|
2 | 2 | title: "Snyk" |
3 | 3 | toc_hide: true |
4 | 4 | --- |
5 | | -Snyk output file (snyk test \--json \> snyk.json) can be imported in |
6 | | -JSON format. Only SCA (Software Composition Analysis) report is supported (SAST report not supported yet). |
| 5 | + |
| 6 | +Snyk output file can be imported in JSON format. Snyk is a developer-first |
| 7 | +security platform that identifies vulnerabilities in open source dependencies |
| 8 | +(SCA) and application code (SAST). DefectDojo currently supports the SCA |
| 9 | +report format via the Snyk parser. For SAST findings, use the |
| 10 | +[Snyk Code](../snyk_code) parser instead. |
7 | 11 |
|
8 | 12 | ### Sample Scan Data |
| 13 | + |
9 | 14 | Sample Snyk scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/snyk). |
10 | 15 |
|
11 | | -### Default Deduplication Hashcode Fields |
12 | | -By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/): |
| 16 | +--- |
| 17 | + |
| 18 | +## Supported Report Types |
| 19 | + |
| 20 | +| Report Type | Supported | Parser | |
| 21 | +|---|---|---| |
| 22 | +| Snyk SCA (Open Source) | ✅ Yes | Snyk | |
| 23 | +| Snyk SAST (Code) | ✅ Yes | Snyk Code | |
| 24 | +| Snyk Issue API | ✅ Yes | Snyk Issue API | |
| 25 | + |
| 26 | +This page covers the **Snyk SCA (Open Source)** parser only. |
| 27 | + |
| 28 | +--- |
| 29 | + |
| 30 | +## How to Export from Snyk |
| 31 | + |
| 32 | +### Option 1 — Snyk Web UI (Recommended for Enterprise Use) |
| 33 | + |
| 34 | +1. Log in to your Snyk account at **app.snyk.io** |
| 35 | +2. Navigate to your **Organization** and select the **Project** you want |
| 36 | + to export |
| 37 | +3. Click on the project to open the vulnerability list |
| 38 | +4. Click the **Export** button at the top right of the findings list |
| 39 | +5. Select **JSON** as the export format |
| 40 | +6. Save the exported file |
| 41 | + |
| 42 | +### Option 2 — Snyk CLI |
| 43 | + |
| 44 | +If you prefer to export via the command line: |
| 45 | + |
| 46 | +```bash |
| 47 | +snyk test --json > snyk.json |
| 48 | +``` |
| 49 | + |
| 50 | +For monorepos or projects with multiple package managers, scan all |
| 51 | +projects at once: |
| 52 | + |
| 53 | +```bash |
| 54 | +snyk test --all-projects --json > snyk.json |
| 55 | +``` |
| 56 | + |
| 57 | +For specific package managers: |
| 58 | + |
| 59 | +```bash |
| 60 | +# For npm projects |
| 61 | +snyk test --json --file=package.json > snyk.json |
| 62 | + |
| 63 | +# For Maven projects |
| 64 | +snyk test --json --file=pom.xml > snyk.json |
| 65 | + |
| 66 | +# For Python projects |
| 67 | +snyk test --json --file=requirements.txt > snyk.json |
| 68 | +``` |
| 69 | + |
| 70 | +Once you have the JSON file, upload it into DefectDojo under your chosen |
| 71 | +Engagement using **Import Scan > Snyk Scan**. |
| 72 | + |
| 73 | +--- |
| 74 | + |
| 75 | +## Severity Mapping |
| 76 | + |
| 77 | +Snyk uses its own severity model which maps to DefectDojo as follows: |
| 78 | + |
| 79 | +| Snyk Severity | DefectDojo Severity | |
| 80 | +|---|---| |
| 81 | +| Critical | Critical | |
| 82 | +| High | High | |
| 83 | +| Medium | Medium | |
| 84 | +| Low | Low | |
| 85 | + |
| 86 | +--- |
| 87 | + |
| 88 | +## Recommended Workflow for Enterprise Use |
| 89 | + |
| 90 | +For teams running Snyk across multiple applications and repositories: |
| 91 | + |
| 92 | +1. **Use Reimport** (not Import) for recurring scans on the same target |
| 93 | + to track finding status over time rather than creating duplicate records |
| 94 | +2. **Export at the project level** rather than the organization level |
| 95 | + to maintain clean engagement boundaries in DefectDojo |
| 96 | +3. **Set SLA thresholds** in DefectDojo aligned to Snyk severity levels |
| 97 | + so that Critical and High findings trigger appropriate remediation |
| 98 | + timelines automatically |
| 99 | +4. **Use Snyk's CI/CD integration** to export JSON automatically as part |
| 100 | + of your pipeline and feed results into DefectDojo via the API for |
| 101 | + continuous vulnerability tracking |
| 102 | + |
| 103 | +--- |
| 104 | + |
| 105 | +## Default Deduplication Hashcode Fields |
| 106 | + |
| 107 | +By default, DefectDojo identifies duplicate Findings using these |
| 108 | +[hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/): |
13 | 109 |
|
14 | 110 | - vuln id from tool |
15 | 111 | - file path |
16 | 112 | - component name |
17 | 113 | - component version |
| 114 | + |
| 115 | +### Note on Deduplication |
| 116 | + |
| 117 | +Snyk can report the same vulnerability across multiple projects or |
| 118 | +package versions. When importing findings from multiple Snyk projects |
| 119 | +into the same DefectDojo product, review your deduplication settings |
| 120 | +to avoid over-counting the same underlying vulnerability. |
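Review bot: Option 1 (new lines 32-40) is labelled "Recommended for Enterprise Use" but nowhere states which JSON schema the Web UI export produces, while the line this change removes (old line 5) tied the parser explicitly to `snyk test --json > snyk.json` output; if the UI export does not emit the same structure as the CLI, readers following the recommended path will get a file the parser rejects. Suggest either confirming against the sample files linked at new line 14 that the UI export matches the CLI schema and saying so, or keeping the CLI route as the documented supported input and presenting the UI export as an alternative to verify, for example "The parser expects the JSON produced by `snyk test --json`; check that a UI export has the same structure before importing." Smaller point on the Supported Report Types table (new lines 20-24): the intro links the Snyk Code parser via `../snyk_code`, but the table rows for Snyk Code and Snyk Issue API carry no links, so a reader landing on the table cannot reach the other two parsers; linking those two rows the same way would keep the page's own "this page covers SCA only" statement (new line 26) actionable.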