Use this information to onboard your colleagues to Snyk on the Team plan, so that your team makes the best use of Snyk to find and fix project vulnerabilities by:
- Developing a rollout strategy that gets Snyk adopted by multiple users across your company,
- Making the best use of reports, prioritization and remediation to get quick results from the rollout.
This documentation assumes you have already used Snyk and are familiar with its core functions.
- Introduction to the Snyk Team plan
- Getting started with Snyk products
- Quick start guide and general overview (video)
These good practice suggestions help you design your rollout plan to align to your team’s success criteria and targets.
Work with early adopters
Consider initially working with early-adopter teams and users, testing and monitoring their projects using the CLI. This should give you some quick results; you can then repeat the process with other teams and users.
Starting with a few users avoids issues you may encounter if you try to roll Snyk out all at once across your company.
Set up an SCM integration
If your company uses a supported Source Code Management (SCM) system such as GitHub, we recommend setting up your early adopters with that SCM integration.
Starting with this integration makes it easy for developers to find and fix vulnerabilities, and to be alerted when new vulnerabilities are disclosed in dependencies they already use. Once this is working, these users can act as internal advocates and demonstrate the benefits of using Snyk to other teams.
Note: This approach works for projects using Node, Java, Python and Ruby. If support is needed for Go, PHP or .NET, use the CLI as the primary method of testing and monitoring projects.
Note: For Scala and Gradle projects only, we recommend scanning in the CLI or CI/CD rather than through the SCM integration, to get accurate results.
Integrate into your CI/CD pipeline
A further step in the rollout is to integrate Snyk into your CI/CD pipeline across all teams and projects, so that Snyk runs as part of your build system.
This approach gives you coverage of your codebase quickly, because CI/CD pipelines are usually shared and maintained by relatively few people. It gives you visibility into the state of your open source vulnerability exposure.
You can also decide whether to simply report on vulnerabilities or to break the build when one is discovered. A typical approach is to start with reporting only; once you have visibility, roll out the next phase and start failing builds, for example only on high or critical severity at first (the CLI supports this with `--severity-threshold`).
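The report-then-enforce rollout described above, as an added example that is not part of the original page or of the Snyk CLI: a small Python wrapper that a CI job could run around `snyk test --json`. It honours the documented CLI exit codes (0 no issues, 1 issues found, 2 scan failure, 3 no supported projects), keeps the build green in report mode for findings but never for a broken scan, counts each vulnerability ID once even when it is reachable through several dependency paths, and lists upgradable or patchable issues before unfixable ones at the same severity. The embedded report is constructed sample data with placeholder IDs, not real scan output.

```python
"""Severity-gated Snyk check for CI: start in report mode, then switch to enforce."""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of `snyk test --json` output. The IDs and package names are
# placeholders invented for this example, not real Snyk vulnerability IDs.
SAMPLE_REPORT = {
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLEA-0000001", "severity": "high", "packageName": "example-a",
         "version": "1.0.0", "isUpgradable": True, "isPatchable": False,
         "from": ["app@1.0.0", "example-a@1.0.0"]},
        {"id": "SNYK-JS-EXAMPLEB-0000002", "severity": "medium", "packageName": "example-b",
         "version": "2.3.0", "isUpgradable": False, "isPatchable": True,
         "from": ["app@1.0.0", "example-b@2.3.0"]},
        {"id": "SNYK-JS-EXAMPLED-0000004", "severity": "medium", "packageName": "example-d",
         "version": "0.9.0", "isUpgradable": False, "isPatchable": False,
         "from": ["app@1.0.0", "example-d@0.9.0"]},
        {"id": "SNYK-JS-EXAMPLEC-0000003", "severity": "low", "packageName": "example-c",
         "version": "4.0.0", "isUpgradable": False, "isPatchable": False,
         "from": ["app@1.0.0", "example-c@4.0.0"]},
        # Same issue as the first entry, reached through a second dependency path.
        {"id": "SNYK-JS-EXAMPLEA-0000001", "severity": "high", "packageName": "example-a",
         "version": "1.0.0", "isUpgradable": True, "isPatchable": False,
         "from": ["app@1.0.0", "example-b@2.3.0", "example-a@1.0.0"]},
    ],
}


def run_snyk_test(extra_args=()):
    """Run `snyk test --json` and return (exit_code, parsed_report_or_None)."""
    proc = subprocess.run(["snyk", "test", "--json", *extra_args],
                          capture_output=True, text=True)
    try:
        report = json.loads(proc.stdout) if proc.stdout.strip() else None
    except json.JSONDecodeError:
        report = None
    return proc.returncode, report


def select_issues(report, threshold="high"):
    """Unique issues at or above `threshold`, most urgent first.

    Ordering: higher severity first, then issues with an upgrade or patch
    available before those without one, so developers see quick wins first.
    """
    min_rank = SEVERITY_RANK[threshold]
    unique = {}
    for vuln in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(vuln["severity"], -1) < min_rank:
            continue
        unique.setdefault(vuln["id"], vuln)  # one entry per ID, whatever the path
    return sorted(
        unique.values(),
        key=lambda v: (-SEVERITY_RANK[v["severity"]],
                       not (v.get("isUpgradable") or v.get("isPatchable")),
                       v["id"]),
    )


def gate(exit_code, report, mode="report", threshold="high"):
    """Decide the CI outcome. Returns (should_fail, summary_lines).

    mode="report": findings never fail the build, a broken scan always does.
    mode="enforce": any finding at or above `threshold` fails the build.
    """
    # Snyk CLI exit codes: 0 no issues, 1 issues found, 2 failure, 3 no supported projects.
    if exit_code in (2, 3) or report is None:
        return True, [f"snyk test produced no usable result (exit code {exit_code})"]
    issues = select_issues(report, threshold)
    lines = [f"{len(issues)} issue(s) at severity >= {threshold}"]
    for v in issues:
        fix = "upgrade" if v.get("isUpgradable") else "patch" if v.get("isPatchable") else "no fix"
        lines.append(f"  {v['severity']:<8} {v['id']} {v['packageName']}@{v['version']} [{fix}]")
    if mode == "report":
        return False, lines
    return bool(issues), lines


if __name__ == "__main__":
    ci_mode = sys.argv[1] if len(sys.argv) > 1 else "report"
    code, data = run_snyk_test()
    failed, summary = gate(code, data, mode=ci_mode)
    print("\n".join(summary))
    sys.exit(1 if failed else 0)
```

Run it as `python snyk_gate.py report` during the visibility phase and switch the argument to `enforce` once teams have had time to work through the initial findings; the threshold argument of `gate()` is the knob to tighten over time.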
With Snyk adopted in your team, you can then view and manage the results of vulnerability scans.
Prioritizing vulnerabilities and IaC misconfigurations
You can use Snyk prioritization functions to focus on fixing the most important and risky vulnerabilities first. This keeps developers from being swamped with large numbers of findings and helps adoption of Snyk as a remediation tool.
You can filter issues in the Snyk UI:
- Prioritizing Snyk issues
- Evaluating and prioritizing vulnerabilities
- How to prioritize your vulnerabilities in the Snyk UI (video)
Snyk allows you to ignore vulnerabilities in the UI using the Ignore button, or outside the UI:
- Using Ignore in the CLI
- Using a Snyk policy file (.snyk) to add ignores for the project
- For bulk ignores, using the Python SDK.
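A project-level `.snyk` policy file carrying an ignore, as an added example that is not part of the original page. The vulnerability ID, package names and dates are placeholders invented for illustration, not real Snyk identifiers. The two practitioner points are the `expires` date, which makes the ignore lapse automatically so it has to be re-justified, and the `reason` field, which records why the risk was accepted; both are visible in the Snyk reports and to the CLI.

```yaml
# .snyk policy file, kept in the project root next to the manifest (example, not from the page).
version: v1.25.0
ignore:
  # Placeholder ID: replace with the real Snyk issue ID from the report.
  SNYK-JS-EXAMPLEPKG-0000000:
    # '*' ignores the issue on every dependency path. To ignore a single path
    # instead, use the path from the report, for example 'app@1.0.0 > example-pkg@1.2.3'.
    - '*':
        reason: Vulnerable function is not reachable; no upstream fix available yet
        # Time-box the ignore so it is re-evaluated rather than silently permanent.
        expires: 2025-01-31T00:00:00.000Z
        created: 2024-10-31T00:00:00.000Z
patch: {}
```

The same entry can be written by the CLI with `snyk ignore --id=<issue id> --expiry=<date> --reason='<text>'`, which edits the `.snyk` file for you; commit the file so that every developer's and CI scan of the project applies the same ignores.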
Remediation of vulnerabilities can be carried out:
- Using automatic pull/merge requests in your SCM integration.
- Using the CLI `snyk wizard` command (Node only).
- Following the remediation advice and updating the dependencies manually.
- With Snyk Container base image remediation and fix PRs.
- Using Snyk IaC remediation advice.
- Using Snyk Code remediation advice.
- Starting to fix vulnerabilities
- Remediate your vulnerabilities
- How to view and start addressing your vulnerabilities (video).
Using Snyk patches
Patches are code changes that the Snyk security team creates for issues that have no upstream fix. Snyk adds a dependency to your project and a pre-publish script that applies the patch when the project is installed.
Snyk automatically notifies you when new issues are found in the projects you are monitoring, so that you are aware of new risks as they appear:
You can customize the emails that all your organization's members receive, and individual users can set their own defaults in their account settings.