Snyk Developer Security
Overview
Snyk platform for finding and fixing vulnerabilities in code, dependencies, containers, and IaC.
Products
| Product | Scans | Use Case |
|---|---|---|
| Snyk Code | SAST | Source code vulnerabilities |
| Snyk Open Source | SCA | Dependency vulnerabilities |
| Snyk Container | Container images | Image vulnerabilities |
| Snyk IaC | Terraform, K8s, CloudFormation | Misconfigurations |
Authentication (API token — load it from an environment variable or secret store; never hard-code it in source or commit it)
python
import json
from urllib.parse import quote, urljoin

import requests
# Legacy v1 API base; the test/ignore/project helpers below talk to it.
SNYK_API_URL = "https://api.snyk.io/v1"
# REST (JSON:API) base; the REST helpers below also pass a dated `version` query parameter.
SNYK_REST_URL = "https://api.snyk.io/rest"
def snyk_headers(token: str) -> dict:
    """Build request headers for the Snyk v1 API.

    `token` is a Snyk API token and is placed verbatim in the Authorization
    header using the `token <value>` scheme; JSON is declared as the body type.
    """
    headers = {}
    headers["Authorization"] = "token {}".format(token)
    headers["Content-Type"] = "application/json"
    return headers
def snyk_rest_headers(token: str) -> dict:
    """Build request headers for the Snyk REST (JSON:API) endpoints.

    Same `token <value>` Authorization scheme as the v1 helper, but the
    content type is `application/vnd.api+json`, which the REST API expects.
    """
    auth_value = "token {}".format(token)
    return dict(
        Authorization=auth_value,
        **{"Content-Type": "application/vnd.api+json"},
    )
CLI Usage
bash
# Authenticate snyk auth <token> # Test for vulnerabilities snyk test # Current project snyk test --all-projects # Monorepo snyk test --severity-threshold=high # Filter by severity # Code analysis (SAST) snyk code test # Container scanning snyk container test <image>:<tag> snyk container test --file=Dockerfile # IaC scanning snyk iac test # Current directory snyk iac test terraform/ # Specific path snyk iac test --rules=snyk-rules/ # Custom rules # Monitor (upload to Snyk dashboard) snyk monitor snyk container monitor <image>:<tag> snyk iac test --report # Generate SBOM snyk sbom --format=cyclonedx1.4+json snyk sbom --format=spdx2.3+json
Organization & Projects
python
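def get_orgs(token: str, *, timeout: float = 30.0) -> list:
    """List the organizations visible to `token` (v1 `GET /orgs`).

    Args:
        token: Snyk API token.
        timeout: seconds to wait for the response; without one a stalled
            connection would hang the caller indefinitely.

    Returns the `orgs` list from the response body.

    Raises requests.HTTPError on a non-2xx status. Previously an expired or
    revoked token (401) was silently turned into an empty list, which looks
    identical to "no organizations" to the caller.
    """
    resp = requests.get(
        f"{SNYK_API_URL}/orgs",
        headers=snyk_headers(token),
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json().get("orgs", [])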
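def get_projects(token: str, org_id: str, *, timeout: float = 30.0) -> list:
    """List projects in an organization (v1 `GET /org/{org_id}/projects`).

    Args:
        token: Snyk API token.
        org_id: organization id, used verbatim in the URL path.
        timeout: seconds to wait for the response.

    Returns the `projects` list from the response body.

    Raises requests.HTTPError on a non-2xx status so an auth or permission
    failure is not mistaken for an organization with no projects.
    """
    resp = requests.get(
        f"{SNYK_API_URL}/org/{org_id}/projects",
        headers=snyk_headers(token),
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json().get("projects", [])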
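def get_project_issues(token: str, org_id: str, project_id: str,
                       severity: list = None, *, timeout: float = 30.0) -> dict:
    """Fetch aggregated issues for one project (v1 `POST .../aggregated-issues`).

    Args:
        token: Snyk API token.
        org_id: organization id.
        project_id: project id.
        severity: optional list of severity names to keep, e.g.
            ["critical", "high", "medium", "low"]; passed through verbatim as
            the `severity` filter. Omitted/empty means no severity filter.
        timeout: seconds to wait for the response.

    Returns the parsed JSON body.

    Raises requests.HTTPError on a non-2xx status instead of returning an
    error document that a caller could misread as "no issues".
    """
    filters = {}
    if severity:
        filters["severity"] = severity
    resp = requests.post(
        f"{SNYK_API_URL}/org/{org_id}/project/{project_id}/aggregated-issues",
        headers=snyk_headers(token),
        json={"filters": filters},
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()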
Vulnerability Analysis
python
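def test_package(token: str, org_id: str, package_manager: str,
                 package_name: str, version: str,
                 *, timeout: float = 30.0) -> dict:
    """Test a single package version (v1 `GET /test/{pm}/{name}/{version}`).

    `package_manager`, `package_name` and `version` are each percent-encoded
    as a single path segment. Without this a name containing "/" (scoped npm
    packages such as "@scope/name") or "../" would be interpolated raw into
    the URL and could address a different endpoint than intended. The server
    decodes the segments, so encoding "@" as "%40" is harmless; verify the
    scoped-package form against the Snyk API reference if results look off.

    Args:
        timeout: seconds to wait for the response.

    Returns the parsed JSON body.

    Raises requests.HTTPError on a non-2xx status.
    """
    pm_segment = quote(package_manager, safe="")
    name_segment = quote(package_name, safe="")
    version_segment = quote(version, safe="")
    resp = requests.get(
        f"{SNYK_API_URL}/test/{pm_segment}/{name_segment}/{version_segment}",
        headers=snyk_headers(token),
        params={"org": org_id},
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()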
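def test_requirements(token: str, org_id: str, requirements_content: str,
                      *, timeout: float = 60.0) -> dict:
    """Test the contents of a Python requirements.txt (v1 `POST /test/pip`).

    Args:
        token: Snyk API token.
        org_id: organization id, sent as the `org` query parameter.
        requirements_content: the raw text of the requirements file; it is
            sent as `files.target.contents`.
        timeout: seconds to wait; file tests can take longer than metadata
            calls, hence the larger default.

    Returns the parsed JSON body.

    Raises requests.HTTPError on a non-2xx status.
    """
    resp = requests.post(
        f"{SNYK_API_URL}/test/pip",
        headers=snyk_headers(token),
        params={"org": org_id},
        json={"files": {"target": {"contents": requirements_content}}},
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()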
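def test_package_json(token: str, org_id: str, package_json: dict,
                      package_lock: dict = None, *, timeout: float = 60.0) -> dict:
    """Test an npm package.json, optionally with its lockfile (v1 `POST /test/npm`).

    The v1 file-test endpoints take each file's `contents` as a string (see
    `test_requirements`, which sends the raw text). To stay compatible with
    callers that pass parsed dicts, a dict is serialised with `json.dumps`;
    a str is sent as-is.

    Args:
        package_json: package.json as a dict or its raw text.
        package_lock: optional package-lock.json as a dict or raw text; it is
            sent as an `additional` file so transitive versions are resolved.
        timeout: seconds to wait for the response.

    Returns the parsed JSON body.

    Raises requests.HTTPError on a non-2xx status.
    """
    def _contents(doc) -> str:
        # Pass text through untouched; only serialise structured input.
        return doc if isinstance(doc, str) else json.dumps(doc)

    files = {"target": {"contents": _contents(package_json)}}
    if package_lock:
        files["additional"] = [{"contents": _contents(package_lock)}]
    resp = requests.post(
        f"{SNYK_API_URL}/test/npm",
        headers=snyk_headers(token),
        params={"org": org_id},
        json={"files": files},
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()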
Container Scanning
python
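def test_container_image(token: str, org_id: str, image: str,
                         dockerfile: str = None, *, timeout: float = 120.0) -> dict:
    """Test a container image for vulnerabilities (v1 `POST /test/docker`).

    Args:
        token: Snyk API token.
        org_id: organization id, sent as the `org` query parameter.
        image: image reference as Snyk expects it (sent verbatim as `image`).
        dockerfile: optional Dockerfile contents, sent as `dockerfile`; only
            included when provided.
        timeout: seconds to wait; image scans are slow, hence the long default.

    Returns the parsed JSON body.

    Raises requests.HTTPError on a non-2xx status.
    """
    body = {"image": image}
    if dockerfile:
        body["dockerfile"] = dockerfile
    resp = requests.post(
        f"{SNYK_API_URL}/test/docker",
        headers=snyk_headers(token),
        params={"org": org_id},
        json=body,
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()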
# Parse container scan results
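def parse_container_vulns(result: dict) -> list:
    """Flatten a container test response into a list of vulnerability dicts.

    Reads `result["issues"]["vulnerabilities"]` and keeps, per entry: id,
    title, severity, cvss_score, package, version, fixed_in, description.
    Missing keys become None. Only the `vulnerabilities` bucket is read;
    any other issue buckets in the response are not surfaced here.

    Tolerates `result` being None and `issues` / `vulnerabilities` being
    absent or null (an error body or an empty scan) by returning [].
    """
    issues = (result or {}).get("issues") or {}
    raw_vulns = issues.get("vulnerabilities") or []
    return [
        {
            "id": issue.get("id"),
            "title": issue.get("title"),
            "severity": issue.get("severity"),
            "cvss_score": issue.get("cvssScore"),
            "package": issue.get("packageName"),
            "version": issue.get("version"),
            "fixed_in": issue.get("fixedIn"),
            "description": issue.get("description"),
        }
        for issue in raw_vulns
    ]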
IaC Scanning
python
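def test_iac(token: str, org_id: str, files: dict, *, timeout: float = 60.0) -> dict:
    """Test IaC files for misconfigurations (v1 `POST /test/iac`).

    Args:
        token: Snyk API token.
        org_id: organization id, sent as the `org` query parameter.
        files: the `files` object sent verbatim in the request body; its
            expected layout is not defined here — follow the Snyk v1
            reference for the target/additional structure.
        timeout: seconds to wait for the response.

    Returns the parsed JSON body.

    Raises requests.HTTPError on a non-2xx status.
    """
    resp = requests.post(
        f"{SNYK_API_URL}/test/iac",
        headers=snyk_headers(token),
        params={"org": org_id},
        json={"files": files},
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()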
# IaC issue severities and categories
# Informational grouping only: nothing in this module reads this list, and
# whether these names match the category strings the API returns is not shown
# here. NOTE(review): confirm against a real response before filtering on them.
IAC_CATEGORIES = [
    "access_control",
    "encryption",
    "logging",
    "network_security",
    "secrets_management",
    "configuration"
]
Reporting & Export
python
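def get_org_issues(token: str, org_id: str, severity: str = None,
                   issue_type: str = None, *, timeout: float = 30.0,
                   max_pages: int = 100) -> list:
    """Get all issues across an organization (REST `GET /orgs/{org_id}/issues`).

    Two defects fixed relative to the first version:
      * the severity/type filters were built into a list that was never sent,
        so callers asking for "critical" silently got every issue;
      * only the first page of the JSON:API response was returned, so large
        orgs had most of their issues dropped without any indication.

    Args:
        severity: optional severity filter, sent as `effective_severity_level`
            (the REST query parameter name per the Snyk API reference; verify
            against the pinned `version` if the API rejects it).
        issue_type: optional `type` filter, e.g. vuln, license, configuration.
        timeout: seconds to wait per page request.
        max_pages: hard cap on pages followed, so a misbehaving `links.next`
            cannot loop forever.

    Returns the concatenated `data` arrays of every page.

    Raises requests.HTTPError on a non-2xx status.
    """
    params = {"version": "2024-04-22"}
    if severity:
        params["effective_severity_level"] = severity
    if issue_type:
        params["type"] = issue_type
    headers = snyk_rest_headers(token)
    url = f"{SNYK_REST_URL}/orgs/{org_id}/issues"
    issues = []
    for _ in range(max_pages):
        resp = requests.get(url, headers=headers, params=params, timeout=timeout)
        resp.raise_for_status()
        page = resp.json()
        issues.extend(page.get("data", []))
        next_link = (page.get("links") or {}).get("next")
        if not next_link:
            break
        # `next` already carries version, filters and the cursor; resending
        # `params` would duplicate/clobber them. Links are expected to be
        # host-relative ("/rest/...") or absolute — urljoin handles both.
        url = urljoin(SNYK_REST_URL, next_link)
        params = None
    return issues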
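def export_sbom(token: str, org_id: str, project_id: str,
                format: str = "cyclonedx1.4+json", *, timeout: float = 60.0) -> dict:
    """Export a project's SBOM (REST `GET /orgs/{org_id}/projects/{id}/sbom`).

    Args:
        format: SBOM format string sent verbatim as the `format` query
            parameter (parameter name kept for callers even though it shadows
            the builtin). Only `+json` formats work with this helper: the body
            is parsed with `.json()`, so an XML variant would fail to decode —
            read `resp.text` yourself for those.
        timeout: seconds to wait; SBOM generation is not instant.

    Returns the SBOM document parsed as JSON.

    Raises requests.HTTPError on a non-2xx status.
    """
    resp = requests.get(
        f"{SNYK_REST_URL}/orgs/{org_id}/projects/{project_id}/sbom",
        headers=snyk_rest_headers(token),
        params={"version": "2024-04-22", "format": format},
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()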
Ignoring & Policy
python
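def ignore_issue(token: str, org_id: str, project_id: str, issue_id: str,
                 reason: str, expires: str = None, *,
                 reason_type: str = "not-vulnerable", ignore_path: str = "",
                 timeout: float = 30.0) -> dict:
    """Ignore an issue in a project (v1 `POST .../ignore/{issue_id}`).

    Ignores are a policy decision with audit consequences, so the inputs
    that shape them are now explicit instead of hard-coded:

    Args:
        reason: free-text justification recorded with the ignore.
        expires: optional ISO date. Without it the ignore is permanent —
            prefer setting one (and `reason_type="temporary-ignore"`) so the
            finding resurfaces for re-review.
        reason_type: one of "not-vulnerable", "wont-fix", "temporary-ignore".
            The first version always sent "not-vulnerable", which mislabels a
            "won't fix" or "later" decision as a false positive. Validated
            before any request is made.
        ignore_path: the `ignorePath` value; "" (the default) keeps the
            original behavior of ignoring the issue across the whole project
            rather than a specific dependency path.
        timeout: seconds to wait for the response.

    Returns the parsed JSON body.

    Raises ValueError for an unknown `reason_type` and requests.HTTPError on
    a non-2xx status.
    """
    allowed_reason_types = ("not-vulnerable", "wont-fix", "temporary-ignore")
    if reason_type not in allowed_reason_types:
        raise ValueError(
            f"reason_type must be one of {allowed_reason_types}, got {reason_type!r}"
        )
    body = {
        "ignorePath": ignore_path,
        "reason": reason,
        "reasonType": reason_type,
    }
    if expires:
        body["expires"] = expires  # ISO date
    resp = requests.post(
        f"{SNYK_API_URL}/org/{org_id}/project/{project_id}/ignore/{issue_id}",
        headers=snyk_headers(token),
        json=body,
        timeout=timeout,
    )
    resp.raise_for_status()
    return resp.json()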
CI/CD Integration
yaml
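# GitHub Actions
# Supply-chain note: `@master` is a mutable ref. Anyone who can push to that
# branch (or a compromised upstream) runs arbitrary code in this job with
# SNYK_TOKEN in its environment. Pin to a release tag or, better, a full
# commit SHA and let Dependabot/Renovate bump it.
- name: Snyk Security Scan
  uses: snyk/actions/node@master   # TODO: pin to a release tag or commit SHA
  with:
    args: --severity-threshold=high
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# GitLab CI
# The CLI reads SNYK_TOKEN from the environment, so `snyk auth $SNYK_TOKEN`
# is redundant; it also writes the token into the job's config file on disk.
# Define SNYK_TOKEN as a masked, protected CI/CD variable. The `snyk/snyk:node`
# tag is mutable too — pin a digest if the runner policy requires it.
snyk_scan:
  image: snyk/snyk:node
  script:
    - snyk test --severity-threshold=high
    - snyk monitor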