Snyk

Overview

The Snyk integration allows Datadog Continuous Profiler to report on vulnerabilities in your Java libraries. The CVE (Common Vulnerabilities and Exposures) analysis is performed using Snyk’s Intel Vulnerability DB.

Setup

Installation

  1. Sign up for a Snyk account.

  2. Enable the Datadog Continuous Profiler by following the setup guide. The integration is only available for Datadog Continuous Profiler customers.

  3. Install datadog-ci and snyk:

     npm install --save-dev @datadog/datadog-ci snyk

  4. In your build, authenticate the Snyk CLI:

     snyk auth "$YOUR_SNYK_TOKEN"

Configuration

  1. In your build, generate a dependency graph file:

     snyk test --print-deps --json > deps.json

     If you have a repo with multiple projects, add --file=<package file> to the Snyk command. For example, --file=<pom.xml>. See the Snyk documentation for more information.

  2. For the most accurate analysis, add version and service tags on your deployment. See Unified Service Tagging for more information.

  3. Finally, upload the dependency graph to Datadog:

     datadog-ci dependencies upload deps.json --source snyk --service <SERVICE> --release-version <VERSION>

By default, this command sends requests to Datadog US. To use Datadog EU, set the DATADOG_SITE environment variable to datadoghq.eu.
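
The build steps above combined into one CI script, as an added example that is not part of Datadog's or Snyk's documentation. It continues when `snyk test` exits 1 (vulnerabilities found, which is the result you most want reported) and refuses to upload a file that is empty or not JSON. The function names are hypothetical; `YOUR_SNYK_TOKEN` is assumed to come from the CI secret store, and datadog-ci is assumed to already have its credentials in the environment.

```shell
#!/bin/sh
# Added example: CI wrapper around the steps above. The function names
# (snyk_exit_ok, deps_file_ok, generate_and_upload) are hypothetical.

# snyk test exits 0 (no vulnerabilities) or 1 (vulnerabilities found) after a
# completed scan; 2 and 3 mean the scan itself failed.
snyk_exit_ok() {
  case "$1" in
    0|1) return 0 ;;
    *)   return 1 ;;
  esac
}

# Accept only a non-empty file whose first non-blank character opens a JSON
# object or array, so an error message redirected into it is never uploaded.
deps_file_ok() {
  [ -s "$1" ] || return 1
  first=$(tr -d '[:space:]' < "$1" | cut -c1)
  case "$first" in
    '{'|'[') return 0 ;;
    *)       return 1 ;;
  esac
}

# usage: generate_and_upload <SERVICE> <VERSION> [deps file]
# Assumes YOUR_SNYK_TOKEN comes from the CI secret store and that datadog-ci
# credentials and DATADOG_SITE (if not Datadog US) are already exported.
generate_and_upload() {
  service=$1; version=$2; deps=${3:-deps.json}
  [ -n "${YOUR_SNYK_TOKEN:-}" ] || { echo "YOUR_SNYK_TOKEN is not set" >&2; return 2; }
  snyk auth "$YOUR_SNYK_TOKEN" >/dev/null || return 2
  rc=0
  snyk test --print-deps --json > "$deps" || rc=$?
  snyk_exit_ok "$rc" || { echo "snyk test failed (exit $rc)" >&2; return 2; }
  deps_file_ok "$deps" || { echo "$deps is empty or not JSON" >&2; return 2; }
  datadog-ci dependencies upload "$deps" --source snyk \
    --service "$service" --release-version "$version"
}

# Run only when a service and version are passed on the command line.
if [ "$#" -ge 2 ]; then
  generate_and_upload "$@"
fi
```

Without the exit-code check, a build that runs with `set -e` stops at `snyk test` as soon as a vulnerability is found, so the dependency graph for the affected release never reaches Datadog.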

A minute or two after you deploy your service, the “Vulnerability” column on the Profiles page is populated with the highest classification of vulnerability for that service. Details about the CVE vulnerabilities for the service can be found in the Analysis tab on the sidebar (detailed view of the service).

Troubleshooting

Need help? Contact Datadog support.
