Adding Snyk to VSTS

Snyk is a dependency-scanning tool (its command-line client is open source) for checking a project's packages for known vulnerabilities. It currently checks the main package sources such as npm and NuGet. While it has many integrations with source control (GitHub, Bitbucket, etc.), there's no VSTS build pipeline integration yet.
As such, I've gone and used the API instead! It was fairly straightforward to set up, which is good news for the safety of our clients' projects.

tl;dr


Snyk setup

EDIT: As noted by a colleague, there are different pricing plans and the free plan may not suit all situations.


Pipeline setup

Output

Safe

Snyk output for safe project

Vulnerable

Snyk output for vulnerability

Some Explanations

Snyk requires authentication, but if the environment variable SNYK_TOKEN is present it is used automatically as the API key, so there is no interactive login step. As such, ALL commands you want to run with Snyk will require this environment variable to be set. The token grants access to your Snyk account, so store it as a secret build variable in VSTS rather than in plain text in the build definition, and map it into the step's environment explicitly (secret variables are not exposed to scripts automatically).
The snyk test command must be run from a directory containing a package management file (package.json, packages.config, etc.). It exits with a non-zero status when it finds vulnerabilities or cannot run the test, which is what makes the build step, and therefore the build, fail.
The full list of supported package managers is on their website and is quite extensive.
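As an added example (this is my own script, not one from the original post or from Snyk), here is a POSIX shell build step that encodes the points above: it refuses to run unless SNYK_TOKEN is set and the target directory holds a package manifest, then runs snyk test from inside that directory and propagates the exit code so the VSTS step fails on findings. The function names, the two-manifest list, and the invocation convention (sh snyk-step.sh run <dir>) are assumptions of mine; the Snyk CLI is assumed to be installed on the build agent (for example with npm install -g snyk) and SNYK_TOKEN is assumed to be mapped in from a secret build variable.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions:
#   - SNYK_TOKEN is injected by the pipeline from a secret build variable
#   - the Snyk CLI is installed on the build agent
#   - the project directory holds a supported manifest such as package.json
#     or packages.config

# Manifests this script looks for. Snyk supports many more (see its docs);
# these are the two named in the post. Hypothetical list for illustration.
SNYK_MANIFESTS="package.json packages.config"

# Return 0 if directory $1 contains at least one known manifest, 1 otherwise.
has_manifest() {
    dir="$1"
    for m in $SNYK_MANIFESTS; do
        [ -f "$dir/$m" ] && return 0
    done
    return 1
}

# Check the preconditions from the "Some Explanations" section before the CLI
# is invoked, so a misconfigured build fails with a clear message instead of
# an authentication error or a "could not detect project" error.
# Returns 0 when it is safe to run; 2 = no token, 3 = bad directory,
# 4 = no manifest. The reason is written to stderr.
check_snyk_prereqs() {
    dir="$1"
    if [ -z "${SNYK_TOKEN:-}" ]; then
        echo "SNYK_TOKEN is not set; map the secret build variable into the environment" >&2
        return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "project directory '$dir' does not exist" >&2
        return 3
    fi
    if ! has_manifest "$dir"; then
        echo "no supported package manifest ($SNYK_MANIFESTS) found in '$dir'" >&2
        return 4
    fi
    return 0
}

# Run `snyk test` from inside the project directory. The CLI exits 0 when no
# known vulnerabilities are found and non-zero when it finds some or cannot
# run, so returning its status makes the VSTS step (and the build) fail.
# The subshell keeps the cd from leaking into the rest of the build script.
run_snyk_test() {
    dir="$1"
    check_snyk_prereqs "$dir" || return $?
    (
        cd "$dir" || exit 5
        snyk test
    )
}

# Only call out to Snyk when invoked as `sh snyk-step.sh run <dir>`, so the
# functions above can be sourced and tested without network access.
if [ "${1:-}" = "run" ]; then
    run_snyk_test "${2:-.}"
fi
```

In the VSTS build definition this is a single Shell Script (or Command Line) step with SNYK_TOKEN supplied from a secret variable; the step fails whenever check_snyk_prereqs or snyk test returns non-zero, which is the behaviour shown in the "Vulnerable" output above.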

Some other things to note:

Happy Snyking!!

Tags: azure