diff --git a/scan-fix-and-prevent/README.md b/scan-fix-and-prevent/README.md index e13e87d3e00e..a41f0f31bebf 100644 --- a/scan-fix-and-prevent/README.md +++ b/scan-fix-and-prevent/README.md @@ -1,10 +1,10 @@ # Overview -You can use Snyk to scan and secure your codebase and cloud infrastructure configurations, taking advantage of the Snyk capabilities in Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) analysis. +You can use Snyk to scan and secure your codebase and cloud infrastructure configurations, using the Snyk capabilities in Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) analysis. ## Select scanning methods -Snyk supports scanning methods that correspond to Snyk products. Choose the right scanning method for the job you want to do, to find and fix issues not only early in the Software Development Life Cycle, but also after your web application or API is live. +Snyk supports scanning methods that correspond to Snyk products. Choose the right scanning method for the job you want to do, to find and fix issues not only early in the software development lifecycle, but also after your web application or API is live. * [Snyk Open Source](scan-with-snyk/snyk-open-source/): scan your open-source libraries for vulnerabilities and license issues.\ For more information, see [Open Source Security Explained](https://snyk.io/series/open-source-security/). @@ -28,7 +28,7 @@ Scans may be limited on your account, depending on your[ Pricing Plan](https://a ## The scanning process -Snyk takes a developer-first approach to secure your development work by integrating directly into your IDEs, workflows, and automation pipelines to add security expertise to your toolkit. This approach allows you to: +Snyk takes a developer-first approach to secure your development work by integrating directly into your IDEs, workflows, and automation pipelines to add security expertise to your toolkit. With this approach, you can: * Use Snyk to focus on early enablement, not later enforcement. * Run scans while working on a Project, before you commit any code. This minimizes rework by finding issues that require changes early on. diff --git a/scan-fix-and-prevent/manage-assets/assets-inventory-components.md b/scan-fix-and-prevent/manage-assets/assets-inventory-components.md index 3269a5122d46..061c9e4c9aeb 100644 --- a/scan-fix-and-prevent/manage-assets/assets-inventory-components.md +++ b/scan-fix-and-prevent/manage-assets/assets-inventory-components.md @@ -1,6 +1,6 @@ # Assets inventory components -Each inventory layout is presented in a table format, detailing the available key attributes: +Snyk presents each inventory layout in a table format, detailing the available key attributes: * [Assets](assets-inventory-components.md#asset) * [Issues](assets-inventory-components.md#issues) @@ -27,19 +27,19 @@ Assets in Snyk Essentials are meaningful, real-world components in an applicatio An asset can be the parent of multiple items. For example, a repository asset usually contains one or more package assets. -The Asset column incorporates the name of the repository asset, package, scanned artifact, or container images. Click on the arrow next to the parent asset name to expand the list of all contained items. +The Asset column incorporates the name of the repository asset, package, scanned artifact, or container images. Click the arrow next to the parent asset name to expand the list of all contained items. You can copy the name of an asset or browse the repository. Each asset has a menu at the end of the row. Click the menu, then select **Copy** to copy the URL or **Browse** to navigate to the asset repository. ### Repository assets -Repository assets represent SCM repositories. A repository asset is created by discovering the repositories directly in the SCM, when such integration is configured. Alternatively, a repository asset can be created by scanning a repository, (by Snyk or third-party tools) as long as the scanned code is identified with a specific repository (in Snyk, this means filling in the `gitRemoteURL` parameter). +Repository assets represent SCM repositories. A repository asset is created by discovering the repositories directly in the SCM, when such integration is configured. Alternatively, scanning a repository can create a repository asset (by Snyk or third-party tools) as long as the scanned code is identified with a specific repository (in Snyk, this means filling in the `gitRemoteURL` parameter). -If you scan the code locally using CLI, with no association to a repository, then a repository asset will not be created. For more details about CLI commands, see [Scanning methods](../scan-with-snyk/snyk-essentials.md#scanning-methods). +If you scan the code locally using CLI, with no association to a repository, then Snyk does not create a repository asset. For more details about CLI commands, see [Scanning methods](../scan-with-snyk/snyk-essentials.md#scanning-methods). ### Container Image assets -You can identify a container image based on the Image ID. If multiple container images have the same Image ID, then only one image asset is generated for that Image ID, enriched with information from all the identified container images for that ID. +You can identify a container image based on the Image ID. If multiple container images have the same Image ID, then Snyk generates only one image asset for that Image ID, enriched with information from all the identified container images for that ID. Snyk Essentials retrieves all image assets from Snyk Container. Reimport the images to ensure you scan the latest image. If you run a new scan on a Project that contains image assets, it rescans the same image for new vulnerabilities. To identify new image assets, you need to first reimport, and then scan the Project. Check the [Detect application vulnerabilities in container images](../scan-with-snyk/snyk-container/use-snyk-container/detect-application-vulnerabilities-in-container-images.md) page for more details. @@ -47,7 +47,7 @@ Snyk Essentials retrieves all image assets from Snyk Container. Reimport the ima Packages in Snyk Essentials are defined as software or libraries that are managed by package management systems. -Package assets are created when you scan the dependencies of a Project through package management systems or by using the Snyk CLI. This enables Snyk Essentials to identify and analyze the security vulnerabilities of the packages used within a Project, offering insights into possible risk exposures and providing recommendations for mitigation. +Snyk creates package assets when you scan the dependencies of a Project through package management systems or by using the Snyk CLI. This lets Snyk Essentials identify and analyze the security vulnerabilities of the packages used in a Project, offering insights into possible risk exposures and providing recommendations for mitigation. ### Scanned artifacts @@ -78,28 +78,28 @@ The Summary tab is a concentrated view of asset properties. The Summary screen p * SCM Repository freshness - provides the current status of your repositories, including the date of the last commit. * **Organization** - specifies the Organizations associated with the asset. * **Labels** - provides the list of all labels available for that asset. -* **Tags** - provides a key-value pair that allows you to attach structured metadata to your assets. +* **Tags** - provides a key-value pair that lets you attach structured metadata to your assets. * **Issues** - categorizes the identified types of open issues. * **App Context**\* - asset metadata from App Context integrations, such as Backstage catalog or ServiceNow CMDB, can include the following attributes: catalog name, category, application, owner, and so on. \*App Context information is visible only when the asset is part of a Project for which the application context was configured. {% hint style="info" %} -After you apply the filters, the assets list will only display the assets that directly match the filter conditions, and, if available, a list of children assets related to the selected one is displayed, with the information shown in a table format, with a focus on the following topics: Asset (name), Issues, Controls, Class. +After you apply the filters, the assets list displays only the assets that directly match the filter conditions, and, if available, a list of children assets related to the selected one, with the information shown in a table format, with a focus on the following topics: Asset (name), Issues, Controls, Class. {% endhint %} ### Related Assets -The Related assets tab provides a detailed view of assets related to the selected one. Use this tab to assess scanning coverage or asset ownership. You can see the details of a related asset by clicking on one of them. Usually, these are Package assets. When looking at Related Assets, you can notice a link to the parent repository at the top. If you click on the