Last updated Sep 18, 2023

Integrate Compass with Snyk

The Snyk app for Compass is currently in early access. If you would like to try it out and give us feedback, please hit the "Give feedback" button in Compass.

What is Snyk?

Snyk is a developer security platform allowing you to scan, prioritize, and fix security vulnerabilities in your code, open source dependencies, container images, and Infrastructure as Code (IaC) configurations.

Compass currently supports Snyk as a tool to:

  • capture and visualize security events on the activity feed alongside other events in your environment
  • provide vulnerability metrics for your components and scorecards

Integrate Compass with Snyk

With the Snyk app for Compass, you can associate a Snyk target with a Compass component to get data and events on vulnerabilities directly in Compass. Currently, the app supports watching all Git repository links in Compass that match targets already registered in your Snyk organization. Compass will watch for critical vulnerabilities belonging to the associated Snyk target to plot those on the Compass activity feed and calculate critical and high open vulnerability-related metrics. These metrics can of course be used with Compass scorecards.

To integrate Compass with Snyk, you must first install the Snyk app in Compass. Then, you connect Compass to the Snyk organization that contains the targets that you want to track.

We currently support adding only one Snyk organization to your Compass site. We are working on support for multiple organizations as you read this!

Before you begin

Perform the integration

Integrate Compass with Snyk:

  1. Select Apps from the top navigation bar in Compass.
  2. Select Install on the Snyk app card. This installs the Snyk app in Compass.
  3. Select Configure on the Snyk app card.
  4. Create a new API key in Snyk and enter it under Organization API key, along with your Organization ID, which can be found in [Snyk settings](https://docs.snyk.io/snyk-admin/manage-settings/organization-general-settings).
  5. Select Connect organization.

Automatic discovery after setup

A few minutes after connecting your organization, metrics for the number of open critical and high vulnerabilities are automatically created for every component that has an existing Git repository (e.g. Bitbucket, GitHub, GitLab) link in its repository links section. Note that the repository link must also already be a target in your connected Snyk organization.

  1. In Compass, navigate to a component you want to view vulnerability events or metrics for.
  2. View the metric section of the component's details.
  3. Select Activity and view any critical vulnerability events displayed.

Any time you add a repository link to a component, the Snyk app for Compass checks whether that target exists in your connected Snyk organization. If it finds the target in Snyk, Compass begins ingesting vulnerability events and creates open critical and high vulnerability metrics for your component.

  1. To get Snyk data for a new component in Compass, navigate to the component you want to connect to its Snyk issue information.
  2. On the component’s overview page, you’ll see the Repository section on the right side of the component’s details.
  3. Paste the link to your repository/Snyk target in this section. Make sure that it is the first link in this section.
  4. Select Add.
  5. Reload the page and now metrics for open vulnerabilities should display.
  6. Select Activity and view any critical vulnerability events displayed.

If for some reason you encounter an error after adding a Snyk target, make sure you have entered the right type of link (e.g. https://github.com/yourorganization/yourrepository/).

Events and metrics stay fresh from Snyk

Once an hour, the Snyk app for Compass retrieves the latest information from Snyk about your components. For each of your components, you will see critical vulnerability events in the activity feed and metrics for open critical and high vulnerabilities. Note: if you have a lot of targets or issues, the updating process may take longer than an hour.

Supported metrics

Learn more about Compass metrics.

| Metric | Description | How it's calculated |
| --- | --- | --- |
| Snyk: Open “Critical” vulnerabilities | Total number of critical issues. | Critical issues from associated Snyk target. |
| Snyk: Open “High” vulnerabilities | Total number of high issues. | High issues from associated Snyk target. |

If you do not see metrics updating it could be that you have not had any issues recently (hooray!). Make sure you also added the correct Snyk target link to the component.

Disconnect the Snyk organization connected with Compass

Disconnecting your Snyk organization means issues information will no longer be displayed for your components.

Before you begin

  • Ensure that you’re admin on your Compass instance.

Disconnect the Snyk organization

To disconnect a Snyk organization from Compass:

  1. In Compass, from the top navigation bar, select Apps.
  2. Select Configure on the Snyk app card.
  3. Select Disconnect. The Snyk organization is disconnected from Compass and the page refreshes to its initial state with no organization connected.

Uninstall the Snyk app from Compass

If you no longer want to use the Snyk app from Compass you can uninstall it.

Before you begin

  • Ensure that you’re an admin on your Compass instance.

Uninstall the Snyk app

To uninstall the Snyk app from Compass:

  1. In Compass, from the top navigation bar, select Apps.
  2. Select Configure on the Snyk app card.
  3. Select Uninstall on the Snyk app card. The Snyk app uninstalls from Compass.

Troubleshooting

Can I connect more than one Snyk organization?

Not yet but the team is working on adding this right now!

I don't see any Snyk metrics for my component.

Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.

I don't see any Snyk events for my component on the activity feed.

Make sure the first repository link for the component in question is an existing target in the Snyk organization that is connected to your Compass site. In other words, the repository should already be getting scanned by Snyk and you should see this data in Snyk. Double-check the repository URL matches the URL in Compass.

Additionally, only critical vulnerability events will be displayed on the activity feed. High, medium, and low severity events will not be displayed.
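To make the matching rules in the two answers above concrete, here is an added illustration (not the Snyk app's own code) that mimics the behaviour this page describes: only a component's first repository link is compared against the connected organization's targets, the two metrics count open critical and high issues, and only critical issues become activity-feed events. The URL normalization rule, the sample targets and the sample issues are constructed assumptions, not Snyk data.

```python
from urllib.parse import urlparse

# Constructed sample data (not real Snyk output): targets registered in the
# connected Snyk organization, and the issues Snyk reports against them.
SNYK_TARGETS = {
    "https://github.com/yourorganization/yourrepository",
    "https://bitbucket.org/yourorganization/another-service",
}
_REPO = "https://github.com/yourorganization/yourrepository"
SNYK_ISSUES = [
    {"target": _REPO, "severity": "critical", "open": True},
    {"target": _REPO, "severity": "critical", "open": False},  # already fixed
    {"target": _REPO, "severity": "high", "open": True},
    {"target": _REPO, "severity": "medium", "open": True},
]


def normalize_repo_url(url):
    """Assumed canonical form: lower-case host, no trailing slash, no '.git'.
    This is what lets 'https://github.com/org/repo/' match the Snyk target."""
    p = urlparse(url.strip())
    path = p.path.rstrip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{p.scheme}://{p.netloc.lower()}{path}"


def matched_target(repository_links):
    """Return the Snyk target matching the component's FIRST repository link,
    or None. Later links are ignored, which is why ordering matters."""
    if not repository_links:
        return None
    targets = {normalize_repo_url(t): t for t in SNYK_TARGETS}
    return targets.get(normalize_repo_url(repository_links[0]))


def component_snyk_view(repository_links):
    """Compute the two supported metrics and the activity-feed events."""
    target = matched_target(repository_links)
    if target is None:
        return {"target": None, "open_critical": 0, "open_high": 0, "events": []}
    key = normalize_repo_url(target)
    issues = [i for i in SNYK_ISSUES if normalize_repo_url(i["target"]) == key]
    open_issues = [i for i in issues if i["open"]]
    return {
        "target": target,
        "open_critical": sum(i["severity"] == "critical" for i in open_issues),
        "open_high": sum(i["severity"] == "high" for i in open_issues),
        # Assumption: every critical issue yields one event; high/medium/low never do.
        "events": [i for i in issues if i["severity"] == "critical"],
    }
```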

How often are events and metrics from Snyk refreshed?

We pull data from Snyk once an hour to refresh your metrics and events. Customers with very large numbers of Snyk targets or open issues may notice refreshes occur less frequently than once an hour. Please contact us if you are experiencing this.