Last updated Jul 22, 2024

Integrate Compass with Snyk

The Snyk app for Compass is currently in early access, if you would like to try it out and give us feedback please hit the "Give feedback" button in Compass.

What is Snyk?

Snyk is a developer security platform allowing you to scan, prioritize, and fix security vulnerabilities in your code, open source dependencies, container images, and Infrastructure as Code (IaC) configurations.

Compass currently supports Snyk as a tool to:

  • capture and visualize security events on the activity feed alongside other events in your environment
  • provide vulnerability metrics for your components and scorecards

Integrate Compass with Snyk

With the Snyk app for Compass, you can associate a Snyk target with a Compass component to get data and events on vulnerabilities directly in Compass. Currently, the app supports watching all Git repository links in Compass that match targets already registered in your Snyk organization. Compass will watch for critical vulnerabilities belonging to the associated Snyk target to plot those on the Compass activity feed and calculate critical and high open vulnerability-related metrics. These metrics can of course be used with Compass scorecards.

To integrate Compass with Snyk, you must first install the Snyk app in Compass. Then, you connect Compass to the Snyk group that contains the organizations you want to track.

We currently support adding only one Snyk organization to your Compass site. We are working on adding support for adding multiple organizations as you read this!

When you integrate an app with Compass, other Compass users can view events and metrics data sent from the app to Compass, even if they don't have access to that data in the underlying app. For example, when you integrate Bitbucket with Compass, someone who doesn't have access to a repository can see the events and metrics related to that repository in Compass. The same applies to data sent from this app to Compass.

Before you begin

Perform the integration

Integrate Compass with Snyk:

  1. Select Apps from the top navigation bar in Compass.
  2. Select Install on the Snyk app card. This installs the Snyk app in Compass.
  3. Select Configure on the Snyk app card.
  4. Create a new Service Account with Group Viewer permission for your Snyk Group and enter it under Group API Key along with your Group id which can be found in Snyk settings.
  5. Select Next.

Connect organizations you want to track

After the group connection, choose the organizations you want to track. Currently, it's possible to connect up to 25 organizations.

Manage group's organizations

To manage your group's organizations:

  1. Click the Configure button that opens the edit view with the list of the organizations and their connection status.
  2. Click Connect/Disconnect to change the status of each organization separately.

Note: metrics and events for connected organizations will begin appearing within a couple of hours after connecting to Snyk.

Anytime you add a repository link to a component, the Snyk app for Compass will see if that target exists in your connected Snyk organization. If it finds a target in Snyk, Compass will create open critical and high vulnerability metrics for your component.

  1. To get Snyk data for a new component in Compass, navigate to the component you want to connect to your Snyk issues information.
  2. On the component’s overview page, you’ll see the Repository section on the right side of the component’s details.
  3. Paste the link to your repository/Snyk target in this section. Make sure that it is the first link in this section.
  4. Select Add.
  5. Reload the page and now metrics for open vulnerabilities should display.
  6. Select Activity and view any critical vulnerability events displayed.

If for some reason you encounter an error after adding a Snyk target, make sure you have entered the right type of link (e.g. https://github.com/yourorganization/yourrepository/).

Events and metrics stay fresh from Snyk

Once an hour, the Snyk app for Compass will retrieve the latest information from Snyk about your components. For each of your components, you will see critical vulnerability events in the activity feed and metrics for open critical and high vulnerabilities. Note: if you have a lot of targets or issues the updating process may take longer than an hour.

Supported metrics

Learn more about Compass metrics.

MetricDescriptionHow it's calculated
Snyk: Open “Critical” vulnerabilitiesTotal number of critical issues.Critical issues from associated Snyk target.
Snyk: Open “High” vulnerabilitiesTotal number of high issues.High issues from associated Snyk target.

If you do not see metrics updating it could be that you have not had any issues recently (hooray!). Make sure you also added the correct Snyk target link to the component.

To see the detailed information about issues in the activity feed:

  1. In Compass, navigate to a component you want to view issues for.
  2. Choose the 'Activity' on the left side of the page.
  3. You should see the details about each critical issue you have.

Disconnect the Snyk group/organization connected with Compass

Disconnecting your Snyk organization/group means issues information will no longer be displayed for related components.

Disconnect the Snyk group

To disconnect a Snyk group from Compass:

  1. In Compass, from the top navigation bar, select Apps.
  2. Select Configure on the Snyk app card.
  3. Select Disconnect. The Snyk group is disconnected from Compass and the page refreshes to its initial state with no group connected.

Uninstall the Snyk app from Compass

If you no longer want to use the Snyk app from Compass you can uninstall it:

  1. In Compass, from the top navigation bar, select Apps.
  2. Select Configure on the Snyk app card.
  3. Select Uninstall on the Snyk app card. The Snyk app uninstalls from Compass.

Troubleshooting

I don't see any Snyk metrics for my component.

Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.

I don't see any Snyk events for my component on the activity feed.

Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.

Additionally, only critical vulnerability events will be displayed on the activity feed. High, medium, and low severity events will not be displayed.

How often are events and metrics from Snyk refreshed?

We pull data from Snyk once an hour to refresh your metrics and events. Customers with very large numbers of Snyk targets or open issues may notice refreshes occur less frequently than once an hour. Please contact us if you are experiencing this.

Rate this page: