Integrate Compass with Snyk
Snyk is a developer security platform allowing you to scan, prioritize, and fix security vulnerabilities in your code, open source dependencies, container images, and Infrastructure as Code (IaC) configurations.
Compass currently supports Snyk as a tool to:
capture and visualize security events on the activity feed alongside other events in your environment
provide vulnerability metrics for your components and scorecards (derived from events)
Integrate Compass with Snyk
You must be on a Snyk Enterprise plan to use the Snyk app for Compass. Use of the Snyk API requires a Snyk Enterprise Plan.
With the Snyk app for Compass, you can associate a Snyk target with a Compass component to get data and events on vulnerabilities directly in Compass. Currently, the app supports watching all Git repository links in Compass that match targets already registered in your Snyk organization. Compass will watch for critical and high vulnerabilities belonging to the associated Snyk target to plot those on the Compass activity feed and calculate critical and high open vulnerability-related metrics. These metrics can of course be used with Compass scorecards.
To integrate Compass with Snyk, you must first install the Snyk app in Compass. Then, you connect Compass to the Snyk group that contains the organizations you want to track.
When you integrate an app with Compass, other Compass users can view events and metrics data sent from the app to Compass, even if they don't have access to that data in the underlying app.
For example, when you integrate Bitbucket with Compass, someone who doesn't have access to a repository can see the events and metrics related to that repository in Compass. The same applies to data sent from this app to Compass.
Before you begin
Ensure you have a Snyk Enterprise plan. Use of the Snyk API requires a Snyk Enterprise Plan.
Ensure that you’re a group admin on the Snyk group you want to connect to, or work with your group admin to install this Snyk app.
Ensure that you’re an admin on your Compass instance.
Perform the integration
Integrate Compass with Snyk:
Select Apps from the top navigation bar in Compass.
Select Install on the Snyk app card. This installs the Snyk app in Compass.
Select Configure on the Snyk app card.
Create a new Service Account with Group Viewer permission for your Snyk Group and enter it under Group API Key along with your Group ID, which can be found in Snyk settings.
Select Next.
Connect organizations you want to track
After the group connection, choose the organizations you want to track. Currently, it's possible to connect up to 25 organizations.
Manage a group's organizations
To manage your group's organizations:
Select Configure, which opens the edit view with the list of the organizations and their connection status.
Select Connect or Disconnect to change the status of each organization separately.
Note: Metrics and events for connected organizations will begin appearing within a couple of hours after connecting to Snyk.
Ongoing discovery when repository links are added
Any time you add a repository link to a component, the Snyk app for Compass will see if that target exists in your connected Snyk organization. If it finds a target in Snyk, Compass will create open critical and high vulnerability metrics for your component.
To get Snyk data for a new component in Compass, navigate to the component you want to connect to your Snyk issues information.
On the component’s overview page, you’ll see the Repository section on the right side of the component’s details.
Paste the link to your repository/Snyk target in this section. Make sure that it is the first link in this section.
Select Add.
Reload the page and now metrics for open vulnerabilities should display.
Select Activity and view any critical vulnerability events displayed.
If you encounter an error after adding a Snyk target, make sure you have entered the right type of link (for example, http://github.com/yourorganization/yourrepository/).
Events and metrics stay fresh from Snyk
Once an hour, the Snyk app for Compass will retrieve the latest information from Snyk about your components. For each of your components, you will see critical and high vulnerability events in the activity feed and metrics for open critical and high vulnerabilities.
If you have a lot of targets or issues, the updating process may take longer than an hour.
Supported metrics
| Metric | Description | How it's calculated |
|---|---|---|
| Open critical security vulnerabilities | The number of open critical severity vulnerabilities for a component, derived from vulnerability events. | Derived from vulnerability events for critical severity issues from the associated Snyk target. |
| Open high security vulnerabilities | The number of open high severity vulnerabilities for a component, derived from vulnerability events. | Derived from vulnerability events for high severity issues from the associated Snyk target. |
| Mean time to remediate critical severity vulnerabilities | The time it takes to fully remediate a critical severity vulnerability, from when it was first discovered to when it was remediated. Averaged over the last 10 vulnerabilities. | Derived from vulnerability events for critical severity issues from the associated Snyk target. |
| Mean time to remediate high severity vulnerabilities | The time it takes to fully remediate a high severity vulnerability, from when it was first discovered to when it was remediated. Averaged over the last 10 vulnerabilities. | Derived from vulnerability events for high severity issues from the associated Snyk target. |
Read more about derived metrics
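To make the derivation in the table concrete, here is an added example (not Compass or Snyk code) that computes the four metrics from a constructed list of vulnerability events. It assumes the rules stated on this page: only critical and high issues count, only issues opened after the connection was established are considered (no backfill), and mean time to remediate is averaged over the last 10 remediated issues. The event shape is invented for illustration and is not Snyk's API format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

COUNTED_SEVERITIES = ("critical", "high")   # medium/low never appear in metrics
MTTR_WINDOW = 10                            # MTTR averages the last 10 remediated issues


@dataclass
class VulnEvent:
    """Constructed event shape (assumption, not Snyk's real payload)."""
    issue_id: str
    severity: str                      # "critical" | "high" | "medium" | "low"
    opened_at: datetime
    remediated_at: Optional[datetime] = None


def eligible_events(events: List[VulnEvent], connected_at: datetime) -> List[VulnEvent]:
    """Drop severities the app ignores and issues opened before the connection (no backfill)."""
    return [e for e in events
            if e.severity in COUNTED_SEVERITIES and e.opened_at > connected_at]


def open_count(events, connected_at, severity) -> int:
    """'Open <severity> security vulnerabilities' metric."""
    return sum(1 for e in eligible_events(events, connected_at)
               if e.severity == severity and e.remediated_at is None)


def mean_time_to_remediate(events, connected_at, severity) -> Optional[float]:
    """MTTR in hours over the last MTTR_WINDOW remediated issues; None if none remediated."""
    fixed = sorted((e for e in eligible_events(events, connected_at)
                    if e.severity == severity and e.remediated_at is not None),
                   key=lambda e: e.remediated_at)[-MTTR_WINDOW:]
    if not fixed:
        return None
    hours = [(e.remediated_at - e.opened_at).total_seconds() / 3600 for e in fixed]
    return sum(hours) / len(hours)


CONNECTED_AT = datetime(2024, 1, 1)  # constructed connection time


def T(days: float, hours: float = 0) -> datetime:
    """Timestamp relative to the connection time (sample-data helper)."""
    return CONNECTED_AT + timedelta(days=days, hours=hours)


SAMPLE = [  # constructed sample events
    VulnEvent("C-0", "critical", T(-5)),                      # opened before connection: ignored
    VulnEvent("C-1", "critical", T(1)),                       # open critical
    VulnEvent("C-2", "critical", T(2), remediated_at=T(4)),   # fixed in 48h
    VulnEvent("H-1", "high", T(3)),                           # open high
    VulnEvent("H-2", "high", T(3), remediated_at=T(3.5)),     # fixed in 12h
    VulnEvent("M-1", "medium", T(4)),                         # medium: not counted
    VulnEvent("H-3", "high", T(5), remediated_at=T(6)),       # fixed in 24h
]


def metrics(events=SAMPLE, connected_at=CONNECTED_AT) -> dict:
    return {
        "open_critical": open_count(events, connected_at, "critical"),
        "open_high": open_count(events, connected_at, "high"),
        "mttr_critical_hours": mean_time_to_remediate(events, connected_at, "critical"),
        "mttr_high_hours": mean_time_to_remediate(events, connected_at, "high"),
    }
```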
Legacy custom metrics
A previous version of the Snyk app created and populated two custom metrics. These have been replaced by the predefined metrics above, but they are documented here for completeness:
| Metric | Description | How it's calculated |
|---|---|---|
| Snyk: Open “Critical” vulnerabilities | Total number of critical issues. | Critical issues from the associated Snyk target. |
| Snyk: Open “High” vulnerabilities | Total number of high issues. | High issues from the associated Snyk target. |
If you do not see metrics updating, it could be that you have not had any issues recently (hooray!). Make sure you also added the correct Snyk target link to the component.
To see the detailed information about issues in the activity feed:
In Compass, navigate to a component you want to view issues for.
Select Activity on the left side of the page.
You should see the details about each critical issue you have.
Disconnect the Snyk group/organization connected with Compass
Disconnecting your Snyk organization/group means issues information will no longer be displayed for related components.
Disconnect the Snyk group
To disconnect a Snyk group from Compass:
In Compass, from the top navigation bar, select Apps.
Select Configure on the Snyk app card.
Select Disconnect. The Snyk group is disconnected from Compass and the page refreshes to its initial state with no group connected.
Uninstall the Snyk app from Compass
If you no longer want to use the Snyk app from Compass you can uninstall it:
In Compass, from the top navigation bar, select Apps.
Select Configure on the Snyk app card.
Select Uninstall on the Snyk app card. The Snyk app uninstalls from Compass.
Troubleshooting
I don't see any Snyk metrics for my component.
Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.
I don't see any Snyk events for my component on the activity feed.
Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.
Additionally, only critical and high vulnerability events will be displayed on the activity feed. Medium and low severity events will not be displayed.
There is no backfill for events; only vulnerabilities that were opened after the connection was established will appear on the feed or count towards metric values.
How often are events and metrics from Snyk refreshed?
We pull data from Snyk once an hour to refresh your metrics and events. Customers with very large numbers of Snyk targets or open issues may notice refreshes occur less frequently than once an hour. Please contact us if you are experiencing this.