parent asset link, you will revert to the initial view of the parent asset. +The Related assets tab provides a detailed view of assets related to the selected one. Use this tab to assess scanning coverage or asset ownership. You can see the details of a related asset by clicking one of them. Usually, these are Package assets. When looking at Related Assets, you can notice a link to the parent repository. If you click the parent asset link, you revert to the initial view of the parent asset. ### Related Projects -The Related Projects tab provides a collection of Snyk Projects that are associated with a specific asset within the platform. These projects are arranged in a table format, enabling you to view relevant information that assists in managing and assessing vulnerabilities related to the asset. Each Project is displayed with the following details: +The Related Projects tab provides a collection of Snyk Projects that are associated with a specific asset in the platform. Snyk arranges these projects in a table format, letting you view relevant information that assists in managing and assessing vulnerabilities related to the asset. Each Project is displayed with the following details: * **Projects by Target**: A list of Projects grouped by targets. You can see both the Project name and the target name under which the Project is grouped. * **Target Reference**: An optional identifier that may not always be available. * **Test Surface**: Indicates the source of the Project scan, specifying whether it originated from SCM or the CLI. -* **Issues**: Provides insight into the number and severity of identified issues within the Project. +* **Issues**: Provides insight into the number and severity of identified issues in the Project. * **Organization**: Displays the Snyk Organization to which the Project belongs. * **Tested**: Shows the relative time since the last scan (for example, "3 hours ago") along with a tooltip that reveals the full date and time upon hovering. @@ -107,17 +107,17 @@ The Related Projects tab provides a collection of Snyk Projects that are associa ### Attributes -The Attributes tab shows miscellaneous attributes, like the Asset ID or Asset Type, that are fetched from the data source, but do not have a dedicated column. The benefit of having this info is not only by presenting it but mostly by making it searchable. You can search for an attribute by either using the inventory search bar or the filters. +The Attributes tab shows miscellaneous attributes, like the Asset ID or Asset Type, that Snyk fetches from the data source but that do not have a dedicated column. The benefit of having this information is not only in presenting it but mostly in making it searchable. You can search for an attribute using either the inventory search bar or the filters. ## Issues -The Issues column is designed to present a comprehensive list of issues that have been identified within your assets. These findings are the result of scans performed by Snyk as well as internal tools you may have deployed. This detailed list not only helps in understanding the security posture of your assets but also in prioritizing remediation efforts based on the severity and impact of each issue. By having visibility into these issues, you can take proactive steps toward improving the overall security of your applications and infrastructure. +The Issues column presents a comprehensive list of issues identified in your assets. These findings result from scans that Snyk and internal tools you have deployed perform. This detailed list helps you understand the security posture of your assets and prioritize remediation efforts based on the severity and impact of each issue. With visibility into these issues, you can take proactive steps toward improving the overall security of your applications and infrastructure. Most of the issues are mapped to an asset. However, some of the issues are associated with an asset but not directly linked to it. This is the case with image assets. -You can see these assets under the **Inventory** view, and they will also be reflected under the **Asset and Source Code** column from the **Insights UI** view. +You can see these assets under the **Inventory** view, and they also appear under the **Asset and Source Code** column from the **Insights UI** view. -The **Issues** column from the Asset view is designed to present an aggregated count of open issues. These counts are carefully categorized based on the severity level of the issues found in assets, their children's assets, or associated packages. The severity is divided into four distinct levels: +The **Issues** column from the Asset view presents an aggregated count of open issues. Snyk categorizes these counts based on the severity level of the issues found in assets, their children's assets, or associated packages. The severity is divided into four distinct levels: * **C** (Critical): Issues that represent a serious threat and should be addressed immediately to prevent potential exploits or major disruptions. * **H** (High): These are significant issues that, while not immediately dangerous, could potentially lead to critical vulnerabilities if not resolved in a timely manner. @@ -128,7 +128,7 @@ This classification streamlines prioritization, helping you focus on critical ar ## Coverage Controls -The Controls column displays all of the Snyk products that were executed on a specific repository asset. This column displays, in circles, a logo for each Snyk product. The logo icon itself has an indication of the highest severity of issues from this source. For example, if the highest severity issue is **C** (critical), you can see a red dot on the control icon. +The Controls column displays all of the Snyk products that ran on a specific repository asset. This column displays, in circles, a logo for each Snyk product. The logo icon itself indicates the highest severity of issues from this source. For example, if the highest severity issue is **C** (critical), you can see a red dot on the control icon. The Controls logos can have one of the following states: @@ -145,7 +145,7 @@ Click a Controls logo to see **Last test** details and the **Issues** count, spl ## Tags -Provides a key-value tagging capability that allows you to attach specific, structured metadata to your assets. Use this feature lets you granular filtering, robust policy creation, and better alignment with your internal systems. +Provides a key-value tagging capability that lets you attach specific, structured metadata to your assets. This feature lets you use granular filtering, robust policy creation, and better alignment with your internal systems. **Example**: A structured tag provides both a key and a value, such as `platform:aws` or `region:eu-central-1`. @@ -153,7 +153,7 @@ Provides a key-value tagging capability that allows you to attach specific, stru In Snyk Web UI, you can filter assets by their tags using **Advanced filters**. You can define filters based on specific criteria, such as a property of an asset, a condition, and a value. -* Filter by `Tags`: The new `Tags` filter is a key-value pair filter. This filter allows you to select a specific tag key such as `department` and then choose a corresponding value such as `finance` to narrow down the asset list. +* Filter by `Tags`: The new `Tags` filter is a key-value pair filter. This filter lets you select a specific tag key such as `department` and then choose a corresponding value such as `finance` to narrow down the asset list. ## Labels @@ -163,7 +163,7 @@ Asset labels are metadata that is applied to repository assets and build artifac * **User-defined labels** are customizable, as you can define their logic through Assets Policies. For example, you can set labels to represent a repository that comes from a specific source, such as GitHub. Labels associated with assets are identified in the UI with the **Asset policy label's** name. * **System labels** are automatically assigned by Snyk based on asset names or detected keywords (for example, `codeowners`). -A repository asset label can be added through Policies or be system-generated by Snyk Essentials to provide more context. Click on a labels field to view all labels. +You can add a repository asset label through Policies, or Snyk Essentials can system-generate it to provide more context. Click a labels field to view all labels. {% hint style="info" %} BitBucket Cloud cannot automatically detect the language used in the source code from the repositories. In Snyk Essentials, you can only see the language labels that have been manually added for BitBucket Cloud.\ @@ -173,9 +173,9 @@ For more information, you can refer to the official documentation provided by Bi A system-generated label includes the following information: -* **Technology** - The languages detected by Snyk Essentials in the source code within a repository asset. +* **Technology** - The languages detected by Snyk Essentials in the source code in a repository asset. * **SCM Topic** - The topics found in the integrated SCM repositories. Snyk Essentials supports topics from GitHub and GitLab. -* **Asset type label** - The label explaining the type of the asset. For example, ‌container assets will be assigned an image asset label. +* **Asset type label** - The label explaining the type of the asset. For example, ‌Snyk assigns container assets an image asset label. * **SCM Repository freshness** - The status of the repository and the date of the last commit. * **Active**: Had commits in the last 3 months. * **Inactive**: The last commits were made in the last 3 - 6 months. @@ -193,11 +193,11 @@ Labels are organized into three main categories: System labels are automatically generated from the SCM repositories. System labels can be classified into three main categories: * Languages: - * This applies to GitHub, GitLab, Azure DevOps, and BitBucket as long the data is available in the repository. + * This applies to GitHub, GitLab, Azure DevOps, and BitBucket as long as the data is available in the repository. * GitHub, GitLab, and Azure DevOps have automated language detection. Instead, BitBucket requires users to set up the language in their repositories. * SCM Topic: * This applies to GitHub and GitLab. -* Multiple different rules based on the words we found in the repositories: +* Multiple different rules based on the words Snyk found in the repositories: * This applies to GitHub, GitLab, Azure DevOps, and BitBucket. ### Labeling policy @@ -215,7 +215,7 @@ You can use pre-defined system labels and asset labels to mark the repositories In the Snyk web interface, you can filter assets by their labels using the **Advanced Filters** option. You can define filters based on highly specific criteria, such as a property of an asset, a condition, and a value. -* Filter by `labels`: This filter allows you to select a specific label. +* Filter by `labels`: This filter lets you select a specific label. ## Developers @@ -225,11 +225,9 @@ You can see the list of all the developers that worked on that specific asset. T Reflects the business criticality of the asset from A (most critical) to D (least critical), as you defined it in the Policies view. -You can manually change the business criticality of an asset. Click the criticality level and select another one from the list. +You can manually change the business criticality of an asset. To update it, click the criticality level and select another one from the list. -You can change the business criticality of an asset. To manually update it, select the criticality level and select another one from the list. - -After manually setting the value of a class, you have the option to lock the value to prevent any potential overriding by a policy that has the Set Asset Class as an action. You can lock the value from the general or summary views of an asset. You can unlock the class value at any time by clicking the lock icon. A pop-up is displayed, asking you for confirmation about unlocking the value. +After manually setting the value of a class, you can lock the value to prevent a policy that has Set Asset Class as an action from overriding it. You can lock the value from the general or summary views of an asset. You can unlock the class value at any time by clicking the lock icon. A pop-up appears, asking you to confirm unlocking the value. The Asset Class column is available on the Insights UI for risk-based prioritization, and it has the same functionality as it does here. At the moment, the Asset Class column is available only for repository assets, and applicable only for Snyk Code. @@ -237,11 +235,11 @@ The Asset Class column is available on the Insights UI for risk-based prioritiza Synchronization between the Asset Class and the Insights UI can take up to 3 hours. {% endhint %} -The class value can be auto-generated with policies. You just need to create a policy that has as an action **Set Asset Class**. +Policies can auto-generate the class value. Create a policy that has **Set Asset Class** as an action. ## Risk factors -The Risk Factors column lists the potential vulnerabilities and security threats associated with each asset. These risk factors help users identify specific risks, enabling them to prioritize and address issues more effectively. By understanding the particular risks tied to their assets, users can take more informed remedial actions. +The Risk Factors column lists the potential vulnerabilities and security threats associated with each asset. These risk factors help you identify specific risks, letting you prioritize and address issues more effectively. By understanding the particular risks tied to your assets, you can take more informed remedial actions. Here is a list of the available risk factors: @@ -251,7 +249,7 @@ Here is a list of the available risk factors: ## Source -The Source column in Snyk Essentials helps users identify the origin of their assets, which can be directly from Snyk, through SCM systems, or using third-party integrations. This feature simplifies asset management and risk prioritization by providing clear visibility into the origin of each asset and it enables more effective security strategies and remediation efforts. +The Source column in Snyk Essentials helps you identify the origin of your assets, which can be directly from Snyk, through SCM systems, or using third-party integrations. This feature simplifies asset management and risk prioritization by providing clear visibility into the origin of each asset, and it supports more effective security strategies and remediation efforts. ## SCM Integrations @@ -264,7 +262,7 @@ The column is hidden by default, and you can enable it in the **Columns** sectio ## SCM Repository freshness -The SCM Repository freshness column provides you with an immediate understanding of the current status of your repositories, including the date of the last commit. This assists you in quickly identifying active and dormant Projects and helps you make decisions regarding maintenance, security patching, and resource allocation. +The SCM Repository freshness column provides you with an immediate understanding of the current status of your repositories, including the date of the last commit. This helps you quickly identify active and dormant Projects and make decisions regarding maintenance, security patching, and resource allocation. The repository freshness displays the repository status according to the last commit date: @@ -275,15 +273,15 @@ The repository freshness displays the repository status according to the last co ## Clusters -The Clusters column lists all cluster names where an image is deployed and is using the runtime integrations as the source of the information. When an image is removed from a cluster, the cluster name is also deleted from the collection. Clusters are also available under Filters and allow you to filter assets in the Inventory view or to create policies in the Policies view. +The Clusters column lists all cluster names where an image is deployed and uses the runtime integrations as the source of the information. When you remove an image from a cluster, the cluster name is also deleted from the collection. Clusters are also available under Filters and let you filter assets in the Inventory view or create policies in the Policies view. {% hint style="info" %} -The Cluster column is populated only when the Snyk Runtime Sensor is utilized. +The Cluster column is populated only when you use the Snyk Runtime Sensor. {% endhint %} ## Organizations -The Organizations column lists all Snyk Organizations associated with each asset. This includes the names of Organizations that contain Projects linked to the asset, enabling users to filter and organize their asset inventory based on their organizational structures. Organizations are also available under Filters and allow you to filter assets in the Inventory view or to create policies in the Policies view. +The Organizations column lists all Snyk Organizations associated with each asset. This includes the names of Organizations that contain Projects linked to the asset, letting you filter and organize your asset inventory based on your organizational structures. Organizations are also available under Filters and let you filter assets in the Inventory view or create policies in the Policies view. ## Visibility @@ -300,6 +298,6 @@ Use this metadata to prioritize risk and apply visibility-based coverage control The Actions column provides a workflow to set up the SCM integration at the Group level to access full context enrichment. To identify the type of integration, check the [SCM Integrations column](assets-inventory-components.md#scm-integrations). This use case applies where a Group-level integration is not configured. -If a Group level integration has not been set up, repositories discovered at the Organization level display a **Set up integration** button under the **Actions** column. If you set up the integration at the Group level, this option becomes unavailable. +If a Group-level integration is not set up, repositories discovered at the Organization level display **Set up integration** under the **Actions** column. If you set up the integration at the Group level, this option becomes unavailable. To add context enrichment, find an asset and select **Set up integration**. For configuration details, see [Snyk SCM Integrations](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations). diff --git a/scan-fix-and-prevent/manage-assets/assets-inventory-filters.md b/scan-fix-and-prevent/manage-assets/assets-inventory-filters.md index 053295df15da..af39efd8c437 100644 --- a/scan-fix-and-prevent/manage-assets/assets-inventory-filters.md +++ b/scan-fix-and-prevent/manage-assets/assets-inventory-filters.md @@ -11,7 +11,7 @@ Quick filters are predefined filters that you can apply to assets. Available qui * **Assets with Repository freshness** **`ACTIVE` and `COVERAGE GAP`**: displays only the assets from active repositories and with a coverage gap for the selected Snyk products. * **Assets with Asset Class `A` and `COVERAGE GAP`**: displays only Class A assets that have a coverage gap for the selected Snyk products. -You can change or add additional filters by clicking **Advanced Filters**. +To change or add filters, click **Advanced Filters**. ## Advanced filters @@ -23,7 +23,7 @@ When you select advanced filters, you can specify one or more sets of criteria: * **Condition:** depends on the asset selected (such as `contains` or `does not contain` for `asset name`). * **Value:** depends on the **Property** and **Condition**. -You can add as many filters as needed by clicking **Add Filter**. +To add as many filters as needed, click **Add Filter**. {% hint style="info" %} If you are using Snyk Essentials for the first time, Snyk recommends starting with the **Coverage** filter to determine where Snyk is already implemented. @@ -86,7 +86,7 @@ You can filter unenriched repositories directly from the banner by selecting the #### Unenriched assets with Group SCM integration -If you use a Group-level integration, the banner shows assets not discovered through that integration. Although the integration is in place, some assets are not being pulled in. Possible reasons for unrenriched assets: +If you use a Group-level integration, the banner shows assets not discovered through that integration. Although the integration is in place, some assets are not being pulled in. Possible reasons for unenriched assets: * Organization-level integration has broader permissions than the Group-level integration. * A repository previously tested by Snyk was deleted in the SCM before the Group-level integration was set up. @@ -96,7 +96,7 @@ If you use a Group-level integration, the banner shows assets not discovered thr ## Troubleshooting -### The assets are not discovered by Group or Organization-level integrations. +### The assets are not discovered by Group or Organization-level integrations The assets are not discovered by Group or Organization-level integrations, but are discovered only through Snyk targets (for example, CLI Projects or old deleted repositories). @@ -128,4 +128,4 @@ If your profile includes the Organization, check the token permissions and ensur For GitLab and BitBucket, ensure that the Group-level tokens have access and the right permissions for the Organization. -If the source of the asset is another vendor, ensure the repository URLs match in order to avoid creating duplicate assets. +If the source of the asset is another vendor, ensure the repository URLs match to avoid creating duplicate assets. diff --git a/scan-fix-and-prevent/manage-assets/assets-inventory-layouts.md b/scan-fix-and-prevent/manage-assets/assets-inventory-layouts.md index bd6395e668de..ac41b52aa2d5 100644 --- a/scan-fix-and-prevent/manage-assets/assets-inventory-layouts.md +++ b/scan-fix-and-prevent/manage-assets/assets-inventory-layouts.md @@ -2,7 +2,7 @@ Snyk defines an asset as a meaningful, real-world component in an application’s SDLC, where meaningful means either carries a risk or aggregates risk of other components (for example, repositories that contain packages), and real-world means that the concept exists outside of Snyk, for example, repository (which is a generally applicable term). In most cases, assets carry a risk or aggregate risk of other components, such as repositories that contain packages. -Snyk Essentials inventory tabs are organizing your repository assets in meaningful ways, enabling you to: +Snyk Essentials inventory tabs organize your repository assets in meaningful ways, letting you: * Gain full repository asset visibility from your SCM tools, including details about configured teams and repository code committers. * Track controls coverage for Snyk products. @@ -15,7 +15,7 @@ Each line in the inventory represents an asset. ## Inventory tabs -To get better context and clarity over your asset inventory, Snyk Essentials allows flexible structuring with inventory tabs. Snyk Essentials includes five inventory tabs and groups assets by different contexts. You can find all inventory tabs under the Inventory menu option at the Group level: +To get better context and clarity over your asset inventory, Snyk Essentials lets you structure assets flexibly with inventory tabs. Snyk Essentials includes five inventory tabs and groups assets by different contexts. You can find all inventory tabs under the Inventory menu option at the Group level: * **Overview:** Provides quick insights into discovered repositories, enabling AppSec teams to effectively operationalize their program using Snyk. * **All Assets:** All the discovered assets are grouped by their type. @@ -31,7 +31,7 @@ You can filter the information for all the inventory tabs and use any of the ava The Overview tab in Snyk Inventory provides insights into the discovered repositories, highlighting key features and characteristics such as the total number of discovered repositories and the distribution of tested and not tested repositories, the number of dormant repositories or coverage details based on the asset policies. -Provides quick insights into discovered repositories, enabling AppSec teams to effectively operationalize their program using Snyk. This helps reduce coverage gaps, organize and leverage asset context, and ensure compliance with coverage policies. +Provides quick insights into discovered repositories, enabling AppSec teams to effectively operationalize their program using Snyk. This helps reduce coverage gaps, organize and use asset context, and ensure compliance with coverage policies. #### Repositories tested @@ -43,7 +43,7 @@ Use this widget to get a clear overview of all discovered repositories and see h Follow the next steps to remediate the coverage gaps: -1. Click "Coverage gap" to see all affected repositories. +1. Click **Coverage gap** to see all affected repositories. 2. Determine the reasons for the policy non-compliance. 3. Remediate and bring repositories into compliance. 4. Set up an asset policy. @@ -54,17 +54,17 @@ Use this widget to see all dormant repositories with critical and high-risk issu #### Languages with most issues -Use this widget to identify the programming languages that often present issues within your codebase. If you hover over any of the listed languages, you can see and access the Snyk Learn training focused on setting up, integrating, and customizing the selected language. +Use this widget to identify the programming languages that often present issues in your codebase. If you hover over any of the listed languages, you can see and access the Snyk Learn training focused on setting up, integrating, and customizing the selected language. #### Class A repositories with most high and critical issues -Use this widget to see a maximum of top ten high-risk Class A repositories with the biggest impact on the business (class A). This tool helps your development team identify and prioritize remediation efforts with asset context. By addressing high-risk areas promptly, you improve the stability and security of your Project, ultimately enhancing software quality. +Use this widget to see a maximum of the top 10 high-risk Class A repositories with the biggest impact on the business. This tool helps your development team identify and prioritize remediation efforts with asset context. By addressing high-risk areas promptly, you improve the stability and security of your Project, ultimately enhancing software quality. ### All Assets The **All Assets** tab under the Inventory menu provides a central view of all your assets, offering a comprehensive overview of your security posture. You can access a list of your assets and customize the view to meet your needs. Select the columns that you want to be visible, use filters to refine the information, and export the details to share them with others. -This unified view allows you to efficiently monitor assets and prioritize remediation for stronger application security. +This unified view lets you efficiently monitor assets and prioritize remediation for stronger application security. ### Asset Hierarchy @@ -73,17 +73,17 @@ Assets are sorted by issue counts, and where applicable, package assets are list The **Asset Hierarchy** is visible only when no filters are applied, allowing you to see a clear, unfiltered view of your assets and their relationships. -This layout helps in understanding the relationship between different assets and their associated issues, providing a comprehensive view of the asset landscape within your Organization. +This layout helps in understanding the relationship between different assets and their associated issues, providing a comprehensive view of the asset landscape in your Organization. ### Teams -The **Teams** tab in Snyk **Inventory** organizes assets from SCM repositories by team. Assets are grouped here according to the teams assigned to them within the SCM organizations. +The **Teams** tab in Snyk **Inventory** organizes assets from SCM repositories by team. Assets are grouped here according to the teams assigned to them in the SCM organizations. -Only SCM organizations that have teams and repositories assigned to a team will appear in this layout. This helps in visualizing and managing repository assets according to team structures, making it easier to track and prioritize security efforts based on team responsibilities. +Only SCM organizations that have teams and repositories assigned to a team appear in this layout. This helps in visualizing and managing repository assets according to team structures, making it easier to track and prioritize security efforts based on team responsibilities. ### Technology -The **Technology** tab in Snyk **Inventory** groups SCM repository assets by the technology they use, such as programming languages and frameworks. This categorization is detected and tagged by Snyk Essentials, allowing you to easily identify and manage assets based on the used technologies. +The **Technology** tab in Snyk **Inventory** groups SCM repository assets by the technology they use, such as programming languages and frameworks. Snyk Essentials detects and tags this categorization, letting you identify and manage assets based on the used technologies. This feature helps in understanding the technological landscape of your repositories and can be useful for prioritizing security efforts and managing risks associated with different technologies. @@ -96,7 +96,7 @@ Assets in the inventory are presented with key attributes in the following colum * **Asset** - The name of the repository asset, scanned artifact, and the Git remote URL, if available. Scanned artifacts are missing Git remote URLs. * **Issue** - The number of issue counts on open assets aggregated across all relevant tools of the same severity of the asset itself and its child assets or packages. The severity level is classified into **C** (critical), **H** (high), **M** (medium), and **L** (low). * **Controls** - A report detailing all products detected by the Snyk Essentials on a specific repository asset and all products that should be but are not covered by Snyk Essentials. -* **Tags** - You will be able to add a unique key-value tag to provide a more powerful and granular context for your assets. This attribute lets you attach specific, unique metadata to your assets, which enables precise filtering, robust policy creation, and alignment with your internal systems. +* **Tags** - Add a unique key-value tag to provide a more powerful and granular context for your assets. This attribute lets you attach specific, unique metadata to your assets, which enables precise filtering, robust policy creation, and alignment with your internal systems. * **Labels** - Snyk Essentials automatically labels repository assets with information about the used technologies (Python, Terraform, and so on) in the repository, and repository latest updates. You can also use policies to label repository assets. * **Developers** - Includes the SCM profile details for code committers to the repository asset. * **Class** - Reflects the business criticality of the asset from A (most critical) to D (least critical), as defined by the user in the Policies view. You can manually change the class or automatically change it by applying a policy. You can lock the value you have manually set for a Class to prevent policies from overriding it. @@ -109,7 +109,7 @@ Assets in the inventory are presented with key attributes in the following colum * **Actions** - Provides a workflow to set up an SCM integration, enriching the asset context with information such as labels, developers, and repository freshness. This use case is available when a Group-level integration is not configured. {% hint style="info" %} -The Clusters column is hidden by default. To enable it, click Columns, select Clusters from the dropdown list, then click Apply to save the changes. +The Clusters column is hidden by default. To enable it, click **Columns**, select **Clusters** from the dropdown list, then click **Apply** to save the changes. {% endhint %} ### **Asset Sources, Types, and Scanned Artifacts** @@ -138,4 +138,4 @@ You can see the scanned artifacts in the Inventory Type view. The scanned artifa Packages are defined as software or libraries that are managed by package management systems. -Package assets are created when you scan the dependencies of a Project through package management systems or by using the Snyk CLI. This enables Snyk Essentials to identify and analyze the security vulnerabilities of the packages used within a Project, offering insights into possible risk exposures and providing recommendations for mitigation. +Snyk creates package assets when you scan the dependencies of a Project through package management systems or by using the Snyk CLI. This lets Snyk Essentials identify and analyze the security vulnerabilities of the packages used in a Project, offering insights into possible risk exposures and providing recommendations for mitigation. diff --git a/scan-fix-and-prevent/manage-assets/configure-repository-monitoring.md b/scan-fix-and-prevent/manage-assets/configure-repository-monitoring.md index 0917e36dae23..e1c985d28487 100644 --- a/scan-fix-and-prevent/manage-assets/configure-repository-monitoring.md +++ b/scan-fix-and-prevent/manage-assets/configure-repository-monitoring.md @@ -19,7 +19,7 @@ Repository monitoring configuration provides the following capabilities: * Centralized asset monitoring: view monitoring status for all products, identify health status, and see required actions (such as enabling Snyk Code or resolving SCM integration issues) in one view. * Bulk import: import repositories directly from the Group **Inventory** page into specific Snyk Organizations. * On-demand retesting: trigger a retest for specific repositories directly from **Inventory**. -* Actionable error resolution: clear guidance ia available when testing fails due to integration issues or entitlements. After the underlying issue is resolved, testing resumes automatically. +* Actionable error resolution: clear guidance is available when testing fails due to integration issues or entitlements. After you resolve the underlying issue, testing resumes automatically. ## Configure settings for repository monitoring @@ -58,7 +58,7 @@ It is not possible to manage these settings at Organization level for assets tra * **Testing exclusions (optional)**: manage file exclusions for Snyk Open Source and Snyk Container Projects. Exclusions apply at the asset level. You cannot exclude specific files for the same repository in different Snyk Organizations. {% hint style="info" %} -For Snyk Code, you can manage exclusions using the `.snyk` files, in order to maintain developer-first workflows. +For Snyk Code, you can manage exclusions using the `.snyk` files to maintain developer-first workflows. {% endhint %} Click **Continue**. diff --git a/scan-fix-and-prevent/manage-assets/manage-assets.md b/scan-fix-and-prevent/manage-assets/manage-assets.md index 86e39bdf394c..b214ca9d98e8 100644 --- a/scan-fix-and-prevent/manage-assets/manage-assets.md +++ b/scan-fix-and-prevent/manage-assets/manage-assets.md @@ -46,6 +46,6 @@ Through this interconnected framework, Snyk ensures robust asset protection and ### Assets Enrichments by SCM Integration -The table below outlines the asset enrichments provided by each SCM Integration. It highlights which capabilities are available today that are not available due to the SCM provider. +The following table outlines the asset enrichments provided by each SCM Integration. It highlights which capabilities are available today that are not available due to the SCM provider.
