stops the artifact from being published.
Tip
You can have multiple instances of the Snyk Security Scan task within your pipeline. This might be useful, for example, if you have multiple project manifest files you want to test or if you want to test both the application and the container images.
- From the configuration panel, click Add. The task is inserted into your pipeline where your cursor was placed, appearing similar to the following:

```yaml
- task: SnykSecurityScan@0
  inputs:
    serviceConnectionEndpoint: 'mySnykToken'   # the Snyk Authentication service connection
    testType: 'app'
    monitorOnBuild: true
    failOnIssues: true
```
- Once included in your pipeline, the task runs each time the pipeline runs, and the results appear in the Azure Pipelines output view.
Note
If the Snyk task fails the build, an error message appears in the results indicating that the build failed due to snyk test.
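The steps above put one Snyk task into an existing pipeline. The following complete azure-pipelines.yml is an added example (not from the Snyk documentation or the extension itself) showing how the pieces fit together end to end: the NodeTool step for self-hosted agents, a build step before the application scan, and a second Snyk task instance scanning the container image before it is pushed, so a failing scan blocks publication. The service connection names `snyk-prod` and `acr-connection`, the registry `myregistry.azurecr.io`, the repository name `myapp`, and the `severityThreshold` input name (taken from the "Testing severity threshold" row of the parameter table; verify it against the task's configuration panel) are assumptions. The example also assumes Docker@2 tags the built image as `<registry login server>/<repository>:<tag>`, which is why that full name is passed to the container scan.

```yaml
# Added example: full pipeline with Snyk gating both the npm dependencies and
# the container image. Names marked "assumed" are not from the Snyk docs.
trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'   # Microsoft-hosted agent: Node.js and npm already present

variables:
  registry: 'myregistry.azurecr.io'   # assumed ACR login server
  repository: 'myapp'                 # assumed image repository name
  imageTag: '$(Build.BuildId)'

steps:
  # On a self-hosted agent Node.js/npm may be missing or off PATH; NodeTool
  # fixes that before the Snyk task runs. On hosted agents it is harmless.
  - task: NodeTool@0
    displayName: 'Ensure Node.js and npm are on PATH'
    inputs:
      versionSpec: '18.x'

  # Build step: the installed node_modules tree is what the app scan inspects.
  - script: npm ci
    displayName: 'Install dependencies'

  # Application scan. failOnIssues: true stops the job on findings, which means
  # monitorOnBuild only produces a snapshot when the test passes.
  - task: SnykSecurityScan@0
    displayName: 'Snyk test: npm dependencies'
    inputs:
      serviceConnectionEndpoint: 'snyk-prod'   # assumed service connection name
      testType: 'app'
      severityThreshold: 'high'                # assumed input name; report high and above
      monitorOnBuild: true
      failOnIssues: true

  - task: Docker@2
    displayName: 'Log in to registry'
    inputs:
      command: login
      containerRegistry: 'acr-connection'      # assumed Docker registry service connection

  # The image must exist locally before the container scan runs.
  - task: Docker@2
    displayName: 'Build image'
    inputs:
      command: build
      containerRegistry: 'acr-connection'
      repository: '$(repository)'
      dockerfile: 'Dockerfile'
      tags: '$(imageTag)'

  # Second Snyk task instance: container scan with the Dockerfile supplied so
  # base-image advice is included. Placed before the push, so a vulnerable
  # image never reaches the registry.
  - task: SnykSecurityScan@0
    displayName: 'Snyk test: container image'
    inputs:
      serviceConnectionEndpoint: 'snyk-prod'
      testType: 'container'
      dockerImageName: '$(registry)/$(repository):$(imageTag)'
      dockerfilePath: 'Dockerfile'
      monitorOnBuild: true
      failOnIssues: true

  # Only reached if both scans passed.
  - task: Docker@2
    displayName: 'Push image'
    inputs:
      command: push
      containerRegistry: 'acr-connection'
      repository: '$(repository)'
      tags: '$(imageTag)'
```

The ordering is the security-relevant part: both scans sit between the build that produces the artifact and the step that publishes it, so `failOnIssues: true` acts as a gate rather than a report. If you need a non-blocking scan for a while (for example while triaging a backlog), set `failOnIssues: false` on that instance; the monitor snapshot is then always created because the task no longer stops the job.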
This section describes the Snyk task parameters for the Azure Pipelines integration, their corresponding configuration fields (from the configuration panel in Azure Pipelines) and their valid values. Where the YAML input name differs from the panel label, it is given in parentheses.

| Configuration field | Description | Required | Default | Type |
|---|---|---|---|---|
| Snyk API token (serviceConnectionEndpoint) | The Azure DevOps service connection endpoint where your Snyk API token is defined. Your admin defines this within your Azure DevOps project settings, giving it a unique name to differentiate between connections. The configuration panel lists all available Snyk service connections in a dropdown. If multiple Snyk service connections are available, ask your administrator which to use for the pipeline you're working with. | Yes | none | String / Azure Service Connection Endpoint of type SnykAuth / Snyk Authentication |
| What do you want to test? (testType) | Determines which dynamic fields to display, as described in the rest of this table. | Yes | "app" | string: "app" or "container" |
| Container Image Name (dockerImageName) | The name (and tag) of the container image to test. This dynamic field appears when What do you want to test? is set to Container Image and is required for container image tests. The image must already be built on the agent. | Yes, for container image tests | none | string |
| Path to Dockerfile (dockerfilePath) | The path to the Dockerfile from which the container image was built. Supplying it lets Snyk report additional information about issues in your base image. This dynamic field appears when What do you want to test? is set to Container Image. | No | none | string |
| Custom path to manifest file to test | Applicable to application type tests only. The path to the manifest file to be used by Snyk. Provide it only if the manifest is in a non-standard location or has a non-standard name. This dynamic field appears when What do you want to test? is set to Application. | No | none | string |
| Testing severity threshold | The minimum severity to report when testing. If not configured, the threshold is low, meaning issues of all severities are reported. | No | "low" | string: "low", "medium" or "high" |
| Run Snyk monitor after test? (monitorOnBuild) | Whether to capture the dependencies of the application / container image and monitor them within Snyk. The monitor step only runs if the test step succeeds. | Yes | true | boolean |
| Fail build if Snyk finds issues (failOnIssues) | Whether the build should fail or continue when Snyk finds issues. | Yes | true | boolean |
| Project name in Snyk | A custom name for the Snyk project to be created on snyk.io. | No | none | string |
| Organization name (or ID) in Snyk (organization) | The name or ID of the Snyk organization under which this project should be tested and monitored. | No | none | string |
| Test (Working) Directory | Alternate working directory. For example, to test a manifest file in a directory other than the root of your repo, enter the relative path to that directory. | No | none | string |
| Additional command-line args for Snyk CLI (advanced) (additionalArguments) | Additional Snyk CLI arguments to pass through. Refer to the Snyk CLI help page and the CLI full reference for the available options and their syntax. | No | none | string |
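To show how the optional fields in the table map onto YAML, the following is an added example (not from the Snyk documentation) of two task instances scanning separate services in a monorepo: one blocking, one report-only. The service connection name `snyk-prod`, the organization `my-org`, the paths under `services/`, and the input names `testDirectory`, `targetFile`, `projectName` and `severityThreshold` are assumptions derived from the panel labels above; confirm them in the configuration panel before relying on them. `--fail-on=upgradable` is a Snyk CLI option and is assumed to be honoured by the task through additionalArguments.

```yaml
# Added example: mapping the parameter table to YAML for a monorepo.
# Input names marked "assumed" come from the panel labels, not the Snyk docs.
steps:
  # Service A: manifest is outside the repo root and has a non-standard name.
  # This instance gates the build, but only on issues that have a fix available.
  - task: SnykSecurityScan@0
    displayName: 'Snyk: service-a (blocking)'
    inputs:
      serviceConnectionEndpoint: 'snyk-prod'        # assumed service connection name
      testType: 'app'
      testDirectory: 'services/service-a'          # Test (Working) Directory; assumed input name
      targetFile: 'package-prod.json'              # Custom path to manifest file; assumed input name
      organization: 'my-org'                       # Organization name (or ID) in Snyk
      projectName: 'monorepo/service-a'            # Project name in Snyk; assumed input name
      severityThreshold: 'high'                    # Testing severity threshold; assumed input name
      additionalArguments: '--fail-on=upgradable'  # Snyk CLI flag: non-zero exit only when a fix exists
      monitorOnBuild: true
      failOnIssues: true

  # Service B: report-only. With failOnIssues: false the job continues, so
  # monitorOnBuild always creates a snapshot even when issues are found.
  - task: SnykSecurityScan@0
    displayName: 'Snyk: service-b (report only)'
    inputs:
      serviceConnectionEndpoint: 'snyk-prod'
      testType: 'app'
      testDirectory: 'services/service-b'
      organization: 'my-org'
      projectName: 'monorepo/service-b'
      monitorOnBuild: true
      failOnIssues: false
```

Giving each instance its own projectName keeps the two services as separate projects on snyk.io, so alerts for new issues point at the right manifest; leaving projectName empty would let Snyk derive a name, which is fine for a single-service repository but ambiguous in a monorepo.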
Example of a Snyk task to test a Node.js (npm) based application
This section shows an example Snyk Security Scan task configuration and its parameters when testing a Node.js (npm) application. Complete the configuration panel, click Add, and the task is added to your pipeline as follows.
Simple Application Testing Example

```yaml
- task: SnykSecurityScan@0
  inputs:
    serviceConnectionEndpoint: 'mySnykToken'
    testType: 'app'
    monitorOnBuild: true
    failOnIssues: true
```
Example of a Snyk task for a container image pipeline
The following is an example of the Snyk Security Scan task within the script for a container image pipeline, populated with the most common settings from the configuration panel and added to the pipeline.
Simple Container Image Testing Example

```yaml
- task: SnykSecurityScan@0
  inputs:
    serviceConnectionEndpoint: 'mySnykAuth'
    testType: 'container'
    dockerImageName: 'my-container-image-name'   # image must already be built on the agent
    dockerfilePath: 'Dockerfile'                 # optional; adds base image information
    monitorOnBuild: true
    failOnIssues: true
```