The Snyk app for Compass is currently in early access. If you would like to try it out and give us feedback, please hit the "Give feedback" button in Compass.
Snyk is a developer security platform allowing you to scan, prioritize, and fix security vulnerabilities in your code, open source dependencies, container images, and Infrastructure as Code (IaC) configurations.
Compass currently supports Snyk as a tool to:
You must be on a Snyk Enterprise plan to use the Snyk app for Compass: the app relies on the Snyk API, and API access is only included in the Enterprise plan.
With the Snyk app for Compass, you can associate a Snyk target with a Compass component to get vulnerability data and events directly in Compass. Currently, the app watches all Git repository links in Compass that match targets already registered in your connected Snyk organization. Compass watches for critical vulnerabilities belonging to the associated Snyk target, plots them on the Compass activity feed, and calculates metrics for open critical and open high vulnerabilities. These metrics can also be used in Compass scorecards.
To integrate Compass with Snyk, you must first install the Snyk app in Compass. Then, you connect Compass to the Snyk group that contains the organizations you want to track.
A Compass site connects to one Snyk group at a time; within that group you can choose which organizations to track (currently up to 25).
When you integrate an app with Compass, other Compass users can view events and metrics data sent from the app to Compass, even if they don't have access to that data in the underlying app. For example, when you integrate Bitbucket with Compass, someone who doesn't have access to a repository can see the events and metrics related to that repository in Compass. The same applies to data sent from this app to Compass.
Integrate Compass with Snyk:
Group Viewer permission for your Snyk Group and enter it under Group API Key, along with your Group ID, which can be found in Snyk settings. Use a key that has only the Group Viewer permission: Compass needs read access to targets and issues and nothing more. After the group connection, choose the organizations you want to track. Currently, you can connect up to 25 organizations.
To manage your group's organizations:
Note: metrics and events for connected organizations will begin appearing within a couple of hours after connecting to Snyk.
Whenever you add a repository link to a component, the Snyk app for Compass checks whether a matching target exists in your connected Snyk organization (only the component's first repository link is considered). If it finds one, Compass creates open critical and open high vulnerability metrics for that component.
If you encounter an error after adding a repository link, make sure the link is the repository URL in the form Snyk knows it by (for example, https://github.com/yourorganization/yourrepository/). A link to a different host, a fork, or a sub-path will not match a Snyk target.
Once an hour, the Snyk app for Compass will retrieve the latest information from Snyk about your components. For each of your components, you will see critical vulnerability events in the activity feed and metrics for open critical and high vulnerabilities. Note: if you have a lot of targets or issues the updating process may take longer than an hour.
Learn more about Compass metrics.
Metric | Description | How it's calculated |
---|---|---|
Snyk: Open “Critical” vulnerabilities | Total number of critical issues. | Critical issues from associated Snyk target. |
Snyk: Open “High” vulnerabilities | Total number of high issues. | High issues from associated Snyk target. |
If you do not see metrics updating, it could be that you have had no new issues recently (hooray!). Also make sure the component's repository link matches the Snyk target exactly.
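The matching and counting rules described above (first repository link only, URL must match the Snyk target, metrics count open critical and open high issues, and only critical issues produce activity-feed events) are easy to get wrong when diagnosing "no metrics" cases. The following is an added example, not Atlassian's or Snyk's code, that implements those rules over constructed data. The target and issue field names ("url", "severity", "status", "is_ignored") are assumptions made for the example, not Snyk's API schema; the URL normalization (trailing slash, ".git" suffix, case, ssh vs https) is this example's own choice and is stricter than what the page guarantees.

```python
"""Added example: match a Compass repository link to a Snyk target and derive
the two Compass metrics and the activity-feed events from the target's issues.
Not Atlassian's or Snyk's code; field names and sample data are constructed."""
from __future__ import annotations

from collections import Counter
from urllib.parse import urlsplit

METRIC_SEVERITIES = ("critical", "high")  # the two metrics Compass exposes
FEED_SEVERITIES = ("critical",)           # only critical issues become events


def normalize_repo_link(link: str) -> str:
    """Reduce a repository link to 'host/owner/repo' so that formatting
    differences (trailing slash, .git suffix, case, ssh vs https) do not
    prevent a match. Lowercasing the path is an assumption that suits
    GitHub/Bitbucket; adjust for case-sensitive hosts."""
    link = link.strip()
    if link.startswith("git@"):                 # git@github.com:org/repo.git
        host, _, path = link[4:].partition(":")
    else:
        parts = urlsplit(link)
        host, path = parts.netloc, parts.path
    if not host:                                # bare "github.com/org/repo"
        host, _, path = path.lstrip("/").partition("/")
    host = host.lower().split("@")[-1]          # drop any user@ prefix
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host}/{path.lower()}"


def find_snyk_target(repo_link: str, targets: list[dict]) -> dict | None:
    """Return the target whose URL matches the link, or None (no metrics)."""
    wanted = normalize_repo_link(repo_link)
    for target in targets:
        if normalize_repo_link(target["url"]) == wanted:
            return target
    return None


def open_issues(issues: list[dict]) -> list[dict]:
    """Ignored or resolved issues do not count as open."""
    return [i for i in issues
            if i["status"] == "open" and not i.get("is_ignored", False)]


def compass_metrics(issues: list[dict]) -> dict[str, int]:
    """Open critical / open high counts, the two Compass metrics."""
    counts = Counter(i["severity"] for i in open_issues(issues))
    return {sev: counts[sev] for sev in METRIC_SEVERITIES}


def activity_feed_events(issues: list[dict]) -> list[str]:
    """Only critical open issues are plotted on the activity feed."""
    return [i["id"] for i in open_issues(issues)
            if i["severity"] in FEED_SEVERITIES]


def component_summary(repo_links: list[str], targets: list[dict],
                      issues_by_target: dict[str, list[dict]]) -> dict | None:
    """Emulate the app: only the component's FIRST repository link is used."""
    if not repo_links:
        return None
    target = find_snyk_target(repo_links[0], targets)
    if target is None:
        return None
    issues = issues_by_target.get(target["id"], [])
    return {"target": target["id"],
            "metrics": compass_metrics(issues),
            "events": activity_feed_events(issues)}


# Constructed sample data (not real Snyk targets or issues).
SNYK_TARGETS = [
    {"id": "t-1", "url": "https://github.com/yourorganization/yourrepository.git"},
    {"id": "t-2", "url": "https://github.com/yourorganization/other-service"},
]
SNYK_ISSUES = {
    "t-1": [
        {"id": "issue-1", "severity": "critical", "status": "open"},
        {"id": "issue-2", "severity": "critical", "status": "open", "is_ignored": True},
        {"id": "issue-3", "severity": "high", "status": "open"},
        {"id": "issue-4", "severity": "high", "status": "resolved"},
        {"id": "issue-5", "severity": "medium", "status": "open"},
    ],
    "t-2": [],
}

if __name__ == "__main__":
    links = ["https://github.com/yourorganization/yourrepository/"]
    print(component_summary(links, SNYK_TARGETS, SNYK_ISSUES))
```

Running the block with the constructed data yields one open critical and one open high for target t-1 (the ignored critical and the resolved high are excluded), and a single activity-feed event for the critical issue; the medium issue affects neither. A component whose first link is a repository Snyk does not scan gets `None`, which is the "no metrics" situation described in the troubleshooting notes, even if a later link on the same component would have matched.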
To see the detailed information about issues in the activity feed:
Disconnecting your Snyk organization/group means issues information will no longer be displayed for related components.
To disconnect a Snyk group from Compass:
If you no longer want to use the Snyk app from Compass you can uninstall it:
Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.
Additionally, only critical vulnerability events will be displayed on the activity feed. High, medium, and low severity events will not be displayed.
We pull data from Snyk once an hour to refresh your metrics and events. Customers with very large numbers of Snyk targets or open issues may notice refreshes occur less frequently than once an hour. Please contact us if you are experiencing this.