diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/README.md index b9f53a4eab95..6f09d6ff272c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/README.md 
@@ -1,34 +1,34 @@ # Snyk API & Web -Snyk API & Web is a cloud-based dynamic application security testing (DAST) solution that identifies security vulnerabilities in your running web applications and APIs. Snyk API & Web simulates real-world attacks against your deployed applications to discover security issues before attackers can exploit them. +Snyk API & Web is a cloud-based dynamic application security testing (DAST) solution that identifies security vulnerabilities in your running web applications and APIs. Snyk simulates real-world attacks against your deployed applications to discover security vulnerabilities before attackers can exploit them. -Modern applications expose complex attack surfaces through web interfaces and API endpoints. Security vulnerabilities in production applications can expose sensitive data, compromise user accounts, and damage the reputation of your organization. Traditional static analysis tools examine code at rest, but many vulnerabilities only appear when code executes in its runtime environment. +Modern applications expose complex attack surfaces through web interfaces and API endpoints. Security vulnerabilities in production applications can expose sensitive data, compromise user accounts, and damage the reputation of your company. Traditional static analysis tools examine code at rest, but many vulnerabilities only appear when code executes in its runtime environment. -Snyk API & Web tests your applications in their running state, finding runtime vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication bypasses, and configuration weaknesses. By integrating DAST throughout the software development lifecycle (SDLC), you can catch and fix vulnerabilities before they reach production. +Snyk tests your applications in their running state, finding runtime vulnerabilities such as SQL injection, cross-site scripting (XSS), authentication bypasses, and configuration weaknesses. 
By integrating DAST throughout the software development lifecycle (SDLC), you can catch and fix vulnerabilities before they reach production. ## Scan web applications and APIs -Snyk API & Web supports two scanning approaches: +Snyk supports two scanning approaches: -* **Web applications**: The scanner crawls your application, discovers pages and functionality, interacts with forms and buttons, and performs comprehensive security tests across your entire web application. -* **APIs**: The scanner tests all endpoints defined in your API schema, ensuring complete coverage of your API surface. +* Web applications: the scanner crawls your application, discovers pages and functionality, interacts with forms and buttons, and performs comprehensive security tests across your entire web application. +* APIs: the scanner tests all endpoints defined in your API schema to ensure complete coverage of your API surface. -Configure authentication to scan protected areas accessible only to logged-in users. Snyk API & Web supports multiple authentication methods including login forms, login sequences, Basic Auth, API keys, and two-factor authentication (2FA). +Configure authentication to scan protected areas accessible only to logged-in users. Snyk supports multiple authentication methods, including login forms, login sequences, Basic Auth, API keys, and two-factor authentication (2FA). ## Test behind authentication -Snyk API & Web provides flexible authentication options to scan protected application areas: +Snyk provides flexible authentication options to scan protected application areas: -* **Login forms and sequences**: Automate login flows using form selectors or recorded browser interactions. -* **Two-factor authentication**: Support for TOTP-based 2FA (for example, Google Authenticator, Authy) and email/SMS-based OTP. -* **API authentication**: API keys, login endpoints, and token-based authentication. 
-* **Logout detection**: Automatically re-authenticate if your application logs out mid-scan. +* Login forms and sequences: automate login flows using form selectors or recorded browser interactions. +* Two-factor authentication: TOTP-based 2FA (for example, Google Authenticator, Authy) and email or SMS-based OTP. +* API authentication: API keys, login endpoints, and token-based authentication. +* Logout detection: re-authenticate automatically if your application logs out mid-scan. Comprehensive authentication support ensures security coverage across your entire application, including administrative interfaces and user-specific functionality. ## Scan internal and private applications -For applications not accessible from the public internet, deploy the scanning agent in your private network. The agent creates a secure tunnel between Snyk cloud scanning infrastructure and your internal applications, enabling DAST for: +For applications not accessible from the public internet, deploy the scanning agent in your private network. The agent creates a secure tunnel between Snyk cloud scanning infrastructure and your internal applications to support DAST for: * Development and staging environments on private networks * Internal tools and administrative interfaces 
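Review bot: the shortening of "Snyk API & Web" to "Snyk" throughout the body turns product-specific capability statements into statements about Snyk as a whole, for example `-Snyk API & Web supports two scanning approaches:` / `+Snyk supports two scanning approaches:` and the authentication-methods sentence that follows it. Because this page sits under scan-with-snyk next to other Snyk scanners, keep the full product name where a capability belongs to the DAST product, or say once near the top that "Snyk" on this page means Snyk API & Web. Separately, changing "reputation of your organization" to "reputation of your company" narrows the audience (public-sector and non-profit users); "organization" was the better word.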
@@ -38,22 +38,22 @@ The agent deploys as a Docker container or Kubernetes workload in your infrastru ## Integrate into your development workflow -Snyk API & Web provides multiple interfaces for integrating security testing into your workflow: +Snyk provides multiple interfaces for integrating security testing into your workflow: -* **Web UI**: Configure targets, review findings, and generate reports -* **REST API**: Programmatic access for custom integrations and automation -* **CLI**: Command-line interface for scripting and CI/CD pipelines -* **CI/CD integrations**: Native support for Jenkins, GitHub Actions, GitLab CI, and Azure DevOps +* Web UI: configure targets, review findings, and generate reports. +* REST API: programmatic access for custom integrations and automation. +* CLI: command-line interface for scripting and CI/CD pipelines. +* CI/CD integrations: native support for Jenkins, GitHub Actions, GitLab CI, and Azure DevOps. Trigger scans automatically after deployments, fail builds based on vulnerability thresholds, and sync findings with Jira or other ticketing systems to streamline remediation across your development and security teams. ## Prioritize and fix vulnerabilities -Snyk API & Web detects and reports security vulnerabilities with detailed information including: +Snyk detects and reports security vulnerabilities with detailed information, including: -* **Severity ratings**: Automatically assigned based on vulnerability type, exploitability, impact, and scope, with CVSS scores to prioritize fixes. -* **Affected endpoints**: Specific URLs and API endpoints where vulnerabilities were found -* **Remediation guidance**: Detailed explanations and recommended fixes for each vulnerability type -* **Vulnerability evidence**: Evidence demonstrating how the vulnerability can be exploited +* Severity ratings: Snyk assigns these automatically based on vulnerability type, exploitability, impact, and scope, with CVSS scores to prioritize fixes. 
+* Affected endpoints: specific URLs and API endpoints where Snyk finds vulnerabilities. +* Remediation guidance: detailed explanations and recommended fixes for each vulnerability type. +* Vulnerability evidence: evidence demonstrating how an attacker can exploit the vulnerability. -Use customizable scan profiles to balance speed and coverage based on your needs, from lightning-fast SSL/TLS checks for CI/CD gates to comprehensive full scans for thorough security assessments. +Use customizable scan profiles to balance speed and coverage based on your needs, from fast SSL/TLS checks for CI/CD gates to comprehensive full scans for thorough security assessments. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-message-level-encryption.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-message-level-encryption.md index eeda3223ec91..4186f0fca5ea 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-message-level-encryption.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-message-level-encryption.md @@ -18,20 +18,20 @@ Additional requirements: If your target requires requests to be encrypted, configure message level encryption in the Encryption tab. -1. In Snyk API & Web, navigate to the **Targets** page. +1. In Snyk, navigate to the **Targets** page. 2. Identify the target you want to configure and click the **gear** icon to access the target settings. 3. Click the **Encryption** tab and configure all fields: * Upload a certificate with the server public key * Upload a certificate with the client private key * Enter the Key ID (KID) to be placed in the JWE header - * (Optional) Limit the set of URLs that should be encrypted + * (Optional) Limit the set of URLs to encrypt 4. Click **Save**.
Encryption settings page showing certificate upload fields and configuration options
## Verify encryption -After you save the configuration, encryption is enabled. The next time you run a scan against this target, Snyk API & Web automatically uses the configured encryption for all requests. +After you save the configuration, encryption is enabled. The next time you run a scan against this target, Snyk automatically uses the configured encryption for all requests. {% hint style="info" %} For your security, all sensitive fields (such as certificates and shared secrets) are obfuscated after they are saved and cannot be viewed or retrieved again. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-postman-collection-targets.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-postman-collection-targets.md index 2f010aeefefb..d732e9d76dd5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-postman-collection-targets.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-postman-collection-targets.md @@ -2,7 +2,7 @@ Use Postman Collections to define API endpoints for scanning with Snyk API & Web. -This article describes how to configure Snyk API & Web to scan API endpoints using a Postman Collection. The configuration involves three main steps: +Configure Snyk API & Web to scan API endpoints using a Postman Collection. The configuration involves three main steps: 1. Prepare the Postman Collection 2. Configure an API target using the Postman Collection 
@@ -10,7 +10,7 @@ This article describes how to configure Snyk API & Web to scan API endpoints usi ## Example scenario -This guide uses a Postman Collection example with the following requests: +This example uses a Postman Collection with the following requests: * **Authenticate and obtain an authentication token** - requires a username and password in the request body. * **Get a list of users** - requires the authentication token in the request header. @@ -26,14 +26,14 @@ Prepare the Postman Collection to run the sequence of requests from start to end * `username`: hard-coded value of the username to obtain the token. * `password`: hard-coded value of the password to obtain the token. - * `user_id`: value to get user details by id. You can let the value as null, since it will be set by the script dynamically. + * `user_id`: value to get user details by ID. Leave the value as null because the script sets it dynamically. -

The username and password variables should be set as Shared, so that the exported collection contains their hard-coded values. The user_id variable can be set as Unshared, since the value will be set dynamically by the script.

-2. Navigate to **Environments** to create the variable for storing the authentication token, and other variables that are set in Snyk AI & Web: - * `bearerToken`: variable to store the authentication token. You can let the value as null, since it will be set by the script dynamically. - * `baseUrl`: hard-coded value of the API url. +

Set the username and password variables as Shared, so that the exported collection contains their hard-coded values. Set the user_id variable as Unshared, because the script sets the value dynamically.

+2. Navigate to **Environments** to create the variable for storing the authentication token, and other variables that you set in Snyk API & Web: + * `bearerToken`: variable to store the authentication token. Leave the value as null because the script sets it dynamically. + * `baseUrl`: hard-coded value of the API URL. -The configuration of your collection and environments variables, should be looking like the following example: +Your collection and environment variables look like the following example:
Collection and environment variables showing username, password, user_id, bearerToken and baseUrl variables
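Review bot: the step `Set the username and password variables as Shared, so that the exported collection contains their hard-coded values.` tells the reader to ship a plaintext password inside the exported collection, while the hint later on this same page says `For security reasons, set the password variable using the credentials manager` and notes that Environment variables take precedence over collection variables. Mention the credentials-manager option at this step (and consider marking `password` Unshared here so the export carries no secret), rather than having the reader export the secret first and learn afterwards that it was unnecessary. Also, `user_id` should be in code formatting like `username` and `password`.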
@@ -63,9 +63,9 @@ In this example, the request to obtain user details requires the user identifier var jsonData = pm.response.json(); pm.collectionVariables.set('user_id', jsonData.results[0].id); ``` -2. Then, navigate to the request that gets the user details and add the `user_id` variable as a parameter. +2. Navigate to the request that gets the user details and add the `user_id` variable as a parameter. -The request to get the user details, should be looking like the following example: +The request to get the user details looks like the following example:
User details request showing the variables in request and the authorization header configuration
@@ -78,7 +78,7 @@ With all requests configured, run the collection to test it. If there are no iss After the Postman Collection is prepared and exported, add an API target. 1. Navigate to **Targets** and click **Add**. -2. Complete the Add target form: +2. Complete the **Add target** form: * **Name**: Enter a meaningful identifier for your target. * **URL**: Enter the base URL for your API. * **API Type**: Select **API**, then select **Postman Collection**. @@ -88,10 +88,10 @@ After the Postman Collection is prepared and exported, add an API target. ## Configure Postman environment variables -In our example, we added two variables to **Environments**: `baseUrl` and `bearerToken`. Since the `baseUrl` was hard-coded in Postman, we also need to set its value in Snyk API & Web. +This example added two variables to **Environments**: `baseUrl` and `bearerToken`. Because the `baseUrl` was hard-coded in Postman, you must also set its value in Snyk. {% hint style="info" %} -For security reasons you might want to set the `password` variable using the [credentials manager](../configure-authentication/manage-credentials.md). Variables added to **Environments** will take precedence to the variables added in the collection. +For security reasons, set the `password` variable using the [credentials manager](../configure-authentication/manage-credentials.md). Variables added to **Environments** take precedence over the variables added in the collection. {% endhint %} ### Manual configuration 
@@ -107,9 +107,9 @@ Configure environment variables manually in the user interface: Alternatively, import environment variables using an automated script: 1. In Postman, export the Postman environment to a file. -2. Retrieve the Python script to import Postman environment variables into Snyk API & Web. This script can be found on the [Probely API Scripts GitHub page](https://github.com/Probely/API_Scripts/blob/master/import_postman_env.py). +2. Retrieve the Python script to import Postman environment variables into Snyk. Find this script on the [Probely API Scripts GitHub page](https://github.com/Probely/API_Scripts/blob/master/import_postman_env.py). 3. Run the Python script and enter the following values: - * **Target ID**: The Snyk API & Web identifier of the API target, which can be found in the URL of the API target. For example, the target ID in `https://plus.probely.app/targets/2yzxnYgwmqbd` is `2yzxnYgwmqbd`. + * **Target ID**: The Snyk identifier of the API target, which you find in the URL of the API target. For example, the target ID in `https://plus.probely.app/targets/2yzxnYgwmqbd` is `2yzxnYgwmqbd`. * **Postman collection file**: The file exported from Postman containing the environment variables. 4. Navigate to the **Postman Environment Values** section of the API target to see the newly added environment variables. 
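Review bot: step 3 labels the second input `**Postman collection file**: The file exported from Postman containing the environment variables.`, but step 1 exports the Postman environment, not the collection; rename the label to "Postman environment file" so it matches step 1 and the script's purpose. Also, the target-ID example still points at `https://plus.probely.app/targets/2yzxnYgwmqbd` while the sentence around it was rebranded to "The Snyk identifier of the API target"; if targets are now reached on a Snyk domain, update the example URL, otherwise keep the "Snyk API & Web" wording here so the Probely domain does not look stale.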
@@ -118,5 +118,5 @@ Alternatively, import environment variables using an automated script: After configuration is complete, the target is ready to scan. [Test your configuration](../test-target-configuration.md) and then run a scan to verify that all requests in the collection are tested. {% hint style="success" %} -In this example, the auth request to set the `bearerToken` is the first in the list of the collection, therefore the scan will be able to properly run all the requests. For production scenarios, we recommend that you [configure Postman authentication](../configure-authentication/configure-postman-authentication.md) and enable the **API TARGET AUTHENTICATION** and **LOGOUT DETECTION** in Snyk API & Web. +In this example, the authentication request to set the `bearerToken` is the first in the list of the collection, so the scan can run all the requests. For production scenarios, Snyk recommends that you [configure Postman authentication](../configure-authentication/configure-postman-authentication.md) and enable **API TARGET AUTHENTICATION** and **LOGOUT DETECTION** in Snyk. {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-raml-targets.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-raml-targets.md index 52603292c765..8dcec276f8b6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-raml-targets.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-raml-targets.md 
@@ -16,7 +16,7 @@ Change the RAML file extension from `.raml` to `.yaml`. After you have the file with the new extension, create the target as an OpenAPI target: 1. Navigate to **Targets** and click **Add**. -2. Complete the Add target form: +2. Complete the **Add target** form: - **Name**: Enter a meaningful identifier for your target - **URL**: Enter the base URL for your API - **API Type**: Select **API**, then select **OpenAPI** @@ -24,4 +24,4 @@ After you have the file with the new extension, create the target as an OpenAPI - **File**: Choose the RAML file with the `.yaml` extension 3. Click **Add**. -Snyk API & Web performs all necessary conversions, creates the target, and you can scan your RAML API. +Snyk performs all necessary conversions and creates the target, and you can then scan your RAML API. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-signed-requests.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-signed-requests.md index 957e7c35d1b1..ab04b08c67f1 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-signed-requests.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-api-targets/configure-signed-requests.md @@ -18,7 +18,7 @@ Additional requirements: If your target requires requests to be signed, configure the signature in the target Signature settings. -1. In Snyk API & Web, navigate to the **Targets** page. +1. In Snyk, navigate to the **Targets** page. 2. Identify the target you want to configure and click the **gear** icon to access the target settings. 3. Click the **Signature** tab and identify the **SIGNATURE** module. 4. Select the **Signature** you want to use and complete the form accordingly. 
@@ -28,7 +28,7 @@ If your target requires requests to be signed, configure the signature in the ta ## Verify signed requests -After you save the configuration, signed requests are enabled. The next time you run a scan against this target, Snyk API & Web automatically uses the configured signature. +After you save the configuration, signed requests are enabled. The next time you run a scan against this target, Snyk automatically uses the configured signature. {% hint style="info" %} For your security, all sensitive fields (such as certificates and shared secrets) are obfuscated after they are saved and cannot be viewed or retrieved again. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/README.md index de061f1368f0..6e37c1cf1351 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/README.md @@ -2,7 +2,7 @@ Configure authentication to scan protected areas of your web application or API. -Websites and applications can have restricted areas meant for authenticated users only. Configuring authentication allows Snyk API & Web to access these protected areas and identify vulnerabilities within the full scope of your target. +Websites and applications can have restricted areas meant for authenticated users only. Configuring authentication lets Snyk API & Web access these protected areas and identify vulnerabilities within the full scope of your target. Authentication options differ between Web targets and API targets. Configure authentication in the **Authentication** section of your target settings. 
@@ -38,12 +38,12 @@ Visit [Two-factor authentication](configure-two-factor-authentication.md) and [A API targets use authentication methods tailored for API security testing. Configuration options depend on your API target (OpenAPI, Postman Collection, or GraphQL). -API targets authentication methods include: +API target authentication methods include: - API keys - Bearer tokens -- OAuth authentication flows +- OAuth authentication flows - Login endpoints that return authentication tokens -- Custom Scripts +- Custom scripts Visit the following guides for detailed setup steps: - [OpenAPI authentication](configure-openapi-authentication.md) @@ -56,7 +56,7 @@ Some authentication features apply to both Web targets and API targets. ### Basic authentication -Basic authentication uses HTTP Basic Access Authentication, where credentials are sent in the HTTP header. Configure the username and password for the scanner to include in HTTP requests. +Basic authentication uses HTTP Basic Access Authentication, where the scanner sends credentials in the HTTP header. Configure the username and password for the scanner to include in HTTP requests. Use this method for applications or APIs that implement the HTTP Basic Auth protocol rather than form-based or token-based authentication. 
@@ -66,13 +66,13 @@ Visit [Basic authentication](configure-basic-authentication.md) for configuratio Logout detection helps the scanner maintain authenticated sessions throughout the scan. Configure indicators that show when the session ends, such as logout URLs, redirects to login pages, or specific page elements that appear only when logged out. -The scanner monitors these indicators and re-authenticates if the session is lost during scanning. +The scanner monitors these indicators and re-authenticates if it loses the session during scanning. Visit [Logout detection](configure-logout-detection.md) for configuration instructions. ### Mutual TLS (mTLS) authentication -Mutual TLS authentication provides enhanced security by requiring both the client and server to authenticate using digital certificates. Unlike standard TLS which only authenticates the server, mTLS ensures bidirectional authentication. +Mutual TLS authentication provides enhanced security by requiring both the client and server to authenticate using digital certificates. Unlike standard TLS, which authenticates only the server, mTLS ensures bidirectional authentication. Upload a client authentication certificate (.p12 or .pfx format) and provide the certificate password. The scanner uses the configured certificate during scans to establish secure mTLS connections with your target. 
@@ -82,6 +82,6 @@ Visit [Mutual TLS](configure-mutual-tls.md) for configuration instructions. ### Managing credentials -Credential management allows you to create reusable authentication credentials and apply them across multiple targets. This simplifies configuration when you have several targets that share the same authentication credentials. +Credential management lets you create reusable authentication credentials and apply them across multiple targets. This simplifies configuration when you have several targets that share the same authentication credentials. Visit [Manage credentials](manage-credentials.md) for instructions on creating and managing shared credentials. \ No newline at end of file diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/automate-otp-extraction.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/automate-otp-extraction.md index edebd5674556..7a565e2c7bda 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/automate-otp-extraction.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/automate-otp-extraction.md 
@@ -2,33 +2,33 @@ Automate the extraction of one-time passwords (OTPs) from email and send them to Snyk API & Web for two-factor authentication. -When using alternative OTP for two-factor authentication, you need to send the OTP code to Snyk API & Web during scans. You can automate this process by creating scripts that monitor your email, extract the OTP, and submit it via the Snyk API & Web API. +When using alternative OTP for two-factor authentication, you must send the OTP code to Snyk during scans. You can automate this process by creating scripts that monitor your email, extract the OTP, and submit it using the Snyk API. This article provides examples for automating OTP extraction using: * Google Apps Script (for Gmail) * Microsoft Power Automate (for Outlook) -## Before you begin +## Prerequisites -Ensure you have configured alternative OTP two-factor authentication for your target. Visit [Configure two-factor authentication (2FA)](configure-two-factor-authentication.md) for setup instructions. +Configure alternative OTP two-factor authentication for your target before proceeding. Visit [Configure two-factor authentication (2FA)](configure-two-factor-authentication.md) for setup instructions. -You will need the **UNIQUE 2FA CONFIGURATION URL** from your target's Authentication settings. +You need the **UNIQUE 2FA CONFIGURATION URL** from the Authentication settings of your target. ## Automate OTP extraction from Gmail Use Google Apps Script to automate OTP extraction from Gmail accounts. -The script polls emails from the Gmail account, extracts the OTP using a regular expression, and sends it to Snyk API & Web via the API endpoint. +The script polls emails from the Gmail account, extracts the OTP using a regular expression, and sends it to Snyk through the API endpoint. ### Create the Google Apps Script -1. Navigate to [https://script.google.com](https://script.google.com) and sign in with the Gmail account that receives OTP emails. +1. 
Navigate to [https://script.google.com](https://script.google.com) and log in with the Gmail account that receives OTP emails. 2. Select **My Projects** and click **CREATE APPS SCRIPT**.
Create Apps Script in Google Script
-3. Click on the project name "Untitled Project" at the top and enter a meaningful name (for example, "Extract OTPs from Email"). +3. Click the project name "Untitled Project" at the top and enter a meaningful name (for example, "Extract OTPs from Email").
Name the Google Apps Script project
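Review bot: "submit it using the Snyk API" is ambiguous once "Snyk API & Web" is shortened, because Snyk also exposes a general REST API (the README hunk in this same patch lists "REST API: programmatic access for custom integrations and automation"). The OTP is posted to the target's UNIQUE 2FA CONFIGURATION URL, as the Power Automate HTTP action later on this page shows, so say that: "submit it to the unique 2FA configuration URL of your target". The same applies to "sends it to Snyk through the API endpoint" in the Gmail section.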
@@ -119,7 +119,7 @@ Customize the **runTask** function with your specific configuration: **API\_ENDPOINT** -Replace `` with the URL provided by Snyk API & Web in your target's Authentication settings. +Replace `` with the URL that Snyk provides in the Authentication settings of your target. **SUBJECT\_MATCH** @@ -188,15 +188,13 @@ The trigger executes the **extractOTPFunction** every minute, which runs the **r Use Microsoft Power Automate to automate OTP extraction from Outlook email accounts. -This flow retrieves an OTP from an email and sends it to Snyk API & Web via the API endpoint. +This flow retrieves an OTP from an email and sends it to Snyk through the API endpoint. ### Prerequisites -Before you begin: - * Access to Power Automate (Premium license required for HTTP POST calls) * An email account configured in Power Automate that receives OTP emails -* The **UNIQUE 2FA CONFIGURATION URL** from your target's Authentication settings (see [Configure two-factor authentication (2FA)](configure-two-factor-authentication.md)) +* The **UNIQUE 2FA CONFIGURATION URL** from the Authentication settings of your target. Visit [Configure two-factor authentication (2FA)](configure-two-factor-authentication.md). ### Create a new automated cloud flow @@ -250,7 +248,7 @@ Configure an HTTP action to send the extracted OTP to Snyk API & Web: 3. Configure the HTTP action: * **Method**: Select **POST** -* **URI**: Enter the **UNIQUE 2FA CONFIGURATION URL** from your target's Authentication settings +* **URI**: Enter the **UNIQUE 2FA CONFIGURATION URL** from the Authentication settings of your target * **Headers**: Add a header with: * Name: `Content-Type` * Value: `application/json` 
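Review bot: the HTTP action authenticates only by knowledge of the URI (`Method: POST`, `URI: the UNIQUE 2FA CONFIGURATION URL`, a `Content-Type` header and no credential), so anyone holding that URL can inject OTPs into the scanner's login flow. The Prerequisites list should say to treat the unique URL as a secret: keep it in a secret store such as Azure Key Vault or enable secure inputs on the action instead of pasting it in clear text into the flow definition. The same caveat belongs next to the `API_ENDPOINT` constant in the Apps Script section.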
@@ -274,9 +272,9 @@ Configure an HTTP action to send the extracted OTP to Snyk API & Web: ### Troubleshooting -**Email filtering**: Double-check your subject filters and email criteria to ensure the flow is triggered by the correct emails. +Email filtering: Double-check your subject filters and email criteria to ensure the correct emails trigger the flow. -**OTP extraction**: Use the "Test Flow" feature in Power Automate with actual email content to debug your OTP extraction expression. Inspect the outputs of each step to see what data is being processed. +OTP extraction: Use the "Test Flow" feature in Power Automate with actual email content to debug your OTP extraction expression. Inspect the outputs of each step to see which data Power Automate processes. ## Related content diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-basic-authentication.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-basic-authentication.md index 7cd6e34c583b..511c1632fe8c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-basic-authentication.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-basic-authentication.md 
@@ -2,9 +2,9 @@ Configure basic authentication to scan targets protected by HTTP Basic Access Authentication. -Basic authentication is a simple authentication scheme built into the HTTP protocol. When you access a protected resource, the browser prompts you with a dialog to sign in. +Basic authentication is an authentication scheme built into the HTTP protocol. When you access a protected resource, the browser prompts you with a dialog to log in. -This authentication process differs from your application's own authentication system and form-based authentication methods. Basic authentication sends credentials in the HTTP header rather than through form submission. +This authentication process differs from your application's own authentication system and from form-based authentication methods. Basic authentication sends credentials in the HTTP header rather than through form submission. ## Set up basic authentication @@ -14,6 +14,6 @@ This authentication process differs from your application's own authentication s 4. Enter your credentials (username and password). 5. Click **Save and enable**. -The credentials are saved and basic authentication is enabled. Snyk API & Web will use these credentials to access and scan your protected application. +Snyk API & Web saves the credentials and enables basic authentication. Snyk uses these credentials to access and scan your protected application. You can disable or enable basic authentication anytime using the **Off/On** toggle button, or delete the configuration using the **Delete** button. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-graphql-authentication.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-graphql-authentication.md index 9850a136a2a8..529553eee4c9 100644 
--- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-graphql-authentication.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-graphql-authentication.md @@ -2,9 +2,9 @@ Configure authentication to scan an API using a GraphQL schema. -If your GraphQL API requires authentication, Snyk API & Web can be configured to run authenticated requests and scan the API endpoints. +If your GraphQL API requires authentication, you can configure Snyk API & Web to run authenticated requests and scan the API endpoints. -After adding an API target, configure authentication before starting the scan. Setting authentication before starting the scan is especially important when you select the introspection option for your schema, as it is best practice to allow introspection only to authenticated requests. +After adding an API target, configure authentication before starting the scan. This is especially important when you select the introspection option for your schema, because best practice is to allow introspection only for authenticated requests. {% hint style="warning" %} GraphQL Introspection enabled is considered a Low Severity vulnerability. When enabled, restrict access to your GraphQL API using authentication. @@ -20,7 +20,7 @@ The authentication scenarios described in [Configure OpenAPI authentication](con ## Use application/graphql media type -GraphQL also supports `application/graphql` as the authentication media type. This format is supported by GraphQL servers. +GraphQL also supports `application/graphql` as the authentication media type. GraphQL servers support this format. When using `application/graphql` as the authentication media type, the request body contains only the raw GraphQL query or mutation string. 
@@ -34,11 +34,11 @@ When using `application/graphql` as the authentication media type, the request b 1. Configure the authentication: 1. **AUTHENTICATION MEDIA TYPE**: Select `application/graphql`. 2. **LOGIN URL**: Enter the authentication URL. - 3. **AUTHENTICATION PAYLOAD**: Enter the GraphQL mutation to be sent in the body of the POST request to the login URL. -2. Click **Fetch** to authenticate. The **TOKEN SELECTOR** field populates with fields obtained from the authentication response. If authentication fails, an error is displayed. + 3. **AUTHENTICATION PAYLOAD**: Enter the GraphQL mutation to send in the body of the POST request to the login URL. +2. Click **Fetch** to authenticate. The **TOKEN SELECTOR** field populates with fields from the authentication response. If authentication fails, Snyk displays an error. 3. In the **TOKEN SELECTOR**, choose the field that contains the authentication token. 4. In **PLACE TOKEN IN**, choose where to place the token in API requests (usually **header**, but **cookie** is also available). -5. In **FIELD NAME**, enter the name of the field in the header or cookie that will hold the token. +5. In **FIELD NAME**, enter the name of the field in the header or cookie that holds the token. 6. (Optional) Set a **VALUE PREFIX** for the token value. This is often needed for JWTs. For example, if your API requires a header like `Authorization: JWT `, configure: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-form.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-form.md index 1a5777754001..125cf181097e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-form.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-form.md 
@@ -2,9 +2,9 @@ Configure login form authentication to scan protected areas of your web application that require a username and password login. -Websites and applications can have restricted areas available only to authenticated users. Configuring authentication allows Snyk API & Web to access these protected areas and identify vulnerabilities within the full scope of your target. +Websites and applications can have restricted areas available only to authenticated users. Configuring authentication lets Snyk API & Web access these protected areas and identify vulnerabilities within the full scope of your target. -Create a dedicated user account for testing rather than using a real user account. Snyk API & Web submits forms and clicks buttons during scans, which might create unwanted data in the account. +Create a dedicated user account for testing rather than using a real user account. Snyk submits forms and clicks buttons during scans, which can create unwanted data in the account. ## Prerequisites @@ -67,7 +67,7 @@ If your login form requires additional fields beyond username and password, repe ## Add submit button (optional) -In most cases, Snyk API & Web automatically detects and clicks the correct submit button. However, you may need to specify the submit button if: +In most cases, Snyk automatically detects and clicks the correct submit button. However, you might need to specify the submit button if: * The submit button is outside the `
` tag * The login inputs are not inside a `` tag diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-sequence.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-sequence.md index 81762a33a371..d12400fa4133 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-sequence.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-login-sequence.md @@ -6,7 +6,7 @@ A login sequence handles authentication processes that cannot be managed by simp Snyk API & Web replays the recorded sequence during scans to authenticate successfully and access protected areas of your application. -Create a dedicated user account for testing rather than using a real user account. Snyk API & Web submits forms and clicks buttons during scans, which might create unwanted data in the account. +Create a dedicated user account for testing rather than using a real user account. Snyk submits forms and clicks buttons during scans, which can create unwanted data in the account. ## Prerequisites @@ -19,7 +19,7 @@ Create a dedicated user account for testing rather than using a real user accoun 1. From the **Targets** page, locate your target in the list. 2. Click the **gear icon** to access the target settings. 3. Select the **Authentication** tab. -4. Click the **Login Sequence** radio button to display the configuration form. +4. Select the **Login Sequence** radio button to display the configuration form. 5. In the configuration form, click **Add Login Sequence**. 6. Enter a name for the sequence. 7. Provide the recorded login sequence using one of these methods: 
@@ -39,14 +39,14 @@ If you have not recorded a login sequence yet, follow these steps using the Snyk 5. Perform all steps to reach the login page: * If the target automatically redirects you to the login page, wait for the redirect * If you need to navigate to the login page, perform those navigation steps -6. Once on the login page, complete the login process: +6. After you reach the login page, complete the login process: * Enter all credentials manually (do not use browser-saved values) * Click all necessary buttons to complete the login 7. Stop recording. 8. Copy or download the login sequence. 9. Use the sequence in the target configuration. -**Important:** While recording, use your mouse and keyboard to perform all actions. Type all values manually so the plugin correctly records each action. +Important: While recording, use your mouse and keyboard to perform all actions. Type all values manually so the plugin correctly records each action. ## Save and enable diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-mutual-tls.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-mutual-tls.md index cf451e8fb12b..615f57594a57 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-mutual-tls.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-mutual-tls.md @@ -2,7 +2,7 @@ Configure mutual TLS (mTLS) authentication for targets that require client-side certificates. -Unlike standard TLS which only authenticates the server, mutual TLS is an enhanced security protocol where both the client and server authenticate using digital certificates. +Unlike standard TLS, which authenticates only the server, mutual TLS is an enhanced security protocol where both the client and server authenticate using digital certificates. ## Prerequisites 
@@ -22,11 +22,11 @@ Unlike standard TLS which only authenticates the server, mutual TLS is an enhanc ## Verify the configuration -After saving the configuration, mutual TLS authentication is enabled. The next scan against this target automatically uses the configured mTLS certificates. +After you save the configuration, mutual TLS authentication is enabled. The next scan against this target automatically uses the configured mTLS certificates.
Mutual TLS authentication enabled state
-**Important**: For your security, all sensitive fields (certificates and passwords) are obfuscated after saving and cannot be viewed or retrieved again. +Important: For your security, Snyk obfuscates all sensitive fields (certificates and passwords) after saving. You cannot view or retrieve them again. ## Manage the configuration diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-openapi-authentication.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-openapi-authentication.md index 6d22296ea2e8..06541cd61284 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-openapi-authentication.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-openapi-authentication.md @@ -2,7 +2,7 @@ Configure authentication to scan an API using an OpenAPI schema. -If you have an OpenAPI schema for an API with authentication, Snyk API & Web can be configured to run authenticated requests and scan the API endpoints. +If you have an OpenAPI schema for an API with authentication, you can configure Snyk API & Web to run authenticated requests and scan the API endpoints. After adding an API target, configure authentication using one of these scenarios: 
@@ -27,10 +27,10 @@ This authentication pattern is common on APIs that support web applications: the * `application/x-www-form-urlencoded`: Key-value pairs separated by ampersands (for example, `username=admin&password=pass123`) 2. **LOGIN URL**: Enter the authentication URL. 3. **AUTHENTICATION PAYLOAD**: Enter the authentication content to send in the POST request payload to the login URL. -4. Click **Fetch** to authenticate. The **TOKEN SELECTOR** field populates with fields obtained from the authentication response. If authentication fails, an error is displayed. +4. Click **Fetch** to authenticate. The **TOKEN SELECTOR** field populates with fields from the authentication response. If authentication fails, Snyk displays an error. 5. In the **TOKEN SELECTOR**, choose the field that contains the authentication token. 6. In **PLACE TOKEN IN**, choose where to place the token in API requests (usually **header**, but **cookie** is also available). -7. In **FIELD NAME**, enter the name of the field in the header or cookie that will hold the token. +7. In **FIELD NAME**, enter the name of the field in the header or cookie that holds the token. 8. (Optional) Set a **VALUE PREFIX** for the token value. This is often needed for JWTs. For example, if your API requires a header like `Authorization: JWT `, configure: * **FIELD NAME**: `Authorization` * **VALUE PREFIX**: `JWT` diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-postman-authentication.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-postman-authentication.md index 8770a969cbc0..a52a60d35b46 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-postman-authentication.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-postman-authentication.md 
@@ -2,7 +2,7 @@ Configure authentication to scan an API using a Postman collection. -You can configure Snyk API & Web to run authenticated requests that use dynamically generated tokens (via script). For scans that can take longer and your token expires, you can also configure Snyk API & Web to detect the logout and generate a new token. +You can configure Snyk API & Web to run authenticated requests that use dynamically generated tokens through a script. For longer scans where your token expires, you can also configure Snyk to detect the logout and generate a new token. ## Example scenario @@ -13,7 +13,7 @@ This guide uses a Postman Collection example with the following requests: 3. **Get user details** - requires the authentication token in the request header and the user identifier as a parameter. 4. **Check token** - requires the authentication token in the request header to check if it is still valid. -For configuring 1,2 and 3 please follow the example in [Configure Postman Collection targets](../configure-api-targets/configure-postman-collection-targets.md). +To configure requests one, two, and three, follow the example in [Configure Postman Collection targets](../configure-api-targets/configure-postman-collection-targets.md). ## Configure your Postman collection for authentication @@ -23,7 +23,7 @@ Create two top-level folders in your Postman Collection, one for authentication
Postman collection showing authentication folder, and the result of the test.
-

Snyk API & WEB will use the result of this test to notify you that the login failed and instruct the scanner to run the logout detection request.

+

Snyk API & Web uses the result of this test to notify you that the login failed and to instruct the scanner to run the logout detection request.

2. Add the check token request to the `logout-detection` folder. Then navigate to the **Scripts** tab of the request and add the following test in the **Post-response** to validate that your token is still valid: ```javascript @@ -64,14 +64,14 @@ After configuring the Postman environment values, configure your target's authen 4. **FIELD NAME**: Enter the name of the header or cookie field (for example, `Authorization`). 5. **VALUE PREFIX**: Enter an optional prefix added before the variable value (for example, `Bearer`). 4. Click **Add Variable**. You can add multiple variables as needed. -5. Optionally you can select the checkbox: **When login fails, fail the scan immediately and notify me**. +5. Optionally, select the **When login fails, fail the scan immediately and notify me** checkbox. 6. Click **Save** and ensure the authentication toggle is set to **On**. ## Configure Postman logout detection (optional) -Adding logout detection, will help Snyk API & Web determine if the session ended, and try to authenticate again to proceed with the scan: +Logout detection helps Snyk determine if the session ended and authenticate again to continue the scan: 1. Locate the **LOGOUT DETECTION** section. -2. Select the folder from the schema file that contains the logout request. For our example scenario, you should select the `logout-detection` folder. +2. Select the folder from the schema file that contains the logout request. For this example scenario, select the `logout-detection` folder. You can turn both the authentication and logout detection on or off anytime using the **Off/On** toggle button, or delete the configuration using the **Delete** button. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-two-factor-authentication.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-two-factor-authentication.md index 454d94be34a5..f765fbbedc72 100644 
--- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-two-factor-authentication.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/configure-two-factor-authentication.md @@ -28,16 +28,16 @@ TOTP uses an authenticator app on your phone to generate random codes that chang ### Obtain the 2FA seed or secret -The seed or secret is obtained when the QR Code is displayed during 2FA setup. +Snyk obtains the seed or secret when the QR Code displays during 2FA setup. Obtain the secret in one of these ways: * The secret is available on the page together with the QR Code (for example, GitHub has a link to show the secret) -* Use a QR Code scanner app on your phone to scan the QR Code. The QR Code link contains the secret in it. +* Use a QR Code scanner app on your phone to scan the QR Code. The QR Code link contains the secret. Example: `otpauth://totp/Example:joe@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example` -After scanning the QR Code with your authenticator app, it will start providing TOTP codes, allowing you to complete the 2FA configuration for the website or application. +After you scan the QR Code with your authenticator app, the app starts providing TOTP codes, which lets you complete the 2FA configuration for the website or application. ### Configure TOTP with Login Form @@ -100,7 +100,7 @@ Then configure 2FA in Snyk API & Web as follows: 1. Navigate to the **Authentication** tab of the target settings. 2. Scroll down to the **Two-Factor Authentication (2FA)** section. -3. Enable the **My target requires Two-Factor Authentication (2FA)** checkbox. +3. Select the **My target requires Two-Factor Authentication (2FA)** checkbox. 4. Leave the default **Time-based One-Time Password (TOTP)** selected. 5. Enter the **Seed / Secret** obtained from the 2FA configuration. 6. Enter the two **CSS Selectors**: 
@@ -112,13 +112,13 @@ Then configure 2FA in Snyk API & Web as follows: ### Configure TOTP with Login Sequence -To use the TOTP code in a login sequence, record a new login sequence with 2FA and update the target login sequence. Visit [Configure login sequence authentication](configure-login-sequence.md) for instructions. During the recording, take note of the TOTP code that you used because you will need it for the configuration. +To use the TOTP code in a login sequence, record a new login sequence with 2FA and update the target login sequence. Visit [Configure login sequence authentication](configure-login-sequence.md) for instructions. During the recording, take note of the TOTP code that you used because you need it for the configuration. -Then configure configure 2FA in Snyk API & Web as follows: +Then configure 2FA in Snyk as follows: 1. Navigate to the **Authentication** tab of the target settings. 2. Scroll down to the **Two-Factor Authentication (2FA)** section. -3. Enable the **My target requires Two-Factor Authentication (2FA)** checkbox. +3. Select the **My target requires Two-Factor Authentication (2FA)** checkbox. 4. Leave the default **Time-based One-Time Password (TOTP)** selected. 5. Enter the **Seed / Secret** obtained from the 2FA configuration. 6. Enter the **OTP Code** (the code saved while recording the login sequence). @@ -128,7 +128,7 @@ Then configure configure 2FA in Snyk API & Web as follows: ## Configure alternative OTP -Alternative OTP sends a random code through a communication channel like email or text message. This code is entered during the login process to complete authentication. +Alternative OTP sends a random code through a communication channel like email or text message. You enter this code during the login process to complete authentication. ### Configure OTP with Login Form 
@@ -137,11 +137,11 @@ When the 2FA form requests the OTP code, obtain the following: 1. **CSS selector for the OTP input field**: This selector depends on whether your site uses a single input field or multiple fields for the authenticator code. 2. **CSS selector for the submit button**: For example, `.2fa-submit-button`. -Then configure configure 2FA in Snyk API & Web as follows: +Then configure 2FA in Snyk as follows: 1. Navigate to the **Authentication** tab of the target settings. 2. Scroll down to the **Two-Factor Authentication (2FA)** section. -3. Enable the **My target requires Two-Factor Authentication (2FA)** checkbox. +3. Select the **My target requires Two-Factor Authentication (2FA)** checkbox. 4. Select **Other OTP**. 5. Enter the two **CSS Selectors**: * CSS selector for the OTP input field 
@@ -152,13 +152,13 @@ Then configure configure 2FA in Snyk API & Web as follows: ### Configure OTP with Login Sequence -To use the OTP code in a login sequence, record a new login sequence with 2FA and update the target login sequence. Visit [Configure login sequence authentication](configure-login-sequence.md) for instructions. During the recording, take note of the OTP code that you used because you will need it for the configuration. +To use the OTP code in a login sequence, record a new login sequence with 2FA and update the target login sequence. Visit [Configure login sequence authentication](configure-login-sequence.md) for instructions. During the recording, take note of the OTP code that you used because you need it for the configuration. Then configure 2FA in Snyk API & Web as follows: 1. Navigate to the **Authentication** tab of the target settings. 2. Scroll down to the **Two-Factor Authentication (2FA)** section. -3. Enable the **My target requires Two-Factor Authentication (2FA)** checkbox. +3. Select the **My target requires Two-Factor Authentication (2FA)** checkbox. 4. Select **Other OTP**. 5. Enter the **OTP Code** (the code saved while recording the login sequence). 6. Click **Save and enable**. @@ -167,7 +167,7 @@ Then configure 2FA in Snyk API & Web as follows: ### Communicate OTP to Snyk API & Web -With 2FA configured on the target settings, you need to implement communication of the OTP to Snyk API & Web when your 2FA requests it. Send the OTP by calling an endpoint from the Snyk API & Web API where you send the OTP in the request body. +With 2FA configured on the target settings, you must communicate the OTP to Snyk when your 2FA requests it. Send the OTP by calling an endpoint from the Snyk API where you send the OTP in the request body. Curl example: 
@@ -187,7 +187,7 @@ Where: ### Automate OTP extraction -For automated OTP extraction and submission, see [Automate OTP extraction](automate-otp-extraction.md) for examples using: +For automated OTP extraction and submission, visit [Automate OTP extraction](automate-otp-extraction.md) for examples using: * Google Apps Script * Microsoft Power Automate diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/manage-credentials.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/manage-credentials.md index 726f65f15043..1ee9e8f7c9a0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/manage-credentials.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-authentication/manage-credentials.md @@ -14,8 +14,8 @@ Using the Credentials Manager simplifies the password rotation process and impro 2. Click **Add Credential**. 3. Configure the credential: - * **Sensitive**: Enable this option to permanently hide credential values from all users. Sensitive credential values can be updated but never viewed after saving. - * **Scope**: Choose whether the credential is available account-wide or restricted to specific teams. Account-wide credentials can be used by everyone in the account. + * **Sensitive**: Select this option to permanently hide credential values from all users. You can update sensitive credential values but never view them after saving. + * **Scope**: Choose whether the credential is available account-wide or restricted to specific teams. Everyone in the account can use account-wide credentials. * **Description** (optional): Add relevant information to help your team understand when to use this credential. 4. Click **Save**. 
@@ -58,16 +58,16 @@ You can securely store sensitive information in several areas across Snyk API & Access to Credentials depends on your user role and assigned permissions: -* **Update Target Configuration**: Users with this permission can create credentials and use them within their specific targets. -* **Manage Credentials**: Users with this permission can create, view, update, and delete credentials across the account or team, even if the credential was created by someone else. -* **Scoped Credentials**: Credentials can be scoped to the entire account or restricted to users from specific teams. +* Update Target Configuration: Users with this permission can create credentials and use them within their specific targets. +* Manage Credentials: Users with this permission can create, view, update, and delete credentials across the account or team, even if someone else created the credential. +* Scoped Credentials: You can scope credentials to the entire account or restrict them to users from specific teams. -For more information about permissions, see the Snyk API & Web permissions documentation. +For more information about permissions, visit the Snyk API & Web permissions documentation. ## Transitioning from obfuscated values The Credentials Manager replaces the Secret Obfuscation feature: -* **Obfuscation Toggle**: The option to turn obfuscation on or off for account owners is hidden. Centralized management through the Credentials Manager is now the standard for sensitive data. -* **Existing Configurations**: All existing configurations continue to work. You can keep them or replace them with Credentials Manager credentials (recommended). -* **Obfuscated Values**: Previously obfuscated values cannot be retrieved. To create new obfuscated values, use Sensitive Credentials in the Credentials Manager. +* Obfuscation toggle: The option to turn obfuscation on or off for account owners is hidden. 
Centralized management through the Credentials Manager is now the standard for sensitive data. +* Existing configurations: All existing configurations continue to work. You can keep them or replace them with Credentials Manager credentials. Snyk recommends replacing them. +* Obfuscated values: You cannot retrieve previously obfuscated values. To create new obfuscated values, use Sensitive Credentials in the Credentials Manager. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/configure-extra-hosts.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/configure-extra-hosts.md index 39c12a07a654..16fbe47dde17 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/configure-extra-hosts.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/configure-extra-hosts.md 
@@ -4,21 +4,21 @@ Include additional domains in the scan scope when your web application uses mult ## What are extra hosts? -When you add a target, Snyk API & Web only scans pages under that target URL. The scanner does not scan pages from different hostnames unless you explicitly add them as extra hosts. +When you add a target, Snyk API & Web scans only pages under that target URL. The scanner does not scan pages from different hostnames unless you add them as extra hosts. -This default behavior can present challenges for Single-Page Applications (SPAs) where the front-end is built with JavaScript and the server-side functionality is invoked via an API. In SPAs, APIs are typically hosted under a different subdomain (such as `api.example.com`) while the front-end resides on `app.example.com`. In some cases, the API can be an entirely separate domain. +This default behavior can present challenges for single-page applications (SPAs) where the front-end is built with JavaScript and the server-side functionality is invoked using an API. In SPAs, APIs are typically hosted under a different subdomain (such as `api.example.com`) while the front-end resides on `app.example.com`. In some cases, the API can be an entirely separate domain. -**Technical behavior:** When you configure extra hosts, Snyk API & Web follows and scans any `XMLHttpRequest` performed to the specified hostnames. If a hostname is in the extra hosts list, the scanner regards it as within the scanning scope and analyzes the API responses for vulnerabilities. +When you configure extra hosts, Snyk follows and scans any `XMLHttpRequest` performed to the specified hostnames. If a hostname is in the extra hosts list, the scanner regards it as within the scanning scope and analyzes the API responses for vulnerabilities. ## When to use extra hosts Use extra hosts when your web application architecture includes: -* **Separate API domains**: Front-end on `app.example.com` accessing an API on `api.example.com`. 
-* **Multiple subdomains**: Different subdomains serving various application functions. -* **Content delivery networks**: Assets served from different domains that need security testing. +* Separate API domains: front-end on `app.example.com` accessing an API on `api.example.com`. +* Multiple subdomains: different subdomains serving various application functions. +* Content delivery networks: assets served from different domains that need security testing. -If Snyk API & Web only scans the front-end domain, it might miss critical security tests in the API that drives much of your application's functionality. Adding extra hosts ensures complete coverage of your application's security surface. +If Snyk scans only the front-end domain, it can miss critical security tests in the API that drives much of your application's functionality. Adding extra hosts ensures complete coverage of your application's security surface. ## Add extra hosts diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-navigation-sequences.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-navigation-sequences.md index d19bfe8abb0b..3d3aef148838 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-navigation-sequences.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-navigation-sequences.md 
@@ -10,7 +10,7 @@ For example, if your application has a shopping cart flow, admin panels, or dyna ## Record a navigation sequence -Before configuring a navigation sequence in Snyk API & Web, you need to record it using the Snyk API & Web Sequence Recorder browser plugin. +Before configuring a navigation sequence in Snyk API & Web, you must record it using the Snyk API & Web Sequence Recorder browser plugin. Visit the [Use sequence recorder](use-sequence-recorder.md) article for detailed instructions on installing the plugin and recording sequences. @@ -37,4 +37,4 @@ After adding a navigation sequence, Snyk API & Web displays it in the Navigation
Navigation sequences list showing configured sequences
-Run a scan to verify the navigation sequence works correctly and allows the scanner to reach the intended areas of your application. +Run a scan to verify the navigation sequence works correctly and the scanner reaches the intended areas of your application. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-sequence-recorder.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-sequence-recorder.md index c587a0ea480f..4f7a0513ada4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-sequence-recorder.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/configure-web-targets/use-sequence-recorder.md 
@@ -8,47 +8,45 @@ The Snyk API & Web Sequence Recorder is a browser plugin that records sequences A sequence is a set of actions and values that the scanner follows to access specific areas of your application. Use sequences for: -* **Login sequences**: Record authentication flows, including complex multi-step logins or two-factor authentication -* **Navigation sequences**: Record workflows to reach specific application states or sections that require user interactions +* Login sequences: record authentication flows, including complex multi-step logins or two-factor authentication +* Navigation sequences: record workflows to reach specific application states or sections that require user interactions ## Install the sequence recorder The Snyk API & Web Sequence Recorder is available for Chrome, Firefox, and Edge browsers. -**Chrome installation:** Install the plugin from the [Chrome Web Store](https://chrome.google.com/webstore/detail/probely-recorder/hldkejmiceccmcfgicnfbgminlidgkph). - -**Firefox installation:** Install the plugin from the [Firefox Add-ons store](https://addons.mozilla.org/en-US/firefox/addon/probely-recorder/). - -**Edge installation:** Install the plugin from the [Edge Add-ons store](https://microsoftedge.microsoft.com/addons/detail/snyk-api-web-sequence-r/bgdnfkliglfichfflhlgfpifnfbdgdgm/). +* Chrome: install the plugin from the [Chrome Web Store](https://chrome.google.com/webstore/detail/probely-recorder/hldkejmiceccmcfgicnfbgminlidgkph). +* Firefox: install the plugin from the [Firefox Add-ons store](https://addons.mozilla.org/en-US/firefox/addon/probely-recorder/). +* Edge: install the plugin from the [Edge Add-ons store](https://microsoftedge.microsoft.com/addons/detail/snyk-api-web-sequence-r/bgdnfkliglfichfflhlgfpifnfbdgdgm/). ## Record a sequence After installing the Snyk API & Web Sequence Recorder plugin, follow these steps to record a sequence: -1. 
**Open your browser in incognito mode** to ensure a clean session without cached data or existing authentication. -2. **Click the plugin icon** in your browser toolbar. A popup window appears. -3. **Enter your target URL** and click **Start recording**. +1. Open your browser in incognito mode to ensure a clean session without cached data or existing authentication. +2. Click the plugin icon in your browser toolbar. A pop-up window appears. +3. Enter your target URL and click **Start recording**. -Important notes before recording: +Note the following before recording: -* If you are recording a **login sequence**, ensure you are **logged out** from your target before starting -* If you are recording a **navigation sequence** that requires authentication, ensure you are **logged in** to your target before starting +* If you are recording a login sequence, ensure you are **logged out** of your target before starting. +* If you are recording a navigation sequence that requires authentication, ensure you are **logged in** to your target before starting. -4. **Perform the necessary steps** for your sequence. Click links and buttons using your mouse cursor, simulating how a user would interact with your application. +4. Perform the necessary steps for your sequence. Click links and buttons using your mouse cursor, simulating how a user would interact with your application. -Avoid adding unnecessary steps that are not part of the workflow you want to record. The plugin registers each action you make within the page. +Avoid adding unnecessary steps that are not part of the workflow you want to record. The plugin registers each action you make in the page. -5. **Stop the recording** when you have completed all steps. Click the plugin icon again and select **Stop recording**. -6. **Review and edit your sequence** on the Review page. The plugin provides advanced features to modify your sequence if needed. -7. **Copy or download your sequence** for later use. 
You can copy the sequence to your clipboard or download it as a file. +5. Stop the recording after you complete all steps. Click the plugin icon again and select **Stop recording**. +6. Review and edit your sequence on the Review page. The plugin provides advanced features to modify your sequence if needed. +7. Copy or download your sequence for later use. You can copy the sequence to your clipboard or download it as a file. ## Use the recorded sequence After recording a sequence, import it into Snyk API & Web: -**For login sequences:** Navigate to your target's **Authentication** settings and configure the login sequence. Visit [Configure login sequence authentication](../configure-authentication/configure-login-sequence.md) for detailed instructions. +For login sequences: navigate to your target's **Authentication** settings and configure the login sequence. Visit [Configure login sequence authentication](../configure-authentication/configure-login-sequence.md) for detailed instructions. -**For navigation sequences:** Navigate to your target's **Scanner** settings and add the navigation sequence. Visit [Use navigation sequences](use-navigation-sequences.md) for detailed instructions. +For navigation sequences: navigate to your target's **Scanner** settings and add the navigation sequence. Visit [Use navigation sequences](use-navigation-sequences.md) for detailed instructions. ## Source code diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/import-targets.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/import-targets.md index 8cc4fc03f4ae..030e3c7b935e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/import-targets.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/import-targets.md 
@@ -32,7 +32,7 @@ Availability of these settings varies depending on the target type. For complete ## Import targets -1. Log in to Snyk API & Web. +1. Log in to Snyk. 2. On the **Targets** list, click the vertical ellipsis next to **Add**. 3. Select **Import** from the menu. 4. Upload your file containing the target information. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/test-target-configuration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/test-target-configuration.md index 3c97a255978b..8025a9403f76 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/test-target-configuration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/test-target-configuration.md @@ -2,13 +2,13 @@ Test your target configuration before running a scan to avoid common issues that lead to failed scans or incomplete results. -Testing configuration allows you to: +Test the configuration to: * Confirm Snyk API & Web can access your target. * Verify login credentials work as expected. -* Identify if a web application firewall (WAF) or other security measures block traffic. +* Identify whether a web application firewall (WAF) or other security measures block traffic. * Verify the validity of your API schema or collection. -* Discover extra hosts that might need to be added to your target. +* Discover extra hosts that you need to add to your target. ## Prerequisites 
@@ -36,10 +36,10 @@ After starting the test, a side panel opens to display test progress in real tim Snyk API & Web provides feedback on these areas: * **Connectivity**: Confirms Snyk API & Web can reach the URL -* **WAF Detection**: Alerts if a firewall might interfere with the DAST scan +* **WAF Detection**: Alerts you if a firewall can interfere with the DAST scan * **Authentication**: Validates that credentials successfully grant access to the target * **Schema Validity**: Verifies the schema provided for API targets -* **Extra Hosts**: Identifies additional domains the web application relies on that might need to be added to target settings +* **Extra Hosts**: Identifies additional domains the web application relies on that you need to add to the target settings If a check fails or requires further configuration, the side panel provides a call to action to help resolve the issue. You can also review connectivity details and, if applicable, a video of the login attempt. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/use-seeds-and-reject-lists.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/use-seeds-and-reject-lists.md index 691aa950e285..4217364c467d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/use-seeds-and-reject-lists.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/use-seeds-and-reject-lists.md 
@@ -4,9 +4,9 @@ Control scan behavior by including or excluding specific areas of your target us ## Understanding seeds and reject lists -**Seeds list**: Add areas of the target that would otherwise be hidden and not discovered during scans. This ensures scans cover everything within the target scope. For example, add administrative areas only accessible through direct links. The **seeds list applies only to Web targets**. +Seeds list: Add areas of the target that would otherwise be hidden and not discovered during scans. This ensures scans cover everything within the target scope. For example, add administrative areas only accessible through direct links. The seeds list applies only to Web targets. -**Reject list**: Limit what the scanner visits on the target. This is a collection of URLs the crawler is instructed to avoid. Use this to exclude unnecessary or sensitive content such as logout options, private user data, or repetitive structures like paginated lists. +Reject list: Limit what the scanner visits on the target. This is a collection of URLs the crawler avoids. Use this list to exclude unnecessary or sensitive content such as logout options, private user data, or repetitive structures like paginated lists. {% hint style="info" %} The reject list takes precedence over the seeds list. Areas in the seeds list are ignored if they match areas in the reject list. @@ -16,8 +16,8 @@ The reject list takes precedence over the seeds list. Areas in the seeds list ar ## Add paths to the seeds list 1. Navigate to **Targets** and find the target in the list. -2. Click the **gear icon** to edit the target settings. -3. Go to the **Scanner** tab. +2. Click the **gear** icon to edit the target settings. +3. Navigate to the **Scanner** tab. 4. In the **Seeds list** section, enter the path to include in **Add path**. 5. Click **Add**. 
@@ -28,7 +28,7 @@ Scans follow these paths and explore them, expanding the scan reach across the t ## Add URLs to the reject list 1. Navigate to **Targets** and find the target in the list. -2. Click the **gear icon** to edit the target settings. +2. Click the **gear** icon to edit the target settings. 3. Navigate to the **Scanner** tab. 4. In the **Reject list** section, enter the area to exclude in **Add URL**. 5. Click **Add**. @@ -41,4 +41,4 @@ Scans do not follow these paths, avoiding these areas during target scans. To remove an entry from either list, locate the entry and click the trash icon next to it. -This tailored approach ensures hidden areas are thoroughly tested while sensitive or unnecessary areas are excluded, optimizing your scanning process. +This approach ensures Snyk thoroughly tests hidden areas while excluding sensitive or unnecessary areas, optimizing your scanning process. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-dns-txt.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-dns-txt.md index a593907dbc1a..c7700c33687c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-dns-txt.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-dns-txt.md @@ -37,7 +37,7 @@ DNS records can take time to propagate across all DNS servers. If verification f ### CNAME limitations -If your domain FQDN is a CNAME record, this verification method will not work due to DNS limitations. CNAMEs cannot have TXT records. +If your domain FQDN is a CNAME record, this verification method does not work because of DNS limitations. CNAMEs cannot have TXT records. Use one of these alternative methods instead: - [TXT file verification](verify-with-txt-file.md) 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-meta-tag.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-meta-tag.md index bffcab91c1cf..1eaf5911171d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-meta-tag.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-meta-tag.md @@ -33,9 +33,9 @@ This verification method is quick and straightforward for websites where you can 1. Confirm the meta tag is visible in your website's source code by viewing the page source in a browser. 1. Return to the verification dialog in Snyk API & Web. -1. Click **VERIFY**. +1. Click **Verify**. -After successful verification, you can remove the meta tag if desired, though it's harmless to leave it in place. +After successful verification, you can remove the meta tag if desired, though it is harmless to leave it in place. ## Troubleshooting diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-txt-file.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-txt-file.md index e1387c687f77..990cc92c9df3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-txt-file.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/verify-domain-ownership/verify-with-txt-file.md @@ -29,7 +29,7 @@ After successful verification, you can remove the `.txt` file from your website. ### File not accessible -Snyk API & Web might not be able to access the file if it is: +Snyk cannot access the file if it is: - In the wrong location (must be in root directory) - Protected by authentication or access restrictions - Blocked by firewall rules 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/what-is-a-target.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/what-is-a-target.md index edb10d3da48a..620244a52cb8 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/what-is-a-target.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/configure-targets/what-is-a-target.md @@ -12,7 +12,7 @@ Targets define what Snyk API & Web scans. Examples of targets include: The target URL sets the boundaries for scanning. The scanner only tests URLs that begin with the target base URL and never scans outside this scope. -For example, if the target is `https://example.com`, the scanner will not test `https://www.example.com` or any other hosts. Only URLs prefixed by `example.com` are included in the scan. +For example, if the target is `https://example.com`, the scanner does not test `https://www.example.com` or any other hosts. The scan includes only URLs prefixed by `example.com`. ## Organize applications with targets 
@@ -29,11 +29,11 @@ Snyk API & Web supports two types of targets: ### Web targets -Web targets enable full security scans of web applications, including single-page applications and web applications that interact with APIs. Choose this option to assess the security of user-facing web interfaces. +Web targets provide full security scans of web applications, including single-page applications and web applications that interact with APIs. Choose this option to assess the security of user-facing web interfaces. ### API targets -API targets enable detailed security assessments of standalone APIs without a supporting web application. Choose this option to test REST APIs, GraphQL endpoints, or other API implementations. +API targets provide detailed security assessments of standalone APIs without a supporting web application. Choose this option to test REST APIs, GraphQL endpoints, or other API implementations. To scan an API, Snyk API & Web needs the API specification (schema). Define the schema with a URL pointing to the schema file, upload it directly, or use schema introspection for GraphQL. When you select URL or introspection, Snyk API & Web fetches the schema before every scan, ensuring the most up-to-date version. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/configure-automatic-asset-archiving.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/configure-automatic-asset-archiving.md index 4aeb8225e2de..0f4dbada7fef 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/configure-automatic-asset-archiving.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/configure-automatic-asset-archiving.md 
@@ -6,18 +6,18 @@ This guide explains how to configure the automatic archiving settings for your a ## Prerequisites -To access this feature, your Snyk API & Web plan must include the Asset Discovery entitlement. +To access this feature, your Snyk plan must include the Asset Discovery entitlement. ## Configure automatic archiving 1. In your Snyk API & Web account, navigate to **Settings** > **Scan Settings** and locate the **Archive discovered assets** module. -2. Use the toggle to enable or disable the automatic archiving feature. By default, this feature is enabled. -3. In the input field, enter the number of days (from one to 365) an asset should be undetected before it is automatically archived. The default is 30 days. +2. Use the toggle to turn the automatic archiving feature on or off. By default, this feature is on. +3. In the input field, enter the number of days (from one to 365) an asset can be undetected before Snyk automatically archives it. The default is 30 days. 4. Click **Save** to apply your changes. ## Verify the outcome -Once configured, Snyk API & Web automatically moves any asset to an **Archived** state if it is not detected in any discovery scan for the number of days you specified. +After you configure the feature, Snyk automatically moves any asset to an **Archived** state if it is not detected in any discovery scan for the number of days you specified. You can view your archived assets at any time: @@ -27,4 +27,4 @@ You can view your archived assets at any time: ## Manage archived assets -You do not need to manually reactivate assets. If a previously archived asset is detected again in a new discovery scan, Snyk API & Web automatically returns it to the **Active** state. +You do not need to manually reactivate assets. If a discovery scan detects a previously archived asset again, Snyk automatically returns it to the **Active** state. 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/overview-asset-discovery.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/overview-asset-discovery.md index 5f2bc72f8058..18b006bce617 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/overview-asset-discovery.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/overview-asset-discovery.md 
@@ -8,24 +8,24 @@ Snyk API & Web identifies assets through a multi-step process that discovers dom ### Step 1: Discover domains and subdomains -Snyk API & Web uses the following techniques to find domains and subdomains: +Snyk uses the following techniques to find domains and subdomains: 1. **Cloud provider connections** - Snyk API & Web connects to your configured cloud providers to discover web assets. The type of assets accessed depends on the provider you have configured. + Snyk connects to your configured cloud providers to discover web assets. The type of assets accessed depends on the provider you have configured. - * **Cloudflare or AWS**: Snyk API & Web connects to select the configured DNS zones and retrieves domains and subdomains from those zones. - * **Akamai**: Snyk API & Web connects to obtain the configured APIs and domains. + * **Cloudflare or AWS**: Snyk connects to select the configured DNS zones and retrieves domains and subdomains from those zones. + * **Akamai**: Snyk connects to obtain the configured APIs and domains. 2. **Certificate Transparency** - Snyk API & Web searches Certificate Transparency, an Internet security standard for monitoring and auditing the issuance of digital certificates, to identify additional domains. + Snyk searches Certificate Transparency, an Internet security standard for monitoring and auditing the issuance of digital certificates, to identify additional domains. 3. **Domain guessing** - Snyk API & Web makes informed guesses about possible domains based on known domains. For example, if `www.example.com` exists, Snyk API & Web tries `admin.example.com` or `api.example.com`. + Snyk makes informed guesses about possible domains based on known domains. For example, if `www.example.com` exists, Snyk tries `admin.example.com` or `api.example.com`. 
### Step 2: Analyze infrastructure -With the initial list of domains, Snyk API & Web performs the following analysis: +With the initial list of domains, Snyk performs the following analysis: 1. Identifies the IP address (or addresses) to which each domain resolves. 2. Performs a network and port scan for each IP address to identify open services and their type. @@ -33,16 +33,16 @@ With the initial list of domains, Snyk API & Web performs the following analysis ### Step 3: Gather asset information -The discovered domains and subdomains for web applications and APIs become assets. Snyk API & Web gathers more detailed information about them: +The discovered domains and subdomains for web applications and APIs become assets. Snyk gathers more detailed information about them: 1. Captures screenshots of web applications. 2. Runs [Security Headers](https://securityheaders.com/) to generate a security score. -Assets are listed in the **Discovery** page of Snyk API & Web. The following sections describe key concepts and common actions available on that page. +Snyk lists assets on the **Discovery** page. The following sections describe key concepts and common actions available on that page. ## Discovery sources -When you add a source to your account, Snyk API & Web starts performing regular discovery scans to identify assets in the source's attack surface. +When you add a source to your account, Snyk starts performing regular discovery scans to identify assets in the source's attack surface. There are four ways to add a source: 
@@ -53,15 +53,15 @@ There are four ways to add a source: ## Discovery assets -The assets resulting from discovery scans are listed in the **Discovery** page of Snyk API & Web. +Snyk lists the assets resulting from discovery scans on the **Discovery** page. -At the top of the page, Snyk API & Web provides valuable information that you can use as quick filters to manage your assets and focus on the ones that matter most: +At the top of the page, Snyk provides valuable information that you can use as quick filters to manage your assets and focus on the ones that matter most: * **Found**: The total number of assets found so far. Click to show all assets. * **New**: The total number of newly found assets. Click to filter the list to show only newly found assets. -* **Scanned**: The percentage of assets that were already added as targets to your Snyk API & Web account and were scanned, meaning they have a risk level associated. Click to filter the list to show only scanned assets. +* **Scanned**: The percentage of assets that were already added as targets to your Snyk account and were scanned, meaning they have a risk level associated. Click to filter the list to show only scanned assets. * **Low score**: The percentage of assets with a Security Headers score of C or less. Click to filter the list to show assets with a score within this range. -* **High risk**: The percentage of assets already added as targets to your Snyk API & Web account that were scanned and identified as high risk. Click to filter the list to show only high-risk assets. +* **High risk**: The percentage of assets already added as targets to your Snyk account that were scanned and identified as high risk. Click to filter the list to show only high-risk assets. In addition to the quick filters, use the search box and generic filters to navigate the list. 
@@ -71,7 +71,7 @@ To view the details of a specific asset, click its name in the list. This opens For more detailed guidance, visit [Interpret target scan results](../review-and-fix/interpret-target-scan-results.md). -The panel shows the asset's name and URL and has three tabs with useful information to help you manage your assets: +The panel shows the asset's name and URL and has three tabs with information to help you manage your assets: * **Overview** * **Redirect And IPs** 
@@ -113,25 +113,25 @@ You can switch between a small side panel and a full page by clicking the button ### Add target and scan -If you decide to, you can add assets as targets to your Snyk API & Web account to scan them for vulnerabilities. Use the **Add target** button in the asset's row. +You can add assets as targets to your Snyk account to scan them for vulnerabilities. Use the **Add target** button in the asset's row. -After adding an asset as a target, the **Add target** button changes to a **Scan** button, which you can click to start scanning for vulnerabilities. +After you add an asset as a target, the **Add target** button changes to a **Scan** button, which you can click to start scanning for vulnerabilities. -After the target scan finishes, the **Risk** label of the corresponding asset is updated with the risk identified during the target scan. +After the target scan finishes, Snyk updates the **Risk** label of the corresponding asset with the risk identified during the target scan. -To access a target's details, click the three vertical dots next to the **Scan** button to display the overflow menu and choose **View target**. From there, you can analyze its vulnerabilities (findings) and begin fixing them. Visit [Interpret target scan results](../review-and-fix/interpret-target-scan-results.md) to learn more. +To access a target's details, click the three vertical dots next to the **Scan** button to display the overflow menu and select **View target**. From there, you can analyze its vulnerabilities (findings) and begin fixing them. Visit [Interpret target scan results](../review-and-fix/interpret-target-scan-results.md) to learn more. ### Mark as new or not new -Clicking the three vertical dots next to the main action button (**Add target**, **Scan**, or **Stop**) shows an overflow menu. The first two options, **Mark as new** and **Mark as not new**, let you identify the asset as new or not new, respectively. 
This action, along with the **State** filter, lets you organize and prioritize your list of assets. +Click the three vertical dots next to the main action button (**Add target**, **Scan**, or **Stop**) to show an overflow menu. The first two options, **Mark as new** and **Mark as not new**, identify the asset as new or not new, respectively. This action, along with the **State** filter, helps you organize and prioritize your list of assets. ### Hide or show -Clicking the three vertical dots next to the main action button shows an overflow menu. The **Hide** option lets you organize and prioritize your list of assets by hiding the ones you are not interested in at the moment. These assets do not disappear; they are filtered out of the default view. You can always filter them by choosing the **Hidden** option in the **State** filter. If you decide those assets are relevant again, click the **Show** option to restore visibility. +Click the three vertical dots next to the main action button to show an overflow menu. The **Hide** option helps you organize and prioritize your list of assets by hiding the ones you are not interested in at the moment. These assets do not disappear. Snyk filters them out of the default view. You can always filter them by selecting the **Hidden** option in the **State** filter. If you decide those assets are relevant again, click the **Show** option to restore visibility. ### Rename -Clicking the three vertical dots next to the main action button shows an overflow menu. The **Rename** option opens a modal that allows you to update the asset name. +Click the three vertical dots next to the main action button to show an overflow menu. The **Rename** option opens a modal where you update the asset name. Because assets and targets are synced together, updating an asset name also updates its matching target's name. The opposite is also true: updating the target name also updates the asset name automatically. 
@@ -153,9 +153,9 @@ In the expanded view of the side panel, you can search for specific log messages ## Bulk actions on discovery assets -To improve your asset management, you can take certain actions in bulk. Check the checkboxes of the assets that interest you, and the bulk actions become available at the top of the list. +To improve your asset management, you can take certain actions in bulk. Select the check boxes of the assets that interest you, and the bulk actions become available at the top of the list. -You can choose to: +You can: -* **Set labels**: Apply labels to assets to help you filter and manage them. For example, you can set a **CRITICAL** label on assets that are most critical to protect in your organization, bringing attention to them. Labels assigned to assets are also synced to the respective targets. +* **Set labels**: Apply labels to assets to help you filter and manage them. For example, you can set a **CRITICAL** label on assets that are most critical to protect in your organization, bringing attention to them. Snyk also syncs labels assigned to assets to the respective targets. * **Change state**: Change the state of a group of assets. For example, you can hide assets that are not important so you can focus on the ones that matter most. If you change your mind, you can show them again at any time. You can also set assets as new so you do not miss them, or as not new if you have completed all necessary actions. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/resynchronize-connected-sources.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/resynchronize-connected-sources.md index fcc99e974130..f299c2fc0bd0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/resynchronize-connected-sources.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/resynchronize-connected-sources.md 
@@ -2,13 +2,13 @@ You can scan a Cloudflare or AWS connection for asset discovery by setting up the respective integration on the **Integrations** page. Visit [Scan a Cloudflare connection for asset discovery](scan-cloudflare-connection-asset-discovery.md) and [Scan an AWS connection for asset discovery](scan-aws-connection-asset-discovery.md) to learn more. -When you have one of these integrations in place, you may notice that changes made in those platforms are not immediately reflected in Snyk API & Web. While Snyk API & Web runs periodic checks to ensure information is up to date, you may want to speed up the synchronization with your connections at any time. +When you have one of these integrations in place, changes made in those platforms are not immediately reflected in Snyk API & Web. Snyk runs periodic checks to keep information up to date, but you can speed up the synchronization with your connections at any time. ## Manually resynchronize with connected sources To manually resynchronize with your connected sources: -1. Access the **Domains** page on your Snyk API & Web account by clicking the **Domains** tab that appears under the **Targets** list title. +1. Access the **Domains** page on your Snyk account by clicking the **Domains** tab that appears under the **Targets** list title. 2. On the **Domains** page, click the **Refresh** icon that appears next to the **Add domain** button. -This enables Snyk API & Web to resynchronize with your connected sources, fetch zones (domains) and DNS records from Cloudflare, and import the Route 53 domains set up at AWS. The results load shortly after. +Snyk then resynchronizes with your connected sources, fetches zones (domains) and DNS records from Cloudflare, and imports the Route 53 domains set up at AWS. The results load shortly after. 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-akamai-connection-asset-discovery.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-akamai-connection-asset-discovery.md index b946d8e08cc5..9b19e5d34eec 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-akamai-connection-asset-discovery.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-akamai-connection-asset-discovery.md 
@@ -2,15 +2,15 @@ APIs often operate without the direct oversight of security teams, making them difficult to track and protect. To run a security scan on an API, you first need its specification file (schema), but finding the correct, up-to-date schema for every API in your organization can be a significant challenge. -This guide shows you how to connect your Akamai account to Snyk API & Web. This integration automatically discovers the APIs managed in your Akamai account and imports their schemas, allowing you to add them as targets in Snyk API & Web with a single click. +This guide shows you how to connect your Akamai account to Snyk API & Web. This integration automatically discovers the APIs managed in your Akamai account and imports their schemas, so you can add them as targets in Snyk with a single click. ## Prerequisites -Before you start, you need administrator access to your organization's Akamai API Security portal to retrieve the required API credentials. +Before you start, you must have administrator access to your organization's Akamai API Security portal to retrieve the required API credentials. ## Get your Akamai API credentials -To allow Snyk API & Web to access your assets, you need to obtain API credentials from your Akamai API Security tenant. +To allow Snyk to access your assets, obtain API credentials from your Akamai API Security tenant. 1. Log in to the Akamai API Security portal. 1. From your account's main navigation menu, select **Settings**. 
@@ -23,12 +23,12 @@ To allow Snyk API & Web to access your assets, you need to obtain API credential * `Client Secret` {% hint style="warning" %} -The `Client Secret` is shown only once. Ensure you copy it before leaving the page. You will need these credentials for the next step. +The `Client Secret` is shown only once. Copy it before leaving the page. You need these credentials for the next step. {% endhint %} ## Add the Akamai connection in Snyk API & Web -Use the credentials you created to connect your Akamai account in Snyk API & Web. You can do this from either the global **Integrations** page or the **Discovery** page. +Use the credentials you created to connect your Akamai account in Snyk. You can do this from either the global **Integrations** page or the **Discovery** page. ### From the Integrations page 
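Review bot: the warning hint in this hunk drops "Ensure" but still gives no guidance on what to do with the `Client Secret` once copied, whereas the Cloudflare token step elsewhere in this patch says "Copy the token and store it securely, because you cannot view it again". Both values are long-lived credentials handed to Snyk, so suggest aligning the wording: `The `Client Secret` is shown only once. Copy it and store it securely before leaving the page. You need these credentials for the next step.`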
@@ -53,13 +53,13 @@ Use the credentials you created to connect your Akamai account in Snyk API & Web ## View your discovered assets -After a successful connection, Snyk API & Web immediately begins importing your domains from Akamai. This process runs periodically to keep your inventory up to date. +After a successful connection, Snyk immediately begins importing your domains from Akamai. This process runs periodically to keep your inventory up to date. -You can view these domains by navigating to **Targets** > **Domains**. Once your domains are imported, Snyk API & Web automatically runs a discovery scan on them to find the associated APIs. After this scan completes, your discovered assets are listed under the **Discovery** page. For each API, a **{...}** icon is displayed to indicate that its schema is available. +You can view these domains by navigating to **Targets** > **Domains**. After Snyk imports your domains, it automatically runs a discovery scan on them to find the associated APIs. After this scan completes, Snyk lists your discovered assets on the **Discovery** page. For each API, a **{...}** icon indicates that its schema is available. ## Add a discovered API as a target -Once your API assets appear in the **Discovery** list, you can add them as targets. +After your API assets appear in the **Discovery** list, you can add them as targets. 1. Navigate to the **Discovery** page. 1. To find API assets, use the following filters: 
@@ -67,4 +67,4 @@ Once your API assets appear in the **Discovery** list, you can add them as targe * Filter by **Source** > **Akamai** to display assets imported from this integration. 1. Click **Add Target** on the corresponding row. -Snyk API & Web automatically configures the API as a new target with its schema pre-populated, making it ready for security testing. Once you add the asset as a target, click **Scan** to get started. +Snyk automatically configures the API as a new target with its schema pre-populated, making it ready for security testing. After you add the asset as a target, click **Scan** to get started. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-aws-connection-asset-discovery.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-aws-connection-asset-discovery.md index 65680ca31134..4a55baffae22 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-aws-connection-asset-discovery.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-aws-connection-asset-discovery.md 
@@ -11,15 +11,15 @@ Scanning an AWS Route 53 connection for asset discovery involves two steps: To add an AWS Route 53 connection, you need an AWS access key and secret access key. To obtain them, follow these steps: -1. Sign in to the **AWS Management Console** with your credentials. +1. Log in to the **AWS Management Console** with your credentials. 2. Navigate to the **Identity and Access Management** (IAM) service: 1. Type **iam** in the search box. 2. Select the **IAM** service. 3. In the **Users** section, click **Create User**. 4. Type the **User name** (in this example, it is `test-user`) and click **Next**. -5. Select **Attach policies directly**, choose the desired policies to apply to the user, and click **Next**. +5. Select **Attach policies directly**, select the desired policies to apply to the user, and click **Next**. - If you have not created the policy yet, click **Create policy** and use the example below to configure a policy to allow listing zones and resources from Route 53. After that, refresh the **Permissions policies** list. + If you have not created the policy yet, click **Create policy** and use the following example to configure a policy to allow listing zones and resources from Route 53. After that, refresh the **Permissions policies** list. ```json { 
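Review bot: step 5 in this hunk still reads "select the desired policies to apply to the user", which invites attaching broader permissions than needed to an access key that is then shared with a third-party service; the following paragraph already names the minimum ("a policy to allow listing zones and resources from Route 53"). Suggest pointing step 5 at that policy only, for example: `Select **Attach policies directly**, select the Route 53 listing policy described in the following example, and click **Next**.` The "Sign in" to "Log in" rename is consistent with the other pages in this patch, but note that the AWS console button itself is labelled "Sign in".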
@@ -52,4 +52,4 @@ In Snyk API & Web, add the AWS connection for asset discovery: 3. Select **Connect with AWS Route 53** and click **Next**. 4. On the next screen, enter the **AWS access key** and **AWS secret access key** with the values obtained in the previous step and click **Connect**. -After successfully connecting with AWS, Snyk API & Web starts running regular discovery scans automatically on your account. In Snyk API & Web, check the **Discovery** page. Once the asset discovery is finished, all newly found assets are added to the list. At the top of the page, information about the number of newly found assets is displayed. Click on it to filter the list. +After successfully connecting with AWS, Snyk starts running regular discovery scans automatically on your account. In Snyk, check the **Discovery** page. After the asset discovery finishes, Snyk adds all newly found assets to the list. At the top of the page, Snyk displays information about the number of newly found assets. Click it to filter the list. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-cloudflare-connection-asset-discovery.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-cloudflare-connection-asset-discovery.md index bc6eb7ea5e6f..4f0abcc0096d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-cloudflare-connection-asset-discovery.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-cloudflare-connection-asset-discovery.md @@ -13,12 +13,12 @@ To add a Cloudflare connection, you need the Cloudflare API Token. To obtain it, 1. Navigate to your Cloudflare account, click **My Profile**, and then click **API Tokens** to access the **User API Tokens** tab. -

Account API Tokens will not work in this scenario.

+

Account API Tokens do not work in this scenario.

2. Click **Create Token** and then click **Get Started** in the **Create Custom Token** configuration. -3. Under the **Permissions** section, choose the **Zone** permission group, the item **Zone**, and the **Read** access permission. Then, add another **Zone** permission with the item **DNS** and the **Read** access permission as well. -4. Under the **Zone Resources** section, select the zones you want to include in the scan. Snyk recommends choosing **All zones** to include current and future zones from your Cloudflare account. +3. Under the **Permissions** section, select the **Zone** permission group, the item **Zone**, and the **Read** access permission. Then, add another **Zone** permission with the item **DNS** and the **Read** access permission as well. +4. Under the **Zone Resources** section, select the zones you want to include in the scan. Snyk recommends selecting **All zones** to include current and future zones from your Cloudflare account. 5. Click **Continue to summary** to review the details and then click **Create Token**. -6. After the token is created, you are presented with the token value. Copy the token and store it securely, as you will not be able to view it again. You will need this token value in the next step. +6. After Cloudflare creates the token, it displays the token value. Copy the token and store it securely, because you cannot view it again. You need this token value in the next step. ## Add the Cloudflare connection 
@@ -28,6 +28,6 @@ In Snyk API & Web, add a Cloudflare connection for asset discovery: 2. Select **Connect with Cloudflare** and click **Next**. 3. Paste the Cloudflare API Token (obtained in the previous step) into the **Cloudflare API Token** field and click **Connect**. -After successfully connecting with Cloudflare, Snyk API & Web starts running regular discovery scans automatically on your Cloudflare account. In Snyk API & Web, check the **Discovery** page. Once the asset discovery is finished, all newly found assets are added to the list. At the top of the page, information about the number of newly found assets is displayed. Click on it to filter the list. +After successfully connecting with Cloudflare, Snyk starts running regular discovery scans automatically on your Cloudflare account. In Snyk, check the **Discovery** page. After the asset discovery finishes, Snyk adds all newly found assets to the list. At the top of the page, Snyk displays information about the number of newly found assets. Click it to filter the list. -If you wish to update or remove Snyk API & Web's connection to Cloudflare, navigate to the **Integrations** page in Snyk API & Web. +To update or remove the Snyk connection to Cloudflare, navigate to the **Integrations** page in Snyk. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-domain-asset-discovery.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-domain-asset-discovery.md index 3f953560c9a4..bfcf956ca098 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-domain-asset-discovery.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/discover-new-targets/scan-domain-asset-discovery.md 
@@ -18,8 +18,8 @@ In Snyk API & Web, add a domain for asset discovery: ## Verify the domain -After adding a domain, you must verify it by following the instructions on the screen so the scan is complete. For more information, visit [Verify domain ownership](../configure-targets/verify-domain-ownership/README.md). +After adding a domain, you must verify it by following the instructions on the screen to complete the scan. For more information, visit [Verify domain ownership](../configure-targets/verify-domain-ownership/README.md). -Once the domain is added and verified, Snyk API & Web starts running regular discovery scans automatically on your account. +After the domain is added and verified, Snyk API & Web starts running regular discovery scans automatically on your account. -In Snyk API & Web, check the **Discovery** page. Once the asset discovery is finished, all newly found assets are added to the list. At the top of the page, information about the number of newly found assets is displayed. Click on it to filter the list. +In Snyk, check the **Discovery** page. After the asset discovery finishes, Snyk adds all newly found assets to the list. At the top of the page, Snyk displays information about the number of newly found assets. Click it to filter the list. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/README.md index 605595b9e977..99b061a102a5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/README.md 
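Review bot: the second changed paragraph in this hunk ("After the domain is added and verified, Snyk API & Web starts running regular discovery scans...") keeps the long product name and the passive "is added and verified", while the paragraph immediately after it is rewritten to "Snyk" and active voice, so the two now read inconsistently on the same page. Suggest `After you add and verify the domain, Snyk starts running regular discovery scans automatically on your account.` to match the rest of the patch.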
@@ -24,7 +24,7 @@ Create your account in Snyk API & Web to start scanning: ## Complete the onboarding flow -After creating your account, Snyk API & Web displays [best practices for deploying dynamic application security testing (DAST)](best-practices-for-deploying-dast.md) and guides you through the initial setup: +After creating your account, Snyk displays [best practices for deploying dynamic application security testing (DAST)](best-practices-for-deploying-dast.md) and guides you through the initial setup: 1. Click **Next** to begin. 
@@ -34,11 +34,11 @@ After creating your account, Snyk API & Web displays [best practices for deployi 4. Add your first target: * **Target name**: Enter a descriptive name (for example, "Example") * **Target URL**: Enter the URL to scan (for example, `https://example.com`) -5. When you add a target, Snyk API & Web verifies that you own the domain. Snyk API & Web performs extensive security tests that can appear as malicious attacks. Domain verification proves that you own the domain and are authorized to run security tests. +5. When you add a target, Snyk verifies that you own the domain. Snyk performs extensive security tests that can appear as malicious attacks. Domain verification proves that you own the domain and are authorized to run security tests. 1. The onboarding flow automatically verifies ownership when possible. If automatic verification is not available, you must prove ownership manually through the guided process. Alternatively, you can install a scanning agent to reach internal targets. For more information, see how to [verify domain ownership](../configure-targets/verify-domain-ownership/README.md) and [how to install a scanning agent](../start-scanning/overview-scanning-agent/install-scanning-agent.md). 6. Click **Next** after configuring domain verification or the scanning agent. 7. Click **Scan** to start scanning your target. -8. A success page confirms that your scan has started. +8. A success page confirms that your scan started. ## Review scan coverage @@ -60,11 +60,11 @@ The **Scan Findings** page displays all security vulnerabilities identified duri
Findings list showing discovered vulnerabilities
-Click on a finding in the findings list to view its CVSS score, vulnerability description, remediation guidance, and additional context. +Click a finding in the findings list to view its CVSS score, vulnerability description, remediation guidance, and additional context.
Detailed vulnerability view with CVSS score and remediation steps
-This information helps you understand the severity and impact of each vulnerability, enabling you to prioritize and plan remediation work. +This information helps you understand the severity and impact of each vulnerability so you can prioritize and plan remediation work. ## Next steps diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/best-practices-for-deploying-dast.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/best-practices-for-deploying-dast.md index 604e1b40a73a..55bc05735a9a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/best-practices-for-deploying-dast.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/best-practices-for-deploying-dast.md @@ -4,7 +4,7 @@ Learn how to optimize your dynamic application security testing (DAST) deploymen ## Overview -DAST simulates real-world attacks on your web applications and APIs to identify security vulnerabilities. While DAST provides valuable security insights, it performs invasive scans that can affect application performance and behavior. +DAST simulates real-world attacks on your web applications and APIs to identify security vulnerabilities. DAST provides valuable security insights, but it performs invasive scans that can affect application performance and behavior. During a scan, Snyk API & Web: 
@@ -25,10 +25,10 @@ Avoid scanning production back offices where administrators manage content, user * Inject test data that becomes visible to users and potential attackers {% hint style="warning" %} -When testing for Cross-site Scripting or SQL Injection vulnerabilities, the scanner attempts to inject data into your application. If a vulnerability exists, this test data can appear in your production environment. +When testing for cross-site scripting or SQL injection vulnerabilities, the scanner attempts to inject data into your application. If a vulnerability exists, this test data can appear in your production environment. {% endhint %} -Use production-like test environments that include web servers and databases that can be easily restored if needed. +Use production-like test environments that include web servers and databases you can restore if needed. ## Use test data that replicates real application behavior 
@@ -40,19 +40,19 @@ Using production data in test environments can: * Violate data privacy regulations * Create data leakage risks -Create dedicated test data in a controlled, isolated environment using a separate test organization or user account. This approach enables thorough testing without putting sensitive information at risk. +Create dedicated test data in a controlled, isolated environment using a separate test organization or user account. This approach supports thorough testing without putting sensitive information at risk. ## Configure authentication with test accounts -Many applications restrict access to authenticated users only. Configuring authentication allows Snyk API & Web to scan deeper into your application scope and identify more vulnerabilities. +Many applications restrict access to authenticated users only. Configure authentication so Snyk can scan deeper into your application scope and identify more vulnerabilities. Use dedicated test credentials to prevent mixing test activities with real user data. -To learn more about authentication configuration, see [Configure authentication](../configure-targets/configure-authentication/README.md). +To learn more about authentication configuration, visit [Configure authentication](../configure-targets/configure-authentication/README.md). ## Exclude features that trigger external actions -During scans, Snyk API & Web interacts with every discovered element, including forms and buttons. These interactions can: +During scans, Snyk interacts with every discovered element, including forms and buttons. These interactions can: * Send email messages * Create support tickets 
@@ -66,4 +66,4 @@ Configure your reject list to exclude URLs and features that trigger unwanted ac * Payment processing endpoints * External API calls -For more information, see [Use seeds and reject lists](../configure-targets/use-seeds-and-reject-lists.md). +For more information, visit [Use seeds and reject lists](../configure-targets/use-seeds-and-reject-lists.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/can-i-scan-a-production-site.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/can-i-scan-a-production-site.md index 4d03902a2332..285ef4dd19a1 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/can-i-scan-a-production-site.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/getting-started-with-snyk-api-web/can-i-scan-a-production-site.md @@ -38,6 +38,6 @@ In these applications: - Data added or changed by users is visible only to users from the same entity - Test accounts can be isolated from real user data -For example, in a customer relationship management (CRM) application where each organization has multiple users, create a testing organization and a testing user account specifically for the Snyk API and Web. This isolates test data and minimizes risk. +For example, in a customer relationship management (CRM) application where each organization has multiple users, create a testing organization and a testing user account specifically for Snyk. This isolates test data and minimizes risk. Even in low-risk scenarios, use dedicated test accounts and configure authentication to ensure scans stay within isolated test environments. Visit [Best practices for deploying DAST](best-practices-for-deploying-dast.md) for additional guidance. 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/cli-key-features.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/cli-key-features.md index 3cf2f303ef53..04bf4cbc37bd 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/cli-key-features.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/cli-key-features.md 
@@ -4,38 +4,38 @@ Learn about the CLI key features of Snyk API & Web. ## Overview -The features provided by the CLI allow you to execute faster and automated operations with Snyk API & Web independently of the platform you're working on (Windows, macOS, or Linux), or if integrating with your CI/CD pipelines. +The CLI lets you run faster, automated operations with Snyk API & Web, independently of the platform you work on (Windows, macOS, or Linux) or when integrating with your CI/CD pipelines. -The CLI allows you to execute operations on your targets, scans, and findings. You can do it one by one or in bulk by providing the identifiers or applying a filter. For example, you can pause a single scan or a group of scans given by specific criteria (for example, all scans that are running). +You can run operations on your targets, scans, and findings one by one or in bulk by providing the identifiers or applying a filter. For example, you can pause a single scan or a group of scans that match specific criteria, such as all running scans. ## Targets -For your targets, you can learn the available operations using the command `probely targets -h`. They are basically the following: +To learn the available operations for your targets, run the command `probely targets -h`. The operations are the following: -* **List targets in your account.** To indicate the targets to list, you can provide the identifiers or apply a filter. Use `probely targets get -h` to see all the possible options. -* **Add targets to your account.** Use `probely targets add -h` to see all the possible options. -* **Update targets in your account.** To indicate the targets to update, you can provide the identifiers or apply a filter. Use `probely targets update -h` to see all the possible options. -* **Delete targets from your account.** To indicate the targets to delete, you can provide the identifiers or apply a filter. Use `probely targets delete -h` to see all the possible options. 
-* **Start scans on your targets.** To indicate the targets to start the scan, you can provide the identifiers or apply a filter. Use `probely targets start-scan -h` to see all the possible options. +* List targets in your account. To indicate the targets to list, provide the identifiers or apply a filter. Run `probely targets get -h` to see all the options. +* Add targets to your account. Run `probely targets add -h` to see all the options. +* Update targets in your account. To indicate the targets to update, provide the identifiers or apply a filter. Run `probely targets update -h` to see all the options. +* Delete targets from your account. To indicate the targets to delete, provide the identifiers or apply a filter. Run `probely targets delete -h` to see all the options. +* Start scans on your targets. To indicate the targets to scan, provide the identifiers or apply a filter. Run `probely targets start-scan -h` to see all the options. ## Scans -For your scans, you can learn the available operations using the command `probely scans -h`. They are basically the following: +To learn the available operations for your scans, run the command `probely scans -h`. The operations are the following: -* **List scans in your account.** To indicate the scans to list, you can provide the identifiers or apply a filter. Use `probely scans get -h` to see all the possible options. -* **Pause running scans.** To indicate the scans to pause, you can provide the identifiers or apply a filter. Use `probely scans pause -h` to see all the possible options. -* **Cancel running scans.** To indicate the scans to cancel, you can provide the identifiers or apply a filter. Use `probely scans cancel -h` to see all the possible options. -* **Resume paused scans.** To indicate the scans to resume, you can provide the identifiers or apply a filter. Use `probely scans resume -h` to see all the possible options. +* List scans in your account. 
To indicate the scans to list, provide the identifiers or apply a filter. Run `probely scans get -h` to see all the options. +* Pause running scans. To indicate the scans to pause, provide the identifiers or apply a filter. Run `probely scans pause -h` to see all the options. +* Cancel running scans. To indicate the scans to cancel, provide the identifiers or apply a filter. Run `probely scans cancel -h` to see all the options. +* Resume paused scans. To indicate the scans to resume, provide the identifiers or apply a filter. Run `probely scans resume -h` to see all the options. ## Findings -For your findings, you can learn the available operations using the command `probely findings -h`. They are basically the following: +To learn the available operations for your findings, run the command `probely findings -h`. The operations are the following: -* **List findings in your account.** To indicate the findings to list, you can provide the identifiers or apply a filter. Use `probely findings get -h` to see all the possible options. +* List findings in your account. To indicate the findings to list, provide the identifiers or apply a filter. Run `probely findings get -h` to see all the options. ## Getting started -To run these commands, you need to install the CLI and get an authorization token to use them. Check out these topics in the Developers Portal to learn more about it: +To run these commands, you must install the CLI and get an authorization token. Visit these topics in the Developers Portal to learn more: * Quick Start * Authentication diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/collaborate/integrate-with-slack.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/collaborate/integrate-with-slack.md index 75f4ebd86978..9764b3410536 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/collaborate/integrate-with-slack.md 
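Review bot: the Overview and section intros in this hunk now say "Snyk" while every command still invokes the `probely` binary (`probely targets -h`, `probely scans -h`, `probely findings -h`), which a first-time reader may read as a typo; suggest one sentence in the Overview stating that the CLI executable is named `probely`. Separately, the bold on the list-item lead phrases ("**List targets in your account.**") is dropped in the same hunk as the wording edits; if that is intentional, the same change should be applied to the equivalent lists on the other pages, otherwise keep the bold so the operations stay scannable.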
+++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/collaborate/integrate-with-slack.md @@ -1,6 +1,6 @@ # Integrate with Slack -By connecting Snyk API & Web with Slack, you receive notifications about the activity of your targets in your Slack channels. For example, when target scans start or finish, when logins fail, or when vulnerabilities are found or fixed. +By connecting Snyk API & Web with Slack, you receive notifications about the activity of your targets in your Slack channels. For example, when target scans start or finish, when logins fail, or when Snyk finds or fixes vulnerabilities. This integration involves two steps: 
@@ -11,33 +11,33 @@ This article describes these steps in detail. ## Configure the webhook in Slack -The first step is to configure a webhook in Slack with a channel to receive notifications from Snyk API & Web: +Configure a webhook in Slack with a channel to receive notifications from Snyk: -1. Sign in to your Slack account at `https://slack.com/signin` and select your Slack workspace. -2. Go to `https://api.slack.com/apps` and do the following: +1. Log in to your Slack account at `https://slack.com/signin` and select your Slack workspace. +2. Navigate to `https://api.slack.com/apps` and do the following: 1. If this is your first app, click **Create an App**. Otherwise, click **Create New App**. 2. In the displayed dialog, click **From Scratch**. 3. In the next dialog, fill out the form as follows: - 1. In the **App name**, type in a meaningful name. For example: "Snyk API & Web Integration". - 2. In the dropdown, pick the Slack workspace you want to receive Snyk API & Web notifications. - 3. Click **Create App**, and you are redirected to the **Basic Information** page. -4. On the sidebar menu, select **Incoming Webhooks**, and if not turned on, click the toggle button of **Activate Incoming Webhooks** to turn it on. + 1. In the **App name**, enter a meaningful name. For example: "Snyk API & Web Integration". + 2. In the dropdown, select the Slack workspace you want to receive Snyk notifications. + 3. Click **Create App**. Slack redirects you to the **Basic Information** page. +4. In the sidebar menu, select **Incoming Webhooks**. If it is not turned on, click the toggle button of **Activate Incoming Webhooks** to turn it on. 5. Scroll to the bottom of the page and click **Add New Webhook to Workspace**. -6. On the displayed page, click the dropdown to see the list of Slack channels, select the one you want to receive Snyk API & Web notifications to (for example, "Snyk API & Web notifications"), and click **Allow**. -7. 
Back to **Incoming Webhooks**, scroll down and validate the newly created webhook. -8. Click **Copy** to store the webhook URL in the clipboard. You need it to configure the Slack integration in Snyk API & Web. +6. On the displayed page, click the dropdown to see the list of Slack channels, select the one you want to receive Snyk notifications (for example, "Snyk API & Web notifications"), and click **Allow**. +7. Return to **Incoming Webhooks**, scroll down, and validate the newly created webhook. +8. Click **Copy** to store the webhook URL in the clipboard. You need it to configure the Slack integration in Snyk. -The webhook has been configured on the Slack side. Now move on to the Snyk API & Web side. +You have configured the webhook on the Slack side. Now move on to the Snyk side. ## Configure the Slack webhook in Snyk API & Web -In this step, configure the Slack webhook on the target for which you want to receive notifications about its activity: +Configure the Slack webhook on the target for which you want to receive notifications about its activity: -1. In the Snyk API & Web application, go to **Targets** and click the **gear icon** of the row of the target you want to configure. -2. Click the **Integrations** tab, go to the **Slack** section, and set the **Slack webhook URL**. If you copied the URL to the clipboard at the end of the previous step, paste it. -3. Now choose which events you want to be notified about. For example, events of target scans such as when they start and end, when they identify high-severity vulnerabilities, and if they fail to log in. +1. In the Snyk API & Web application, navigate to **Targets** and click the **gear icon** of the row of the target you want to configure. +2. Click the **Integrations** tab, navigate to the **Slack** section, and set the **Slack webhook URL**. If you copied the URL to the clipboard at the end of the previous step, paste it. +3. Select which events you want to be notified about. 
For example, target scan events such as when scans start and end, when they identify high-severity vulnerabilities, and when they fail to log in. 4. Click **Save** to conclude the Slack integration for the target. -Once a target is integrated with Slack, you start receiving notifications from Snyk API & Web about the target's activity in your Slack channel. For example: +After you integrate a target with Slack, you start receiving notifications from Snyk about the target's activity in your Slack channel. For example: -This integration allows you to adjust notifications to your organization's needs. For example, you can have a single Slack webhook to configure your targets, and you receive all notifications in the same Slack channel. However, if necessary, you can create more webhooks and configure your targets accordingly so that you receive notifications of different targets (or groups of targets) in different Slack channels. +This integration lets you adjust notifications to the needs of your company. For example, you can use a single Slack webhook to configure your targets and receive all notifications in the same Slack channel. If necessary, you can create more webhooks and configure your targets so that you receive notifications of different targets, or groups of targets, in different Slack channels. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/generate-api-key.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/generate-api-key.md index 8e1b9550890f..e50d12b49997 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/generate-api-key.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/generate-api-key.md 
@@ -4,7 +4,7 @@ Learn how to generate API keys to integrate with Snyk API & Web. ## Overview -Snyk API & Web provides API keys for authentication purposes in the integration with third-party systems (for example, Slack, Jira, Azure Boards, Azure DevOps, or Jenkins), as well as the integration of your own applications with Snyk API & Web using the Snyk API & Web API. +Snyk API & Web provides API keys for authentication when you integrate with third-party systems, such as Slack, Jira, Azure Boards, Azure DevOps, or Jenkins. You also use API keys to integrate your own applications with Snyk using the Snyk API & Web API. Generating an API key has two steps: @@ -15,10 +15,10 @@ This article describes these steps in detail. ## Step 1: Access the API key configuration -Start by accessing the API key configuration as follows: +Access the API key configuration as follows: -1. Go to the Snyk API & Web application. -2. Go to the **Settings** dropdown menu at the bottom-left corner of the navigation bar and click **API Keys**. +1. Open the Snyk API & Web application. +2. Navigate to the **Settings** dropdown menu in the bottom-left corner of the navigation bar and select **API Keys**. 3. Click **Add API key** to open the configuration form. ## Step 2: Configure, generate, and save the API key 
@@ -26,13 +26,13 @@ Start by accessing the API key configuration as follows: In the configuration form, fill out the following fields: 1. **Name**: Type a meaningful name for the API key (for example, "Azure DevOps Integration" or "My App Integration with Snyk API & Web"). -2. **Role / Scope**: Choose the roles that can use the API key and at which level (scope) (for example, "Admin" / "Global (account)"). Click the plus (**+**) button to add the pairs of roles and scopes. -3. (Optional) **Labels**: Tag the API key with meaningful labels for filtering purposes. +2. **Role / Scope**: Select the roles that can use the API key and at which level (scope), for example, "Admin" / "Global (account)". Click the plus (**+**) button to add the pairs of roles and scopes. +3. (Optional) **Labels**: Tag the API key with meaningful labels for filtering. Click **Generate key** and copy and save the API key. {% hint style="warning" %} -This is the only time the API key is displayed. Make sure you copy and save it in a secure place. +Snyk displays the API key only this one time. Ensure you copy and save it in a secure place. {% endhint %} -With the API key saved, proceed to the integration with third-party tools or the integration of your own applications with Snyk API & Web using the Snyk API & Web API. +After you save the API key, proceed to integrate with third-party tools or integrate your own applications with Snyk using the Snyk API & Web API. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/integrate-with-defectdojo.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/integrate-with-defectdojo.md index 6258113152ab..44b3642123aa 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/integrate-with-defectdojo.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/integrate-with-defectdojo.md 
@@ -2,53 +2,53 @@ By connecting Snyk API & Web to your DefectDojo server, you can synchronize target scan results with a DefectDojo product of your choice. -The synchronization is uni-directional, meaning that a finding reported by Snyk API & Web is sent to DefectDojo, but if its state changes at DefectDojo, the matching finding at Snyk API & Web will not have its state updated. +The synchronization is unidirectional. Snyk sends a finding it reports to DefectDojo, but if the state of that finding changes in DefectDojo, Snyk does not update the state of the matching finding. -If Snyk API & Web detects a change, it updates the DefectDojo finding. For instance, if the underlying vulnerability is fixed, Snyk API & Web detects it, sets the finding as fixed, and updates the DefectDojo finding to fixed as well. +When Snyk detects a change, it updates the DefectDojo finding. For example, when the underlying vulnerability is fixed, Snyk detects this, sets the finding as fixed, and updates the DefectDojo finding to fixed. -The DefectDojo instance is set at the account level and enabled on demand for each target. Configurations such as which product and engagement to use are set in the target settings. +You set the DefectDojo instance at the account level and enable it on demand for each target. You set configurations such as which product and engagement to use in the target settings. This integration supports DefectDojo versions 1.5.X and 1.6.X. ## Configure DefectDojo API key -Snyk API & Web needs the URL of your DefectDojo server and an API v2 Key to authenticate itself. The API key must belong to a staff user. +Snyk needs the URL of your DefectDojo server and an API v2 Key to authenticate. The API key must belong to a staff user. -You can find your API v2 Key at `/api/key-v2` or by clicking in the top right dropdown and click **API v2 Key**. +You can find your API v2 Key at `/api/key-v2` or by clicking the top-right dropdown and selecting **API v2 Key**. 
Copy the API key value. -Go to `https://plus.probely.app/integrations` and enter your DefectDojo URL and the copied API key. It looks like this: +Navigate to `https://plus.probely.app/integrations` and enter your DefectDojo URL and the copied API key. It looks like this: Click **Save**. -Snyk API & Web tries to connect and authenticate to DefectDojo, and a success message appears. Done. +Snyk connects and authenticates to DefectDojo, and a success message appears. -If the Snyk API & Web servers cannot connect or the API key is incorrect, an error is displayed. Review your configuration and ensure your server can receive connections from Snyk API & Web IPs. +If the Snyk servers cannot connect or the API key is incorrect, an error appears. Review your configuration and ensure your server can receive connections from Snyk IPs. ## Choose your synchronization settings -You need to choose which targets to synchronize and how. To configure a target to use DefectDojo go to its settings at **Settings > Integrations** and then **DefectDojo**. +Choose which targets to synchronize and how. To configure a target to use DefectDojo, navigate to its settings at **Settings > Integrations** and then **DefectDojo**. You see the following screen: ### Product -Choose which DefectDojo product to sync with. +Select which DefectDojo product to synchronize with. ### Engagement -Choose which engagement to sync with. The list only shows engagements for the selected product. +Select which engagement to synchronize with. The list shows only engagements for the selected product. ### Test -An optional name to identify Snyk API & Web scans. If empty, the target scans can be identified by the test type **Snyk API & Web Scan**. The test type is created automatically when the integration is configured. +An optional name to identify Snyk scans. If empty, the test type **Snyk API & Web Scan** identifies the target scans. Snyk creates the test type automatically when you configure the integration. 
### Set findings to active/verified -Sets the findings reported by Snyk API & Web to active/verified. +Sets the findings that Snyk reports to active/verified. -These are enabled by default to ensure findings get adequate visibility at DefectDojo. Non-active and non-verified findings might not be visible in the DefectDojo dashboards. +These are enabled by default to ensure findings get adequate visibility in DefectDojo. Non-active and non-verified findings can be hidden in the DefectDojo dashboards. ### Delete diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/configure-jira-synchronization-settings.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/configure-jira-synchronization-settings.md index b742bcc36bb2..0f51c6b104af 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/configure-jira-synchronization-settings.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/configure-jira-synchronization-settings.md 
@@ -1,16 +1,16 @@ # Configure Jira synchronization settings -You can connect Snyk API & Web with either Jira Cloud or with your own Jira Server instance. This enables you to have two-way synchronization of your findings with Jira, by fully integrating Snyk API & Web with your existing bug tracker or task manager. +You can connect Snyk API & Web with either Jira Cloud or your own Jira Server instance. This gives you two-way synchronization of your findings with Jira by integrating Snyk with your existing bug tracker or task manager. -Regardless of your Jira setup, you need to choose which targets to synchronize and how. The options available are the same for both Jira Cloud and Jira Server. +Regardless of your Jira setup, you must choose which targets to synchronize and how. The available options are the same for both Jira Cloud and Jira Server. -For information on how to connect Snyk API & Web with your Jira Server instance, visit [Integrate with Jira Server](integrate-with-jira-server.md). +For information about connecting Snyk with your Jira Server instance, visit [Integrate with Jira Server](integrate-with-jira-server.md). ## Access the Jira integration settings To set up the configuration, access the **Integrations** tab of your **Target Settings** and locate the **Jira Server** or **Jira Cloud** module, depending on the integration you want to configure. -If the integration is available to be set up, you see the following screen: +If the integration is available to set up, you see the following screen: ## Configure synchronization options 
@@ -22,22 +22,22 @@ Choose which Jira project to sync with. Choose the type of issue for the findings. -The options available depend on the project you chose before. The same goes for the status and priority mapping that follows. +The available options depend on the project you chose. The same applies to the status and priority mapping that follows. ### Automatically sync all findings -If enabled, all findings, existing and future, are automatically synchronized with Jira. If disabled, you need to choose individual findings to sync at each finding's details. +If enabled, Snyk automatically synchronizes all findings, existing and future, with Jira. If disabled, you must choose individual findings to sync in each finding's details. ### Status mapping Maps Snyk API & Web status to Jira status: -* **Not Fixed**: The initial state of the finding, right after being reported. -* **Invalid** (optional): Manually changed by the user to report a false positive. -* **Accepted Risk** (optional): Manually changed by the user, who acknowledges the finding but accepts its risk and will not fix it. -* **Fixed**: Snyk API & Web confirms that the finding is fixed. +* **Not Fixed**: The initial state of the finding, right after Snyk reports it. +* **Invalid** (optional): The user changes the finding manually to report a false positive. +* **Accepted Risk** (optional): The user changes the finding manually to acknowledge it but accept its risk and not fix it. +* **Fixed**: Snyk confirms that the finding is fixed. -Each Jira status can only be used once for each project. +You can use each Jira status only once for each project. ### Priority mapping 
@@ -46,6 +46,6 @@ Maps Snyk API & Web severity to Jira priority: * **Critical**: A finding that represents a critical risk for the application and requires immediate remediation. * **High**: A finding that represents a high risk for the application, whose exploitation can relatively easily cause damage to the application. * **Medium**: A finding that alone is unlikely to cause damage to the application. However, if combined with another one, or in rare situations by itself, it can cause damage. -* **Low**: Alone, a low risk finding will not compromise your application, except in extreme situations. The attacker will normally require another higher risk finding to be able to take advantage of this one. +* **Low**: Alone, a low-risk finding does not compromise your application, except in extreme situations. The attacker normally requires another higher-risk finding to take advantage of this one. -Once you are done, do not forget to click **Save** so that your changes are not lost. +After you finish, click **Save** so that you do not lose your changes. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-azure-devops-boards.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-azure-devops-boards.md index 0ba5f66404fb..e775099cf747 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-azure-devops-boards.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-azure-devops-boards.md 
@@ -2,33 +2,33 @@ By connecting Snyk API & Web to Microsoft Azure DevOps Boards, you can synchronize target scan results with an Azure Boards organization and project of your choice. -The synchronization is bi-directional, meaning that a finding reported by Snyk API & Web is sent to your Azure Boards, and as soon as it is set as Done, Snyk API & Web triggers a retest. If the finding is fixed, the Azure Boards work item remains closed. Otherwise, it is reopened. +The synchronization is bi-directional. Snyk sends a reported finding to your Azure Boards, and as soon as the finding is set to **Done**, Snyk triggers a retest. If the finding is fixed, the Azure Boards work item remains closed. Otherwise, Snyk reopens it. -If Snyk API & Web detects a change, it updates the Azure Boards work item. For instance, if the underlying vulnerability was fixed, Snyk API & Web detects it, sets the finding as fixed, and updates the Azure Boards work item to fixed as well. +If Snyk detects a change, it updates the Azure Boards work item. For example, if the underlying vulnerability is fixed, Snyk detects it, sets the finding as fixed, and updates the Azure Boards work item to fixed as well. -Comments are also synchronized in both directions to ensure you always have all the information about that finding in both places. +Snyk synchronizes comments in both directions so that you always have all the information about a finding in both places. -The Azure DevOps service connection is enabled at the account level and then enabled on demand for each target. Configurations such as which product and work item to use are set in the target settings. +You enable the Azure DevOps service connection at the account level and then on demand for each target. You set configurations such as which product and work item to use in the target settings. 
## Authorize Snyk API & Web to access your Azure DevOps account -To start, go to the Snyk API & Web Integrations page at `https://plus.probely.app/integrations` and find the Azure DevOps section. +To start, navigate to the Snyk Integrations page at `https://plus.probely.app/integrations` and find the Azure DevOps section. -Snyk API & Web needs permission to connect to your Azure DevOps account to synchronize findings. Snyk API & Web asks for the minimum set of permissions that allow it to list organizations and projects and create work items from Snyk API & Web findings. +Snyk needs permission to connect to your Azure DevOps account to synchronize findings. Snyk asks for the minimum set of permissions that let it list organizations and projects and create work items from Snyk findings. -Click the link to begin. A browser tab opens at Azure, where you are asked to log in if you are not already authenticated. Then you are asked to accept the permissions Snyk API & Web is requesting. +Click the link to begin. A browser tab opens at Azure, where you log in if you are not already authenticated. You then accept the permissions Snyk requests. Click **Accept** to continue. -If you already have an organization and at least one project created at Azure DevOps, you are redirected to Snyk API & Web right away. If that is not the case, Azure asks you to create an organization and a project, both required for this integration to work. +If you already have an organization and at least one project created at Azure DevOps, Azure redirects you to Snyk right away. Otherwise, Azure asks you to create an organization and a project, both required for this integration to work. Choose the organization you want to use and click **Save**. -You may need to update your organization settings at Azure. Access your **Organization**, go to **Organization Settings**, and under **Security**, click the **Policies** entry. 
There you need to make sure that the "Third-party application access via OAuth" is set to On. +You might need to update your organization settings at Azure. Access your **Organization**, navigate to **Organization Settings**, and under **Security**, click **Policies**. Make sure that **Third-party application access via OAuth** is set to **On**. ## Choose your synchronization settings -Back at Snyk API & Web, you need to choose which targets to synchronize and how. To configure a target to use Azure DevOps Boards, go to the **Integrations** tab from that target's **Settings** and locate the **Azure DevOps Boards** module. +Back at Snyk, choose which targets to synchronize and how. To configure a target to use Azure DevOps Boards, navigate to the **Integrations** tab from that target's **Settings** and locate the **Azure DevOps Boards** module. You see the following screen: 
@@ -38,28 +38,28 @@ Choose which project to sync with. ### Work Item Type -Choose which work item type to sync with. This depends on the project selected. Only two types of work items are currently supported: **Issue** or **Task**. +Choose which work item type to sync with. This depends on the selected project. Snyk supports only two types of work items: **Issue** or **Task**. ### Automatically sync all findings -If checked, all findings that are not fixed are synced to Azure, as well as any new findings. +If selected, Snyk syncs all findings that are not fixed to Azure, as well as any new findings. -Alternatively, you can enable per-finding synchronization. To do so, check **Sync finding** in the details of the finding, as shown here: +Alternatively, you can enable per-finding synchronization. To do so, select **Sync finding** in the details of the finding, as shown here: ### Delete -Removes the configuration for this target. Findings already synchronized are kept at Azure. +Removes the configuration for this target. Azure keeps findings that are already synchronized. -To finish the configuration, select the project and work item and click **Save**. If the **Automatically sync all findings** box is checked, synchronization starts immediately and takes just a few seconds. +To finish the configuration, select the project and work item and click **Save**. If the **Automatically sync all findings** box is selected, synchronization starts immediately and takes a few seconds. -Snyk API & Web adds two tags to each work item created at Azure: +Snyk adds two tags to each work item created at Azure: * One indicating the severity, with the following values: `Low severity`, `Medium severity`, or `High severity`. -* One with `Probely`, identifying which work items are being synced. It also gives you a way to easily filter those coming from Snyk API & Web. **Do not remove this tag**. Otherwise, the synchronization stops working for that work item. 
+* One with `Probely`, identifying which work items are synced. It also gives you a way to filter those coming from Snyk. **Do not remove this tag**. Otherwise, the synchronization stops working for that work item. ## Integrate with Azure DevOps CI/CD pipelines -To foster automation between systems, integrate with Azure DevOps to execute operations in Snyk API & Web triggered from Azure pipelines using the Snyk API & Web API. +To foster automation between systems, integrate with Azure DevOps to run operations in Snyk triggered from Azure pipelines using the Snyk API. The integration involves two steps: 
@@ -68,19 +68,19 @@ The integration involves two steps: ### Get integration information from Snyk API & Web -Before configuring the integration in Azure, get the necessary information from Snyk API & Web: +Before configuring the integration in Azure, get the necessary information from Snyk: 1. Get the **Target Identifier** (Target ID): - 1. Go to the **Targets** list in the Snyk API & Web application. + 1. Navigate to the **Targets** list in the Snyk application. 2. Click the target and obtain the target ID from the URL. -2. Generate the **API Key** and save it so Azure is able to perform actions in Snyk API & Web. Learn how to generate an API key in the Snyk API & Web documentation. +2. Generate the **API Key** and save it so Azure can perform actions in Snyk. Learn how to generate an API key in the Snyk documentation. ### Configure Azure to integrate with Snyk API & Web -With the information from Snyk API & Web, it is time to do the configuration in Azure: +With the information from Snyk, do the configuration in Azure: -1. Log in to the Azure DevOps account at `https://dev.azure.com` and go to **Pipelines**. -2. Click the pipeline to select it and then click the **Edit** button on the top-right corner of the screen. +1. Log in to the Azure DevOps account at `https://dev.azure.com` and navigate to **Pipelines**. +2. Click the pipeline to select it and then click **Edit** in the top-right corner of the screen. 3. In the list of Agent Jobs, click the plus (**+**) button to add a new task. 4. Select **Command Line** from the list and click **Add**. 5. Select the newly added Command Line Script. 
@@ -94,11 +94,11 @@ curl -k -X POST 'https://api.probely.com/targets//scan_now/' -H 'Auth **Notes:** -1. In this example, the command triggers a target scan using the Snyk API & Web API endpoint. Explore the API for other operations to trigger from your Azure pipelines. +1. In this example, the command triggers a target scan using the Snyk API endpoint. Explore the API for other operations to trigger from your Azure pipelines. 2. In the curl command: 1. Replace `` and `` with the corresponding values obtained in the previous step. - 2. There is also a parameter defining the scan profile to be used in the scan: `-d '{"scan_profile": "normal"}'`. You can remove it, and the scan profile will be the one defined in the target settings. + 2. A parameter also defines the scan profile to use in the scan: `-d '{"scan_profile": "normal"}'`. You can remove it, and the scan profile is the one defined in the target settings. 3. Click the **Save & queue** dropdown menu and select **Save & queue** from the list. -4. A **Run pipeline** dialog is displayed. Click **Save and run** to manually run the pipeline and test the integration. +4. A **Run pipeline** dialog appears. Click **Save and run** to run the pipeline manually and test the integration. -From now on, every time this Azure pipeline runs, it triggers the scan of the target in Snyk API & Web. +From now on, every time this Azure pipeline runs, it triggers the scan of the target in Snyk. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-cloud.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-cloud.md index 1bbbae1fb75d..117ab6eb3205 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-cloud.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-cloud.md 
@@ -1,14 +1,14 @@ # Integrate with Jira Cloud -You can connect Snyk API & Web with either Jira Cloud or with your own Jira Server instance. This enables you to have two-way synchronization of your findings with Jira, meaning that a finding that is reported by Snyk API & Web is sent to Jira and as soon as it is closed it triggers a retest. If the finding is fixed, the Jira issue remains closed. Otherwise, it is reopened. +You can connect Snyk API & Web with either Jira Cloud or your own Jira Server instance. This gives you two-way synchronization of your findings with Jira. Snyk sends a reported finding to Jira, and as soon as the finding is closed, Snyk triggers a retest. If the finding is fixed, the Jira issue remains closed. Otherwise, Snyk reopens it. -Regardless of your Jira setup, you need to choose which targets to synchronize and how (either manually or automatically). +Regardless of your Jira setup, you must choose which targets to synchronize and how, either manually or automatically. -For information on integrating with Jira Server, visit [Integrate with Jira Server](integrate-with-jira-server.md). +For information about integrating with Jira Server, visit [Integrate with Jira Server](integrate-with-jira-server.md). ## Configure Jira synchronization settings -After connecting your Jira Cloud instance to Snyk API & Web, configure which targets to synchronize and how. The options available are the same for both Jira Cloud and Jira Server. +After connecting your Jira Cloud instance to Snyk, configure which targets to synchronize and how. The available options are the same for both Jira Cloud and Jira Server. To set up the configuration, access the **Integrations** tab of your **Target Settings** and locate the **Jira Cloud** module, depending on the integration you configured. 
@@ -20,22 +20,22 @@ Choose which Jira project to sync with. Choose the type of issue for the findings. -The options available depend on the project you chose before. The same goes for the status and priority mapping that follows. +The available options depend on the project you chose. The same applies to the status and priority mapping that follows. ### Automatically sync all findings -If enabled, all findings, existing and future, are automatically synchronized with Jira. If disabled, you need to choose individual findings to sync at each finding's details. +If enabled, Snyk automatically synchronizes all findings, existing and future, with Jira. If disabled, you must choose individual findings to sync in each finding's details. ### Status mapping Maps Snyk API & Web status to Jira status: -* **Not Fixed**: The initial state of the finding, right after being reported. -* **Invalid** (optional): Manually changed by the user to report a false positive. -* **Accepted Risk** (optional): Manually changed by the user, who acknowledges the finding but accepts its risk and will not fix it. -* **Fixed**: Snyk API & Web confirms that the finding is fixed. +* **Not Fixed**: The initial state of the finding, right after Snyk reports it. +* **Invalid** (optional): The user changes the finding manually to report a false positive. +* **Accepted Risk** (optional): The user changes the finding manually to acknowledge it but accept its risk and not fix it. +* **Fixed**: Snyk confirms that the finding is fixed. -Each Jira status can only be used once for each project. +You can use each Jira status only once for each project. ### Priority mapping 
@@ -44,6 +44,6 @@ Maps Snyk API & Web severity to Jira priority: * **Critical**: A finding that represents a critical risk for the application and requires immediate remediation. * **High**: A finding that represents a high risk for the application, whose exploitation can relatively easily cause damage to the application. * **Medium**: A finding that alone is unlikely to cause damage to the application. However, if combined with another one, or in rare situations by itself, it can cause damage. -* **Low**: Alone, a low risk finding will not compromise your application, except in extreme situations. The attacker will normally require another higher risk finding to be able to take advantage of this one. +* **Low**: Alone, a low-risk finding does not compromise your application, except in extreme situations. The attacker normally requires another higher-risk finding to take advantage of this one. -Once you are done, do not forget to click **Save** so that your changes are not lost. +After you finish, click **Save** so that you do not lose your changes. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-server.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-server.md index e88ca4acbc9f..7cbf0da65573 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-server.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-jira-server.md 
@@ -1,16 +1,16 @@ # Integrate with Jira Server -By connecting Snyk API & Web to your Jira Server, you can synchronize target scan results with a Jira project of your choice. This synchronization can be done automatically or manually, finding by finding. +By connecting Snyk API & Web to your Jira Server, you can synchronize target scan results with a Jira project of your choice. Snyk can do this synchronization automatically or manually, finding by finding. -The synchronization is bi-directional. A finding reported by Snyk API & Web is sent to Jira, and as soon as it is closed, Snyk API & Web triggers a retest. If the finding is fixed, the Jira issue remains closed. Otherwise, it is reopened. +The synchronization is bi-directional. Snyk sends a reported finding to Jira, and as soon as the finding is closed, Snyk triggers a retest. If the finding is fixed, the Jira issue remains closed. Otherwise, Snyk reopens it. -Connecting Snyk API & Web to your Jira Server takes no more than five minutes by following the instructions below. +Connecting Snyk to your Jira Server takes no more than five minutes if you follow these instructions. ## Generate an RSA public/private key pair -Jira validates the identity of the Snyk API & Web server by requiring it to use a certificate. You can use any RSA public/private key pair, so you can skip the generation if you want to use another pair. +Jira validates the identity of the Snyk server by requiring it to use a certificate. You can use any RSA public/private key pair, so you can skip the generation if you want to use another pair. -When prompted for the certificate details, you can enter whatever you want, including using the default values by pressing Enter, except for the Common Name, where you must enter something (anything will do). +When prompted for the certificate details, you can enter anything, including the default values, by pressing **Enter**. The exception is the Common Name, where you must enter something. 
```bash openssl genrsa -out jira_privatekey.pem 2048 @@ -24,12 +24,12 @@ openssl x509 -pubkey -noout -in jira_publickey.cer > jira_publickey.pem ## Create a new Jira application link -1. In Jira Server, at the top right corner, go to **gear icon > Applications** and then click **Application Links** under **Integrations**. +1. In Jira Server, in the top-right corner, navigate to **gear icon > Applications** and then click **Application Links** under **Integrations**. 1. Enter `https://plus.probely.app/jira-server/` in the input field and then click **Create new link**. Ignore the warning "No response was received from the URL you entered" and click **Continue**. -1. On the next dialog, input the following: +1. On the next dialog, enter the following: * **Application Name**: Probely * **Application Type**: Generic Application * **Service Provider Name**: Probely 
@@ -42,23 +42,23 @@ Ignore the warning "No response was received from the URL you entered" and click 1. Edit the Probely application link (pencil icon on the right) and fill out the Incoming Authentication form as follows: * **Consumer Key**: Same key as in the previous form * **Consumer Name**: Probely - * **Public Key**: Public key created in the beginning (in the jira\_publickey.pem file) + * **Public Key**: Public key created at the start (in the jira\_publickey.pem file) * **Callback URL**: `https://plus.probely.app/jira-server/callback/` 1. Click **Save**. ## Connect Snyk API & Web -1. In your Snyk API & Web account, open the **Settings** dropdown menu on the bottom-left corner and click **Integrations**. +1. In your Snyk account, open the **Settings** dropdown menu in the bottom-left corner and click **Integrations**. 1. Fill out the **Jira Server** form as follows: * **Server URL**: URL for your Jira Server instance * **Consumer Key**: Same as previous steps - * **Consumer Secret**: Private key created at the beginning (in the jira\_privatekey.pem file) + * **Consumer Secret**: Private key created at the start (in the jira\_privatekey.pem file) * **Verify TLS**: On (do not turn this option off without a very good reason) 1. Click **Authorize**. -1. Click **Allow** to allow Snyk API & Web to access your Jira Server. +1. Click **Allow** to allow Snyk to access your Jira Server. -Your Jira Server is now connected to your Snyk API & Web account. +Your Jira Server is now connected to your Snyk account. -The next step is configuring the Snyk API & Web targets you want to synchronize. For each target you want to synchronize the findings, go to its **Target Settings > Integrations > Jira Server** and configure how they synchronize. +The next step is configuring the Snyk targets you want to synchronize. For each target whose findings you want to synchronize, navigate to its **Target Settings > Integrations > Jira Server** and configure how they synchronize. 
Visit [Configure Jira synchronization settings](configure-jira-synchronization-settings.md) for more information about the configuration options. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-servicenow.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-servicenow.md index 68f42dc0e4e0..b44535badc12 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-servicenow.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-servicenow.md 
@@ -1,21 +1,21 @@ # Integrate with ServiceNow -This integration periodically fetches data, such as targets and findings, from the Snyk API & Web platform and includes it in your ServiceNow Application Vulnerability Response (AVR) tables, allowing you to manage Snyk API & Web vulnerabilities within your ServiceNow workflow. +This integration periodically fetches data, such as targets and findings, from the Snyk API & Web platform and includes it in your ServiceNow Application Vulnerability Response (AVR) tables. This lets you manage Snyk vulnerabilities in your ServiceNow workflow. ## Prerequisites -Before you begin, ensure you have the following: +Ensure you have the following: -* **Snyk API & Web requirements:** - * A Snyk API & Web API Key. - * Your Snyk API & Web base URL. - * A valid Enterprise license for the Snyk Platform. -* **ServiceNow version compatibility:** +* Snyk API & Web requirements: + * A Snyk API Key. + * Your Snyk base URL. + * A valid Enterprise license for the Snyk platform. +* ServiceNow version compatibility: * Washington DC, Xanadu, or Yokohama. -* **Required ServiceNow plugins:** +* Required ServiceNow plugins: * **Vulnerability Response** (version 25.0.7 or newer). You must have a Pro or Enterprise license for this plugin. -* **Required ServiceNow roles:** - * You need the **System Administrator (admin)** role in ServiceNow to install the application and configure system properties. +* Required ServiceNow roles: + * You must have the **System Administrator (admin)** role in ServiceNow to install the application and configure system properties. ## Install the Snyk API & Web application in ServiceNow 
@@ -43,17 +43,17 @@ After installation, assign the necessary roles to the users or groups who manage ## Authenticate and configure the integration -Next, connect the application to your Snyk API & Web account and configure the data filters. +Next, connect the application to your Snyk account and configure the data filters. 1. In ServiceNow, navigate to the **Snyk API and Web** application menu and select **Authentication**. -1. Enter your Snyk API & Web base URL (if different from the default). For example, `https://api.eu.probely.com`, `https://api.us.probely.com`, and so on. -1. Paste your Snyk API & Web API Key into the corresponding field. +1. Enter your Snyk base URL (if different from the default). For example, `https://api.eu.probely.com`, `https://api.us.probely.com`, and so on. +1. Paste your Snyk API Key into the corresponding field. 1. Click **Authenticate Credentials** to validate the connection. -1. Once authentication is successful, expand the **Filter Configuration** section. Here you can define which assets and findings to import. - * **Target Labels**: Filter by Snyk API & Web target labels. - * **Finding Labels**: Filter by Snyk API & Web finding labels. - * **Teams**: Filter by Snyk API & Web teams. - * **Severity**: Filter by Snyk API & Web severity level (Low, Medium, High, Critical). +1. After authentication is successful, expand the **Filter Configuration** section. Here you can define which assets and findings to import. + * **Target Labels**: Filter by Snyk target labels. + * **Finding Labels**: Filter by Snyk finding labels. + * **Teams**: Filter by Snyk teams. + * **Severity**: Filter by Snyk severity level (Low, Medium, High, Critical). **Note:** Within a single filter, an **OR** logic is used (for example, selecting **High** and **Critical** imports findings with either severity). Across different filters, an **AND** logic is used (for example, selecting a target label and a severity requires a finding to match both). 
@@ -61,39 +61,39 @@ Next, connect the application to your Snyk API & Web account and configure the d ## Perform the initial data import -After authentication, run the initial import to pull findings from Snyk API & Web into ServiceNow. +After authentication, run the initial import to pull findings from Snyk into ServiceNow. 1. In ServiceNow, navigate to the **Snyk API and Web** application menu and click **Integrations**. 1. Select the **Snyk Findings Import** record. 1. To run the import immediately, click **Execute Now**. -1. To set up a recurring import, check the **Active** box and configure the schedule (for example, Daily, Weekly, Monthly) as needed. +1. To set up a recurring import, select the **Active** box and configure the schedule (for example, Daily, Weekly, or Monthly) as needed. ## Verify the outcome -Once the integration run is complete, you can verify its success: +After the integration run is complete, you can verify its success: -* **View imported targets**: Navigate to **Snyk API and Web > Targets**. You see a list of the application targets imported from Snyk API & Web. -* **View vulnerable items**: Navigate to **Snyk API and Web > Application Vulnerable Items**. This list contains all the findings from Snyk API & Web. +* **View imported targets**: Navigate to **Snyk API and Web > Targets**. You see a list of the application targets imported from Snyk. +* **View vulnerable items**: Navigate to **Snyk API and Web > Application Vulnerable Items**. This list contains all the findings from Snyk. * **Check the dashboard**: Navigate to **Snyk API and Web > Snyk Dashboards** for a graphical overview of the imported data. ## Manage the integration ### Retest findings -When an Application Vulnerable Item (AVIT) is closed in ServiceNow, you can trigger a retest in Snyk API & Web. +When an Application Vulnerable Item (AVIT) is closed in ServiceNow, you can trigger a retest in Snyk. 1. Navigate to **Snyk API and Web > Retest Targets**. -1. 
Ensure the **Scheduled Script Execution** is set to **Active**. This job periodically checks for closed AVITs and initiates a retest in Snyk API & Web. +1. Ensure the **Scheduled Script Execution** is set to **Active**. This job periodically checks for closed AVITs and initiates a retest in Snyk. ### Fetch labels and teams -To update the available filter options in the configuration, you can manually fetch the latest labels and teams from Snyk API & Web. +To update the available filter options in the configuration, you can manually fetch the latest labels and teams from Snyk. 1. Navigate to **Snyk API and Web > Fetch Labels and Teams**. 1. Click **Execute Now**. ### Advanced configuration -The integration includes default assignment rules and CI lookup rules. You can customize these to fit your organization's workflow by navigating to **Application Vulnerability Response > Administration**. +The integration includes default assignment rules and CI lookup rules. You can customize these to fit your company workflow by navigating to **Application Vulnerability Response > Administration**. **Important:** Do not delete the integration record from the **Integrations** module. Doing so requires a full reinstallation of the application. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-shortcut.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-shortcut.md index 52a006772053..d4e4cab18074 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-shortcut.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/issue-tracking/integrate-with-shortcut.md 
@@ -1,34 +1,34 @@ # Integrate with Shortcut -You can synchronize findings with your Shortcut storyboard by connecting Snyk API & Web to Shortcut. This synchronization can be done automatically or manually, finding by finding. +You can synchronize findings with your Shortcut storyboard by connecting Snyk API & Web to Shortcut. Snyk can do this synchronization automatically or manually, finding by finding. -Synchronization is one-way, and changes made to Shortcut items will not be propagated to their respective findings on Snyk API & Web. Manual changes to Snyk API & Web findings are also not synced to Shortcut. Only changes caused by a scan are synced. +Synchronization is one-way. Snyk does not propagate changes made to Shortcut items to their respective findings in Snyk. Snyk also does not sync manual changes to Snyk findings to Shortcut. Snyk syncs only changes caused by a scan. ## Generate a Shortcut token -1. In Shortcut, go to **Your Account > Settings > API Tokens**. +1. In Shortcut, navigate to **Your Account > Settings > API Tokens**. 2. Name and generate a new token. -3. Copy and save the token somewhere secure. When you generate a new token, the value is displayed only once, so write it down. +3. Copy and save the token somewhere secure. When you generate a new token, the value appears only once, so write it down. ## Authenticate and configure the integration -Once you have the token, use it to authenticate with Snyk API & Web. +After you have the token, use it to authenticate with Snyk. 1. Log in to your account and choose **Integrations** from the side menu. 2. Scroll to the Shortcut option. -3. Insert your token and click **Save**. -4. Next, go to your target's **Settings** and access the **Integrations** tab to set up the configuration. -5. Fill out the required fields from the Shortcut configuration form. It includes: +3. Enter your token and click **Save**. +4. 
Next, navigate to your target's **Settings** and access the **Integrations** tab to set up the configuration. +5. Fill out the required fields in the Shortcut configuration form. It includes: * **Project** * **Story type** * **Priority mapping** * **Severity mapping** -This information is required for Snyk API & Web to start synchronizing findings. +Snyk requires this information to start synchronizing findings. -1. Check the box "Automatically sync all findings". Otherwise, Snyk API & Web will not start synchronizing them. +1. Select the **Automatically sync all findings** box. Otherwise, Snyk does not start synchronizing them. -If you do not wish to synchronize all the findings or if you prefer to hand-pick some of them, instead of selecting this checkbox you can manually configure the synchronization for certain findings. To do that: +If you do not want to synchronize all the findings, or if you prefer to hand-pick some of them, you can manually configure the synchronization for certain findings instead of selecting this box. To do that: -1. Go to that target and choose a finding you want to synchronize with your Shortcut project and board. -2. Check the "Sync finding" box to get updates from Snyk API & Web to Shortcut. +1. Navigate to that target and choose a finding you want to synchronize with your Shortcut project and board. +2. Select the **Sync finding** box to get updates from Snyk to Shortcut. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/README.md index dcee8fedf492..f8f1145e1c59 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/README.md 
@@ -1,14 +1,14 @@ # CI/CD integrations overview -This guide provides everything you need to get started integrating Dynamic Application Security Testing (DAST) into your CI/CD pipeline. +This guide provides everything you need to start integrating dynamic application security testing (DAST) into your CI/CD pipeline. ## Why integrate DAST into CI/CD Integrating DAST into your CI/CD pipeline is the most scalable way to automate security. It serves as a central point to guarantee security coverage across all your applications, provides a readily available version of your app for testing, and fits directly into your developers' existing workflows. -Whether your goal is to monitor applications at scale, cause vulnerable deployments to fail before they go live, or provide early security feedback to developers, the Snyk API & Web integration is designed to be flexible enough for any environment. +Whether your goal is to monitor applications at scale, fail vulnerable deployments before they go live, or provide early security feedback to developers, the Snyk API & Web integration is flexible enough for any environment. -To begin, find your specific provider in the guides below or use the Snyk API & Web CLI for any other tool. +To begin, find your provider in the following guides or use the Snyk CLI for any other tool. ## CI/CD provider guides 
@@ -19,39 +19,39 @@ To begin, find your specific provider in the guides below or use the Snyk API & ## Connect to any CI/CD tool -While detailed guides are provided for popular platforms, you can integrate Snyk API & Web into any CI/CD provider using the Snyk API & Web CLI. This command-line tool is simple to script and a versatile tool for integration into various development and automation environments. +Detailed guides are provided for popular platforms, but you can integrate Snyk into any CI/CD provider using the Snyk CLI. This command-line tool is simple to script and versatile for integration into various development and automation environments. Visit the [CLI key features](../cli-key-features.md) article to learn more about the CLI capabilities. ## Best practices -### Choose your integration strategy: blocking vs. non-blocking +### Choose your integration strategy: blocking or non-blocking -The first step is to decide on your goal. The CI/CD integration is flexible to support two primary use cases: +The first step is to decide on your goal. The CI/CD integration supports two primary use cases: **Non-blocking scans (for monitoring)** -This approach uses the Snyk API & Web CLI to actively monitor your pipeline for security vulnerabilities. This approach is ideal for AppSec teams who want to continuously monitor new changes introduced by developers for compliance and visibility. +This approach uses the Snyk CLI to monitor your pipeline for security vulnerabilities. It is ideal for AppSec teams who want to continuously monitor new changes introduced by developers for compliance and visibility. -Scans are triggered in the pipeline but do not block the pipeline if vulnerabilities are found. This allows you to track test results for each application version over time without causing the deployments to fail. +Snyk triggers scans in the pipeline but does not block the pipeline if it finds vulnerabilities. 
You can track test results for each application version over time without failing the deployments. **Blocking scans (for prevention)** -This approach uses the Snyk API & Web CLI to actively prevent security vulnerabilities from reaching production. +This approach uses the Snyk CLI to prevent security vulnerabilities from reaching production. -While no direct support using the CLI is available, you can use the code examples in this guide to configure blocking directly in your own CI/CD pipeline script. For example, you can add a condition that blocks the pipeline if the scan discovers any high or critical severity issues. This gives you full control to define your security standards as code and reduce risk. +The CLI provides no direct support for blocking, but you can use the code examples in this guide to configure blocking directly in your own CI/CD pipeline script. For example, you can add a condition that blocks the pipeline if the scan discovers any high or critical severity vulnerabilities. This gives you full control to define your security standards as code and reduce risk. -Once the pipeline is blocked, you can check details of findings in the Snyk API & Web dashboard, or in the issue tracker if it is integrated with Snyk API & Web. +After the pipeline is blocked, you can check the details of findings in the Snyk dashboard, or in the issue tracker if it is integrated with Snyk. -You can perform the same actions using the Snyk API & Web API. +You can perform the same actions using the Snyk API. -### Leverage incremental scans in CI/CD +### Use incremental scans in CI/CD To balance speed with effective coverage, especially for blocking scans, use incremental scans. This feature shortens scan times by focusing on new URLs, updated URLs, and URLs with existing findings. 
### Scan the right application branch -The solution is designed to integrate seamlessly into your branching strategy, whether you use feature branches, release branches, or trunk-based development. +The solution integrates seamlessly into your branching strategy, whether you use feature branches, release branches, or trunk-based development. Consider which branches represent the most logical points for security feedback and monitoring. You can also scan an application in an ephemeral environment. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/cicd-integrations-faq.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/cicd-integrations-faq.md index 9108ea31e97f..4d6e5ff5064f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/cicd-integrations-faq.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/cicd-integrations-faq.md 
@@ -4,58 +4,58 @@ Find answers to the most common questions about integrating Snyk API & Web into ## Which CI/CD providers do you support? -You can integrate Snyk API & Web with any CI/CD provider. Two primary methods are supported: +You can integrate Snyk with any CI/CD provider using one of two primary methods: -* **Snyk API & Web CLI:** This is the recommended method. The CLI is a convenient wrapper for the API that is easy to use in shell scripts for tasks like starting a scan or adding a target. -* **Direct API:** For more complex integrations or to access the full range of features with fine-grained control, you can interact with the Snyk API & Web API directly. +* **Snyk CLI:** This is the recommended method. The CLI is a convenient wrapper for the API that is easy to use in shell scripts for tasks like starting a scan or adding a target. +* **Direct API:** For more complex integrations or to access the full range of features with fine-grained control, you can interact with the Snyk API directly. -## Is it possible to block the pipeline if vulnerabilities are detected? +## Can I block the pipeline if Snyk detects vulnerabilities? -Yes. Blocking mode code examples are provided for [GitLab](integrate-snyk-api-web-with-gitlab-cicd.md), [Bitbucket](integrate-snyk-api-web-with-bitbucket-pipelines.md), and [GitHub Actions](integrate-snyk-api-web-with-github-actions.md) in their respective guides and the GitHub repository. These examples contain a script that checks the scan results for high-severity findings and blocks the pipeline (or causes the deployment to fail) if any are found. +Yes. Blocking mode code examples are provided for [GitLab](integrate-snyk-api-web-with-gitlab-cicd.md), [Bitbucket](integrate-snyk-api-web-with-bitbucket-pipelines.md), and [GitHub Actions](integrate-snyk-api-web-with-github-actions.md) in their respective guides and the GitHub repository. 
These examples contain a script that checks the scan results for high-severity findings and blocks the pipeline, or fails the deployment, if it finds any. If you use a different CI/CD tool, you can adapt the logic from these examples to fit your pipeline. ## My scan is taking too long. What can I do? -If your pipeline scans are too slow, you have several options to optimize their speed. A balanced approach is recommended: use less comprehensive scans earlier in the development cycle (on feature branches) and more comprehensive scans in pre-production. +If your pipeline scans are too slow, you have several options to optimize their speed. Snyk recommends a balanced approach: use less comprehensive scans earlier in the development cycle (on feature branches) and more comprehensive scans in pre-production. -Here are a few ways to reduce scan time: +Reduce scan time in the following ways: -* **Adjust the scan profile:** You can increase scan speed by choosing a less comprehensive scan profile. +* **Adjust the scan profile:** Increase scan speed by choosing a less comprehensive scan profile. * **Enable incremental scans:** This focuses the scan only on new or updated parts of your application, which is significantly faster than a full scan. -* **Leverage partial scopes:** You can configure the scan to check only the specific endpoints or URLs that have been impacted by recent code changes. -* **Optimize tests:** You can create a custom scan profile and select only a specific list of vulnerabilities to test for. This is faster than running the default comprehensive profile, as it avoids running tests for vulnerability types that may not be a priority for a specific pipeline. -* **Vary scan strategies by environment:** A scan should be faster the closer it is to the developer. Reduce the comprehensiveness of scans in dev or feature-branch environments to provide fast feedback. Then run more comprehensive scans in your pre-production environment. 
You can also set different severity policies for each environment. For example, you might block the pipeline only for critical findings in dev, but block the pipeline for both critical and high findings in QA. +* **Use partial scopes:** Configure the scan to check only the specific endpoints or URLs impacted by recent code changes. +* **Optimize tests:** Create a custom scan profile and select only a specific list of vulnerabilities to test for. This is faster than running the default comprehensive profile, because it avoids running tests for vulnerability types that are not a priority for a specific pipeline. +* **Vary scan strategies by environment:** A scan is faster the closer it is to the developer. Reduce the comprehensiveness of scans in dev or feature-branch environments to provide fast feedback. Then run more comprehensive scans in your pre-production environment. You can also set different severity policies for each environment. For example, you can block the pipeline only for critical findings in dev, but block the pipeline for both critical and high findings in QA. ## How do I specify a scan profile in my CI/CD pipeline? You can specify a scan profile in two ways: -* **To set a default:** You can update the target's settings in the Snyk API & Web UI or via an API call. This profile is used for all scans on that target unless overridden. -* **To override for one scan:** For a one-time scan in a CI/CD pipeline, you can use the Snyk API & Web CLI to specify the profile in your YAML configuration file or make a direct API call to the /scan-now/ endpoint. +* **To set a default:** Update the target's settings in the Snyk UI or with an API call. Snyk uses this profile for all scans on that target unless you override it. +* **To override for one scan:** For a one-time scan in a CI/CD pipeline, use the Snyk CLI to specify the profile in your YAML configuration file, or make a direct API call to the /scan-now/ endpoint. 
-For technical details, see the Snyk API & Web API documentation. +For technical details, visit the Snyk API documentation. ## What is the difference between running SAST and DAST in a CI/CD pipeline? -You typically run a SAST (Static Application Security Testing) scan on your source code before the application is built. +You typically run a static application security testing (SAST) scan on your source code before you build the application. -A DAST (Dynamic Application Security Testing) scan, like Snyk API & Web, requires a running application to test. Therefore, you must run DAST scans at a later stage in your pipeline, after your application has been deployed to a test or staging environment. DAST scans also typically take more time than SAST scans. +A dynamic application security testing (DAST) scan, like Snyk API & Web, requires a running application to test. You must run DAST scans at a later stage in your pipeline, after you deploy your application to a test or staging environment. DAST scans also typically take more time than SAST scans. ## How can I dynamically manage target settings in my CI/CD pipeline? -Use the Snyk API & Web CLI for all CI/CD configurations. It is flexible and allows you to script any action, such as creating, updating, or deleting targets, and initiating scans. +Use the Snyk CLI for all CI/CD configurations. It is flexible and lets you script any action, such as creating, updating, or deleting targets and starting scans. -For detailed commands, see the Snyk API & Web CLI Targets Reference and CLI Scans Reference. +For detailed commands, visit the Snyk CLI Targets Reference and CLI Scans Reference. ## How can I label findings with metadata like a commit hash or repo name? -The recommended way to add CI/CD metadata is to set labels on specific findings after a scan completes. This allows you to trace vulnerabilities back to their source, such as the exact commit, branch, or repository. 
+To add CI/CD metadata, set labels on specific findings after a scan completes. This lets you trace vulnerabilities back to their source, such as the exact commit, branch, or repository. The workflow from your pipeline script is: 1. Start the scan and wait for it to finish. -1. Get the list of new findings via the Snyk API & Web API. -1. Loop through the new findings and make an API call to add your desired labels (for example, `repo:my-project`, `commit:a1b2c3d4`) to each one. +1. Get the list of new findings using the Snyk API. +1. Loop through the new findings and make an API call to add your labels (for example, `repo:my-project`, `commit:a1b2c3d4`) to each one. You can find the specific endpoints for this in the Finding Labels Reference. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-bitbucket-pipelines.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-bitbucket-pipelines.md index 1a4a6650a342..1628ee249ccd 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-bitbucket-pipelines.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-bitbucket-pipelines.md 
@@ -4,44 +4,44 @@ This guide provides step-by-step instructions for integrating Snyk API & Web int ## Overview -This guide focuses on using the Snyk API & Web CLI to run scans. The examples below cover a complete end-to-end journey, from configuring your targets in the Snyk API & Web UI to running different scan scenarios in your pipeline. +This guide focuses on using the Snyk CLI to run scans. The following examples cover a complete end-to-end journey, from configuring your targets in the Snyk UI to running different scan scenarios in your pipeline. ## Prerequisites -Before you begin, you must configure your scan targets and credentials in the Snyk API & Web application. +Configure your scan targets and credentials in the Snyk application before you begin. -### Create a target in Snyk API & Web +### Create a target in Snyk -In the Snyk API & Web app, go to the Targets menu and click **Add**. Fill out the form and click **Add** to create the new target. +In the Snyk app, navigate to the **Targets** menu and click **Add**. Fill out the form and click **Add** to create the new target. {% hint style="info" %} -During this process, connectivity is checked. If your target is internal or not yet deployed, you can bypass any warnings and add the target regardless. For more details, visit How to add a Target. +During this process, Snyk checks connectivity. If your target is internal or not yet deployed, you can bypass any warnings and add the target. For more details, visit How to add a Target. {% endhint %} -Before configuring the integration in Bitbucket Pipelines, make sure to retrieve the unique target ID from Snyk API & Web. +Before you configure the integration in Bitbucket Pipelines, retrieve the unique target ID from Snyk. -1. In your Snyk API & Web dashboard, select **Targets**. +1. In your Snyk dashboard, select **Targets**. 2. From the target list, select the target you want to integrate. 3. In your browser's address bar, copy the target ID. 
This is the string of characters immediately following /target/ in the URL. {% hint style="info" %} -After creating a target, it is mandatory to verify your target's domain. Otherwise, your scans are only limited to lightning scans. To learn more, see the importance of domain ownership verification. +After you create a target, you must verify the target's domain. Otherwise, your scans are limited to lightning scans. To learn more, visit the importance of domain ownership verification. {% endhint %} -### Create a Snyk API & Web API key +### Create a Snyk API key You need an API key with permissions to start a scan on your target. For instructions, visit How to generate an API key. ## Step 1: Add your API key and target ID to Bitbucket Pipelines -To run a scan, your pipeline needs to authenticate with Snyk API & Web and know which target to scan. You must configure your Snyk API & Web API Key and target ID as secure repository variables in your Bitbucket Pipelines project. +To run a scan, your pipeline must authenticate with Snyk and know which target to scan. Configure your Snyk API key and target ID as secure repository variables in your Bitbucket Pipelines project. 1. From your Bitbucket Pipelines project side menu, navigate to **Repository settings > Repository variables**. -2. Click **Add** and create an entry for your Snyk API & Web **API Key** (for example, **PROBELY\_API\_KEY**). +2. Click **Add** and create an entry for your Snyk **API Key** (for example, **PROBELY\_API\_KEY**). 3. Click **Add** again to create a second entry for your **target ID** (for example, **TARGET\_ID**). {% hint style="warning" %} -For enhanced security, always store sensitive values as Bitbucket CI/CD variables. Storing variables directly in your bitbucket-pipelines.yml file is not recommended, as they are saved in plain text and visible to anyone who can view the file. +For enhanced security, always store sensitive values as Bitbucket CI/CD variables. 
Do not store variables directly in your bitbucket-pipelines.yml file, because they are saved in plain text and visible to anyone who can view the file. {% endhint %} ## Step 2: Configure your pipeline @@ -50,13 +50,13 @@ Create a `bitbucket-pipelines.yml` file at the root of your repository and add o ### Important note on these examples -The YAML configurations below are scanning steps designed to be incorporated into your existing `bitbucket-pipelines.yml` file. +The following YAML configurations are scanning steps to incorporate into your existing `bitbucket-pipelines.yml` file. -For example, your pipeline might already have steps to build your code, deploy to a QA environment, and run automated tests. You can add the Snyk API & Web scan as another step at any point that makes sense for your workflow, such as after you deploy to QA or staging. +For example, your pipeline might already have steps to build your code, deploy to a QA environment, and run automated tests. You can add the Snyk scan as another step at any point that makes sense for your workflow, such as after you deploy to QA or staging. ### Run a scan on a target in non-blocking mode -This is the simplest configuration. It uses the Snyk API & Web CLI to run a scan on a remote target and does not wait for the scan to finish, allowing the pipeline to complete quickly. +This is the simplest configuration. It uses the Snyk CLI to run a scan on a remote target and does not wait for the scan to finish, so the pipeline completes quickly. ```yaml # bitbucket-remote-app-non-blocking-mode.yaml 
@@ -172,14 +172,14 @@ pipelines: ### Run a scan on an ephemeral (dynamic) target in blocking mode -This is a more advanced configuration for building, deploying, and scanning an application in a temporary environment that is created for a specific purpose and then automatically destroyed during the pipeline run. +This is a more advanced configuration for building, deploying, and scanning an application in a temporary environment. The pipeline creates the environment for a specific purpose and then automatically destroys it during the run. -Using ephemeral environments requires agent token, target hostname, and target URL. Store them as variables for better security. +Ephemeral environments require an agent token, target hostname, and target URL. Store them as variables for better security. -You also need to create a scanning agent in Snyk API & Web and configure your target to use it. This process requires the `scanning-agent/farcasterd-linux-amd64-0.4.3` file. For detailed instructions, visit How to install a Scanning Agent and How to scan internal applications. +You also need to create a scanning agent in Snyk and configure your target to use it. This process requires the `scanning-agent/farcasterd-linux-amd64-0.4.3` file. For detailed instructions, visit How to install a Scanning Agent and How to scan internal applications. {% hint style="info" %} -In this code example, Docker is used to create ephemeral environments. However, you can use any other solution to create your environment. +This code example uses Docker to create ephemeral environments. However, you can use any other solution to create your environment. {% endhint %} ```yaml 
@@ -300,7 +300,7 @@ pipelines: ### Advanced scenario: dynamic target creation -This example demonstrates how to use the Snyk API & Web CLI to dynamically check for, create, and then scan a target that may not already exist in the Snyk API & Web UI. +This example demonstrates how to use the Snyk CLI to dynamically check for, create, and then scan a target that does not already exist in the Snyk UI. ```yaml # bitbucket-create-remote-app-blocking-mode.yaml @@ -396,6 +396,6 @@ pipelines: ## Step 3: Run the pipeline and view the results -After committing your `bitbucket-pipelines.yml` file, you can run the pipeline in Bitbucket Pipelines to test the integration. +After you commit your `bitbucket-pipelines.yml` file, you can run the pipeline in Bitbucket Pipelines to test the integration. -Once the scan is complete, you can view the detailed findings in your Snyk API & Web dashboard. +After the scan completes, you can view the detailed findings in your Snyk dashboard. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-github-actions.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-github-actions.md index 0be23e41bfe4..3fa2085779cc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-github-actions.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-github-actions.md 
@@ -9,37 +9,37 @@ To foster automation between systems, you can trigger target scans directly from Two integration methods are offered: * **Snyk API & Web Action:** A simple way to quickly add a scan to your workflow. -* **Snyk API & Web CLI:** A more flexible and powerful method that gives you full control over complex scenarios like blocking builds and scanning ephemeral applications. +* **Snyk CLI:** A more flexible and powerful method that gives you full control over complex scenarios like blocking builds and scanning ephemeral applications. ## Prerequisites -Before you begin, you must configure your scan targets and credentials in the Snyk API & Web application. +Configure your scan targets and credentials in the Snyk application before you begin. -### Create a target in Snyk API & Web +### Create a target in Snyk -In the Snyk API & Web app, go to the Targets menu and click **Add**. Fill out the form and click **Add** to create the new target. +In the Snyk app, navigate to the **Targets** menu and click **Add**. Fill out the form and click **Add** to create the new target. {% hint style="info" %} -During this process, connectivity is checked. If your target is internal or not yet deployed, you can bypass any warnings and add the target regardless. For more details, visit How to add a Target. +During this process, Snyk checks connectivity. If your target is internal or not yet deployed, you can bypass any warnings and add the target. For more details, visit How to add a Target. {% endhint %} -Before configuring the integration in GitHub Actions, make sure to retrieve the unique target ID from Snyk API & Web. +Before you configure the integration in GitHub Actions, retrieve the unique target ID from Snyk. -1. In your Snyk API & Web dashboard, select **Targets**. +1. In your Snyk dashboard, select **Targets**. 2. From the target list, select the target you want to integrate. 3. In your browser's address bar, copy the target ID. 
This is the string of characters immediately following /target/ in the URL. {% hint style="info" %} -After creating a target, it is mandatory to verify your target's domain. Otherwise, your scans are only limited to lightning scans. To learn more, see the importance of domain ownership verification. +After you create a target, you must verify the target's domain. Otherwise, your scans are limited to lightning scans. To learn more, visit the importance of domain ownership verification. {% endhint %} -### Create a Snyk API & Web API key +### Create a Snyk API key You need an API key with permissions to start a scan on your target. For instructions, visit How to generate an API key. ## Step 1: Add your API key and target ID to GitHub -To allow GitHub Actions to communicate with Snyk API & Web, you must store your credentials as secure repository secrets. +To allow GitHub Actions to communicate with Snyk, you must store your credentials as secure repository secrets. 1. In your GitHub repository, navigate to the **Settings** tab. 2. In the side menu, expand **Secrets and variables** and click **Actions**. 
@@ -73,25 +73,25 @@ jobs: region: "eu" ``` -Depending on the region where your Snyk API & Web instance is located, you need to specify a region value. The options are: `eu`, `us`, `au`. +Depending on the region where your Snyk instance is located, you must specify a region value. The options are `eu`, `us`, and `au`. -Remember to replace `` with the target ID you copied in the Prerequisites step. +Replace `` with the target ID you copied in the Prerequisites step. -### Option 2: Use the Snyk API & Web CLI +### Option 2: Use the Snyk CLI -For more control over the pipeline, such as blocking builds or scanning ephemeral applications, you can use the Snyk API & Web CLI directly. +For more control over the pipeline, such as blocking builds or scanning ephemeral applications, you can use the Snyk CLI directly. Create a `probely.yml` file at the root of your repository, under the `.github/workflows/` directory, and add one of the following code examples based on your use case. You can also find all of them in the Snyk API & Web CI/CD examples repository on GitHub. #### Important note on these examples -The YAML configurations below are scanning steps designed to be incorporated into your existing `probely.yml` file. +The following YAML configurations are scanning steps to incorporate into your existing `probely.yml` file. -For example, your pipeline might already have steps to build your code, deploy to a QA environment, and run automated tests. You can add the Snyk API & Web scan as another step at any point that makes sense for your workflow, such as after you deploy to QA or staging. +For example, your pipeline might already have steps to build your code, deploy to a QA environment, and run automated tests. You can add the Snyk scan as another step at any point that makes sense for your workflow, such as after you deploy to QA or staging. 
#### Run a scan on a target in non-blocking mode -This workflow installs the CLI and starts a scan, but does not wait for the results, allowing your pipeline to complete quickly. +This workflow installs the CLI and starts a scan, but does not wait for the results, so your pipeline completes quickly. ```yaml # github-remote-app-non-blocking-mode.yaml 
@@ -225,14 +225,14 @@ jobs: #### Run a scan on an ephemeral (dynamic) target in blocking mode -This is a more advanced configuration for building, deploying, and scanning an application in a temporary environment that is created for a specific purpose and then automatically destroyed during the pipeline run. +This is a more advanced configuration for building, deploying, and scanning an application in a temporary environment. The pipeline creates the environment for a specific purpose and then automatically destroys it during the run. -Using ephemeral environments requires agent token, target hostname, and target URL. Store them as variables for better security. +Ephemeral environments require an agent token, target hostname, and target URL. Store them as variables for better security. -You also need to create a scanning agent in Snyk API & Web and configure your target to use it. This process requires the `scanning-agent/farcasterd-linux-amd64-0.4.3` file. For detailed instructions, visit How to install a Scanning Agent and How to scan internal applications. +You also need to create a scanning agent in Snyk and configure your target to use it. This process requires the `scanning-agent/farcasterd-linux-amd64-0.4.3` file. For detailed instructions, visit How to install a Scanning Agent and How to scan internal applications. {% hint style="info" %} -In this code example, Docker is used to create ephemeral environments. However, you can use any other solution to create your environment. +This code example uses Docker to create ephemeral environments. However, you can use any other solution to create your environment. {% endhint %} ```yaml 
@@ -283,10 +283,10 @@ jobs: ## Step 3: Run the pipeline and view the results -After committing your workflow file, the scan is triggered automatically on a push to the main branch. You can also run the workflow manually. +After you commit your workflow file, Snyk triggers the scan automatically on a push to the main branch. You can also run the workflow manually. -1. In your GitHub repository, go to the **Actions** tab. +1. In your GitHub repository, navigate to the **Actions** tab. 2. Under **All workflows**, find and select your scan workflow. 3. Click the **Run workflow** dropdown, then click **Run workflow** to trigger a new scan. -Once the scan is complete, you can view the detailed findings in your Snyk API & Web dashboard. +After the scan completes, you can view the detailed findings in your Snyk dashboard. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-gitlab-cicd.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-gitlab-cicd.md index 0f098ac26a07..f8c370d6bfe3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-gitlab-cicd.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-gitlab-cicd.md 
@@ -4,45 +4,45 @@ This guide provides step-by-step instructions for integrating Snyk API & Web int ## Overview -This guide focuses on using the Snyk API & Web CLI to run scans. The examples below cover the complete end-to-end journey, from configuring your targets to running scans in different scenarios. +This guide focuses on using the Snyk CLI to run scans. The following examples cover the complete end-to-end journey, from configuring your targets to running scans in different scenarios. ## Prerequisites -Before you begin, you must configure your scan targets and credentials in the Snyk API & Web application. +Configure your scan targets and credentials in the Snyk application before you begin. -### Create a target in Snyk API & Web +### Create a target in Snyk -In the Snyk API & Web app, go to the **Targets** menu and click **Add**. Fill out the form and click **Add** to create the new target. +In the Snyk app, navigate to the **Targets** menu and click **Add**. Fill out the form and click **Add** to create the new target. {% hint style="info" %} -During this process, connectivity is checked. If your target is internal or not yet deployed, you can bypass any warnings and add the target regardless. For more details, visit How to add a Target. +During this process, Snyk checks connectivity. If your target is internal or not yet deployed, you can bypass any warnings and add the target. For more details, visit How to add a Target. {% endhint %} -Before configuring the integration in GitLab, make sure to retrieve the unique **target ID** from Snyk API & Web. +Before you configure the integration in GitLab, retrieve the unique **target ID** from Snyk. -1. In your Snyk API & Web dashboard, select **Targets**. +1. In your Snyk dashboard, select **Targets**. 2. From the target list, select the target you want to integrate. 3. In your browser's address bar, copy the **target ID**. This is the string of characters immediately following /target/ in the URL. 
{% hint style="info" %} -After creating a target, it is mandatory to verify your target's domain. Otherwise, your scans are only limited to lightning scans. To learn more, see the importance of domain ownership verification. +After you create a target, you must verify the target's domain. Otherwise, your scans are limited to lightning scans. To learn more, visit the importance of domain ownership verification. {% endhint %} -### Create a Snyk API & Web API Key +### Create a Snyk API key You need an API key with permissions to start a scan on your target. For instructions, visit How to generate an API key. -## Step 1: Add your API Key and target ID to GitLab +## Step 1: Add your API key and target ID to GitLab -To run a scan, your pipeline needs to authenticate with Snyk API & Web and know which target to scan. You must configure your Snyk API & Web **API Key** and the specific **target ID** as secure CI/CD variables in your GitLab project. +To run a scan, your pipeline must authenticate with Snyk and know which target to scan. Configure your Snyk API key and the specific target ID as secure CI/CD variables in your GitLab project. 1. From your GitLab project side menu, navigate to **Settings > CI/CD**. 2. Find the **Variables** section and expand it. -3. Click **Add variable** and create an entry for your Snyk API & Web **API Key** (for example, **PROBELY\_API\_KEY**). -4. Click **Add variable** again to create a second entry for your **target ID** (for example, **TARGET\_ID**). +3. Click **Add variable** and create an entry for your Snyk API key (for example, **PROBELY\_API\_KEY**). +4. Click **Add variable** again to create a second entry for your target ID (for example, **TARGET\_ID**). {% hint style="warning" %} -For enhanced security, always store sensitive values as GitLab CI/CD variables. Storing variables directly in your `.gitlab-ci.yml` file is not recommended, as they are saved in plain text and visible to anyone who can view the file. 
+For enhanced security, always store sensitive values as GitLab CI/CD variables. Do not store variables directly in your `.gitlab-ci.yml` file, because they are saved in plain text and visible to anyone who can view the file. {% endhint %} ## Step 2: Configure your pipeline @@ -51,9 +51,9 @@ Create a `.gitlab-ci.yml` file at the root of your repository and add one of the ### Important note on these examples -The YAML configurations below are scanning steps designed to be incorporated into your existing `.gitlab-ci.yml` file. +The following YAML configurations are scanning steps to incorporate into your existing `.gitlab-ci.yml` file. -For example, your pipeline might already have steps to build your code, deploy to a QA environment, and run automated tests. You can add the Snyk API & Web scan as another step at any point that makes sense for your workflow, such as after you deploy to QA or staging. +For example, your pipeline might already have steps to build your code, deploy to a QA environment, and run automated tests. You can add the Snyk scan as another step at any point that makes sense for your workflow, such as after you deploy to QA or staging. ### Run a scan on a target in non-blocking mode 
@@ -153,14 +153,14 @@ scan: ### Run a scan on an ephemeral (dynamic) target in blocking mode -This is a more advanced configuration for building, deploying, and scanning an application in a temporary environment that is created for a specific purpose and then automatically destroyed during the pipeline run. +This is a more advanced configuration for building, deploying, and scanning an application in a temporary environment. The pipeline creates the environment for a specific purpose and then automatically destroys it during the run. -Using ephemeral environments requires agent token, target hostname, and target URL. Store them as variables for better security. +Ephemeral environments require an agent token, target hostname, and target URL. Store them as variables for better security. -You also need to create a scanning agent in Snyk API & Web and configure your target to use it. This process requires the `scanning-agent/farcasterd-linux-amd64-0.4.3` file. For detailed instructions, visit How to install a Scanning Agent and How to scan internal applications. +You also need to create a scanning agent in Snyk and configure your target to use it. This process requires the `scanning-agent/farcasterd-linux-amd64-0.4.3` file. For detailed instructions, visit How to install a Scanning Agent and How to scan internal applications. {% hint style="info" %} -In this code example, Docker is used to create ephemeral environments. However, you can use any other solution to create your environment. +This code example uses Docker to create ephemeral environments. However, you can use any other solution to create your environment. {% endhint %} ```yaml 
@@ -278,6 +278,6 @@ build-and-test: ## Step 3: Run the pipeline and view the results -After committing your `.gitlab-ci.yml` file, you can run the pipeline in GitLab to test the integration. +After you commit your `.gitlab-ci.yml` file, you can run the pipeline in GitLab to test the integration. -Once the scan is complete, you can view the detailed findings in your Snyk API & Web dashboard. +After the scan completes, you can view the detailed findings in your Snyk dashboard. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-jenkins.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-jenkins.md index 31015e05cf0e..4cb91909809c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-jenkins.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/overview-cicd-integrations/integrate-snyk-api-web-with-jenkins.md 
@@ -1,18 +1,18 @@ # Integrate with Jenkins -Configure Jenkins CI/CD pipeline to scan your application for security issues. +Configure a Jenkins CI/CD pipeline to scan your application for vulnerabilities. ## Overview -With the Snyk API & Web plugin, you can automatically start a scan every time your Jenkins pipeline is executed. +With the Snyk API & Web plugin, you can automatically start a scan every time your Jenkins pipeline runs. -Jenkins allows you to have an arbitrary number of build and test scenarios, but a common pattern is as follows: +Jenkins lets you have an arbitrary number of build and test scenarios, but a common pattern is as follows: -* **Build step**: Compiles the application or creates the Docker containers. -* **Deploy step**: Sends the compiled code or the containers to test server and executes them. -* **Test step**: Executes tests on the running application. +* **Build step**: Compiles the application or creates the containers. +* **Deploy step**: Sends the compiled code or the containers to a test server and runs them. +* **Test step**: Runs tests on the running application. -The Snyk API & Web plugin is a build task that should run after the application is built and deployed. It is recommended that the security tests run after the integration or functional tests pass, to ensure the application is working properly. A broken application may cause security tests to miss vulnerabilities because a particular feature is not working. +The Snyk plugin is a build task that runs after Jenkins builds and deploys the application. Snyk recommends that the security tests run after the integration or functional tests pass, to ensure the application is working properly. A broken application can cause security tests to miss vulnerabilities, because a particular feature is not working. ## Installation and setup 
@@ -21,55 +21,55 @@ Installing and setting up the plugin takes less than five minutes. 1. Open Jenkins and click **Manage Jenkins**. 2. Click **Manage Plugins**. 3. Click the **Available** tab. -4. On the **Filter** search box, enter **probely**. +4. In the **Filter** search box, enter **probely**. 5. Select the **Probely Security Scanner** plugin. 6. Click **Download now and install after restart**. -7. After Jenkins restarts, the plugin is installed. Continue reading to set up the required API key from Snyk API & Web. +7. After Jenkins restarts, the plugin is installed. Continue reading to set up the required API key from Snyk. ## Generate an API key -Before using the plugin, you must generate an API Key for Jenkins to be able to start a scan with Snyk API & Web. +Before you use the plugin, generate an API key so that Jenkins can start a scan with Snyk. -Once the API key is created, take note of its value, as it is required to configure the Plugin credentials later on, and it is not displayed again. You also need the ID of the target you want to scan. You can obtain this ID from the target page. +After you create the API key, take note of its value, because you need it to configure the plugin credentials later, and Snyk does not display it again. You also need the ID of the target you want to scan. You can obtain this ID from the target page. ## Configure the plugin -The plugin can be used in both Freestyle and Pipeline projects, and this article provides an example for each one. You can learn more about these two project types and their differences in the Jenkins documentation. +You can use the plugin in both Freestyle and Pipeline projects. This article provides an example for each one. You can learn more about these two project types and their differences in the Jenkins documentation. ### Configure credentials 1. Click **Credentials**. -2. Click the down arrow near **(global)** to enable the dropdown menu and choose **Add credentials**. -3. 
On the Kind dropdown menu, choose **Secret text**. -4. Enter the API key in the **Secret** textbox. -5. Enter a value for the credentials in the **ID** textbox (for example, **probely-test-site**). -6. Enter an optional Description and click **OK**. +2. Click the down arrow near **(global)** to open the dropdown menu and select **Add credentials**. +3. In the **Kind** dropdown menu, select **Secret text**. +4. Enter the API key in the **Secret** text box. +5. Enter a value for the credentials in the **ID** text box (for example, **probely-test-site**). +6. Enter an optional description and click **OK**. ### Use the plugin in a Freestyle project -Creating a freestyle is the simplest way to have a repeatable process to build and test your application, especially for simple applications with just a few jobs. +Creating a Freestyle project is the simplest way to have a repeatable process to build and test your application, especially for simple applications with a few jobs. -If you already have a freestyle project, you only need to configure the plugin: in the project listing page, click the Configure in the drop-down menu next to the project name. If you are creating a new project, follow the next steps: +If you already have a Freestyle project, you only need to configure the plugin. On the project listing page, select **Configure** in the dropdown menu next to the project name. To create a new project, follow these steps: 1. Click **New Item**. -2. Enter your project name, choose **Freestyle Project** and click **OK**. -3. In the **Build** section add **Probely scan step**. +2. Enter your project name, select **Freestyle Project**, and click **OK**. +3. In the **Build** section, add **Probely scan step**. -This assumes you have configured the other project options properly, such as checking out from your SCM, building the code and deploying it. 
+This assumes you have configured the other project options properly, such as checking out from your SCM, building the code, and deploying it. -In the just added **Probely Security Scanner** section: +In the **Probely Security Scanner** section you just added: 1. Add the **Target ID** of the target you want to scan. -2. Select the right credentials, which were configured in Configure credentials. If the connection to Snyk API & Web's API is working correctly, and the credentials are valid, you should see the message "Credentials verified successfully". -3. When all steps are properly configured, click **Save**. +2. Select the credentials you configured in Configure credentials. If the connection to the Snyk API is working correctly and the credentials are valid, the message **Credentials verified successfully** appears. +3. After you configure all steps properly, click **Save**. -The next time the build job for this project runs, Snyk API & Web tests the security of the configured target and sends you an email with the scan results at the end. +The next time the build job for this project runs, Snyk tests the security of the configured target and sends you an email with the scan results at the end. ### Use the plugin in a Pipeline project -Pipeline projects are the most flexible and powerful way of creating CI/CD pipelines with Jenkins. +Pipeline projects are the most flexible and powerful way to create CI/CD pipelines with Jenkins. -The projects need a configuration file, a **Jenkinsfile**. The one in this example uses the more modern declarative syntax, instead of the imperative one. +The projects need a configuration file, a **Jenkinsfile**. The one in this example uses the more modern declarative syntax instead of the imperative one. 1. Click **New Item**. 2. Enter your project name, choose **Pipeline Project** and click **OK**. 
@@ -97,12 +97,12 @@ pipeline { } ``` -As with the Freestyle project, the security tests are executed after the functional tests, in this case after the Unit tests stage, to ensure the application is working properly. +As with the Freestyle project, the security tests run after the functional tests, in this case after the Unit tests stage, to ensure the application is working properly. -1. Configure Jenkins to use the Jenkins file on your repository. +1. Configure Jenkins to use the Jenkinsfile in your repository. -If your Jenkinsfile is stored in a repository that was already configured here (Definition **Pipeline script from SCM**), you only need to commit the updated file to the repository. +If your Jenkinsfile is stored in a repository already configured here (Definition **Pipeline script from SCM**), you only need to commit the updated file to the repository. Click **Save**. Your pipeline now has a stage that scans your target for vulnerabilities. -You have some options on how Snyk API & Web scans your target, at the target settings page: you can choose different scan profiles, configure authentication to scan behind login pages, add custom headers, and enable automatic synchronization with your project at Jira. +On the target settings page, you have several options for how Snyk scans your target. You can choose different scan profiles, configure authentication to scan behind login pages, add custom headers, and enable automatic synchronization with your project in Jira. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/snyk-sast-dast-integration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/snyk-sast-dast-integration.md index 70c7afbf9f61..a2429229f087 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/snyk-sast-dast-integration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/integrations/snyk-sast-dast-integration.md 
@@ -1,40 +1,40 @@ # Snyk SAST/DAST integration -This guide explains how to set up and use the SAST/DAST integration to correlate findings from Snyk API & Web (DAST) with your static analysis results in Snyk (SAST). +This guide explains how to set up and use the static application security testing (SAST) and dynamic application security testing (DAST) integration to correlate findings from Snyk API & Web (DAST) with your static analysis results in Snyk (SAST). ## Overview -By connecting your dynamic and static scan results, you can streamline triage and remediation. This integration links DAST findings directly to the vulnerable location in your source code, helping your developers fix issues faster. +By connecting your dynamic and static scan results, you can streamline triage and remediation. This integration links DAST findings directly to the vulnerable location in your source code, helping your developers fix vulnerabilities faster. ## Prerequisites * You must have active accounts in both Snyk API & Web and the Snyk platform. -* You need to have a target application that is being scanned by both Snyk for SAST (Snyk Code) and Snyk API & Web for DAST. +* You must have a target application that both Snyk for SAST (Snyk Code) and Snyk API & Web for DAST scan. ## Step 1: Connect your Snyk accounts -First, you need to establish a connection between your Snyk API & Web account and your main Snyk account. +Establish a connection between your Snyk API & Web account and your main Snyk account. 1. In Snyk API & Web, navigate to **Settings > Integrations**. 2. Locate the **Snyk** module. -3. Follow the link to **Snyk group**. This starts the authentication and authorization process to connect your two accounts. +3. Click the link to **Snyk group**. This starts the authentication and authorization process to connect your two accounts. 
## Step 2: Map a target to your Snyk projects -Next, you need to tell Snyk API & Web which Snyk Code projects (code repository) correspond to your DAST target. +Next, tell Snyk API & Web which Snyk Code projects (code repository) correspond to your DAST target. 1. Navigate to the **Targets** page and identify the target you want to integrate. -2. Go to that target **Settings** and click the **Integrations** tab. +2. Navigate to that target **Settings** and click the **Integrations** tab. 3. In the **Snyk** module, click **Select projects** to open a new modal. -4. Map the current Snyk API & Web target to the corresponding code analysis project(s) from Snyk and click **Save**. +4. Map the current Snyk API & Web target to the corresponding code analysis projects from Snyk and click **Save**. ## Step 3: Run a DAST scan -Run a new scan on the target you configured in Step 2. Snyk API & Web now correlates the DAST findings from this scan with the SAST findings from your mapped Snyk projects. +Run a new scan on the target you configured in Step 2. Snyk API & Web correlates the DAST findings from this scan with the SAST findings from your mapped Snyk projects. ## Step 4: Analyze correlated findings -After the scan is complete, you can view the correlated results. Any correlated finding will have a SAST label associated with it. +After the scan is complete, you can view the correlated results. Any correlated finding has an associated SAST label. 1. From the list of findings for your target, click a finding to open its details page. 2. Select the **SAST Findings** tab. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enforce-2fa-for-all-users.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enforce-2fa-for-all-users.md index 09febe5cd32c..ed3c70ae0831 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enforce-2fa-for-all-users.md 
+++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enforce-2fa-for-all-users.md 
@@ -2,28 +2,28 @@ Learn how to enforce two-factor authentication (2FA) for all users of your Snyk API & Web account. -Two-factor authentication (2FA) strengthens authentication with an additional layer of security that requires presenting an extra piece of evidence (the possession factor) to an authentication mechanism of a website or application. To obtain the possession factor, you can use an authenticator like Google Authenticator, 1Password, Authy, or Microsoft Authenticator, which provides a random code that changes frequently. +Two-factor authentication (2FA) strengthens authentication with an additional layer of security that requires presenting an extra piece of evidence (the possession factor) to the authentication mechanism of a website or application. To obtain the possession factor, you can use an authenticator like Google Authenticator, 1Password, Authy, or Microsoft Authenticator, which provides a random code that changes frequently. -If **you are the owner of the Snyk API & Web account**, you can enforce 2FA for all its users so that they have this extra layer of authentication in their profiles. +If you are the owner of the Snyk account, you can enforce 2FA for all its users so that they have this extra layer of authentication in their profiles. ## Enforce 2FA -In the Snyk API & Web app, enforce 2FA for all the users as follows: +In the Snyk app, enforce 2FA for all users as follows: -1. Open the **Settings** dropdown menu on the bottom-left corner of the navigation bar and click on **Authentication**. -2. In the **TWO-FACTOR AUTHENTICATION (2FA) SETTINGS** section, click on **Enforce 2FA**. -3. A dialog is displayed to enter your password and 2FA code as a security measure. +1. Open the **Settings** dropdown on the bottom-left corner of the navigation bar and click **Authentication**. +2. In the **TWO-FACTOR AUTHENTICATION (2FA) SETTINGS** section, click **Enforce 2FA**. +3. 
In the dialog that appears, enter your password and 2FA code as a security measure. -Now that you have enforced 2FA, the following happens to the users of your account: +After you enforce 2FA, the following happens to the users of your account: * **Users logging in without 2FA set up for their profile**\ - At login, they must follow some extra steps to set up 2FA for their profile.\ - The procedure will be like steps four and five described in [How to set up 2FA for your profile](https://help.probely.com/en/articles/8945079-how-to-set-up-2fa-for-your-profile). + At login, they must follow extra steps to set up 2FA for their profile.\ + The procedure is like steps four and five described in [How to set up 2FA for your profile](https://help.probely.com/en/articles/8945079-how-to-set-up-2fa-for-your-profile). * **Users already logged in without 2FA set up for their profile**\ - These users will be automatically logged out.\ - When logging back in, they must follow some extra steps to set up 2FA for their profile.\ - The procedure will be like steps four and five described in [How to set up 2FA for your profile](https://help.probely.com/en/articles/8945079-how-to-set-up-2fa-for-your-profile). + Snyk logs out these users automatically.\ + When they log back in, they must follow extra steps to set up 2FA for their profile.\ + The procedure is like steps four and five described in [How to set up 2FA for your profile](https://help.probely.com/en/articles/8945079-how-to-set-up-2fa-for-your-profile). * **Users already logged in with 2FA disabled for their profile**\ - Their 2FA will become enabled, and they will be asked to enter the random code generated by the authenticator app installed on their device. + Their 2FA becomes enabled, and Snyk asks them to enter the random code generated by the authenticator app installed on their device. * **Users with 2FA enabled for their profile**\ - They will not notice because they are already using 2FA. 
+ They do not notice a change because they already use 2FA. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enhancing-your-security-with-ai.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enhancing-your-security-with-ai.md index c0ceb5cdd013..f2292c3ac66c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enhancing-your-security-with-ai.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/enhancing-your-security-with-ai.md 
@@ -2,27 +2,27 @@ Leveraging advanced machine learning to improve your application security posture. -To help you stay ahead of an ever-evolving threat landscape, Snyk API & Web incorporates advanced AI models in its scanning process. By leveraging AI, it provides a more intelligent, faster, and more comprehensive security experience. +To help you stay ahead of an ever-evolving threat landscape, Snyk API & Web incorporates advanced AI models in its scanning process. By using AI, Snyk provides a more intelligent, faster, and more comprehensive security experience. ## Key benefits of AI-driven scanning -Integrating AI into your security workflow transforms how vulnerabilities are detected and managed. Accounts with AI features enabled can expect to see improvements in the efficiency of our crawler and scanner. +Integrating AI into your security workflow transforms how Snyk detects and manages vulnerabilities. Accounts with AI features enabled can expect improvements in the efficiency of the Snyk crawler and scanner. ## Default settings and account types AI Powered capabilities are governed by the following default settings: * **Trials and paid accounts:** AI-driven scanning is **enabled by default**. This ensures you immediately benefit from higher accuracy and better coverage during your evaluation or subscription. -* **Free Accounts:** AI-driven scanning is **disabled by default**. +* **Free accounts:** AI-driven scanning is **disabled by default**. -If you wish to opt out of AI-powered scans for your organization, contact **Snyk Support** to request a change. +To opt out of AI-powered scans for your organization, contact **Snyk Support** to request a change. ## Data privacy and security -We prioritize your privacy and the security of your data. When AI features are active for Snyk API & Web, here is how data is handled: +Snyk prioritizes your privacy and the security of your data. 
When AI features are active for Snyk API & Web, Snyk handles data as follows: -* **What is sent:** Snyk API & Web sends specific components of web communications, such as portions of HTTP requests and responses, to the AI model for real-time analysis. -* **No training on your data:** Snyk API & Web does **not** use your proprietary code or sensitive request data to train, optimize, or fine-tune our AI models. -* **Secure infrastructure:** we use a combination of proprietary models and secure third-party LLMs. For third-party models, your data is never used for model training and is retained for no more than eight hours. +* **What is sent:** Snyk sends specific components of web communications, such as portions of HTTP requests and responses, to the AI model for real-time analysis. +* **No training on your data:** Snyk does **not** use your proprietary code or sensitive request data to train, optimize, or fine-tune its AI models. +* **Secure infrastructure:** Snyk uses a combination of proprietary models and secure third-party LLMs. For third-party models, Snyk never uses your data for model training and retains it for no more than eight hours. -For a comprehensive breakdown of our AI governance and legal commitments, visit the official Snyk documentation: [How Snyk incorporates generative AI into the platform](https://docs.snyk.io/working-with-snyk/how-snyk-incorporates-generative-ai-into-the-platform). +For a comprehensive breakdown of Snyk AI governance and legal commitments, visit [How Snyk incorporates generative AI into the platform](https://docs.snyk.io/working-with-snyk/how-snyk-incorporates-generative-ai-into-the-platform). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/generate-and-use-audit-log-reports.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/generate-and-use-audit-log-reports.md index 9d117550fbed..631dd0c9f7ac 100644 
--- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/generate-and-use-audit-log-reports.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/generate-and-use-audit-log-reports.md @@ -2,7 +2,7 @@ Generate audit log reports and understand their content. -Audit logs contain the record of user activity in Snyk API & Web, allowing the reproduction of the timeline of events originated by users, which can be useful for identifying and analyzing behaviors or issues and taking the necessary actions. +Audit logs record user activity in Snyk API & Web, which lets you reproduce the timeline of events that users originated. This is useful for identifying and analyzing behaviors or issues and taking the necessary actions. This article is divided into the following sections: 
@@ -12,25 +12,25 @@ This article is divided into the following sections: ## Generate the audit log report -To analyze the audit log, first, we need to generate the report: +To analyze the audit log, first generate the report: -1. Open the **Settings** dropdown menu on the bottom-left corner of the navigation bar and select **Audit Log**. -2. Fill in the criteria of the report. You can download the list of actions performed by a single user or by all users in a specific period. When you are done, click on **Export**. +1. Open the **Settings** dropdown on the bottom-left corner of the navigation bar and select **Audit Log**. +2. Fill in the criteria of the report. You can download the list of actions performed by a single user or by all users in a specific period. When you are done, click **Export**. ## Understand the information in the audit log report -Essentially, events listed in the report describe which action was done, on which object, when, and by whom. In update actions, there is also information about the fields that changed, the old and new values. +Events listed in the report describe which action was done, on which object, when, and by whom. Update actions also include information about the fields that changed and the old and new values. -The report is in CSV format and can be opened in any application that handles spreadsheets. +The report is in CSV format and you can open it in any application that handles spreadsheets. -The events are sorted by date (starting with the oldest event), and all event details are displayed in columns: +Snyk sorts the events by date, starting with the oldest event, and displays all event details in columns: * **user\_email** - Email of the user that originated the event. * **date** - Date and time of the event, in ISO 8601 UTC format. -* **action** - Action of the event, that can be: - * create - A new object was created. - * update - An existing object was updated. - * delete - An existing object was deleted. 
+* **action** - Action of the event, which can be: + * create - Snyk created a new object. + * update - Snyk updated an existing object. + * delete - Snyk deleted an existing object. * **object\_model** - Type of object. Visit the next section for more information. * **object\_id** - Identifier of the object. * **field** - In update actions, this shows the name of the property or parameter for which the value changed. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/get-started-with-teams.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/get-started-with-teams.md index 7a19bc10771b..99ee24fe4898 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/get-started-with-teams.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/get-started-with-teams.md 
@@ -17,49 +17,49 @@ The following sections detail each one of these aspects. ## Add a team with or without a target quota -Follow these steps to add a Team: +Follow these steps to add a team: -1. Log in to your account, open the **Settings** dropdown menu on the bottom-left corner of the navigation bar, and choose **Teams**. -2. Click **Add team** and give it a name. This is required to identify the team. -3. Optionally, you can limit the number of targets each team can create by assigning a target quota. This value depends on how many targets can still be added to your Snyk API & Web account. +1. Log in to your account, open the **Settings** dropdown on the bottom-left corner of the navigation bar, and choose **Teams**. +2. Click **Add team** and give it a name. The name is required to identify the team. +3. Optionally, limit the number of targets each team can create by assigning a target quota. This value depends on how many targets you can still add to your Snyk API & Web account. 4. If you assign a target quota (a limit of targets), you can reserve target slots for the current team. Doing so prevents other teams from using those slots beforehand. Reserving that quota to the team is optional. ## Manage a team -When you access a team's details, you have three tabs where you can manage that team: Users, API Keys, and Targets. The Users tab is selected by default. +When you access the details for a team, you have three tabs where you can manage that team: **Users**, **API Keys**, and **Targets**. The **Users** tab is selected by default. -To manage a team, go to its details and: +To manage a team, navigate to its details and: * From the **Users** tab, add users in bulk and assign them a role in the context of that team. -* Click on the **API Keys** tab, and manage API Keys precisely as you did for users. -* Go to the **Targets** tab, and add targets to the team by selecting the desired ones from the list of existing targets. 
+* Click the **API Keys** tab, and manage API keys exactly as you did for users. +* Click the **Targets** tab, and add targets to the team by selecting the ones you want from the list of existing targets. -Once you have your team created and set up, users who were added to that team will be able to access the respective targets with the role you defined. Note that one user can be added to different teams and assigned roles that do not affect one another, such as an Admin or Developer. Also, bear in mind that a user with the Admin role within a team will be able to list all of the account's users, so that they are able to manage the users from their team independently. +After you create and set up your team, users who were added to that team can access the respective targets with the role you defined. One user can be added to different teams and assigned roles that do not affect one another, such as an Admin or Developer. A user with the Admin role within a team can list all of the account's users, so that they can manage the users from their team independently. ## Manage Users, API Keys, and Targets -Similar to how you can manage every component of the Team (Users, API Keys, and Targets) from the team's details, you can also manage these components from their respective sections. +You can manage every component of a team (Users, API Keys, and Targets) from the details for the team, and you can also manage these components from their respective sections. -For instance, through the Users list, you can add new or edit existing users to accommodate distinct roles for different access scopes: +For instance, through the Users list, you can add new users or edit existing ones to accommodate distinct roles for different access scopes: * With a **Global (account)** scope, the user can use the assigned role on the entire account. * With a **specific Team** scope, the user can only use the assigned role in the context of that team. 
* With a **specific Target** scope, the user can only use the assigned role in the context of that target. -To do this, select the role you want to assign and choose the respective scope using the Teams or Targets toggle and selecting the intended scope from the respective dropdown. +To do this, select the role you want to assign and choose the respective scope using the **Teams** or **Targets** toggle and selecting the intended scope from the respective dropdown. -You can do precisely the same for API Keys by accessing the new menu entry API Keys and either adding a new API Key or editing an existing one. +You can do the same for API keys by accessing the **API Keys** menu entry and either adding a new API key or editing an existing one. -Just like for Users and API Keys, you can also define a specific target's scope by adding a new target or editing an existing one. If you assign a target to a team, members of that team can access it. Depending on the role they have in the context of that team, what they can do on the target may vary. +As you do for users and API keys, you can also define the scope of a specific target by adding a new target or editing an existing one. If you assign a target to a team, members of that team can access it. Depending on the role they have in the context of that team, what they can do on the target can vary. -If the target is bound to the account or global level, only users with a Global role can list, view, change, or otherwise interact with that target. Depending on their role in a global or account context, what they can do on the target may vary. +If the target is bound to the account or global level, only users with a Global role can list, view, change, or otherwise interact with that target. Depending on their role in a global or account context, what they can do on the target can vary. -* With the **Global (account)** scope, they will have access to all targets. 
-* With a specific **team** scope, they will only have access to targets that belong to that team. +* With the **Global (account)** scope, they have access to all targets. +* With a specific **team** scope, they only have access to targets that belong to that team. -Note that a target can only belong to one team at a time. +A target can only belong to one team at a time. -If a specific target belongs to a team, and you need to allow a user to access that target but do not want to give them access to every target from that team, you can always assign a target-specific role to that user by going to the Users list, as explained above. +If a specific target belongs to a team, and you need to allow a user to access that target but do not want to give them access to every target from that team, you can assign a target-specific role to that user from the Users list. ## Manage Scanning Agents diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/log-in-to-snyk-api-web.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/log-in-to-snyk-api-web.md index 37e69c72cffe..714c79fe43d4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/log-in-to-snyk-api-web.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/log-in-to-snyk-api-web.md 
@@ -8,12 +8,12 @@ There are a few ways you can access your Snyk API & Web account: * Log in with Snyk Single Sign-On (SSO). * Log in with your company SSO. -Using SSO allows you and your users to save time, improve the overall experience, and enhance security. +Using SSO saves you and your users time, improves the overall experience, and enhances security. -If you already use your company's SSO to log in to Snyk, you can log in to Snyk API & Web with your existing Snyk account, and all members of your Snyk Organization will have access as well. Click on the **Log in with Snyk** button to access Snyk API & Web. +If you already use your company's SSO to log in to Snyk, you can log in to Snyk API & Web with your existing Snyk account, and all members of your Snyk Organization have access as well. Click **Log in with Snyk** to access Snyk API & Web. If you are a Snyk user not using SSO yet and want to access Snyk API & Web, set up SSO with Snyk by visiting [Single Sign-On (SSO) for authentication to Snyk](https://docs.snyk.io/enterprise-setup/single-sign-on-sso-for-authentication-to-snyk). If you are not a Snyk user, and you only use Snyk API & Web, you can [set up SSO separately for Snyk API & Web](set-up-single-sign-on-sso-in-snyk-api-web.md). -If you do not use SSO, or if you access Snyk through social login or passwordless methods, you need to set up a password for accessing Snyk API & Web. When you create an account, you will receive instructions on how to do this. +If you do not use SSO, or if you access Snyk through social login or passwordless methods, you must set up a password for accessing Snyk API & Web. When you create an account, you receive instructions on how to do this. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/roles-and-permissions.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/roles-and-permissions.md index 083d584923e9..550280501246 100644 
--- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/roles-and-permissions.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/roles-and-permissions.md @@ -2,11 +2,11 @@ Roles and permissions overview. -The access to the main features of Snyk API & Web is ruled by permissions. For instance, in order to add a target, the user needs to have the permission `Create Target`. +Permissions control access to the main features of Snyk API & Web. For instance, to add a target, the user must have the `Create Target` permission. You can group permissions using [Roles](https://plus.probely.app/roles). For instance, the built-in role `Developer` can view targets, change target settings, change findings, and start target scans, but cannot add targets. -You can then map roles to users at an account level, team level, or at a target level. When you are [adding a user](https://plus.probely.app/users), you can set the user's: +You can then map roles to users at an account level, team level, or target level. When you are [adding a user](https://plus.probely.app/users), you can set the user's: * Global role, which is applied to all targets of the account (the role is set at an account level or global scope). * Team role, which is applied to all targets of that team. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/set-up-single-sign-on-sso-in-snyk-api-web.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/set-up-single-sign-on-sso-in-snyk-api-web.md index f0d683c5ca7b..6c6140eb64a0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/set-up-single-sign-on-sso-in-snyk-api-web.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/set-up-single-sign-on-sso-in-snyk-api-web.md 
@@ -8,30 +8,30 @@ When you do this, users from your account can choose the following option from t Note: -* If you already use SSO to log in to Snyk, you can log in to Snyk API & Web with your existing Snyk account, using the "Log in with Snyk" button: +* If you already use SSO to log in to Snyk, you can log in to Snyk API & Web with your existing Snyk account, using the **Log in with Snyk** button: * If you already have a Snyk account but you do not use SSO, you can [set up SSO with Snyk](https://docs.snyk.io/enterprise-setup/single-sign-on-sso-for-authentication-to-snyk). -Learn more about [Log in to Snyk API & Web](log-in-to-snyk-api-web.md). +Learn more in [Log in to Snyk API & Web](log-in-to-snyk-api-web.md). *** -This configuration of Snyk API & Web's specific SSO involves two steps: +The configuration of the SSO specific to Snyk API & Web involves two steps: 1. Configure Snyk API & Web in your Identity Provider. 2. Configure SSO in Snyk API & Web. This article describes these steps in detail. -Once you complete this set up, you can choose the following option from the login screen to access your account: +After you complete this setup, you can choose the following option from the login screen to access your account: ## Step 1: Configure Snyk API & Web in your Identity Provider -In this first step, go to your Identity Provider and create an entry for Snyk API & Web using the following information: +In this first step, navigate to your Identity Provider and create an entry for Snyk API & Web using the following information: * **Entity Identifier** - The URL that identifies Snyk API & Web as the issuer of SAML requests, responses, or assertions: `https://probely.com`. * **Assertion Consumer Service** - The Snyk API & Web endpoint to do the SAML authentication and authorization: `https://sso.plus.probely.app/sso//complete/` -In the endpoint, replace `` with a string that identifies your organization (with lowercase letters and hyphens only). 
For example, the company name, but if you need any help, we can suggest it for you. +In the endpoint, replace `` with a string that identifies your organization, using lowercase letters and hyphens only. For example, use the company name. If you need help, Snyk can suggest it for you. * **Certificate** - The SAML certificate for Snyk API & Web: @@ -41,7 +41,7 @@ MIIFjzCCA3egAwIBAgIUBjrMlHlE8dKutYm0cz0JXFIjMMQwDQYJKoZIhvcNAQELBQAwVzELMAkGA1UE ## Step 2: Configure SSO in Snyk API & Web -With Snyk API & Web configured in your Identity Provider, the second part of the SSO configuration is on the Snyk API & Web side. For that, you need to provide the following information: +With Snyk API & Web configured in your Identity Provider, the second part of the SSO configuration is on the Snyk API & Web side. For that, you must provide the following information: * Your Entity Identifier. * Your Certificate. 
@@ -60,8 +60,8 @@ You can also map your SAML Groups to [Snyk API & Web Roles](roles-and-permission | teamX\_developers | Developer | Team X | | portal\_developers | Developer | Portal Target | -This mapping would produce the following results: +This mapping produces the following results: -* Users belonging to **probely\_admin** would be given **Admin** permissions to the whole Snyk API & Web account (global scope). They could view and take action on any target of your account. -* Users belonging to groups **teamX\_admin** and **teamX\_developers** would only perform actions on targets of **Team X**, with permissions to do what the respective **Admin** and **Developer** roles allow. -* Users belonging to **portal\_developers** would have the permissions given by the **Developer** role and would only perform actions on a single target: the **Portal Target**. +* Users belonging to **probely\_admin** receive **Admin** permissions to the whole Snyk API & Web account (global scope). They can view and take action on any target of your account. +* Users belonging to the groups **teamX\_admin** and **teamX\_developers** only perform actions on targets of **Team X**, with permissions to do what the respective **Admin** and **Developer** roles allow. +* Users belonging to **portal\_developers** receive the permissions given by the **Developer** role and only perform actions on a single target: the **Portal Target**. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/understanding-permissions.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/understanding-permissions.md index d5a720d8f38b..df6a34bf79d7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/understanding-permissions.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/managing-account/understanding-permissions.md 
@@ -2,7 +2,7 @@ Learn what actions each permission grants to better configure your custom roles. -This article provides a detailed breakdown of the high-level permissions within Snyk API & Web, explaining what actions each permission grants. Permissions are then grouped into roles (either built-in or custom) and, along with a scope, dictate the actions a user can perform. +This article provides a detailed breakdown of the high-level permissions in Snyk API & Web, explaining what actions each permission grants. Snyk groups permissions into roles, either built-in or custom. The role, along with a scope, dictates the actions a user can perform. ## Role and scope structure diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/README.md index bc471c443e99..f18a65588e0d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/README.md @@ -4,7 +4,7 @@ After scanning your targets, use Snyk API & Web to review findings, assess their ## Key features -Snyk API & Web provides several capabilities to help you manage findings: +Snyk provides several capabilities to help you manage findings: * **Severity classification**: Understand the risk level of each finding based on exploitability and impact. * **Self-review**: Review and approve or reject low-confidence findings without waiting for manual verification. 
@@ -18,23 +18,23 @@ Snyk API & Web provides several capabilities to help you manage findings: After running a scan, you can view detailed results showing scan progress, discovered vulnerabilities, and generated reports. The scan results page provides insights into the scanner components (fingerprinter, crawler, and scanner), HTTP response codes, and the overall risk assessment of your target. -Visit [Interpret target scan results](interpret-target-scan-results.md) to learn how to understand and analyze scan results. For specific information about HTTP response codes, visit [HTTP status codes in target scans](http-status-codes-in-target-scans.md). +Visit [Interpret target scan results](interpret-target-scan-results.md) to learn how to understand and analyze scan results. For information about HTTP response codes, visit [HTTP status codes in target scans](http-status-codes-in-target-scans.md). ### Review findings severity Each finding includes a severity level (Critical, High, Medium, Low) to help you prioritize remediation efforts. The severity considers the likelihood of exploitation, required skills to exploit, and potential impact. -Visit [Severity levels in findings](severity-levels-in-findings.md) for detailed information about how Snyk API & Web assigns severity levels. +Visit [Severity levels in findings](severity-levels-in-findings.md) for detailed information about how Snyk assigns severity levels. ### Review pending findings -Snyk API & Web allows you to review findings that are in a Pending Review state without waiting for manual verification by the Snyk team. This feature gives you immediate access to low-confidence findings so you can speed up your security reviews. +Snyk lets you review findings in a **Pending Review** state without waiting for manual verification by the Snyk team. This feature gives you immediate access to low-confidence findings so you can speed up your security reviews. 
Visit [Review pending findings](review-pending-findings.md) for step-by-step instructions on enabling and using the self-review feature. ### Assign vulnerabilities to team members -You can assign findings to team members for tracking and remediation. Assignments can be made individually or in bulk from the Target page, Scan Results page, or Finding Details page. +You can assign findings to team members for tracking and remediation. Assign findings individually or in bulk from the **Target** page, **Scan Results** page, or **Finding Details** page. Visit [Assign vulnerabilities to a team member](assign-vulnerabilities-to-team-member.md) for instructions on assigning findings. @@ -46,7 +46,7 @@ Visit [Review scan login attempts](review-scan-login-attempts.md) for details on ## SAST/DAST integration -The SAST/DAST integration connects dynamic scan findings from Snyk API & Web with static analysis results from Snyk Code. This correlation links DAST findings directly to the vulnerable location in your source code, helping developers fix issues faster. +The SAST/DAST integration connects dynamic scan findings from Snyk with static analysis results from Snyk Code. This correlation links DAST findings directly to the vulnerable location in your source code, helping developers fix vulnerabilities faster. When a DAST finding correlates with SAST results, you see: 
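Review bot: in the SAST/DAST integration paragraph, shortening "Snyk API & Web" to "Snyk" makes the sentence ambiguous, because both sides of the correlation are Snyk products: "connects dynamic scan findings from Snyk with static analysis results from Snyk Code" reads as if Snyk Code were not part of Snyk. Keep the full product name where the DAST side is contrasted with Snyk Code: "connects dynamic scan findings from Snyk API & Web with static analysis results from Snyk Code".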
@@ -66,20 +66,20 @@ To connect your dynamic and static scan results, do the following. #### Connect your Snyk accounts -1. In Snyk API & Web, navigate to **Settings > Integrations**. +1. In Snyk, navigate to **Settings > Integrations**. 2. Locate the **Snyk** module. 3. Follow the link to **Snyk group** to start the authentication and authorization process. #### Map a target to your Snyk projects 1. Navigate to the **Targets** page and identify the target you want to integrate. -2. Go to that target **Settings** and click the **Integrations** tab. +2. Navigate to that target **Settings** and click the **Integrations** tab. 3. In the **Snyk** module, click **Select projects** to open a new modal. -4. Map the current Snyk API & Web target to the corresponding code analysis project(s) from Snyk and click **Save**. +4. Map the current target to the corresponding code analysis projects from Snyk and click **Save**. #### Run a DAST scan -Run a new scan on the configured target. Snyk API & Web now correlates the DAST findings from this scan with the SAST findings from your mapped Snyk projects. +Run a new scan on the configured target. Snyk now correlates the DAST findings from this scan with the SAST findings from your mapped Snyk projects. #### Analyze correlated findings diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/assign-vulnerabilities-to-team-member.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/assign-vulnerabilities-to-team-member.md index 84d9519220da..16793504c297 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/assign-vulnerabilities-to-team-member.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/assign-vulnerabilities-to-team-member.md 
@@ -1,18 +1,18 @@ # Assign vulnerabilities to team member -You can assign a vulnerability to one of your team members from several places: Target page, Scan Results page, or Finding Details page. Assigning vulnerabilities helps track responsibility and ensures that issues are addressed by the appropriate team member. +You can assign a vulnerability to one of your team members from several places: the **Target** page, **Scan Results** page, or **Finding Details** page. Assigning vulnerabilities helps track responsibility and ensures that the appropriate team member addresses each vulnerability. ## Assign from Target or Scan Results page -You can assign findings in bulk to a user from the Target page or Scan Results page. +You can assign findings in bulk to a user from the **Target** page or **Scan Results** page. -1. Select one or more vulnerabilities by checking the respective boxes on the left-hand side. -2. A dropdown menu appears, allowing you to assign the vulnerability to one of your team members. -3. Click the dropdown, select the teammate to which you want to assign the vulnerabilities, and confirm the action. +1. Select one or more vulnerabilities by selecting the respective check boxes on the left-hand side. +2. A dropdown menu appears so you can assign the vulnerability to one of your team members. +3. Click the dropdown, select the teammate to assign the vulnerabilities to, and confirm the action. ## Assign from Finding Details page -You can also assign a vulnerability to a team member directly from the Finding Details page. +You can also assign a vulnerability to a team member directly from the **Finding Details** page. -1. Access the finding details page. +1. Access the **Finding Details** page. 2. Click the **Assign** dropdown to choose the user. 
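Review bot: step 1 of the bulk-assign procedure now reads "Select one or more vulnerabilities by selecting the respective check boxes", which repeats the verb; suggest "Select the check boxes on the left-hand side for one or more vulnerabilities." The article title "Assign vulnerabilities to team member" is also still linked from the review-and-fix README and manage-findings.md as "Assign vulnerabilities to a team member"; since this file is being edited anyway, align the title with the link text.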
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/finding-states.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/finding-states.md index 583e21962be1..26c333dc8dd6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/finding-states.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/finding-states.md 
@@ -1,17 +1,17 @@ # Finding states -During a target scan, the scanner identifies vulnerabilities within the target's URLs. When a vulnerability is discovered, a finding is created. The finding's state can change either automatically (by the scanner, as a result of a target scan or re-test) or manually (by user actions). +During a target scan, the scanner identifies vulnerabilities within the target's URLs. When the scanner discovers a vulnerability, Snyk creates a finding. The state of a finding can change either automatically (by the scanner, as a result of a target scan or re-test) or manually (by user actions). ## Available finding states A finding can have the following states: -* **Not fixed** - A vulnerability was found and is waiting to be fixed. This state is not controlled by the user. As long as a target scan or re-test finds the vulnerability, the finding will be set as Not fixed. -* **Invalid** - The vulnerability was marked as invalid. This state is a result of a user action. You can use it to report a False Positive. -* **Accepted risk** - The vulnerability was marked as accepted risk. This state is a result of a user action. This can be used to identify vulnerabilities that the user doesn't consider in need of being fixed. -* **Fixed** - A previously existing vulnerability couldn't be found while running a subsequent target scan using the same profile (or a broader one), thus it has been marked as fixed. This state is not user controlled. -* **Re-testing** - A previously existing vulnerability is being re-tested. This state is a result of a user action and can lead to either a Fixed vulnerability (if the scanner isn't able to replicate the vulnerability during the re-test) or Not fixed vulnerability (if the scanner is able to find it again during the re-test). +* **Not fixed** - The scanner found a vulnerability that is waiting to be fixed. The user does not control this state. 
As long as a target scan or re-test finds the vulnerability, the finding stays in the **Not fixed** state. +* **Invalid** - The user marked the vulnerability as invalid. This state results from a user action. Use it to report a false positive. +* **Accepted risk** - The user marked the vulnerability as accepted risk. This state results from a user action. Use it to identify vulnerabilities that the user does not consider in need of being fixed. +* **Fixed** - The scanner could not find a previously existing vulnerability while running a subsequent target scan using the same profile or a broader one, so it marked the vulnerability as fixed. The user does not control this state. +* **Re-testing** - The scanner is re-testing a previously existing vulnerability. This state results from a user action. It can lead to either a **Fixed** vulnerability (if the scanner cannot replicate the vulnerability during the re-test) or a **Not fixed** vulnerability (if the scanner finds it again during the re-test). ## User-controlled vs. scanner-controlled states -In summary, Invalid, Accepted risk, and Re-testing are states controlled by the user, while Fixed and Not fixed are states set by the scanner. +In summary, the user controls the **Invalid**, **Accepted risk**, and **Re-testing** states, while the scanner sets the **Fixed** and **Not fixed** states. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/http-status-codes-in-target-scans.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/http-status-codes-in-target-scans.md index c47792a33b55..933123885b69 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/http-status-codes-in-target-scans.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/http-status-codes-in-target-scans.md 
@@ -1,17 +1,17 @@ # HTTP status codes in target scans -When analyzing your [target scan results](interpret-target-scan-results.md), you may find details about the crawler and the scanner, including a list of HTTP response status codes. +When analyzing your [target scan results](interpret-target-scan-results.md), you can find details about the crawler and the scanner, including a list of HTTP response status codes. -This information provides an overall view of how the application is responding to the crawler and scanner activities. When looking at them, bear in mind the following: +This information provides an overall view of how the application responds to the crawler and scanner activities. When looking at them, keep the following in mind: * **HTTP 2XX** - These are success status codes, that is, successful requests from Snyk API & Web. -* **HTTP 3XX** - These redirection status codes should be seen as a normal behavior of the application. They are most likely a result of the wide range of combinations in requests when Snyk API & Web crawls the application and searches for vulnerabilities. -* **HTTP 4XX** - These client error status codes should be seen as normal behavior of the application. They are most likely a result of the wide range of combinations in requests when Snyk API & Web crawls the application and searches for vulnerabilities. -* **HTTP 5XX** - These server error status codes indicate that the application is not responding well to Snyk API & Web requests due to server problems. Check the server to understand why this is happening. +* **HTTP 3XX** - These redirection status codes indicate normal behavior of the application. They most likely result from the wide range of request combinations when Snyk crawls the application and searches for vulnerabilities. +* **HTTP 4XX** - These client error status codes indicate normal behavior of the application. 
They most likely result from the wide range of request combinations when Snyk crawls the application and searches for vulnerabilities. +* **HTTP 5XX** - These server error status codes indicate that the application is not responding well to Snyk requests because of server problems. Check the server to understand why this is happening. ## Troubleshooting -Although some of the reported HTTP status codes can be seen as normal behavior (because the applications or APIs are doing what they are supposed to), there are some cases that need troubleshooting and fixing. +Although some reported HTTP status codes indicate normal behavior (because the applications or APIs are doing what they are supposed to), some cases need troubleshooting and fixing. ### HTTP 5XX status codes @@ -21,9 +21,9 @@ Look into the server to find any misbehaviors or problems and fix them. ### HTTP 401 status code with API targets -Snyk API & Web is not able to log in to scan the API. +Snyk cannot log in to scan the API. -In the Snyk API & Web app, navigate to your target settings and review the authentication according to how the API was specified: +In the Snyk app, navigate to your target settings and review the authentication according to how the API was specified: * **Swagger/OpenAPI** - The authentication configuration is in the target settings. Review and fix it. * **Postman Collection** - The authentication is implemented in the Postman Collection. Review the implementation, fix it, export the collection, and upload it in the target settings or submit the Postman Collection schema URL. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/interpret-target-scan-results.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/interpret-target-scan-results.md index e90550be84f8..3cbd4c5b870b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/interpret-target-scan-results.md 
+++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/interpret-target-scan-results.md @@ -2,7 +2,7 @@ After setting up your target at Snyk API & Web, you can start a scan and access the scan details to visualize the progress and results with real-time updates. -On this page, you will find three valuable sections to analyze and interpret a target scan: +On this page, you find three valuable sections to analyze and interpret a target scan: * **Overview** tab, with the Risk, Status, Settings, and Details of the scan. * **Findings** tab, with the list of vulnerabilities found by the scanner. 
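Review bot: "On this page, you find three valuable sections" is an awkward result of dropping the future tense; suggest "This page has three sections for analyzing and interpreting a target scan:", which also drops the promotional "valuable".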
@@ -12,13 +12,13 @@ This article provides all the details on these sections. ## Overview -The **Risk** section shows the counter of vulnerabilities found and the compliance tags. If a target does not meet the required checklist needed for being compliant, the tags will be red. +The **Risk** section shows the counter of vulnerabilities found and the compliance tags. If a target does not meet the required checklist for compliance, the tags are red. -The **Status** section shows all the relevant information about the scan date (when it started and ended), its duration, status, whether the login was successful or not, and allows for the download of the crawling report (or provisory crawling report, if the scan is still running). +The **Status** section shows all the relevant information about the scan date (when it started and ended), its duration, status, and whether the login was successful. This section also lets you download the crawling report, or the provisory crawling report if the scan is still running. Visit [What happens during a scan](../start-scanning/what-happens-during-a-scan.md) for details on scan states. -The **Settings** section shows the settings that were used during the scan. +The **Settings** section shows the settings used during the scan. The **Details** section shows the evolution of the three major components at play, each one with a specific job: 
@@ -26,13 +26,13 @@ The **Details** section shows the evolution of the three major components at pla * The **crawler** goes through the target's URLs and interacts with every element found, clicking on buttons and filling out forms, among other actions. * The **scanner** finds vulnerabilities within the target's URLs obtained by the crawler. -Under the progress bars, you can have more details of the work performed by each component: +Under the progress bars, you can find more details of the work performed by each component: * **Fingerprinter** - Shows the list of technologies detected. -* **Crawler** - Shows the number of crawled URLs and how many were deduplicated. It also shows whether the login was successful or not, and the statistics of the HTTP response codes obtained during the crawling, which can be relevant to figuring out issues that may require attention. If the crawler is still working, you will also see which URLs are being crawled at the time. If you need to check the complete list of crawled URLs, issue a report as described in the Reports section. -* **Scanner** - Shows the number of scanned URLs, the average time it took, and, similarly to the crawler, the statistics of the HTTP response codes obtained, which can be relevant to figuring out issues that may require attention. If the scanner is still working, you will also see which URLs are being scanned at the time. +* **Crawler** - Shows the number of crawled URLs and how many were deduplicated. It also shows whether the login was successful, and the statistics of the HTTP response codes obtained during the crawling, which can be relevant to identifying problems that require attention. If the crawler is still working, you also see which URLs are being crawled at the time. To check the complete list of crawled URLs, issue a report as described in the Reports section. 
+* **Scanner** - Shows the number of scanned URLs, the average time it took, and, similar to the crawler, the statistics of the HTTP response codes obtained, which can be relevant to identifying problems that require attention. If the scanner is still working, you also see which URLs are being scanned at the time. -To know more about the HTTP response codes displayed in the crawler and scanner details, visit [HTTP status codes in target scans](http-status-codes-in-target-scans.md). +To learn more about the HTTP response codes displayed in the crawler and scanner details, visit [HTTP status codes in target scans](http-status-codes-in-target-scans.md). ## Findings 
@@ -40,16 +40,16 @@ In this section, you can see the list of all the vulnerabilities found by the sc Depending on the type of vulnerability found, its exploitability, impact, and scope, a CVSS score and risk/severity classification are attributed to the finding, helping you prioritize the vulnerability fixes. -In general terms, vulnerabilities with a more significant impact that can be easily exploited have a higher risk. While vulnerabilities with a lower impact are more complex to replicate and require several specific conditions to be exploited, they likely represent a lower risk. +In general terms, vulnerabilities with a more significant impact that can be exploited easily have a higher risk. Vulnerabilities with a lower impact are more complex to replicate and require several specific conditions to exploit, so they represent a lower risk. Here, you can analyze the findings and decide which actions to take. ## Reports -At the bottom of the page, the **Reports** dropdown button allows you to download the crawling and the scan reports. +At the bottom of the page, the **Reports** dropdown button lets you download the crawling and the scan reports. -The options available will depend on the scan status: +The available options depend on the scan status: -* **Preliminary crawling report** - While the scan is running, this option is available to issue and download a provisory coverage report. It allows you to check the endpoints the scanner has reached so far. Bear in mind, however, that this report might be subject to change until the scan finishes. -* **Crawling report** - Once the scan finishes, this option is available to issue and download the final version of the coverage report. It allows you to check every endpoint the scanner reached during the entire scan. -* **Scan report** - Once the scan finishes successfully, this button is available to issue and download a target scan report, which you can share within your company or with your auditors or customers. 
The report will list the vulnerabilities found, along with a detailed description and ways of fixing them, as well as a list of all the tests performed during the target scan. Depending on the type of report, it can have additional information on tests performed for specific compliances, such as OWASP Top 10 or PCI-DSS. +* **Preliminary crawling report** - While the scan is running, this option is available to issue and download a provisory coverage report. Use it to check the endpoints the scanner has reached so far. This report is subject to change until the scan finishes. +* **Crawling report** - After the scan finishes, this option is available to issue and download the final version of the coverage report. Use it to check every endpoint the scanner reached during the entire scan. +* **Scan report** - After the scan finishes successfully, this button is available to issue and download a target scan report, which you can share within your company or with your auditors or customers. The report lists the vulnerabilities found, along with a detailed description and ways of fixing them, and a list of all the tests performed during the target scan. Depending on the type of report, it can have additional information on tests performed for specific compliances, such as OWASP Top 10 or PCI-DSS. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/invalid-findings-and-false-positives.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/invalid-findings-and-false-positives.md index baad6c873460..04e6893d600b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/invalid-findings-and-false-positives.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/invalid-findings-and-false-positives.md 
@@ -1,24 +1,24 @@ # Invalid findings and false positives -In security scans, Snyk API & Web makes a great effort to avoid false positives because they bring a costly overhead of manual analysis and resolution of vulnerabilities. +In security scans, Snyk API & Web avoids false positives because they bring a costly overhead of manual analysis and resolution of vulnerabilities. -When Snyk API & Web finds a vulnerability, a finding is created as **Not fixed**. This state can change automatically or manually, as explained in [Finding states](finding-states.md). +When Snyk finds a vulnerability, it creates a finding with a **Not fixed** state. This state can change automatically or manually, as explained in [Finding states](finding-states.md). -If a user manually changes the state to **Invalid**, it means the vulnerability does not exist and is a candidate for a false positive. +When a user manually changes the state to **Invalid**, the vulnerability does not exist and is a candidate for a false positive. -This triggers Snyk API & Web to proceed with further investigation to confirm it: +This triggers Snyk to investigate further to confirm it: -* If it is a false positive, Snyk API & Web improves the identification of vulnerabilities so that it is no longer reported. -* If not, Snyk API & Web contacts the user to explain how the vulnerability can be exploited. +* If it is a false positive, Snyk improves the identification of vulnerabilities so that it no longer reports the vulnerability. +* If not, Snyk contacts the user to explain how the vulnerability can be exploited. ## Accept risk instead of marking as invalid -In some situations, a finding should not be considered a false positive (that is, **Invalid**) and should be accepted in the specific context instead. +In some situations, a finding is not a false positive (that is, **Invalid**) and is accepted in the specific context instead. 
-For example, if a target uses Cloudflare with Transport Layer Security (TLS) 1.2 with the default configuration, the weak cipher suites enabled vulnerability is reported by the scanner due to the existence of the Cipher Block Chaining (CBC) weak cipher. +For example, if a target uses Cloudflare with Transport Layer Security (TLS) 1.2 with the default configuration, the scanner reports the weak cipher suites enabled vulnerability because of the Cipher Block Chaining (CBC) weak cipher. -However, using TLS 1.2 may be acceptable to support a broader range of users for business reasons. +However, using TLS 1.2 is acceptable to support a broader range of users for business reasons. -In this case, consider changing the state of the finding to **Accept risk**. +In this case, change the state of the finding to **Accept risk**. Visit [Manage findings](manage-findings.md) to learn how to change the state. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/manage-findings.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/manage-findings.md index 2c60ca7a205b..354f1d1ffd5f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/manage-findings.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/manage-findings.md @@ -1,6 +1,6 @@ # Manage findings -During a scan, Snyk API & Web finds vulnerabilities within the target URLs. When a vulnerability is found, a finding is created. These findings are registered in Snyk API & Web, and you can perform the following actions: +During a scan, Snyk API & Web finds vulnerabilities within the target URLs. When Snyk finds a vulnerability, it creates a finding. Snyk registers these findings, and you can perform the following actions: * Change a finding's state. * Change a finding's severity. 
@@ -11,36 +11,36 @@ During a scan, Snyk API & Web finds vulnerabilities within the target URLs. When ## Change state -A finding's state can change automatically (by the scanner during a target scan or re-test) or manually (through user actions). +The state of a finding can change automatically (by the scanner during a target scan or re-test) or manually (through user actions). -Using the Snyk API & Web interface, you can define a finding as **Accepted** if you acknowledge and accept its risk, or as **Invalid** if you consider it to be a false positive. +Using the Snyk interface, you can define a finding as **Accepted** if you acknowledge and accept its risk, or as **Invalid** if you consider it to be a false positive. You can change the state from the following locations: -* From the side panel or small details screen, click the **three vertical dots** that appear on the bottom-right corner and choose the respective action. +* From the side panel or small details screen, click the **three vertical dots** that appear in the bottom-right corner and select the respective action. * From the full details page, click the respective button on the bottom right of the screen. * From the list of findings, click the **State** dropdown. -These actions are reflected in the **State** field shown below. +These actions are reflected in the **State** field. -Visit [Finding states](finding-states.md) to learn more about the findings' states and how they can change. +Visit [Finding states](finding-states.md) to learn more about finding states and how they can change. ## Change severity -Depending on the type of vulnerability found, its exploitability, impact, and scope, a CVSS score and severity classification are attributed to the finding, helping you prioritize vulnerability fixes. +Depending on the type of vulnerability found, its exploitability, impact, and scope, Snyk attributes a CVSS score and severity classification to the finding, helping you prioritize vulnerability fixes. 
-While the CVSS score cannot be manually changed, you can still change the finding's severity. This can be done directly from the finding's details page: +You cannot manually change the CVSS score, but you can change the severity of the finding. Change it directly from the details page of the finding: -* From the small details panel, click the **three vertical dots** to open the dropdown menu, and click the **Change severity** option. +* From the small details panel, click the **three vertical dots** to open the dropdown menu, and select **Change severity**. * From the full details page, click the respective button on the bottom right of the screen. Regardless of which method you choose, you can then define the intended value and save the change. -Once you save the change, Snyk API & Web will not change the severity back, so make sure you intend to make the change. Visit [Severity levels in findings](severity-levels-in-findings.md) for more information. +After you save the change, Snyk does not change the severity back, so ensure you intend to make the change. Visit [Severity levels in findings](severity-levels-in-findings.md) for more information. ## Change assignee -After a target scan or a re-test, you may want to assign a vulnerability to be handled by a specific team member. This can be done either through the finding's details page by clicking the respective **pencil icon** next to the **Assignee** field, or through the target page or the scan results page by selecting one or more findings and clicking the respective dropdown. +After a target scan or a re-test, you can assign a vulnerability to be handled by a specific team member. Assign it from the details page of the finding by clicking the respective **pencil icon** next to the **Assignee** field, or from the target page or the scan results page by selecting one or more findings and clicking the respective dropdown. 
Visit [Assign vulnerabilities to a team member](assign-vulnerabilities-to-team-member.md) to learn more about changing a finding's assignee. 
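Review bot: the Change state section calls the state **Accepted**, while finding-states.md in this same change calls it **Accepted risk** and invalid-findings-and-false-positives.md says **Accept risk**; since this hunk already bolds UI labels, use the one name the UI actually shows in all three files so readers can match the documentation to the dropdown. Dropping "shown below" from "These actions are reflected in the **State** field" is fine only if no screenshot follows the sentence; otherwise keep a pointer to it.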
@@ -48,20 +48,20 @@ Visit [Assign vulnerabilities to a team member](assign-vulnerabilities-to-team-m To help you filter scan results, you can use finding labels. You can create and apply them to your findings: -* Through the finding's details page, click the **pencil icon** that appears next to the respective field. -* Through the findings list, click the **Set labels** dropdown. +* From the details page of the finding, click the **pencil icon** that appears next to the respective field. +* From the findings list, click the **Set labels** dropdown. ## Re-test -After fixing vulnerabilities previously reported by Snyk API & Web, you can re-test them to confirm they can no longer be exploited and are resolved. +After fixing vulnerabilities previously reported by Snyk, you can re-test them to confirm they can no longer be exploited and are resolved. To start a re-test: -* Visit the finding's details and click the **Re-test** button. -* Access any list in which it is displayed (target page, scan results page, or findings list), select it, and click the **Re-test** button. +* Visit the details of the finding and click **Re-test**. +* Access any list in which it is displayed (target page, scan results page, or findings list), select it, and click **Re-test**. -If during a re-test the scanner is not able to replicate the vulnerability, the finding is marked as **Fixed**. Otherwise, it remains listed as **Not Fixed** until it can no longer be replicated by the scanner. +If the scanner cannot replicate the vulnerability during a re-test, Snyk marks the finding as **Fixed**. Otherwise, it remains listed as **Not fixed** until the scanner can no longer replicate it. ## Add a note -When viewing a vulnerability's details, you can add comments or notes for your teammates. Scroll down to the bottom of the page, write the intended note, and click the **Add note** button. 
These notes are not a way to contact Snyk API & Web and should only be used to leave contextualized information available for your teammates. +When viewing the details of a vulnerability, you can add comments or notes for your teammates. Scroll down to the bottom of the page, write the intended note, and click **Add note**. These notes are not a way to contact Snyk. Use them only to leave contextualized information available for your teammates. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/README.md index ebf05f888ca5..f3497f8e4671 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/README.md @@ -1,10 +1,10 @@ # Overview of reports -Snyk API & Web enables you to generate reports that can be used to showcase your security to auditors or customers, to achieve compliance, for internal assessment, and for many other purposes. +With Snyk API & Web, you can generate reports to showcase your security to auditors or customers, achieve compliance, perform internal assessments, and more. ## Types of reports -Snyk API & Web offers several types of reports: +Snyk offers several types of reports: ### Target scan reports 
@@ -17,23 +17,23 @@ Target scan reports are available in PDF and DOCX formats and include: * **ISO 27001** - Compliance report for ISO/IEC 27001 (2022 revision). * **HIPAA** - Compliance report for HIPAA standards. -Visit [Report types](report-types.md) to learn more about each report type and their contents. +Visit [Report types](report-types.md) to learn more about each report type and its contents. ### Coverage reports -Coverage reports show all the URLs that Snyk API & Web visited while the scan was running. These CSV reports help you verify that your target was scanned in full and that all endpoints were covered. +Coverage reports show all the URLs that Snyk visited while the scan was running. These CSV reports help you verify that your target was scanned in full and that all endpoints were covered. Visit [Coverage report](coverage-report.md) to learn how to read and interpret coverage reports. ### Saved reports -Saved reports allow you to generate reports based on search criteria that can comprise multiple targets. This feature is available on the Enterprise plan only. +Saved reports let you generate reports based on search criteria that can comprise multiple targets. This feature is available on the Enterprise plan only. Visit [Saved reports](saved-reports.md) to learn how to configure and download saved reports. ### Table exports -You can export filtered, customized table data directly from your Snyk API & Web account to CSV format for analysis in Excel, Google Sheets, or any BI tool. +You can export filtered, customized table data directly from your Snyk account to CSV format for analysis in Excel, Google Sheets, or any BI tool. Visit [Export table data to CSV](export-table-data-to-csv.md) to learn how to export table data. 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/change-report-type.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/change-report-type.md index f634df05e23b..745722200beb 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/change-report-type.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/change-report-type.md @@ -1,8 +1,8 @@ # Change report type -Snyk API & Web allows you to generate reports for target scans that are already finished. You can use these reports to showcase your security to auditors, clients, consultants, and management. You can also use these reports to achieve HIPAA, PCI-DSS, or ISO 27001 compliance. +With Snyk API & Web, you can generate reports for target scans that are already finished. Use these reports to showcase your security to auditors, clients, consultants, and management. You can also use these reports to achieve HIPAA, PCI-DSS, or ISO 27001 compliance. -When generating a target scan report, click the **Scan report** button, select the desired type, and the report is generated and downloaded. +To generate a target scan report, click **Scan report** and select the type you want. Snyk generates and downloads the report. Visit [Report types](report-types.md) to learn more about all the report types. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/coverage-report.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/coverage-report.md index 2bf612a5bac6..2269d7a332c3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/coverage-report.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/coverage-report.md 
@@ -1,36 +1,36 @@ # Coverage report -Coverage is a fundamental aspect of a scan, as it may be the difference between a useful, successful scan and an uninformative scan. +Coverage is a fundamental aspect of a scan. It can be the difference between a useful, successful scan and an uninformative one. -As soon as your scan starts, you can download a provisional coverage report to get some sense of what is happening during your scan. Bear in mind, however, that this report might be subject to change until the scan is finished. +As soon as your scan starts, you can download a provisional coverage report to understand what is happening during your scan. This report is subject to change until the scan is finished. -Once the scan completes, you can export the detailed coverage report, where scanned URLs are listed along with the ones that were not scanned. +After the scan completes, you can export the detailed coverage report, which lists scanned URLs along with the ones that were not scanned. -This acts as a tool for you to check if the scanner is reaching every endpoint possible and filtering them successfully. +Use this report to check whether the scanner is reaching every possible endpoint and filtering them successfully. ## How coverage works -Before and while doing tests, the crawler navigates your website to find every endpoint possible while testing every input it might find. Then those URLs are sent to the scanner to be tested for any vulnerabilities. +Before and during tests, the crawler navigates your website to find every possible endpoint while testing every input it finds. The crawler then sends those URLs to the scanner to test for vulnerabilities. ## Finding your report You can find your scan's coverage next to the scan's report and download it for further analysis. -By default, only the accepted endpoints are shown on the report. 
To include rejected endpoints on the report, go to your **Target Settings** and change the **Coverage Detail** under **Scanner**. +By default, the report shows only the accepted endpoints. To include rejected endpoints, navigate to your **Target Settings** and change the **Coverage Detail** under **Scanner**. Visit [Generate a CSV coverage report](generate-csv-coverage-report.md) to learn how to download your coverage report. ## Reading the CSV file -A Comma Separated Values (CSV) file is a plain text file that contains a list of data. A CSV file has a fairly simple structure. It is a list of data separated by commas. +A CSV file is a plain text file that contains a list of data separated by commas. After downloading the file, you can open it in your terminal, text editor, or spreadsheet application. -The first column is about the type of request the crawler made (HTTP requests such as GET, POST, PUT, DELETE, PATCH, and so on). +The first column shows the type of request the crawler made (HTTP requests such as GET, POST, PUT, DELETE, PATCH, and so on). -The second column regards the found or targeted URL. Check this column to verify if all the endpoints possible for your website are being reached. +The second column shows the found or targeted URL. Check this column to verify that all possible endpoints for your website are being reached. -The third and fourth columns are the request's response and its meaning. The most frequent responses are: +The third and fourth columns show the request's response and its meaning. The most frequent responses are: * 200 - OK. * 301 - Moved Permanently. 
@@ -46,19 +46,19 @@ The third and fourth columns are the request's response and its meaning. The mos These requests are then accepted or rejected by the engine's standards. If the engine rejects an endpoint, it provides a reason, such as: * `is on keyword reject list` - * Meaning: Was rejected because the URL contains a keyword that is on the internal keyword reject list. + * Meaning: Rejected because the URL contains a keyword that is on the internal keyword reject list. * Words like "logout", "logoff", or "signout" are blocked to ensure that the crawler does not lose its session. * `file extension ignored` - * Meaning: Was rejected because the URL file extension is on the internal reject list. + * Meaning: Rejected because the URL file extension is on the internal reject list. * Extensions such as .exe, .zip, and .tgz get rejected by the crawler. * `is on user reject list` - * Meaning: Was rejected because the URL matches an item that is on the user's reject list. + * Meaning: Rejected because the URL matches an item that is on the user's reject list. * `deduplicated (simhash)` * Meaning: The content structure of the endpoint's simhash was the same as another endpoint's, so it was rejected. * `path limit reached` * Meaning: The base URL (without fragments and query strings) reached the visit limit. * `query string limit reached` - * Meaning: The base URL with the same query string parameters (values excluded) reached the visit limit. The default limit is currently set as 2. + * Meaning: The base URL with the same query string parameters (values excluded) reached the visit limit. The default limit is 2. * `fragment limit reached` * Meaning: The same base URL with fragments or hashes reached the visit limit. * `auto pattern limit reached` 
@@ -85,4 +85,4 @@ Here are a few examples to help you understand your coverage report: A GET request to http://example.com/showimage.php?file=./pictures/5.jpg was rejected by the scanner because the base URL with the query string reached the visit limit. -With this knowledge, you are now able to fully read your coverage feedback and identify any blind spots or misconfigurations of your target. +With this knowledge, you can read your coverage feedback and identify any blind spots or misconfigurations of your target. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/export-table-data-to-csv.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/export-table-data-to-csv.md index c9423a1dadaa..ed06563fd74a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/export-table-data-to-csv.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/export-table-data-to-csv.md @@ -2,7 +2,7 @@ Whether you are performing a deep-dive audit or preparing a presentation for stakeholders, getting your data into your own workflow should be seamless. -The **Download CSV** feature allows you to export filtered, customized table data directly from your Snyk API & Web account. This eliminates the need for manual copy-pasting and allows you to manipulate your data in Excel, Google Sheets, or any BI tool of your choice. +The **Download CSV** feature lets you export filtered, customized table data directly from your Snyk API & Web account. This eliminates the need for manual copy-pasting and lets you manipulate your data in Excel, Google Sheets, or any BI tool of your choice. ## Prerequisites 
@@ -10,21 +10,21 @@ Access is tied to table visibility. If you have permission to view a table, you ## How it works -The export tool is designed to provide you with as much flexibility as you need. When choosing to download a CSV file, you can customize the fields you want to export (by selecting them on the interface). +The export tool provides as much flexibility as you need. When you download a CSV file, you can customize the fields you want to export by selecting them in the interface. ### Steps to export data 1. Navigate to the page that contains the table you want to export. -1. Click the **Download CSV** button above the table. +1. Click **Download CSV** above the table. 1. Select the fields you want to export. -1. Choose your delivery method. A prompt appears asking how you would like to receive your file: - * **Wait for generation:** stay on the page while the system processes the request. Once finished, you can download the file directly to your device. - * **Receive via email:** you can continue working on the app. Snyk API & Web sends you an email with the CSV file attached. +1. Choose your delivery method. A prompt appears asking how you want to receive your file: + * Wait for generation: stay on the page while the system processes the request. After it finishes, you can download the file directly to your device. + * Receive by email: continue working in the app. Snyk sends you an email with the CSV file attached. -If you choose to wait for the generation but change your mind, you can still opt to have the completed report sent to your email once it is ready. +If you choose to wait for the generation but change your mind, you can still have the completed report sent to your email after it is ready. ## Technical details (API) -For users leveraging the Snyk API & Web's API, the export functionality can be triggered programmatically. 
The API respects the same filtering and field-selection parameters as the Web interface, ensuring consistency across your automated workflows. +If you use the Snyk API, you can trigger the export functionality programmatically. The API respects the same filtering and field-selection parameters as the web interface, ensuring consistency across your automated workflows. -For more details on how to export data using the API, see [Export API Reference](https://developers.probely.com/api/reference/export). +For more details on how to export data using the API, visit the [Export API reference](https://developers.probely.com/api/reference/export). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-csv-coverage-report.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-csv-coverage-report.md index 24aedf072e92..fd9d43e2bb93 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-csv-coverage-report.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-csv-coverage-report.md @@ -1,6 +1,6 @@ # Generate CSV coverage report -Sometimes, you might want to make sure that your target was scanned in full and that all URLs were covered by the scan. For that reason, Snyk API & Web allows you to download a CSV coverage or crawling report, which shows a list of all the URLs that Snyk API & Web visited while the scan was running. +To verify that your target was scanned in full and that the scan covered all URLs, Snyk API & Web lets you download a CSV coverage or crawling report. This report shows a list of all the URLs that Snyk visited while the scan was running. There are a few different ways to generate a CSV coverage report: 
@@ -15,27 +15,27 @@ This article describes each way in detail. Follow this procedure to generate a crawling report from the Scan Activity of a target. 1. In the **Targets** section, click the target name to show its details. -2. Click the **Scan Activity** tab. You will see a **Reports** button next to each scan. -3. Generate the report by clicking the button and choosing the Crawling report. +2. Click the **Scan Activity** tab. A **Reports** button appears next to each scan. +3. Click the button and choose the **Crawling report** to generate the report. ## From the global Scan Activity Follow this procedure to generate the crawling report from the global Scan Activity in your account. -1. Once you access the **Scans** section, the **Scan activity** tab displays a **Reports** button next to each scan. -2. Generate the report by clicking the button and choosing the Crawling report. +1. Access the **Scans** section. The **Scan Activity** tab displays a **Reports** button next to each scan. +2. Click the button and choose the **Crawling report** to generate the report. ## From a target's scan results Follow this procedure to generate the scan report from the details of a target's scan results. -1. Go to the **Targets** section and click the target name to show its details. +1. Navigate to the **Targets** section and click the target name to show its details. 2. Click the **Scan Activity** tab. 3. In the scans listed in the **Scan Activity** tab, click the row of the scan to view the scan details. -4. At this point, you can download the **Crawling report** either from the **Status** section or from the **Reports** button. +4. Download the **Crawling report** either from the **Status** section or from the **Reports** button. -If you open the full view of the scan details, you will see the same two options: +If you open the full view of the scan details, you see the same two options. 
-Once you request the report, the CSV file is automatically downloaded, and you have a list of all the endpoints Snyk API & Web accessed during that particular target scan. +After you request the report, Snyk downloads the CSV file automatically. The file lists all the endpoints Snyk accessed during that target scan. Visit [Coverage report](coverage-report.md) to learn how to read and interpret the CSV coverage report. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-scan-report.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-scan-report.md index 9e0651df1a0e..aa605e00d3d2 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-scan-report.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/generate-scan-report.md @@ -1,8 +1,8 @@ # Generate a scan report -With Snyk API & Web, you are one click away from generating reports that can be used to showcase your security to auditors or customers, to achieve compliance, for internal assessment, and for many other purposes. +With Snyk API & Web, you are one click away from generating reports to showcase your security to auditors or customers, achieve compliance, perform internal assessments, and more. -Snyk API & Web provides several types of target scan reports as described in [Report types](report-types.md). +Snyk provides several types of target scan reports, as described in [Report types](report-types.md). There are a few different ways to generate a scan report: 
@@ -17,25 +17,25 @@ This article describes each way in detail. Follow this procedure to generate a scan report from the Scan Activity of a target. 1. In the **Targets** section, click the target name to show its details. -2. Click the **Scan Activity** tab. You will see a **Reports** button next to each scan. -3. Generate the report of a completed scan by clicking the button and choosing the type of report. +2. Click the **Scan Activity** tab. A **Reports** button appears next to each scan. +3. To generate the report of a completed scan, click the button and choose the type of report. ## From the global Scan Activity Follow this procedure to generate the scan report from the global Scan Activity in your account. -1. Once you access the **Scans** section, the **Scan Activity** tab displays a **Reports** button next to each scan. -2. Generate the report of a completed scan by clicking the button and choosing the type of report. +1. Access the **Scans** section. The **Scan Activity** tab displays a **Reports** button next to each scan. +2. To generate the report of a completed scan, click the button and choose the type of report. ## From a target's scan results Follow this procedure to generate the scan report from the details of a target's scan results. -1. Go to the **Targets** section and click the target name to show its details. +1. Navigate to the **Targets** section and click the target name to show its details. 2. Click the **Scan Activity** tab. 3. In the scans listed in the **Scan Activity** tab, click the row of the scan to view the scan details. -4. Click the **Reports** button and choose the type of report to generate. +4. Click **Reports** and choose the type of report to generate. -Regardless of where you perform this action, once you click the desired type, the report is generated and you can choose to receive the report by email or download it as soon as it is ready. 
+Regardless of where you perform this action, after you click the type you want, Snyk generates the report. You can choose to receive the report by email or download it as soon as it is ready. Visit [Switch report format](switch-report-format.md) to learn how to change the file format between DOCX and PDF. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/report-types.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/report-types.md index 9343ca367f2f..4e10c4b8bea5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/report-types.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/report-types.md @@ -9,7 +9,7 @@ Snyk API & Web offers several types of target scan reports, available in PDF or * ISO 27001. * HIPAA. -Use the type of report that is adjusted to your situation. +Use the type of report that fits your situation. The following sections describe the content of each report. 
@@ -36,24 +36,24 @@ This is a high-level view report of the target scan and only contains: This is a target scan report specific to PCI-DSS compliance. You can use any of these reports to verify which controls a target is passing or failing in the respective PCI-DSS version. The PCI-DSS report is similar to the Standard report but adds a section to the scan summary with the PCI-DSS requirements checklist. -Snyk API & Web indicates if a target was tested for the requirements checklist and if it passed each item on the list. +Snyk indicates whether a target was tested for the requirements checklist and whether it passed each item on the list. ## OWASP Top 10 2021 and 2025 -This is similar to the PCI-DSS report but considers OWASP Top 10 2021 or 2025. OWASP Top 10 uses a popular framework provided by OWASP that lists the top 10 security risks of Web applications. Auditors often use this framework when performing a company's security audit. +This is similar to the PCI-DSS report but considers OWASP Top 10 2021 or 2025. OWASP Top 10 is a popular framework provided by OWASP that lists the top 10 security risks of web applications. Auditors often use this framework when performing a company's security audit. -Snyk API & Web indicates if a target was tested for the requirements checklist and if it passed each item on the list. +Snyk indicates whether a target was tested for the requirements checklist and whether it passed each item on the list. ## ISO 27001 This is a specific target scan report on compliance with ISO/IEC 27001 (2022 revision). You can use this report to verify which controls a target is passing or failing. ISO 27001 is similar to the Standard report but adds a section to the scan summary with the ISO 27001 requirements checklist. -Snyk API & Web indicates if a target was tested for the requirements checklist and if it passed each item on the list. 
+Snyk indicates whether a target was tested for the requirements checklist and whether it passed each item on the list. ## HIPAA This is a specific target scan report on HIPAA compliance. You can use this report to verify which controls a target is passing or failing. HIPAA is similar to the Standard report but adds a section to the scan summary with the HIPAA requirements checklist. -Snyk API & Web indicates if a target was tested for the requirements checklist and if it passed each item on the list. +Snyk indicates whether a target was tested for the requirements checklist and whether it passed each item on the list. You do not need to start a target scan again to issue a new type of report. Visit [Change report type](change-report-type.md) to generate and download a different report type. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/saved-reports.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/saved-reports.md index 3bdda5d2e430..adfb0965a945 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/saved-reports.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/saved-reports.md 
@@ -2,30 +2,28 @@ With Snyk API & Web, you can download reports of specific scans (scan reports), or reports based on search criteria you define, that can comprise multiple targets (saved reports). -This feature (available on the Enterprise plan only) allows you to, for instance, get a report of all High findings across all targets from a specific team. +This feature, available on the Enterprise plan only, lets you, for instance, get a report of all High findings across all targets from a specific team. ## Generate a saved report -To generate these reports, go to the global list of **Findings**, apply the search terms and filters wanted, and click the **Reports** button from the top right corner of the page. - -Once you do, a dropdown menu appears with 3 options: +To generate these reports, navigate to the global list of **Findings**, apply the search terms and filters you want, and click **Reports** in the top right corner of the page. A dropdown menu appears with three options. ### Generate now -This generates a PDF report of the findings listed, taking into account the search and filters applied on the interface. +This generates a PDF report of the findings listed, taking into account the search and filters applied in the interface. -Similarly to what happens with scan reports, you can choose to send the report by email, or wait for it to be generated and then download it. +As with scan reports, you can choose to send the report by email, or wait for it to be generated and then download it. ### Save report -This saves a new report (that takes into account the search and filters applied on the interface) and lists it under Manage reports. +This saves a new report, which takes into account the search and filters applied in the interface, and lists it under Manage reports. -Reports can be saved with or without recurrence. If recurrence is configured, you automatically receive the respective report in your email address at the "next report" date. 
+You can save reports with or without recurrence. If you configure recurrence, you automatically receive the report at your email address on the "next report" date. ### Manage reports -This option redirects to a new page where you can manage the reports already saved using the previous option. +This option redirects to a new page where you can manage the reports you already saved using the previous option. -* You can click the **Findings list** link in the Findings column to access the global Findings list filtered by the same criteria that were used when saving the report. This gives you an overview of the findings that match the criteria applied and you can even tweak this pre-filtered view to generate new reports with similar filters, if needed. -* You can click the **Download** button to download the current report taking into account the filters and search defined. This means every time the report is downloaded, the results may be different (that is, the findings from the report are always up to date). -* You can click the **Delete** button to delete the report. If you do, any upcoming reports are canceled and you no longer receive them by email. +* Click the **Findings list** link in the Findings column to access the global Findings list filtered by the same criteria used when saving the report. This gives you an overview of the findings that match the criteria applied. You can also tweak this pre-filtered view to generate new reports with similar filters. +* Click **Download** to download the current report, taking into account the filters and search defined. The results can differ each time you download the report, because the findings in the report are always up to date. +* Click **Delete** to delete the report. Snyk cancels any upcoming reports, and you no longer receive them by email. 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/switch-report-format.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/switch-report-format.md index ade4a4361130..511d3de55cc7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/switch-report-format.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/overview-reports/switch-report-format.md @@ -1,7 +1,5 @@ # Switch report format -Depending on your account plan, you can download reports either in DOCX or PDF formats. To choose which one to use, access the **Reports** tab of your target settings and select the desired option in the **Report format** section. +Depending on your account plan, you can download reports in either DOCX or PDF format. To choose which one to use, access the **Reports** tab of your target settings and select the option you want in the **Report format** section. Click **Save** to confirm your changes. -Once you do, click **Save** to confirm your changes. - -Afterwards, you can download your reports. Visit [Generate a scan report](generate-scan-report.md) to learn how to do this. +You can then download your reports. Visit [Generate a scan report](generate-scan-report.md) to learn how. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/review-scan-login-attempts.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/review-scan-login-attempts.md index a8c7b40e076e..6fc5a8dfbdb9 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/review-scan-login-attempts.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/review-scan-login-attempts.md 
@@ -1,7 +1,7 @@ # Review scan login attempts -When you configure authentication on your target and run a scan, you can verify that the crawler successfully logged in to your application. Besides reviewing the crawling report for each particular scan and the endpoints visited during the scan, you can also watch a video of the login attempt. +When you configure authentication on your target and run a scan, you can verify that the crawler successfully logged in to your application. Besides reviewing the crawling report for each scan and the endpoints visited during the scan, you can also watch a video of the login attempt. -This video is available on your last scan's results page for a bit over a month, assuming there was a login attempt during that scan. You can see this in the feedback section of the scan results page. +This video is available on the results page of your last scan for a bit over a month, if there was a login attempt during that scan. You can find this in the feedback section of the scan results page. -This video allows you to confirm whether a login was successful, alerting you to update your target settings accordingly if needed. If you realize the login did not work as expected, even though it was identified as successful, contact Snyk support. +This video lets you confirm whether a login was successful, alerting you to update your target settings if needed. If you realize the login did not work as expected, even though it was identified as successful, contact Snyk support. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/severity-levels-in-findings.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/severity-levels-in-findings.md index c7ab896eba44..6908b0cfc552 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/severity-levels-in-findings.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/review-and-fix/severity-levels-in-findings.md 
@@ -6,7 +6,7 @@ Snyk API & Web assigns a severity level to each finding to summarize its overall * The skills required to exploit the vulnerability. * The impact of exploiting the vulnerability. -For example, a vulnerability that is easy to find, easy to exploit, and has a high impact will likely be classified with a high severity. +For example, a vulnerability that is easy to find, easy to exploit, and has a high impact is likely classified with a high severity. Different findings for the same vulnerability can have different severity levels depending on the context in which Snyk API & Web finds the vulnerabilities. Multiple factors can influence this context, which Snyk API & Web considers to lower or raise the severity level. For example, the severity of a finding can be higher or lower depending on whether the scanned target has authentication configured. 
@@ -17,8 +17,8 @@ The following table describes the different severity levels. | Severity | Description | Examples | | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------ | | DAoGv5pJ2QPn | These findings require immediate attention and remediation due to their potentially devastating impact. | SQL Injection, OS Command Injection | -| CEQJw2Dg2qUX | These findings may have a direct impact on the application security, either clients or service owners, for instance, by granting the attacker access to sensitive information. | Reflected Cross-Site Scripting, Path Traversal | -| CLg1PflLeJ0i | Medium findings do not usually have an immediate impact alone, but combined with other findings, may lead to a successful compromise of the application. | Cross-Site Request Forgery, Unencrypted Communications | +| CEQJw2Dg2qUX | These findings can have a direct impact on the application security, either clients or service owners, for example, by granting the attacker access to sensitive information. | Reflected Cross-Site Scripting, Path Traversal | +| CLg1PflLeJ0i | Medium findings do not usually have an immediate impact alone, but combined with other findings, can lead to a successful compromise of the application. | Cross-Site Request Forgery, Unencrypted Communications | | dzwfjdzNIMju | Findings where either the exploit is not trivial, or the finding cannot be exploited by itself. | Directory Listing, Clickjacking | ## Related information diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/README.md index 3b6ec5fa426c..f062d4602ede 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/README.md 
+++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/README.md @@ -1,9 +1,9 @@ # Start scanning -After configuring your targets in Snyk API & Web, you can start scanning to identify security vulnerabilities. This section covers everything you need to know about running, managing, and optimizing scans: +After you configure your targets in Snyk API & Web, you can start scanning to identify security vulnerabilities. This section covers running, managing, and optimizing scans: * [What happens during a scan](what-happens-during-a-scan.md) - Understand the scan stages and states -* [Scan settings](overview-scan-settings/) - Configure how Snyk API & Web scans your targets +* [Scan settings](overview-scan-settings/) - Configure how Snyk scans your targets * [Scanning agent](overview-scanning-agent/) - Scan internal applications not accessible from the internet * [Scan management](overview-scan-management/) - Control when and how scans run * [Scan access and connectivity](overview-scan-access-and-connectivity/) - Configure network access for scanning diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/README.md index 4f6ea2863cfb..e3b22d713224 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/README.md 
@@ -4,5 +4,5 @@ Configure network access and connectivity for Snyk API & Web scanning: * [Scanner's outgoing IP address](scanner-ip-address.md) - Get the IP address for allowlist configuration * [Configure IPs in WAFs](configure-ips-in-wafs.md) - Set up web application firewall rules for scanning -* [Identify scanner requests](identify-scanner-requests.md) - Recognize Snyk API & Web traffic in your logs +* [Identify scanner requests](identify-scanner-requests.md) - Recognize Snyk traffic in your logs * [CAPTCHAs impact on scans](captchas-impact.md) - Understand how CAPTCHAs can affect your scans diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/captchas-impact.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/captchas-impact.md index e041906aeb3c..a904aad7805b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/captchas-impact.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/captchas-impact.md 
@@ -2,24 +2,24 @@ A CAPTCHA, short for "Completely Automated Public Turing test to tell Computers and Humans Apart," is a challenge-response test used to confirm whether the user is human. -The primary goal of a CAPTCHA challenge is to ensure that a human initiates all actions taken on a website. This is typically accomplished through letter and image recognition. +The primary goal of a CAPTCHA challenge is to ensure that a human initiates all actions taken on a website. CAPTCHAs typically accomplish this through letter and image recognition. -Implementing a CAPTCHA on a website can help protect against bots and spam, and it is highly recommended for use in production. +Implementing a CAPTCHA on a website helps protect against bots and spam. Snyk recommends a CAPTCHA for use in production. ## Helping Snyk API & Web bypass a CAPTCHA -When using Snyk API & Web, it is important to allow full access to the target you wish to scan. +When using Snyk, allow full access to the target you want to scan. The crawler, an automated module that crawls the target and gathers endpoints and injection points for the scanner, cannot solve a CAPTCHA independently. As a result, a CAPTCHA can block the crawling of a target and hinder the scanning process. -To help Snyk API & Web bypass a CAPTCHA, you can: +To help Snyk bypass a CAPTCHA, you can: * Disable the challenge on a target in a staging environment -* Allow Snyk API & Web outbound IP addresses to bypass the CAPTCHA in its settings +* Allow Snyk outbound IP addresses to bypass the CAPTCHA in its settings -If these options do not work, add a cookie that, when presented in a request, will disable the CAPTCHA and allow Snyk API & Web to bypass it successfully. +If these options do not work, add a cookie that disables the CAPTCHA when presented in a request, allowing Snyk to bypass it. 
-The cookie (implemented on your target) will check if the requests are being made using the configured header, disabling the CAPTCHAs and giving clear access to the target. +Implement the cookie on your target. The cookie checks whether the requests use the configured header, then disables the CAPTCHAs and gives clear access to the target. Example cookie snippet: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md index f92f051ca362..2669f549d0e1 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md @@ -1,8 +1,8 @@ # Configure IPs in WAFs -Snyk API & Web uses specific public IP addresses to scan your targets. If you are using a Web Application Firewall (WAF) in front of your target, it can block scan requests and cause the scan to fail. To avoid that, you must configure the WAF to allow Snyk API & Web IP addresses. +Snyk API & Web uses specific public IP addresses to scan your targets. If you use a Web Application Firewall (WAF) in front of your target, it can block scan requests and cause the scan to fail. To avoid that, configure the WAF to allow Snyk IP addresses. -For a list of Snyk API & Web IP addresses, see [Scanner IP address](scanner-ip-address.md). +For a list of Snyk IP addresses, visit [Scanner IP address](scanner-ip-address.md). ## Configure Cloudflare WAF 
@@ -10,9 +10,9 @@ Cloudflare provides documentation explaining how to configure access rules for i When following these steps, use this information: -* **IP, IP range, country name, or ASN** - Enter the Snyk API & Web IP address for your case. +* **IP, IP range, country name, or ASN** - Enter the Snyk IP address for your case. * **Action** - Select **Allow**. -* **Zone** - From the available options, select **This website** if you want to apply the rule only to the current zone. Alternatively, select **All websites in account** if you want the rule to be created in all zones of your Cloudflare account. -* **Notes** - This is optional, but you can provide text identifying the rule. For example, "Snyk API & Web IP". +* **Zone** - To apply the rule only to the current zone, select **This website**. To create the rule in all zones of your Cloudflare account, select **All websites in account**. +* **Notes** - Optionally, provide text identifying the rule. For example, "Snyk API & Web IP". -After creating the rule, your target scans with Snyk API & Web should run smoothly without being blocked by Cloudflare WAF. +After you create the rule, your target scans with Snyk run without being blocked by Cloudflare WAF. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/identify-scanner-requests.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/identify-scanner-requests.md index e6f5b935cf08..30262181166e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/identify-scanner-requests.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/identify-scanner-requests.md 
@@ -16,4 +16,4 @@ Use this string to identify Snyk API & Web requests. Do not rely on any other in ## Related information -Another alternative to identify Snyk API & Web requests is through the scanner IP address. For more information, see [Scanner IP address](scanner-ip-address.md). +You can also identify Snyk requests through the scanner IP address. For more information, visit [Scanner IP address](scanner-ip-address.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md index 9caadedb648a..9bc96da10b0d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md 
@@ -32,19 +32,19 @@ All other customers: * **52.16.191.244** (AWS IP) -If you are unsure where your account is hosted, consider checking all IP addresses or contact the support team for assistance. +If you are unsure where your account is hosted, check all IP addresses or contact the support team for assistance. -If you have your own single tenant or dedicated infrastructure, reach out to the support team. +If you have your own single tenant or dedicated infrastructure, contact the support team. ## Deprecated IP addresses -The following IP addresses are deprecated, and no traffic should originate from them: +The following IP addresses are deprecated. No traffic originates from them: * 35.190.194.212 (GCP IP) * 35.187.52.245 (GCP IP) ## Related information -Another alternative to identify Snyk API & Web requests is through the user-agent header. For more information, see [Identify scanner requests](identify-scanner-requests.md). +You can also identify Snyk requests through the user-agent header. For more information, visit [Identify scanner requests](identify-scanner-requests.md). -If you are using a Web Application Firewall (WAF) in front of your target, it can block scan requests from Snyk API & Web IP addresses and cause the scan to fail. To avoid that, see [Configure IPs in WAFs](configure-ips-in-wafs.md). +If you use a Web Application Firewall (WAF) in front of your target, it can block scan requests from Snyk IP addresses and cause the scan to fail. To avoid that, visit [Configure IPs in WAFs](configure-ips-in-wafs.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/actions-on-scans.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/actions-on-scans.md index f0d93dadcb8a..b42a4d6c8e05 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/actions-on-scans.md 
+++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/actions-on-scans.md @@ -1,20 +1,20 @@ # Actions on scans -A set of actions is available in the Targets section to manage scans in Snyk API & Web. +The **Targets** section provides a set of actions to manage scans in Snyk API & Web. -On each line in the Targets list, choose the scan action to execute for that target. You can also manage scans directly from the target details by clicking the target name. +On each line in the **Targets** list, choose the scan action to run for that target. You can also manage scans directly from the target details by clicking the target name. -Regardless of where you are in Snyk API & Web, you have the following actions to manage scans: +Snyk provides the following actions to manage scans, regardless of where you are in the product: | Action | What it does | |--------|-------------| | **Scan Now** | Starts a scan. | | **Scan Later** | Schedules a scan. | | **Stop** | Stops a running scan. | -| **Pause** | Pauses a running scan. If a scan is paused for seven days without being resumed, Snyk API & Web automatically stops it. | +| **Pause** | Pauses a running scan. If a scan is paused for seven days without being resumed, Snyk automatically stops it. | | **Resume** | Resumes a paused scan. | -Depending on the state of the scan, you may be able to perform the following actions: +Depending on the state of the scan, you can perform the following actions: * You can only start a scan if no scan is running on that target. * You can only pause a scan if it is running. @@ -30,4 +30,4 @@ Depending on the state of the scan, you may be able to perform the following act | The scan is running. | Stop
Pause
Scan Later | | The scan is paused. | Resume
Stop
Scan Later | -While starting or stopping a scan is generally executed as soon as you select those options, pausing or resuming a scan might take a while for the scanner to perform the necessary actions. Pausing and resuming scans is only available for some account plans. +Snyk starts or stops a scan as soon as you select those options. Pausing or resuming a scan can take a while, because the scanner must perform the necessary actions. Pausing and resuming scans is available only for some account plans. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/fail-on-auth-failure.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/fail-on-auth-failure.md index e29d30a80083..79241731b4e6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/fail-on-auth-failure.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/fail-on-auth-failure.md @@ -1,11 +1,11 @@ # Fail on authentication failure -Snyk API & Web allows you to force your scans to fail if authentication is unsuccessful. +In Snyk API & Web, you can force your scans to fail if authentication is unsuccessful. To enable this feature: 1. Configure authentication for your Web or API target. -1. Select the checkbox that says **When login fails, fail the scan immediately and notify me**. +1. Select the **When login fails, fail the scan immediately and notify me** check box. 1. Click **Save**. -On your next scan, Snyk API & Web will try to authenticate. If this is not possible, or if reauthentication is not possible, the scan fails immediately, and you will be notified by email so that you can take action. +On your next scan, Snyk tries to authenticate. If authentication or reauthentication is not possible, the scan fails immediately, and Snyk notifies you by email so that you can take action. 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/partial-scans-overview.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/partial-scans-overview.md index f0a65b45aee5..5d4d40e07228 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/partial-scans-overview.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/partial-scans-overview.md @@ -1,8 +1,8 @@ # Run partial scans -If you want to test only a subset of your Web target, Snyk API & Web allows you to run partial scans. +To test only a subset of your Web target, run partial scans in Snyk API & Web. -Partial scans can be very helpful, especially on a continuous integration and continuous delivery (CI/CD) pipeline, since they provide faster feedback, allowing you to deliver code changes more frequently and reliably, without disregarding the security of your target. +Partial scans are helpful, especially on a continuous integration/continuous delivery (CI/CD) pipeline, because they provide faster feedback. They let you deliver code changes more frequently and reliably, without disregarding the security of your target. You can run partial scans in different ways: 
@@ -13,7 +13,7 @@ You can run partial scans in different ways: ## Reduced scope -To set up the reduced scope, go to your target's settings, open the **Scanner** tab, and locate the **PARTIAL SCANS: REDUCED SCOPE** section. Add the URLs you want Snyk API & Web to analyze during partial scans. Note that only the target's hostname and defined extra hosts are allowed. +To set up the reduced scope, navigate to your target settings, open the **Scanner** tab, and locate the **PARTIAL SCANS: REDUCED SCOPE** section. Add the URLs you want Snyk to analyze during partial scans. Only the target hostname and defined extra hosts are allowed. Assuming your target's URL is `https://example.com/`, some examples of possible reduced scopes are as follows: 
@@ -25,39 +25,39 @@ Assuming your target's URL is `https://example.com/`, some examples of possible * `https://auth-api.example.com/auth*` {% hint style="info" %} -Add the wildcard character `*`, so that all pages under that scope are analyzed and scanned as well. Otherwise, only the file or path itself will be scanned. +Add the wildcard character `*` so that all pages under that scope are analyzed and scanned as well. Otherwise, Snyk scans only the file or path itself. {% endhint %} -You can add as many URLs as you need in order to define the intended reduced scope. If you have an API residing on a different hostname than your target (Extra Host), you can also add it here. +You can add as many URLs as you need to define the intended reduced scope. If you have an API residing on a different hostname than your target (Extra Host), you can also add it here. -By limiting the scope of the scan, it is possible that some of the sub-scopes (URLs) defined are not found. The root of your target will always be visited by the crawler in order to find possible valid endpoints. If you want to test some endpoints that are not accessible through your target's root, go to your target settings, open the **Scanner** tab, locate the **SEEDS LIST** section, and add the URLs where those endpoints are present. +When you limit the scope of the scan, the crawler might not find some of the defined sub-scopes (URLs). The crawler always visits the root of your target to find possible valid endpoints. To test endpoints that are not accessible through your target root, navigate to your target settings, open the **Scanner** tab, locate the **SEEDS LIST** section, and add the URLs where those endpoints are present. -For instance, assuming you want to test the endpoint `https://example.com/users/*/edit`, which allows you to edit your users' information, you may need to add the list of users' URL, `https://example.com/users`, as a seed on your seeds list. 
+For example, to test the endpoint `https://example.com/users/*/edit`, which allows you to edit your users' information, add the list of users' URL, `https://example.com/users`, as a seed on your seeds list. ## Navigation sequences -Another way to run partial scans is to define navigation sequences. You can decide that your scans should only run navigation sequences. +Another way to run partial scans is to define navigation sequences. You can set your scans to run only navigation sequences. -This can be done by going to your target's settings, opening the **Scanner** tab, and checking the appropriate checkboxes under the **NAVIGATION SEQUENCES** section: **On demand scans must only run navigation sequences** and **Scheduled scans must only run navigation sequences**. +To do this, navigate to your target settings, open the **Scanner** tab, and select the appropriate check boxes under the **NAVIGATION SEQUENCES** section: **On demand scans must only run navigation sequences** and **Scheduled scans must only run navigation sequences**. -During the navigation sequences only scan, the crawler will navigate solely through the selected sequences, running their recorded actions and subsequent requests, instead of analyzing the whole target. In other words, during these scans, all intercepted requests during the sequence will be analyzed. If you need to reduce the scope, you can complement this setting with the reduced scope setting detailed above. +During a navigation-sequences-only scan, the crawler navigates solely through the selected sequences, running their recorded actions and subsequent requests, instead of analyzing the whole target. In other words, during these scans, the crawler analyzes all requests intercepted during the sequence. To reduce the scope, complement this setting with the reduced scope setting described earlier. 
## Incremental scans -Besides using the reduced scope and navigation sequences to narrow down the scope of scans, you can also enable incremental scans. With incremental scans, you are limiting your scans to new URLs (that is, pages that have not been scanned before) and to updated URLs (which are pages that have changed since the previous scan). +Besides using the reduced scope and navigation sequences to narrow the scope of scans, you can also enable incremental scans. Incremental scans limit your scans to new URLs (pages that have not been scanned before) and updated URLs (pages that have changed since the previous scan). -Incremental scans are a great way to understand the impact of new developments or changes made to your target, since they provide you with fast and meaningful feedback. +Incremental scans help you understand the impact of new developments or changes made to your target, because they provide fast and meaningful feedback. To enable incremental scans: -1. Go to your target's settings and open the **Scanner** tab. +1. Navigate to your target settings and open the **Scanner** tab. 2. Locate the **PARTIAL SCANS: INCREMENTAL** section. 3. Activate this feature. ## Using the API for partial scans -The Snyk API & Web API allows you to run partial scans on your targets without permanently configuring the reduced scope in target settings. +The Snyk API & Web API lets you run partial scans on your targets without permanently configuring the reduced scope in target settings. -When you call the endpoint to start a vulnerability scan, you can send the reduced scope you want Snyk API & Web to scan in your start scan request. This approach is useful for running different partial scans dynamically without changing target configuration each time. +When you call the endpoint to start a vulnerability scan, you can send the reduced scope you want Snyk to scan in your start scan request. 
This approach is useful for running different partial scans dynamically without changing target configuration each time. For more information about using the API, visit the [Snyk API & Web API documentation](https://developers.probely.com/api/reference/targets-scan-now-create/). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/pause-scans.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/pause-scans.md index ec6eb39375e8..d015d271f669 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/pause-scans.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/pause-scans.md @@ -6,7 +6,7 @@ You can pause and resume scans on demand and automatically using blackout period To pause an ongoing scan: -1. Click the caret icon within the **Stop** button to open the options menu and choose **Pause** for any ongoing scan. +1. Click the caret icon within the **Stop** button to open the options menu, and select **Pause** for any ongoing scan.
Stop button dropdown menu showing Pause option
2. You can pause a scan from various pages: @@ -15,13 +15,13 @@ To pause an ongoing scan: * Scan results page * List of scans 3. Alternatively, you can pause a scan by calling the API. -4. Once you pause a scan, Snyk API & Web will stop crawling or scanning your site. It takes a while to pause a scan, and its status changes to **Pausing**. +4. After you pause a scan, Snyk API & Web stops crawling or scanning your site. Pausing a scan takes a while, and its status changes to **Pausing**. ## Stop a paused scan You can **Stop** a paused scan, or **Resume** and pick up from where it left off. -If a paused scan is not resumed in the next seven days, it is automatically stopped (canceled). Snyk API & Web will notify and remind you to resume a scan you paused on demand. +If a paused scan is not resumed in the next seven days, Snyk automatically stops (cancels) it. Snyk notifies and reminds you to resume a scan you paused on demand. ## Blackout period: pause and resume scans automatically @@ -35,4 +35,4 @@ To set a blackout period: 4. Select the day or days of the week to apply that schedule. 5. Save your settings. -For example, you can configure scans to run only from 6:00 to 23:00 each day, pausing them overnight and resuming the next morning. +For example, you can configure scans to run only from 6:00 AM–11:00 PM each day, pausing them overnight and resuming the next morning. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-duration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-duration.md index cbbab82f13c8..4105ecad860f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-duration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-duration.md 
@@ -1,7 +1,7 @@ # Scan duration -The duration of a scan depends on a number of factors and it is not easy to estimate it beforehand. It depends on: +The duration of a scan depends on several factors and is not easy to estimate beforehand. It depends on: -* **Number of pages of your site** - Scanning involves a certain number of tests per page, so the more you have, the more time it will take. However, this is not linear since the number of tests per page also depends on a number of factors. -* **Number of inputs (injection points) per page** - The more injection points you have on a page, the more tests will be performed. An input is, for instance, a form field. If you have a page with a large form, it will take more time to scan it. -* **Performance of the server that hosts your site** - If your server is slow (for example, if it takes several seconds to load a page), it will take more time to scan your site. If, on the other hand, your server's response time is fast, it will speed up the scan. The velocity of the scanner is adjusted automatically based on your site's response time. If the average response time increases, the scanner will slow down. If the average response time is stable, the scanner will increase the number of requests per second. +* Number of pages of your site: Scanning involves a certain number of tests per page, so the more pages you have, the more time the scan takes. However, this is not linear, because the number of tests per page also depends on several factors. +* Number of inputs (injection points) per page: The more injection points you have on a page, the more tests the scanner performs. An input is, for example, a form field. A page with a large form takes more time to scan. +* Performance of the server that hosts your site: If your server is slow (for example, if it takes several seconds to load a page), scanning your site takes more time. If your server response time is fast, the scan speeds up. 
The scanner adjusts its velocity automatically based on your site response time. If the average response time increases, the scanner slows down. If the average response time is stable, the scanner increases the number of requests per second. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-targets-in-bulk.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-targets-in-bulk.md index 338b6cd1239c..bfde92d813a3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-targets-in-bulk.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/scan-targets-in-bulk.md 
@@ -1,15 +1,15 @@ # Scan targets in bulk -When managing scans, you can execute scan actions for multiple targets in bulk instead of doing it individually. +When managing scans, you can run scan actions for multiple targets in bulk instead of individually. -To execute bulk scan actions: +To run bulk scan actions: -1. Go to the Targets section. -1. Tick the checkboxes to select the targets from the list. If all selected targets have scans in the same state, the button for bulk scan actions becomes available. -1. Click the button and choose the scan action to execute in bulk. +1. Navigate to the **Targets** section. +1. Select the check boxes for the targets in the list. If all selected targets have scans in the same state, the button for bulk scan actions becomes available. +1. Click the button and select the scan action to run in bulk. -You can **Scan**, **Pause**, **Resume**, or **Stop** scans this way. Whichever action you choose is executed for all the selected targets, and their status is updated accordingly. +You can **Scan**, **Pause**, **Resume**, or **Stop** scans this way. Snyk runs the action you select for all the selected targets and updates their status accordingly. -You can also schedule scans in bulk. For that, see [Schedule scan](schedule-scan.md). +You can also schedule scans in bulk. For more information, visit [Schedule scan](schedule-scan.md). -Bulk operations are only available for the Enterprise plan. +Bulk operations are available only for the Enterprise plan. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/schedule-scan.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/schedule-scan.md index 0c03ef8f7d05..9451d8cb4ae0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/schedule-scan.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-management/schedule-scan.md 
@@ -9,15 +9,15 @@ Creating a scheduled scan involves two steps: ## Select the action to schedule a scan -To start the creation of a scheduled scan for a single target, go to the Targets section and do one of the following: +To start creating a scheduled scan for a single target, navigate to the **Targets** section and do one of the following: -* From the scan actions available on the page, click the caret icon within the **Scan** button, and choose **Schedule scan**. -* Alternatively, go to the target details page (any tab), click the caret icon within the **Scan** button, and choose **Schedule scan**. +* From the scan actions available on the page, click the caret icon within the **Scan** button, and select **Schedule scan**. +* Alternatively, navigate to the target details page (any tab), click the caret icon within the **Scan** button, and select **Schedule scan**. -To start the creation of a scheduled scan for multiple targets, go to the Targets section and do the following: +To start creating a scheduled scan for multiple targets, navigate to the **Targets** section and do the following: -1. Tick the checkboxes to select the targets from the list. If all selected targets have scans in the same state, the button for bulk scan actions becomes available. -1. Click the caret icon within the **Scan** button, and choose **Schedule scan**. +1. Select the check boxes for the targets in the list. If all selected targets have scans in the same state, the button for bulk scan actions becomes available. +1. Click the caret icon within the **Scan** button, and select **Schedule scan**. ## Configure the scheduled scan 
@@ -29,14 +29,14 @@ Fill out the form to configure the scheduled scan: * **None** - The scan runs only once. * **Daily** - The scan runs every day. * **Weekly** - The scan runs every week on the day of the week of the **Start date**. - * **Monthly/Quarterly** - The scan runs every month or quarter on the day (number) defined in the **Start date**. In this case, a **Repeat scans every** checkbox is displayed to configure a different day: - * In the first dropdown, choose the week of the month (First, Second, Third, Fourth, or Last). - * In the second dropdown, choose the day of the week (Monday, Tuesday, and so on). + * **Monthly/Quarterly** - The scan runs every month or quarter on the day (number) defined in the **Start date**. In this case, Snyk displays a **Repeat scans every** check box to configure a different day: + * In the first dropdown, select the week of the month (**First**, **Second**, **Third**, **Fourth**, or **Last**). + * In the second dropdown, select the day of the week (**Monday**, **Tuesday**, and so on). * **Override the target settings** - Define the target settings to use: - * If not checked, the scheduled scan will use the settings defined for each target. - * If checked, choose the settings the scheduled scan will use for all targets. Only the settings that are common to all targets can be configured. + * If not selected, the scheduled scan uses the settings defined for each target. + * If selected, choose the settings the scheduled scan uses for all targets. You can configure only the settings that are common to all targets. -This option is only available if all targets are of the same type: either Web or API. +This option is available only if all targets are of the same type: either Web or API. After completing the form, click **Add** to create the scheduled scan. 
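Review bot: the Monthly/Quarterly bullet still leaves the interaction between the two day settings undefined. It says the scan runs on the day number of the Start date and then that the Repeat scans every check box lets you "configure a different day", without saying that selecting the box replaces the day-of-month rule with the week-of-month plus weekday rule; one added clause ("when selected, this replaces the day number taken from the Start date") would settle it. Also, "This option is available only if all targets are of the same type: either Web or API." sits outside the list, so "This option" is ambiguous; if it refers to Override the target settings, fold it into that bullet.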
@@ -44,5 +44,5 @@ After completing the form, click **Add** to create the scheduled scan. There are two areas in Snyk API & Web to list and manage scheduled scans: -* **Global to the account** - List and manage scheduled scans for all the targets of the account. Go to the **Scans** section and select the **Scheduled** tab. -* **A specific target** - List and manage scheduled scans for a specific target. Go to the **Targets** section, click the target to show its details, and click the **Scheduled Scans** tab. +* **Global to the account** - List and manage scheduled scans for all the targets of the account. Navigate to the **Scans** section and select the **Scheduled** tab. +* **A specific target** - List and manage scheduled scans for a specific target. Navigate to the **Targets** section, click the target to show its details, and click the **Scheduled Scans** tab. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/README.md index 07af415e2900..c47f8447091b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/README.md 
@@ -2,9 +2,9 @@ Configure how Snyk API & Web scans your targets to optimize security testing for your applications: -* [Built-in scan profiles and their differences](built-in-scan-profiles.md) - Understand Lightning, Safe, Normal, and Full profiles -* [How to customize a scan profile](customize-scan-profile.md) - Create custom profiles for specific needs -* [How to switch the scan profile](switch-scan-profile.md) - Change profiles for existing targets -* [Understanding custom headers](custom-headers.md) - Add custom HTTP headers to scan requests +* [Built-in scan profiles and their differences](built-in-scan-profiles.md) - Understand the Lightning, Safe, Normal, and Full profiles +* [Customize a scan profile](customize-scan-profile.md) - Create custom profiles for specific needs +* [Switch the scan profile](switch-scan-profile.md) - Change profiles for existing targets +* [Custom headers](custom-headers.md) - Add custom HTTP headers to scan requests * [Configure the risk acceptance workflow](configure-risk-acceptance-workflow.md) - Set up processes for accepting risks * [Test BOLA vulnerabilities](test-bola-vulnerabilities.md) - Configure targets for Broken Object Level Authorization (BOLA) testing diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/built-in-scan-profiles.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/built-in-scan-profiles.md index 44399bb75377..523c5762d56e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/built-in-scan-profiles.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/built-in-scan-profiles.md 
@@ -13,7 +13,7 @@ The **Lightning** scan profile is designed for speed, taking less than a minute ## Safe -The **Safe** scan profile is designed to minimize the potential impact on the target application by testing for all supported vulnerabilities but using a limited set of payloads. Additionally, the scanner only employs GET requests and does not include POST, PUT, or DELETE requests. Nevertheless, the crawler will still make requests using these methods if necessary, for example, to log in to the application. +The **Safe** scan profile minimizes the potential impact on the target application by testing for all supported vulnerabilities using a limited set of payloads. The scanner uses only GET requests and does not include POST, PUT, or DELETE requests. The crawler still makes requests using these methods when necessary, for example, to log in to the application. ## Normal @@ -21,8 +21,8 @@ The **Normal** scan profile tests for all supported vulnerabilities and uses a m ## Full -The **Full** scan profile includes all tests from the **Normal** profile and utilizes an even more extensive set of payloads. +The **Full** scan profile includes all tests from the **Normal** profile and uses an even more extensive set of payloads. ## Customization -Snyk API & Web also allows the customization of scan profiles in case you need to adjust and fine-tune the scans for your targets. Visit [Customize a scan profile](customize-scan-profile.md) for more details. +Snyk also lets you customize scan profiles when you need to adjust and fine-tune the scans for your targets. For details, visit [Customize a scan profile](customize-scan-profile.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/configure-risk-acceptance-workflow.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/configure-risk-acceptance-workflow.md index d1f2df8fd6ca..ffa97911b935 100644 
--- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/configure-risk-acceptance-workflow.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/configure-risk-acceptance-workflow.md 
@@ -10,26 +10,26 @@ As the Account Owner, you can define which fields are mandatory when a user acce 1. From the side menu in your Snyk API & Web account, navigate to **Settings > Scan Settings**. 2. Locate the **RISK ACCEPTANCE WORKFLOW** module. -3. Select the checkboxes for the fields you want to require: - * **Expiration date** - Requires the user to set a date on which the risk acceptance will automatically expire. If you select this, you can also set a **maximum acceptance period** (in days) to limit how far in the future the expiration date can be. +3. Select the check boxes for the fields you want to require: + * **Expiration date** - Requires the user to set a date on which the risk acceptance automatically expires. If you select this, you can also set a **maximum acceptance period** (in days) to limit how far in the future the expiration date can be. * **Approver name** - Requires the user to enter the name of the person who approved the finding. * **Approval date** - Requires the user to enter the date when the finding was approved. 4. Click **Save** to apply your changes. ## Accept a finding's risk -Once the workflow is configured, any user accepting a finding's risk is prompted to provide the required information. +After you configure the workflow, Snyk prompts any user accepting a finding's risk to provide the required information. 1. Navigate to any page where findings are listed (for example, the global **Findings** page or a target's details page). -2. Select one or more findings you wish to accept. +2. Select one or more findings you want to accept. 3. From the **State** dropdown menu, select **Accepted Risk**. -4. A dialog box is displayed, listing the custom fields you configured. +4. A dialog opens, listing the custom fields you configured. 5. Fill out the required information and click **Accept risk**.
Mark as Accepted Risk dialog with required fields
## Verify the outcome -After you submit the form, the state of the selected findings changes to **Accepted Risk**. This action, along with all the information you provided, is recorded in both the individual finding logs and the account audit log. +After you submit the form, the state of the selected findings changes to **Accepted Risk**. Snyk records this action, along with all the information you provided, in both the individual finding logs and the account audit log. -If an **expiration date** was set for a finding, its state is automatically reverted from **Accepted Risk** back to **Not Fixed** once that date is reached, ensuring it is re-evaluated in future scans. +If you set an **expiration date** for a finding, Snyk automatically reverts its state from **Accepted Risk** back to **Not Fixed** after that date is reached, so the finding is re-evaluated in future scans. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/custom-headers.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/custom-headers.md index 848999b41559..ab7a1fa74afc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/custom-headers.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/custom-headers.md 
@@ -1,14 +1,14 @@ # Custom headers -When performing a dynamic application security testing (DAST) scan, your scanner acts like an automated user, navigating your site and testing for vulnerabilities. However, modern security infrastructures (like Web Application Firewalls) or complex authentication requirements can often block these automated requests unless they are properly identified. +When performing a dynamic application security testing (DAST) scan, your scanner acts like an automated user, navigating your site and testing for vulnerabilities. However, modern security infrastructures (such as Web Application Firewalls) or complex authentication requirements can block these automated requests unless they are properly identified. -This guide explains why you need custom headers and how to set them up in Snyk API & Web. +This page explains why you need custom headers and how to set them up in Snyk API & Web. ## What are custom headers used for? In a DAST scan, custom headers serve three primary purposes: -1. **Identifying requests** - Because all requests include the defined custom headers, this can be used for many things, such as bypassing Web Application Firewalls. By adding a unique custom header (for example, `X-SnykApiWeb-Scan: true`), you can tell your Web Application Firewall to allow the scanner's traffic while still protecting the site from actual malicious bots. +1. **Identifying requests** - Because all requests include the defined custom headers, you can use them for many purposes, such as bypassing Web Application Firewalls. By adding a unique custom header (for example, `X-SnykApiWeb-Scan: true`), you can tell your Web Application Firewall to allow the scanner's traffic while still protecting the site from malicious bots. 2. **Authentication and authorization** - Some APIs require specific headers for every request to prove identity, such as `Authorization: Bearer ` or custom API keys. 3. 
**Environment signaling** - You can use headers to trigger specific behaviors in your application during a scan, such as disabling certain checks like CAPTCHAs or preventing the app from sending real emails during the test. @@ -24,7 +24,7 @@ In Snyk API & Web, you can configure custom headers at the **Target** level. Thi 4. Locate the **CUSTOM HEADERS** module: * Enter the custom header name (for example, `X-Scan-Origin`). * Enter the corresponding value (for example, `Snyk-DAST-Scanner`). - * Choose whether to test this header during the scan. When unchecked (default), the header is sent as-is with every request but is not tested for vulnerabilities. When checked, the scanner also treats the header value as an attack surface and runs security checks against it. + * Choose whether to test this header during the scan. When the check box is clear (default), the scanner sends the header as-is with every request but does not test it for vulnerabilities. When the check box is selected, the scanner also treats the header value as an attack surface and runs security checks against it. 5. Click **Add** to save the custom header. You can also set up static custom headers for authentication purposes. Visit the [authentication documentation](../../configure-targets/configure-authentication/README.md) for more details. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/customize-scan-profile.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/customize-scan-profile.md index 4fddf84b51be..301ea6e903eb 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/customize-scan-profile.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/customize-scan-profile.md 
@@ -1,12 +1,12 @@ # Customize a scan profile -Snyk API & Web provides a variety of [built-in scan profiles](built-in-scan-profiles.md) to choose from and define how your targets are scanned. Each of these built-in scan profiles is a group of scanning conditions that are pre-configured by Snyk API & Web to provide certain pre-defined scanning behaviors. +Snyk API & Web provides a variety of [built-in scan profiles](built-in-scan-profiles.md) to choose from and define how Snyk scans your targets. Each built-in scan profile is a group of scanning conditions that Snyk pre-configures to provide certain pre-defined scanning behaviors. You can also create custom scan profiles to adjust and fine-tune scans for your targets. ## Create or edit a custom scan profile -In Snyk API & Web, customize a scan profile as follows: +To customize a scan profile in Snyk API & Web: 1. Open the **Settings** dropdown menu on the bottom-left corner of the navigation bar and click **Scan Profiles**. 1. On the Scan Profiles screen, you have three options to customize a scan profile: 
@@ -21,27 +21,27 @@ In Snyk API & Web, customize a scan profile as follows: ### Global * **Target type** - Choose the type of target for which this scan profile is available: Web applications or standalone APIs. - * **HTTP methods** - Choose the type of HTTP methods to be used in scanning requests. This allows the choice of an ideal set of methods for targets with websites or applications that are in production. - * **Scan Speed** - Choose the throughput of scanning requests regarding the target's response time to avoid overloading the target with too many requests and optimizing the resources consumed by a scan. Regardless of the scan speed, if Snyk API & Web detects that the target is not able to handle the requests throughput during a scan, the scanner will automatically throttle down to attain optimal performance. + * **HTTP methods** - Choose the type of HTTP methods to use in scanning requests. This lets you choose an ideal set of methods for targets with websites or applications that are in production. + * **Scan Speed** - Choose the throughput of scanning requests relative to the target's response time. This avoids overloading the target with too many requests and optimizes the resources a scan consumes. Regardless of the scan speed, if Snyk detects that the target cannot handle the request throughput during a scan, the scanner automatically throttles down to attain optimal performance. * **Request Delay** - Set the time delay (in milliseconds) between requests for each scanning thread. This is an approximate value and is more accurate for slower Scan speed settings. The maximum delay allowed is 5000ms. If not defined, there is no delay between requests. - * **Limit scan duration** - Set the maximum time the scan is allowed to run. If not set, there is no limit. The usage of this setting might cause the scan to miss vulnerabilities. + * **Limit scan duration** - Set the maximum time the scan can run. If not set, there is no limit. 
Using this setting can cause the scan to miss vulnerabilities. ### Crawler - * **Crawler deduplication** - Snyk API & Web uses a Simhash algorithm to detect similar pages and scan only a few of them. A page is considered similar if it shares the same HTML element structure. This feature is enabled by default. Disabling the checkbox turns it off and can increase the scan duration significantly. - * **URL pattern detection** - Snyk API & Web detects patterns in URLs identifying similar pages and scans only a few of them. For instance, pages like `/2023-10-08-probely-scanner-finds-another` and `/2022-03-18-cibersecurity-is-important` share the pattern `/YYYY-MM-DD-` followed by several words separated by a hyphen. This feature is enabled by default. Disabling the checkbox turns it off and can increase the scan duration significantly. + * **Crawler deduplication** - Snyk uses a Simhash algorithm to detect similar pages and scan only a few of them. A page is considered similar if it shares the same HTML element structure. This feature is enabled by default. Clearing the check box turns it off and can increase the scan duration significantly. + * **URL pattern detection** - Snyk detects patterns in URLs identifying similar pages and scans only a few of them. For example, pages such as `/2023-10-08-probely-scanner-finds-another` and `/2022-03-18-cibersecurity-is-important` share the pattern `/YYYY-MM-DD-` followed by several words separated by a hyphen. This feature is enabled by default. Clearing the check box turns it off and can increase the scan duration significantly. * **Maximum URLs crawled** - Set the maximum number of URLs the crawler visits. The maximum value available is 50,000. The default of 5,000 is a good compromise between coverage and scan time. ### Scanner * **Scanner Payloads** - Choose the diversity of payloads and headers used for testing vulnerabilities to fine-tune the number of scanning requests made to each URL of the target. 
Regardless of the scanner payloads, the vulnerabilities considered for testing are the same. - * **Vulnerabilities** - Choose the vulnerabilities to be verified by the scanner: all or a specific subset. + * **Vulnerabilities** - Choose the vulnerabilities for the scanner to verify: all or a specific subset. -1. Click **SAVE** to finish the customization of the scan profile. +1. Click **SAVE** to finish customizing the scan profile. -Once created, custom scan profiles are available in the list of profiles in the target settings. You only have to [switch the scan profile](switch-scan-profile.md) of the target to the desired custom scan profile. +After you create a custom scan profile, it is available in the list of profiles in the target settings. To use it, [switch the scan profile](switch-scan-profile.md) of the target to that custom scan profile. ## Delete a custom scan profile -You can delete a custom scan profile by clicking **Delete** on the list of scan profiles. Snyk API & Web will prompt you to confirm your action. If one or more targets still use the profile to be deleted, Snyk API & Web also indicates which will be the replacement scan profile to set in those targets. +To delete a custom scan profile, click **Delete** in the list of scan profiles. Snyk prompts you to confirm your action. If one or more targets still use the profile you are deleting, Snyk also indicates the replacement scan profile to set in those targets. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/switch-scan-profile.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/switch-scan-profile.md index e0b8ea3d44ad..772ad30b0ff4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/switch-scan-profile.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/switch-scan-profile.md 
@@ -4,21 +4,17 @@ Switch between different scan profiles for your targets. Snyk API & Web provides a variety of [scan profiles](built-in-scan-profiles.md) that you can choose from, depending on how thoroughly you want to scan your target. -You may decide to run a **Normal** scan on your target to start with and then decide to run a **Full** scan later after fixing some vulnerabilities. Or it might be the case that, at a specific moment in time, you want to run a **Safe** scan, in order to reduce the possible impact on your target. - -All of this is possible. The only thing you need to do is switch the scan profile before you start a new scan. +For example, you can run a **Normal** scan on your target to start with, then run a **Full** scan later after fixing some vulnerabilities. You can also run a **Safe** scan at a specific time to reduce the possible impact on your target. To do any of this, switch the scan profile before you start a new scan. ## Switch scan profile in the Web UI To switch the scan profile in the Snyk API & Web interface: -1. Access your target settings and click the **Profile** tab. A list of all available scan profiles is displayed according to your target's type and current verification state. +1. Access your target settings and click the **Profile** tab. Snyk displays a list of all available scan profiles according to your target's type and current verification state. 1. Choose the scan profile you want and click **Save**. -The next scan will use the selected profile. +The next scan uses the selected profile. ## Switch scan profile using the API -If you are using the Snyk API & Web API, you can also send a different scan profile in the request the next time you start a target scan. Learn more about this through the [API documentation](https://developers.probely.com/). - -Regardless of how you choose your scan profile and start a target scan, make sure to use the profile that makes the most sense to you and your target. 
+If you are using the Snyk API & Web API, you can also send a different scan profile in the request the next time you start a target scan. Learn more in the [API documentation](https://developers.probely.com/). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/test-bola-vulnerabilities.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/test-bola-vulnerabilities.md index 2123be248dc4..71c3c3100787 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/test-bola-vulnerabilities.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scan-settings/test-bola-vulnerabilities.md @@ -2,7 +2,7 @@ Learn how to set up your target to be tested against Broken Object Level Authorization vulnerabilities. -Broken Object Level Authorization (BOLA) is a critical security vulnerability that occurs when unauthorized access to other users' resources is possible by changing part of a request, for example, changing a bank account number in a URL to access another user's data or resources. +Broken Object Level Authorization (BOLA) is a critical security vulnerability that occurs when a user can gain unauthorized access to other users' resources by changing part of a request, for example, changing a bank account number in a URL to access another user's data or resources. You can use Snyk API & Web to test your APIs against this type of vulnerability by configuring the API target authentication and setting up two different users. 
@@ -15,15 +15,15 @@ Setting up your target to be tested against BOLA vulnerabilities involves two st 1. Configure additional user for authorization testing 2. Select the appropriate scan profile -This article describes these steps in detail. +The following sections describe these steps in detail. ## Step 1: Configure additional user for authorization testing To configure the API Target authentication for BOLA testing: 1. Visit [Configure OpenAPI authentication](../../configure-targets/configure-authentication/configure-openapi-authentication.md) or [Configure GraphQL authentication](../../configure-targets/configure-authentication/configure-graphql-authentication.md) and follow the instructions for your authentication scenario. -2. When configuring authentication, check the **Add additional user for authorization testing** checkbox. -3. Configure the authentication for the second user using the same method (authentication payload or static headers/cookies). To reduce false positives, the second user should have the same level of privileges as the first user, or lower. +2. When configuring authentication, select the **Add additional user for authorization testing** check box. +3. Configure the authentication for the second user using the same method (authentication payload or static headers/cookies). To reduce false positives, the second user must have the same level of privileges as the first user, or lower. 4. Complete the authentication configuration and ensure the toggle is set to **On**. ## Step 2: Select the appropriate scan profile 
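Review bot: step 3 now says the second user "must have the same level of privileges as the first user, or lower", but the sentence justifies it only as a way "to reduce false positives", and the later "Does the privilege level of the users matter?" section says the two users "can have different privilege levels (for example, admin versus regular user)". Either keep "should" and give the reason (a second user with more privileges may legitimately reach the first user's resources, and the scanner would report that as BOLA), or make "must" real by saying such findings are false positives by construction. The "admin versus regular user" example should also say which of the two is the second user, since the requirement is directional.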
@@ -33,11 +33,11 @@ After configuring the API target authentication, choose the appropriate scan pro 1. Access the Profile tab of that target's settings. 2. Choose either the **API normal** or **API full** scan profiles. -Once both sets of users are configured for API targets and the appropriate scan profile is selected, Snyk API & Web will test against BOLA vulnerabilities. +After you configure both sets of users for API targets and select the appropriate scan profile, Snyk tests against BOLA vulnerabilities. ## Does the privilege level of the users matter? -Yes. The second user (the attacker) should not have access to the first user's resources. +Yes. The second user (the attacker) must not have access to the first user's resources. The two users can have different privilege levels (for example, admin versus regular user), or they can have the same level, as long as the first user owns resources that should not be accessible to the second. That is what allows the scanner to test for BOLA vulnerabilities. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/README.md index a461ccaae527..903a2dcfdf0d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/README.md 
@@ -1,6 +1,6 @@ # Scanning agent -The scanning agent is a lightweight component that you install in your network to enable scanning of internal targets. It creates a secure connection between Snyk API & Web and your internal infrastructure, allowing you to scan applications behind firewalls, VPNs, or in private networks: +The scanning agent is a lightweight component that you install in your network to enable scanning of internal targets. It creates a secure connection between Snyk API & Web and your internal infrastructure, so you can scan applications behind firewalls, VPNs, or in private networks: * [Install a scanning agent](install-scanning-agent.md) - Set up the agent in your environment * [Scan internal applications](scan-internal-applications.md) - Configure and scan internal targets \ No newline at end of file diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/install-scanning-agent.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/install-scanning-agent.md index 5714f49fc8b3..2b339f701e60 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/install-scanning-agent.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/install-scanning-agent.md 
@@ -2,7 +2,7 @@ Install a Scanning Agent to scan your internal applications with minimal changes to network and security configurations. -The Scanning Agent allows you to scan internal applications without exposing them to the internet. For more information about how the Scanning Agent works, see [Scan internal applications with a Scanning Agent](scan-internal-applications.md). +The Scanning Agent lets you scan internal applications without exposing them to the internet. For more information about how the Scanning Agent works, visit [Scan internal applications with a Scanning Agent](scan-internal-applications.md). Installing the Scanning Agent involves the following steps: @@ -11,10 +11,10 @@ Installing the Scanning Agent involves the following steps: ## Prerequisites -Before you begin, ensure you have the following: +Ensure you have the following before you begin: * An active Snyk API & Web account with permissions to create Scanning Agents. -* The minimal system resources and specific network requirements as listed in the [Farcaster Agent GitHub Repository README](https://github.com/Probely/farcaster-onprem-agent/blob/main/README.md). +* The minimal system resources and specific network requirements listed in the [Farcaster Agent GitHub Repository README](https://github.com/Probely/farcaster-onprem-agent/blob/main/README.md). ## Create the Scanning Agent Token @@ -23,14 +23,14 @@ To create the Scanning Agent Token in your Snyk API & Web account: 1. Open the **Settings** dropdown menu in the bottom-left corner of the navigation bar and select **Scanning Agents**. If you cannot see this option, contact your account owner. 2. Click **Add Agent**. 1. Type the name of the Scanning Agent. - 2. If the Scanning Agent is restricted to targets of some teams, select the checkbox and choose those teams from the dropdown. + 2. If the Scanning Agent is restricted to targets of some teams, select the check box and choose those teams from the dropdown. 3. Click **Generate**.
Add Scanning Agent dialog showing agent token and installation options
-1. A pop-up window displays important information that, for security reasons, will not appear again. Make sure you do the following: +1. A pop-up window displays important information that, for security reasons, does not appear again. Do the following: * Under **AGENT TOKEN**, copy and save the token securely. - * Under **Installation**, go to the tabs for the way you want to install the agent: + * Under **Installation**, navigate to the tabs for the way you want to install the agent: * **DOCKER** - To use Docker, copy and save securely the following: 1. The Docker command to install the agent. 2. The Docker command to check the agent logs. @@ -50,7 +50,7 @@ You can install the agent using Docker, Docker-Compose, Kubernetes, Windows, or ### Example: Install the agent using Docker on Linux -Before installing the agent container on a Linux system, you can check that your host can run it by executing the following command: +Before installing the agent container on a Linux system, you can check that your host can run it by running the following command: ```bash curl -LO https://raw.githubusercontent.com/Probely/farcaster-onprem-agent/main/farconn/host-check.sh 
@@ -67,13 +67,13 @@ Launching test container... [ok] 1. Use the Docker command from the token creation step to install the agent. 1. Depending on your network configuration, you might need to set additional environment variables. See the list of [configuration options](https://github.com/Probely/farcaster-onprem-agent/blob/main/README.md#configuration-options) in the GitHub repository. -2. After starting the Agent, it should connect to Snyk API & Web. Run the command you saved from the token creation step to check that the Agent connected successfully: +2. After starting the agent, it connects to Snyk API & Web. Run the command you saved from the token creation step to check that the agent connected successfully: ```bash docker logs -f probely-agent ``` -If everything is running correctly, you should see output similar to: +If everything is running correctly, you see output similar to: ``` Downloading agent configuration ... done @@ -87,7 +87,7 @@ Starting WireGuard gateway ... done Running... ``` -Once up and running, you can set the Scanning Agent in your targets as described in [Scan internal applications with a Scanning Agent](scan-internal-applications.md), and run scans on those targets to scan your internal applications. +After the agent is up and running, you can set the Scanning Agent in your targets as described in [Scan internal applications with a Scanning Agent](scan-internal-applications.md), and run scans on those targets to scan your internal applications. ## Troubleshooting diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/scan-internal-applications.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/scan-internal-applications.md index bd2c2c4f4149..677a7999d4b4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/scan-internal-applications.md 
+++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/overview-scanning-agent/scan-internal-applications.md @@ -1,10 +1,10 @@ # Scan internal applications -Scan your internal applications with Snyk API & Web's Scanning Agent, a secure, clean, and straightforward solution to scan non-public applications. +Scan your internal applications with the Snyk API & Web Scanning Agent, a secure, clean, and straightforward solution to scan non-public applications. ## What is a Scanning Agent for? -Snyk API & Web's Scanning Agent allows you to scan internal applications for vulnerabilities without exposing them to the internet or even to Snyk IP addresses. It is the ideal approach to scan any application that is only reachable from within your network, including development, staging, pre-release, and internal production applications that support your business. +The Snyk Scanning Agent lets you scan internal applications for vulnerabilities without exposing them to the internet or even to Snyk IP addresses. It is the ideal approach to scan any application that is only reachable from within your network, including development, staging, pre-release, and internal production applications that support your business. You can use a single Scanning Agent to scan multiple internal targets, but you can also have different Scanning Agents, each one reaching a part of your network. There is no need for a single Scanning Agent to connect to the whole network. 
@@ -12,7 +12,7 @@ You can use a single Scanning Agent to scan multiple internal targets, but you c A Scanning Agent creates an encrypted and authenticated tunnel where traffic flows securely between Snyk API & Web and your network. -To make sure Snyk meets your security expectations, the following principles are followed: +To ensure Snyk meets your security expectations, Snyk follows these principles: * All code is open source and [publicly available](https://github.com/Probely/farcaster-onprem-agent/). * You have complete control over the Scanning Agent, including the right to change it. 
@@ -23,31 +23,31 @@ To make sure Snyk meets your security expectations, the following principles are ## Install a Scanning Agent -To install a Scanning Agent, refer to [Install a Scanning Agent](install-scanning-agent.md) and the installation reference and source code for the installer available at [Snyk API & Web's GitHub repositories](https://github.com/Probely/farcaster-onprem-agent/). +To install a Scanning Agent, refer to [Install a Scanning Agent](install-scanning-agent.md) and the installation reference and source code for the installer available in the [Snyk API & Web GitHub repositories](https://github.com/Probely/farcaster-onprem-agent/). ## Scan a target with a Scanning Agent -When a Scanning Agent is configured and running, you must choose which targets will use it: +When a Scanning Agent is configured and running, you must choose which targets use it: -1. In Snyk API & Web, go to the **Targets** menu. +1. In Snyk API & Web, navigate to the **Targets** menu. 2. Identify the target in the list for which you want to set the Scanning Agent and click the **gear icon** to open its settings. -3. Under the **Scanner** tab, go to the **SCANNING AGENT** section and select the Scanning Agent you want to use. +3. Under the **Scanner** tab, navigate to the **SCANNING AGENT** section and select the Scanning Agent you want to use. 4. Click **Save**. -Clicking **Unlink** removes the Scanning Agent for the target. +Click **Unlink** to remove the Scanning Agent for the target. -You can also assign or remove a Scanning Agent to or from multiple targets in the targets list. Select the targets you want to configure, and the options will appear. +You can also assign or remove a Scanning Agent to or from multiple targets in the targets list. Select the targets you want to configure, and the options appear.
Bulk assign or remove scanning agents from multiple targets
-Targets configured to use a Scanning Agent will show a cloud icon. +Targets configured to use a Scanning Agent show a cloud icon. ## Scanning Agent status -A Scanning Agent can have one of the following status: +A Scanning Agent can have one of the following statuses: | Status | Description | | --------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Connected | The scanning agent is connected. It was working in the last 180 seconds. | -| Connected with issues | The scanning agent is connected, but it may have poor network performance if it uses, for example, an HTTP proxy or a direct TCP connection to Snyk API & Web. For more information, see the [TCP Meltdown](https://web.archive.org/web/20220103191127/http://sites.inka.de/bigred/devel/tcp-tcp.html) problem and check the documentation on [launching the agent](https://github.com/Probely/farcaster-onprem-agent?tab=readme-ov-file#launch-the-agent). | -| Disconnected | The scanning agent is disconnected, maybe due to misconfiguration. Check the scanning agent configuration or the firewall rules, for example. For more information, check the [Installation](https://github.com/Probely/farcaster-onprem-agent?tab=readme-ov-file#installation) and [Network Requirements](https://github.com/Probely/farcaster-onprem-agent?tab=readme-ov-file#network-requirements) documentation. | +| Connected with issues | The scanning agent is connected, but it can have poor network performance if it uses, for example, an HTTP proxy or a direct TCP connection to Snyk API & Web. 
For more information, visit the [TCP Meltdown](https://web.archive.org/web/20220103191127/http://sites.inka.de/bigred/devel/tcp-tcp.html) problem and check the documentation on [launching the agent](https://github.com/Probely/farcaster-onprem-agent?tab=readme-ov-file#launch-the-agent). | +| Disconnected | The scanning agent is disconnected, possibly due to misconfiguration. Check the scanning agent configuration or the firewall rules, for example. For more information, check the [Installation](https://github.com/Probely/farcaster-onprem-agent?tab=readme-ov-file#installation) and [Network Requirements](https://github.com/Probely/farcaster-onprem-agent?tab=readme-ov-file#network-requirements) documentation. | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/what-happens-during-a-scan.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/what-happens-during-a-scan.md index e42753036db3..a8a0a2ac4a2f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/what-happens-during-a-scan.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/start-scanning/what-happens-during-a-scan.md 
@@ -1,33 +1,33 @@ # What happens during a scan -During a target scan, Snyk API & Web goes through the target's URLs and interacts with every element found, filling out forms and clicking on buttons, among other actions, to perform extensive tests on your target to identify as many vulnerabilities as possible. +During a target scan, Snyk API & Web goes through the target's URLs and interacts with every element found, filling out forms and clicking buttons, among other actions, to perform extensive tests on your target and identify as many vulnerabilities as possible. -Due to the thorough interactions Snyk API & Web scans have with a target, you should expect many requests and an influx of information into the target. +Because of these thorough interactions, expect many requests and an influx of information into the target. ## Scan components -There are three major components at play in a target scan, each one with a specific job: +A target scan involves three major components, each with a specific job: * The **fingerprinter** identifies the technologies used on the target. -* The **crawler** goes through the target's URLs and interacts with every element found, clicking on buttons and filling in forms, among other things. +* The **crawler** goes through the target's URLs and interacts with every element found, clicking buttons and filling in forms, among other things. * The **scanner** finds vulnerabilities within the target's URLs. ## Scan states A target scan has several possible states: -* As soon as a scan is requested, it gets **Queued**. -* Once a queued scan begins, its state is changed to **Started**. -* After the fingerprinter, the crawler, and the scanner have completed their jobs, the scan ends and its state is set to **Completed**. +* As soon as you request a scan, it gets the **Queued** state. +* After a queued scan begins, its state changes to **Started**. 
+* After the fingerprinter, the crawler, and the scanner complete their jobs, the scan ends with the **Completed** state. ### Additional scan states -There are some extra states: +A scan can have these additional states: -* If an ongoing scan is stopped by a user, the scan state is changed to **Canceled**. -* If the target is unreachable or there is a connection timeout, the scan ends with **Failed**, with a message indicating the error. The same state is used if a scan fails during its execution. -* If some vulnerabilities need to be manually confirmed by the Snyk API & Web team, the scan is set to **Under Review**. After this manual review, the scan changes to **Completed**. +* If a user stops an ongoing scan, the scan state changes to **Canceled**. +* If the target is unreachable or a connection times out, the scan ends with the **Failed** state and a message indicating the error. Snyk uses the same state if a scan fails during execution. +* If the Snyk team must manually confirm some vulnerabilities, the scan gets the **Under Review** state. After this manual review, the scan changes to **Completed**. ## After the scan completes -Once a scan is successfully finished, its scan reports and coverage reports can be generated. +After a scan finishes successfully, you can generate its scan reports and coverage reports. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-form.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-form.md index 15c03dce8bfd..ac5ca3eafe19 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-form.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-form.md 
@@ -8,7 +8,7 @@ When running scans on a target with a login form, Snyk API & Web fails to log in ## Troubleshoot the problem -Go through the following steps to identify possible causes and solutions. +Work through the following steps to identify possible causes and solutions. ### Step 1: Test the current credentials @@ -73,6 +73,6 @@ If a WAF blocks access to the authentication page, Snyk API & Web cannot authent | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | A WAF is blocking access to the authentication page with the login form. | Add Snyk API & Web IPs to the WAF's allowlist. Visit [Configure IPs in WAFs](../../start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md). | -After following these steps and applying the solutions, scans should be able to log in to your target. +After following these steps and applying the solutions, scans can log in to your target. For more information, visit [Configure authentication](../../configure-targets/configure-authentication/). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-sequence.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-sequence.md index b0de031f45b5..69dce4942d8a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-sequence.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/authentication/troubleshooting-login-failed-with-login-sequence.md 
@@ -8,7 +8,7 @@ When running scans on a target that uses a login sequence to complete a complex ## Troubleshoot the problem -Go through the following step to identify possible causes and solutions. +Work through the following step to identify possible causes and solutions. ### Check the login sequence @@ -37,6 +37,6 @@ Check the following causes and solutions: | Input fields in the login sequence have incorrect attributes or CSS selectors. | Record a new login sequence and update it in target authentication. Visit [Login sequence](../../configure-targets/configure-authentication/configure-login-sequence.md). | | Input fields in the login sequence have incorrect values. | Record a new login sequence with correct credential values and update it in target authentication. Visit [Login sequence](../../configure-targets/configure-authentication/configure-login-sequence.md). | -After following these steps and applying the solutions, Snyk API & Web should be able to log in to your target. +After following these steps and applying the solutions, Snyk can log in to your target. For more information, visit [Configure authentication](../../configure-targets/configure-authentication/). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-dns.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-dns.md index 1a1a5869a49c..57ad9c307e4c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-dns.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-dns.md 
@@ -1,6 +1,6 @@ # Troubleshoot domain verification with DNS -In order for Snyk API & Web to run full-fledged scans on your target, you need to verify its domain. Visit [Verify domain ownership](../../configure-targets/verify-domain-ownership/) to learn more about why domain verification is required. +For Snyk API & Web to run full scans on your target, you must verify its domain. Visit [Verify domain ownership](../../configure-targets/verify-domain-ownership/) to learn why domain verification is required. ## The problem 
@@ -11,22 +11,22 @@ Domain verification using CNAME or TXT records in your DNS fails with the follow ## Troubleshoot the problem -To troubleshoot this problem, go through the following steps to identify the possible causes and respective solutions to fix it. +Work through the following steps to identify the possible causes and solutions. ### Check the TTL value Check the Time to Live (TTL) as follows: -1. Go to [Google Admin Toolbox Dig](https://toolbox.googleapps.com/apps/dig/) and type the target's URL. -2. Depending on your domain verification method, click on **CNAME** or **TXT** to see the TTL value. +1. Navigate to [Google Admin Toolbox Dig](https://toolbox.googleapps.com/apps/dig/) and type the target's URL. +2. Depending on your domain verification method, click **CNAME** or **TXT** to see the TTL value. If the TTL value is high, the DNS configuration with the CNAME or TXT record has not been propagated yet, and the domain verification fails. | Cause | Solution | | ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | -| The DNS configuration with the CNAME or TXT record has not been propagated yet. | Wait more time for the DNS configuration to propagate, or go to your authoritative DNS server (for example, Cloudflare) and reduce the TTL value. | +| The DNS configuration with the CNAME or TXT record has not been propagated yet. | Wait for the DNS configuration to propagate, or navigate to your authoritative DNS server (for example, Cloudflare) and reduce the TTL value. | -After following these steps, identifying the causes, and applying the respective solutions, you should be able to verify your domain using DNS. +After following these steps and applying the solutions, you can verify your domain using DNS. ## Related articles 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-meta-tag.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-meta-tag.md index 405ac0ba6cd8..bf8ac11c604e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-meta-tag.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-meta-tag.md @@ -1,6 +1,6 @@ # Troubleshoot domain verification with meta tag -In order for Snyk API & Web to run full-fledged scans, you need to verify your domains. Visit [Verify domain ownership](../../configure-targets/verify-domain-ownership/) to learn more about why domain verification is required. +For Snyk API & Web to run full scans, you must verify your domains. Visit [Verify domain ownership](../../configure-targets/verify-domain-ownership/) to learn why domain verification is required. ## The problem @@ -8,7 +8,7 @@ Domain verification using a meta tag fails with the error: `Meta tag not found.` ## Troubleshoot the problem -To troubleshoot this problem, go through the following steps to identify the possible causes and respective solutions to fix it. +Work through the following steps to identify the possible causes and solutions. ### Check the index page source 
@@ -16,10 +16,10 @@ Test if the meta tag is present in the index page source in one of the following * Use the browser: 1. Type the URL to the index page: `https://`, for example: `https://example.com`. - 2. Right-click on the page and select **View Page Source**. + 2. Right-click the page and select **View Page Source**. * Use a curl command like this: `curl -i https://`, for example: `curl -i https://example.com`. -Analyze the HTML of the index page source, check the following possible causes, and apply the respective solution: +Analyze the HTML of the index page source, check the following possible causes, and apply the solution: | Cause | Solution | | ---------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------- | @@ -27,7 +27,7 @@ Analyze the HTML of the index page source, check the following possible causes, | The meta tag is on the index page, but not inside the `` tag. | Review the implementation to have the meta tag before the closing `` tag on the index page. | | The meta tag is on the index page inside the `` tag, but it is being injected using JavaScript (for example, a Single-Page Application). | Review the implementation to add the meta tag before the closing `` tag on the index page without using JavaScript. | -After following these steps, identifying the causes, and applying the respective solutions, you should be able to verify your domain using a meta tag. +After following these steps and applying the solutions, you can verify your domain using a meta tag. ## Related articles 
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-txt-file.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-txt-file.md index 0f2c500ef338..7a346e664c45 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-txt-file.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/domain-verification/troubleshooting-verify-domain-txt-file.md @@ -1,6 +1,6 @@ # Troubleshoot domain verification with TXT file -To run full-fledged scans, you must verify domain ownership. Visit [Verify domain ownership](../../configure-targets/verify-domain-ownership/) to learn why verification is required. +To run full scans, you must verify domain ownership. Visit [Verify domain ownership](../../configure-targets/verify-domain-ownership/) to learn why verification is required. ## The problem @@ -8,7 +8,7 @@ Domain verification using a TXT file fails with the error: `Token file not found ## Troubleshoot the problem -Go through the following steps to identify possible causes and solutions. +Work through the following steps to identify possible causes and solutions. ### Step 1: Test direct access 
@@ -75,7 +75,7 @@ Check the following cause and solution: | Cause | Solution | | -------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | -| The file's URL is redirected to another URL. | Create a target with the domain of the redirected URL. In the example above, create a target for `www.example.com` instead of `example.com`. | +| The file's URL is redirected to another URL. | Create a target with the domain of the redirected URL. In the preceding example, create a target for `www.example.com` instead of `example.com`. | ### Step 3: Test blockers @@ -97,6 +97,6 @@ Check the following causes and solutions: | A human check is blocking access to the file. | Remove the human check when accessing the TXT file. | | A WAF is blocking access to the file. | Add Snyk API & Web IPs to the WAF's allowlist. Visit [Configure IPs in WAFs](../../start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md). | -After following these steps and applying the solutions, you should be able to verify the domain using a TXT file. +After following these steps and applying the solutions, you can verify the domain using a TXT file. For more information, visit [Verify with TXT file](../../configure-targets/verify-domain-ownership/verify-with-txt-file.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/network-timeout-errors.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/network-timeout-errors.md index 38796f428768..ce197eeb4f5a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/network-timeout-errors.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/network-timeout-errors.md 
@@ -1,23 +1,23 @@ # Network timeout errors -A very important factor in running successful scans using Snyk API & Web is providing clear access to your target. +Providing clear access to your target is an important factor in running successful scans using Snyk API & Web. -Having restrictions without allowing the public IP addresses of Snyk API & Web might lead to failed scans, simply because the scanner gets timed out. +Restrictions that do not allow the public IP addresses of Snyk can lead to failed scans because the scanner times out. ## Reasons for network timeout errors -There are several reasons why this might be happening: +This can happen for several reasons: -* Since the outbound IP addresses are from a Cloud provider, and traffic produced by humans is not supposed to come from a Cloud provider, they might be blocked by default on your firewall or WAF. -* As a result of the intrusive testing during a scan, your WAF might believe it is an attack and block the IP address. -* You have a plugin (like Jetpack, Sucuri, Fail2Ban, and so on) that can actively filter and block requests. -* The request load (which can spread to multiple threads, making multiple requests per second) caused your firewall to block the IP to prevent spamming, or the requests could be slowing down your website because of all those requests. -* A rule configured in your infrastructure might cause the IP to be blocked. +* The outbound IP addresses come from a cloud provider, and traffic produced by humans is not supposed to come from a cloud provider, so your firewall or WAF can block them by default. +* During the intrusive testing in a scan, your WAF can interpret the traffic as an attack and block the IP address. +* You have a plugin (such as Jetpack, Sucuri, or Fail2Ban) that actively filters and blocks requests. +* The request load can spread across multiple threads, making multiple requests per second. 
This load can cause your firewall to block the IP to prevent spamming, or it can slow down your website. +* A rule configured in your infrastructure can cause the IP to be blocked. ## Resolution -The best solution to fix this issue is to allow the outbound IP addresses of Snyk API & Web to freely access your target by adding them to your infrastructure allowlists. All updated addresses are available in [Scanner outgoing IP addresses](../start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md). Some allowlisting examples are provided in [Configure Snyk API & Web IPs in WAFs](../start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md). +To fix this issue, allow the outbound IP addresses of Snyk to access your target by adding them to your infrastructure allowlists. All updated addresses are available in [Scanner outgoing IP addresses](../start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md). For allowlisting examples, visit [Configure Snyk API & Web IPs in WAFs](../start-scanning/overview-scan-access-and-connectivity/configure-ips-in-wafs.md). -If you have any geo-location restriction in place, allow Ireland (possibly the EU) since it is where the servers are located. +If you have any geo-location restriction in place, allow Ireland and the EU, because the servers are located there. -If you believe that the scans are critically detrimental to your website's performance, reach out to Snyk support, and the scanner load will be fine-tuned to accommodate your needs. +If the scans are critically detrimental to the performance of your website, contact Snyk support to fine-tune the scanner load to your needs. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/scan-results/troubleshooting-low-coverage-in-a-scan.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/scan-results/troubleshooting-low-coverage-in-a-scan.md index bc213e7e6df2..4adacfebd4d5 100644 
--- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/scan-results/troubleshooting-low-coverage-in-a-scan.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/troubleshooting/scan-results/troubleshooting-low-coverage-in-a-scan.md @@ -1,6 +1,6 @@ # Troubleshoot low coverage in a scan -Scans should cover as much of the target scope as possible to identify the maximum number of vulnerabilities. If your scan shows low coverage, follow these troubleshooting steps to identify and resolve the issue. +A scan must cover as much of the target scope as possible to identify the maximum number of vulnerabilities. If your scan shows low coverage, follow these troubleshooting steps to identify and resolve the issue. For more information about coverage reports, visit [Coverage report](../../review-and-fix/overview-reports/coverage-report.md) and [Generate CSV coverage report](../../review-and-fix/overview-reports/generate-csv-coverage-report.md). @@ -10,11 +10,11 @@ When running a scan on a target, the coverage is low. ## Troubleshoot the problem -Go through the following steps to identify possible causes and solutions. +Work through the following steps to identify possible causes and solutions. ### Step 1: Check for target authentication -If the target has authentication, verify the scanner was able to log in. +If the target has authentication, verify the scanner logged in. 1. Navigate to the **Targets** page. 2. Click the target name to see its details. @@ -46,7 +46,7 @@ If the backing API has a URL different from the SPA, Snyk API & Web needs to kno ### Step 3: Check for a blocking WAF -Check if scan requests are being blocked by a Web Application Firewall (WAF) after the scan has started. +Check if a Web Application Firewall (WAF) is blocking scan requests after the scan has started. 1. Navigate to the **Targets** page. 2. Click the target name to see its details. 
@@ -64,7 +64,7 @@ If a WAF blocks access to URLs, Snyk API & Web cannot scan them. ### Step 4: Check for blocking WordPress plugin -If the target is WordPress, check if scan requests are being blocked by a WordPress security plugin (for example, WordFence). +If the target is WordPress, check if a WordPress security plugin (for example, WordFence) is blocking scan requests. 1. Navigate to the **Targets** page. 2. Click the target name to see its details. @@ -80,4 +80,4 @@ If a WordPress plugin is blocking access to URLs, Snyk API & Web cannot scan the | ----------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | A WordPress plugin (for example, WordFence) is blocking access to URLs. | Configure the WordPress plugin to allow requests from Snyk API & Web IPs. Visit [Scanner IP address](../../start-scanning/overview-scan-access-and-connectivity/scanner-ip-address.md) for the scanner's outgoing IP address. | -After following these steps and applying the solutions, scans should achieve the expected coverage for your targets. +After following these steps and applying the solutions, scans achieve the expected coverage for your targets. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/owasp-top-10-scanning.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/owasp-top-10-scanning.md index bb734e9091cd..aa6bb9f05795 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/owasp-top-10-scanning.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/owasp-top-10-scanning.md 
@@ -4,7 +4,7 @@ Snyk API & Web can scan for the 2021 and 2025 Open Web Application Security Proj ## Generate OWASP Top 10 reports -After the target scan, you can generate a target scan report for OWASP Top 10, which includes a table indicating which areas of the Top 10 were **TESTED** and which ones **PASSED** or not. +After the target scan, you can generate a target scan report for OWASP Top 10. The report includes a table indicating which areas of the Top 10 Snyk tested and which ones passed. Visit [Types of target scan reports you can generate with Snyk API & Web](https://help.probely.com/en/articles/2659844-types-of-target-scan-reports-you-can-generate-with-snyk-api-web) for more information about generating reports. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-types-detected.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-types-detected.md index b6c688bfe321..224c214d9c42 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-types-detected.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-types-detected.md @@ -1,10 +1,10 @@ # Vulnerability types detected -Snyk API & Web detects a comprehensive range of vulnerabilities across web applications and APIs. Visit this page periodically for an updated list. Note that some vulnerabilities are grouped together. +Snyk API & Web detects a comprehensive range of vulnerabilities across web applications and APIs. Visit this page periodically for an updated list. Note that Snyk groups some vulnerabilities together. ## Current vulnerability types -Snyk API & Web currently detects the following vulnerability types: +Snyk detects the following vulnerability types: * Broken Object Level Authorization (BOLA). * Reflected cross-site scripting. 
@@ -133,6 +133,6 @@ Snyk API & Web currently detects the following vulnerability types: ## Deprecated vulnerabilities -The following vulnerabilities are no longer detected: +Snyk no longer detects the following vulnerabilities: * Browser XSS protection disabled. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-updates.md b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-updates.md index 8dec217533d5..2b103704fb54 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-updates.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-api-web/vulnerabilities-detected/vulnerability-updates.md 
@@ -1,14 +1,14 @@ # Vulnerability updates -Snyk API & Web continuously adds and updates vulnerability detection to ensure cutting-edge protection and maintain the highest security standards. +Snyk API & Web continuously adds and updates vulnerability detection to maintain strong protection and high security standards. -## How Snyk API & Web stays current +## How Snyk stays current -The Snyk API & Web team continuously follows and investigates recent industry vulnerabilities, monitors security advisories, and collaborates with industry experts to stay on top of the latest cybersecurity threats. The engine team employs various methods to keep the vulnerabilities knowledge base constantly up-to-date, leveraging diverse sources and detection techniques. This multifaceted approach allows Snyk API & Web to maintain an extensive and current database of vulnerabilities, ensuring the highest level of protection against security threats. +The Snyk team continuously follows and investigates recent industry vulnerabilities, monitors security advisories, and collaborates with industry experts to stay current with cybersecurity threats. The engine team uses diverse sources and detection techniques to keep the vulnerability knowledge base up to date. This approach lets Snyk maintain an extensive, current database of vulnerabilities. ## Where to find vulnerability information -Stay informed and up-to-date about the latest developments through these resources: +Stay informed about the latest developments through these resources: -* Visit [Vulnerability types detected](vulnerability-types-detected.md) for a list of the vulnerability types detected by Snyk API & Web. -* Visit [Snyk Vulnerabilities Knowledge Base](https://probely.com/vulnerabilities/) for a detailed list of all vulnerabilities detected by Snyk API & Web. +* Visit [Vulnerability types detected](vulnerability-types-detected.md) for a list of the vulnerability types Snyk detects. 
+* Visit [Snyk Vulnerabilities Knowledge Base](https://probely.com/vulnerabilities/) for a detailed list of all vulnerabilities Snyk detects.
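Review bot: In the Resolution hunk of the blocked-IP page, the geo-location sentence turns a hedge into a definite claim: `-... allow Ireland (possibly the EU) since it is where the servers are located.` becomes `+... allow Ireland and the EU, because the servers are located there.` Unless the scanner's egress is confirmed to include EU locations outside Ireland, keep the narrower wording; and since the same paragraph already links to the scanner outgoing IP list, it is worth saying that allowlisting those specific addresses is the tighter control, with a regional allow only as a fallback.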
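Review bot: In the `@@ -1,6 +1,6 @@` hunk of the low-coverage page, `-Scans should cover as much of the target scope as possible` becomes `+A scan must cover as much of the target scope as possible`, which reads as a requirement the user has to satisfy rather than the goal the troubleshooting steps work toward. Suggest keeping the goal phrasing, for example "A scan should cover as much of the target scope as possible", so the sentence matches the "If your scan shows low coverage" that follows it.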
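Review bot: In the `@@ -80,4 +80,4 @@` hunk of the low-coverage page, the closing line now promises an outcome: `-After following these steps and applying the solutions, scans should achieve the expected coverage` becomes `+... scans achieve the expected coverage`. The four steps only cover authentication, the SPA backing API URL, a blocking WAF and a blocking WordPress plugin, so low coverage can persist for other reasons; keep "should" or reword to something like "coverage is expected to improve", and consider adding a pointer to support for cases the steps do not resolve.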
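Review bot: In the OWASP Top 10 hunk, the rewritten sentence drops the negative case: `-... which areas of the Top 10 were **TESTED** and which ones **PASSED** or not.` becomes `+... which areas of the Top 10 Snyk tested and which ones passed.` A reader no longer learns that the table also flags categories that failed; suggest "which areas of the Top 10 Snyk tested and whether each one passed or failed". If **TESTED** and **PASSED** are the literal column labels in the generated report, keep the bold literal form so readers can match them in the UI. The unchanged context line also still points at https://help.probely.com/... while the surrounding text is rebranded to Snyk; confirm that link is the canonical target.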
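Review bot: In the vulnerability-updates hunk, the second bullet is rebranded in its text (`+* Visit [Snyk Vulnerabilities Knowledge Base](https://probely.com/vulnerabilities/) for a detailed list of all vulnerabilities Snyk detects.`) but still links to the probely.com domain, as does the unchanged first paragraph's product name "Snyk API & Web" versus the new heading `+## How Snyk stays current`. Confirm the knowledge-base URL is the intended long-term location, and pick one product name (the page title uses "Snyk API & Web", the body now uses "Snyk") so the page is internally consistent.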