CapabilityGitHubGitLabBitBucket CloudBitBucket ServerAzure DevOps
Org/Workspace✅​✅​✅​✅​✅​
SCM Projects
Contributors
Teams
Languages (tags)✅ When manually set up
Tags✅ GitHub topics / GitHub custom properties✅ GitLab topics
Visibility
Archive Repos
diff --git a/scan-fix-and-prevent/manage-risk/analytics/README.md b/scan-fix-and-prevent/manage-risk/analytics/README.md index 42087c7c843e..6428bdda9439 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/README.md +++ b/scan-fix-and-prevent/manage-risk/analytics/README.md @@ -7,7 +7,7 @@ The Snyk Analytics experience is available only for Enterprise plan customers wi Build custom dashboards, access enhanced metrics, and explore analytics at the Tenant, Group, or Organization level. -The Snyk Analytics allows you to: +Snyk Analytics lets you: * Select and arrange widgets from the inventory to create a personalized dashboard. * Access the [Saved Views](reports-tab/#saved-views) feature. @@ -43,5 +43,5 @@ In the Snyk 2.0 UI, **Analytics** is the centralized location for all Group or O Snyk 2.0 introduces UI enhancements to the platform navigation and is available in Early Access. This is being rolled out gradually, so not all users see the new navigation at the same time. -If you are an existing user, you can switch between the new and classic navigation at any time using the toggle in your user profile menu. For more information, visit [Snyk 2.0 platform improvements](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/snyk-2.0-platform-improvements). +If you are an existing user, you can switch between the new and classic navigation at any time using the toggle in your user profile menu. For more information, see [Snyk 2.0 platform improvements](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/snyk-2.0-platform-improvements). {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/analytics/overview-tab.md b/scan-fix-and-prevent/manage-risk/analytics/overview-tab.md index 1605ca0bb8b8..a70cd5582fff 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/overview-tab.md +++ b/scan-fix-and-prevent/manage-risk/analytics/overview-tab.md @@ -13,7 +13,7 @@ This section displays aggregate totals for the selected time range and calculate The following widgets are enabled by default: * **Open issues**: The total count of unresolved vulnerabilities. -* **Ignored issues**: The total count of vulnerabilities suppressed by Snyk ignore policies. +* **Ignored issues**: The total count of vulnerabilities that Snyk ignore policies suppress. * **New issues**: The volume of vulnerabilities introduced during the selected timeframe. * **Resolved issues**: The total count of vulnerabilities fixed during the selected timeframe. * **Unique vulnerabilities**: The distinct count of individual vulnerability types, regardless of how many times they appear across your environments. @@ -22,13 +22,13 @@ Additionally, you can add the following widgets: * **Projects Monitored**: Number of Snyk Projects continuously monitored for open-source vulnerabilities and license issues after using the `snyk monitor` CLI command. * **Agentic Scans**: Number of Snyk Studio scans for the selected timeframe. -* **Developers running agentic scans: S**nyk Studio adoption rate. +* **Developers running agentic scans:** Snyk Studio adoption rate. * **Total PR checks**: Number of pull request (PR) checks for the selected timeframe. * **PR check success rate**: Outcomes of PR checks. An increasing success rate over time demonstrates that developers produce more secure code earlier in the software development lifecycle. * **Snyk Organizations**: Track Snyk rollout progress by viewing the total number of new Snyk Organizations created over time. * **Zero-Day Open Issues**: Use this centralized dashboard to assess immediate risk and track your response during a major zero-day security incident. * **Developers testing in the IDE/CLI**: Number of developers who run a Snyk scan during the selected timeframe. -* **SCA Preventable issues**: It shows the number of new open-source (SCA) vulnerabilities introduced into your codebase that you can block earlier, for example, during pull request checks. +* **SCA Preventable issues**: Shows the number of new open-source (SCA) vulnerabilities introduced into your codebase that you can block earlier, for example, during pull request checks. * **Tested repositories in CI/CD**: Number of repositories tested in the continuous integration and continuous delivery (CI/CD) pipeline. ### Coverage @@ -95,7 +95,7 @@ The following widgets are enabled by default: * **Organizations introducing most new SCA preventable issues**: Pinpoints where known, avoidable open-source risks enter your codebase. Use this to target specific teams for training on secure coding practices or Snyk use. * **New issues by introduction category**: Classifies the avoidability of new vulnerabilities. Use the **Preventable Issue** segment to measure how many issues Snyk scans could have blocked earlier, helping you justify stricter PR checks. -You can also add the **New SCA preventable issues introduced over time** widget. This widget classifies the avoidability of new vulnerabilities. Use the Preventable Issue segment to measure how many issues Snyk scans can block earlier to help you justify stricter pull request checks. +You can also add the **New SCA preventable issues introduced over time** widget. This widget classifies the avoidability of new vulnerabilities. Use the **Preventable Issue** segment to measure how many issues Snyk scans can block earlier to help you justify stricter pull request checks. ## Customize the dashboard diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/README.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/README.md index 1b748cadd55e..dc2fac5d3dee 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/README.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/README.md @@ -19,36 +19,36 @@ Reports are organized into multiple categories: Snyk reports provide the visibility and analytics needed to drive data-based conversations between development and security. -Security professionals can easily access, analyze, and share Snyk security data to track developer adoption and success, identify where the greatest amount of risk lies to prioritize remediation effectively, and understand the overall risk posture across the Organization's application portfolio. +Security professionals can access, analyze, and share Snyk security data to track developer adoption and success, identify where the greatest amount of risk lies to prioritize remediation effectively, and understand the overall risk posture across the Organization's application portfolio. Snyk Reports offer analytics across all of your Projects, displaying detailed and aggregated data about Projects and issues. Data displayed in each report is scoped to the Snyk Organization or Group in which you are working. -Snyk Reports are highly flexible, enabling you to display specifically selected data in the appropriate view to answer key security questions. +Snyk Reports are highly flexible and let you display specifically selected data in the appropriate view to answer key security questions. {% hint style="info" %} -Deactivated Projects and their respective results will not appear in the Reports area. +Deactivated Projects and their respective results do not appear in the Reports area. {% endhint %} You can view dependencies and license information for all Projects in your Group or Organization. For more details, navigate to the [Dependencies and licenses](../../dependencies-and-licenses/) page. Navigate to **Analytics** > **Reports** to see all available reports. -After you selected a specific report, you can switch to a different report from the dropdown in the upper left corner. +After you select a specific report, you can switch to a different report from the dropdown in the upper left corner. ## Snyk reporting filters -All reports are filterable by a number of attributes, enabling users to create the appropriate horizontal or vertical slice of the business for their use case. You can see the available filters in the dropdown furthest right at the top. +You can filter all reports by a number of attributes to create the appropriate horizontal or vertical slice of the business for your use case. You can see the available filters in the dropdown furthest right at the top. If you do not select or enter any values for a particular key, the filter is not applied. ### Exclude filters -In addition to selecting values to include, you can exclude specific values using the `is not` option available across many report filters. This allows you to: +In addition to selecting values to include, you can exclude specific values using the `is not` option available across many report filters. You can: * **Remove unwanted results** (for example, exclude certain Organizations, Project types, or asset names). * **Spot gaps more easily** (for example, find Projects not in a collection, or assets missing specific tags). -To use an exclude filter, first select the filter, then select the drop-down menu next to the filter name, and select `is Not` . Select the items you'd like to exclude. +To use an exclude filter, first select the filter, then select the dropdown menu next to the filter name, and select `is Not` . Select the items you'd like to exclude. The resulting filter shows "{filterName} is not: {excluded items}" @@ -60,7 +60,7 @@ A specific filter type can only be used once - it is not possible to have both a In a given filter, all values selected are separated by an OR operator. For example, if you select the values `Critical` and `High` for the `Issue Severity` filter, Snyk displays issues that have a severity of either `Critical` or `High`. -With exclude filters, if you select `Is not Critical` in the Issue Severity filter, Snyk will display issues of all other severities except Critical. +With exclude filters, if you select `Is not Critical` in the Issue Severity filter, Snyk displays issues of all other severities except Critical. Filters are separated by an AND operator. For example, if you select the `Critical` value for the `Issue Severity` filter and the `Resolved` value for the `Issue Status` filter, Snyk displays issues that are both `critical` severity and `resolved`. @@ -68,7 +68,7 @@ This same logic applies when using exclusions. For example, if you exclude `Crit ### Stateful URLs for filtered views -Every time a filter value is applied, the app.snyk.io URL is updated to persist the state of the page. You can bookmark and copy the URL, and share it with anyone who has the appropriate Snyk Organization or Group access. For easy sharing, use the **Copy URL** button in the upper-right corner of the report list. +Every time you apply a filter value, Snyk updates the app.snyk.io URL to persist the state of the page. You can bookmark and copy the URL, and share it with anyone who has the appropriate Snyk Organization or Group access. For easy sharing, click **Copy URL** in the upper-right corner of the report list. Exclude filter selections are also saved in the URL, so your "not equal to" filters persist when you share or bookmark a view. @@ -89,41 +89,41 @@ Click **Export to PDF** to download a PDF of the report content and its context. * Viewed scope (Snyk Organization or Group) * Applied filters -Exporting a PDF enables you to share a report with users who do not log in to the Snyk Web UI, for example, an executive or external auditor. The PDF export offers point-in-time attestation with the necessary context. +Exporting a PDF lets you share a report with users who do not log in to the Snyk Web UI, for example, an executive or external auditor. The PDF export offers point-in-time attestation with the necessary context. For tabular data on reports, the PDF export shows only the first 50 results. The PDF export includes links to view the report in the browser. ### Download a Snyk report to a CSV file -You can use the **Download CSV** button on the right in the report to download data presented in tables to CSV. This information can be used, for example, for prioritization or for a one-time analysis in a spreadsheet. +Click **Download CSV** in the report to download data presented in tables to CSV. You can use this information, for example, for prioritization or for a one-time analysis in a spreadsheet. All columns displayed in the UI are included in the CSV output. In addition, any columns that contain hyperlinks in the UI are split into two columns: one containing the text and the other containing the linked URL. There is no row limit, but there is a 5GB file size limit. -The **Download CSV** button is disabled if there are no vulnerabilities in the report, either because the Organization has no vulnerable Projects or because the applied filters remove all vulnerabilities. In this case, the report can still be exported to PDF if proof of zero vulnerabilities is required. +**Download CSV** is disabled if there are no vulnerabilities in the report, either because the Organization has no vulnerable Projects or because the applied filters remove all vulnerabilities. In this case, you can still export the report to PDF if you need proof of zero vulnerabilities. ## Column sorting Sort columns in tables by clicking the arrows next to the column header. Click once to sort in ascending order, twice to sort in descending order, and three times to remove the sort from that column. Multi-column sorting is supported. -When columns are sorted, the app.snyk.io URL is updated to persist the state of the page, allowing for bookmarking, copying, and sharing. +When you sort columns, Snyk updates the app.snyk.io URL to persist the state of the page, allowing for bookmarking, copying, and sharing. ## Modify Snyk report columns -In some reports, tables may include an option to modify columns. When this option is available, you can use it to select the columns to display in the UI. The export features (PDF and CSV) respect the selected columns. +In some reports, tables include an option to modify columns. When this option is available, you can use it to select the columns to display in the UI. The export features (PDF and CSV) respect the selected columns. -When columns are modified, the app.snyk.io URL is updated to persist the state of the page, allowing for bookmarking, copying, and sharing. +When you modify columns, Snyk updates the app.snyk.io URL to persist the state of the page, allowing for bookmarking, copying, and sharing. ## Saved views -The Saved Views feature enables collaboration based on shared, consistent, and customizable reports. This feature is available at Organization and Group level, in the **Analytics** menu, under the **Reports** tab. It allows you to customize and save filter settings for your reports, which you can then reuse. +The Saved Views feature enables collaboration based on shared, consistent, and customizable reports. This feature is available at Organization and Group level, in the **Analytics** menu, under the **Reports** tab. It lets you customize and save filter settings for your reports, which you can then reuse. -To make it easier to share the view outside of the Snyk platform, the URL of a saved view remains the same after it is created, regardless of any changes you make to it. +To make it easier to share the view outside of the Snyk platform, the URL of a saved view remains the same after you create it, regardless of any changes you make to it. ### Prerequisites -To create, edit, and remove a saved view, you must have **Edit reports** permission. Saved views are not private. After being created, Saved Views are visible to all users with **View reports** permission. Only Organization and Group Admins can assign these permissions. For more information, see [User role management](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management). +To create, edit, and remove a saved view, you must have **Edit reports** permission. Saved views are not private. After you create them, Saved Views are visible to all users with **View reports** permission. Only Organization and Group Admins can assign these permissions. For more information, see [User role management](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management). To assign report permissions: @@ -154,7 +154,7 @@ To update a saved view: 2. Navigate to the **Analytics** menu > **Reports** tab and select the report that contains the saved view you want to update. 3. From the **Standard view** filter, select and load the view you want to update. 4. Make any necessary changes to the report view. -5. Save the changes by clicking **Save** next to the Saved Views dropdown. This overwrites the existing view. +5. Click **Save** next to the Saved Views dropdown to save the changes. This overwrites the existing view. ### Rename, delete, or copy the URL of a view diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/compliance-reports.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/compliance-reports.md index c6e673cddc1d..ebd80cd7a7ca 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/compliance-reports.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/compliance-reports.md @@ -9,7 +9,7 @@ The Compliance reports section includes the following reports: ## CWE Top 10 KEV report -The [CWE Top 10 KEV Weaknesses](https://cwe.mitre.org/top25/archive/2023/2023_kev_list.html) list identifies the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (KEV) Catalog, a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. +The [CWE Top 10 KEV Weaknesses](https://cwe.mitre.org/top25/archive/2023/2023_kev_list.html) list identifies the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) [Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (KEV) Catalog, a database of security flaws in software applications and weaknesses that attackers have exposed and exploited. The report is based on the version released in 2023 by Mitre. The supported products are Snyk Open Source, Snyk Container, and Snyk Code. @@ -27,7 +27,7 @@ Each control in the list (A1, A2, and so on) is based on a list of Common Weakne The CWEs are mapped to Snyk-IDs (), which are mapped to issues. -For example, the critical vulnerability [SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720) is classified as [CWE-94](https://cwe.mitre.org/data/definitions/94.html), which is part of the OWASP TOP 10 [A03:2025 - Injection](https://owasp.org/Top10/2025/A05_2025-Injection/). All the issues related to this vulnerability will be under the A03 category. +For example, the critical vulnerability [SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720) is classified as [CWE-94](https://cwe.mitre.org/data/definitions/94.html), which is part of the OWASP TOP 10 [A03:2025 - Injection](https://owasp.org/Top10/2025/A05_2025-Injection/). All the issues related to this vulnerability appear under the A03 category. Learn more by using the [OWASP TOP 10 Learning path](https://learn.snyk.io/learning-paths/owasp-top-10/) on Snyk Learn. @@ -56,7 +56,7 @@ The report identifies PCI-DSS risks and violations based on the following PCI-DS 1. **Requirement 6.2.4:** Engineers use various techniques to prevent or mitigate common software attacks and related vulnerabilities in bespoke and custom software. This includes but is not limited to the following methods: * Injection attacks, including SQL, LDAP, XPath, or other command, parameter, object, fault, or injection-type flaws. * Attacks on data and data structures, including attempts to manipulate buffers, pointers, input data, or shared data. - * Attacks on cryptography usage, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation. + * Attacks on cryptography use, including attempts to exploit weak, insecure, or inappropriate cryptographic implementations, algorithms, cipher suites, or modes of operation. * Attacks on business logic, including attempts to abuse or bypass application features and functionalities through the manipulation of APIs, communication protocols and channels, client-side functionality, or other system or application functions and resources. This includes cross-site scripting (XSS) and cross-site request forgery (CSRF). * Attacks on access control mechanisms, including attempts to bypass or abuse identification, authentication, or authorization mechanisms or attempts to exploit weaknesses in the implementation of such mechanisms. * Attacks using any “high-risk” vulnerabilities identified in the vulnerability identification process, as defined in Requirement 6.3.1. @@ -141,9 +141,9 @@ The breakdown table helps identify the number of vulnerabilities by attack categ Use the table to pinpoint major attack categories or Snyk Organizations that lead to PCI-DSS violations. You can click on the figures to explore the specific issues in more detail. {% hint style="info" %} -After you investigate and see the actual issues behind the figures, you may proceed by: +After you investigate and see the actual issues behind the figures, you can proceed by: -* Vulnerability triage and prioritization. -* Conclude the prevalent CWEs and CVEs by sorting on the CWE/CVE column and filtering those CWEs/CVEs in the [Vulnerabilities Detail Report](compliance-reports.md#vulnerabilities-detail-report) to surface all the vulnerability occurrences across targets and Projects. -* Run a vulnerability eradication campaign or assign Snyk Learn training to relevant engineering teams. +* Triaging and prioritizing vulnerabilities +* Determining the prevalent CWEs and CVEs by sorting on the CWE/CVE column and filtering those CWEs/CVEs in the [Vulnerabilities Detail Report](compliance-reports.md#vulnerabilities-detail-report) to surface all the vulnerability occurrences across targets and Projects +* Running a vulnerability eradication campaign or assigning Snyk Learn training to relevant engineering teams {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/education-reports.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/education-reports.md index 3240ae2b070b..48a287bed969 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/education-reports.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/education-reports.md @@ -15,21 +15,21 @@ The Education reports section includes the following reports: Learn Engagement report is available only in the Learning Management add-on offering. For more information, contact your Snyk account team. {% endhint %} -The goal of the engagement report is to provide insights into your security education and training programs overall progress, and give you insights into which parts of your Organization are engaging with Snyk Learn content. You can use the data and insights to better optimise your program, find security champions, generate reports for compliance and show progress to your executive sponsors. +The goal of the engagement report is to provide insights into your security education and training programs overall progress, and give you insights into which parts of your Organization are engaging with Snyk Learn content. You can use the data and insights to better optimize your program, find security champions, generate reports for compliance, and show progress to your executive sponsors. ### Access the report -The Learn Engagement report can be accessed at the Group level from the **Change Report** dropdown in the Reports menu. +You can access the Learn Engagement report at the Group level from the **Change Report** dropdown in the Reports menu. ### Report features -The report allows you to track: +The report lets you track: * Learn engagement snapshot analytics * Assignment Progress * Adoption rankings * Content usage breakdown -* Filtering: custom time periods, users, organizations, organization role, and Lesson titles. +* Filtering: custom time periods, users, organizations, organization role, and Lesson titles {% hint style="info" %} [Learning Programs](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/developer-education-with-snyk-learn/snyk-learn/snyk-learn-learning-programs) are not included in the Engagement Report @@ -43,7 +43,7 @@ The first section of the report focuses on showing key engagement statistics and ### Adoption rankings -The adoption ranking section shows your organization and individual user engagement with Snyk Learn. This is ranked by "Lessons complete" and also has the estimated duration the org/user has spent on Snyk Learn lessons. Estimated duration calculated using the estimated duration presented at the start of each lesson, and includes estimated time from any progress on "in-progress" lessons in the selected period. +The adoption ranking section shows your organization and individual user engagement with Snyk Learn. This is ranked by "Lessons complete" and also has the estimated duration the org/user has spent on Snyk Learn lessons. Snyk calculates the estimated duration using the estimated duration presented at the start of each lesson, and includes estimated time from any progress on "in-progress" lessons in the selected period. {% hint style="info" %} The user level adoption ranking is a great way to identify potential security champions who are proactively engaging in security education and training. @@ -67,17 +67,17 @@ The goal of the impact and opportunities report is to provide insights into the ### Access the report -The Learning Impact & Opportunities report can be accessed at the Group level from the **Change Report** dropdown in the Reports menu. +You can access the Learning Impact and Opportunities report at the Group level from the **Change Report** dropdown in the Reports menu. ### Report features -The report allows you to track: +The report lets you track: * Impact of education and training on code issue remediation * Impact of education and training on code issue prevention * Recommendations for further training opportunities -* Coverage rates of users trained in identified training opportunities. -* Filtering: custom time periods, users, organizations, lesson title, CWE, issue severity. +* Coverage rates of users trained in identified training opportunities +* Filtering: custom time periods, users, organizations, lesson title, CWE, issue severity ### Learning impact snapshot @@ -91,12 +91,12 @@ The "Learning Impact on Issue Prevention" chart measures the relationship betwee ### Top 10 CWEs - open issues / issues introduced in the period -This section of the report shows recommendation for training for your top open code issues, and most frequently introduced issues, by volume. Note issues are only included when Snyk Learn has a related lesson for the CWE category. +This section of the report shows recommendations for training for your top open code issues, and most frequently introduced issues, by volume. Note that Snyk includes issues only when Snyk Learn has a related lesson for the CWE category. -You will see coverage for all users within organisation scope of the report filters. This shows you how many people have ever completed a related Snyk Learn lesson on the topic. +You see coverage for all users in organization scope of the report filters. This shows you how many people have ever completed a related Snyk Learn lesson on the topic.
{% hint style="info" %} -The recommendations in this section allow you to focus on the most impactful training opportunities. Use the filters to further customise the recommendations based on issue severity or for specific Organizations. +The recommendations in this section let you focus on the most impactful training opportunities. Use the filters to further customize the recommendations based on issue severity or for specific Organizations. {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/exposure-and-coverage-reports.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/exposure-and-coverage-reports.md index bc0dbe3bfe2c..84714630dcc2 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/exposure-and-coverage-reports.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/exposure-and-coverage-reports.md @@ -12,7 +12,7 @@ The Asset Dashboard provides a comprehensive overview of your application and se The Asset Dashboard is a central hub for managing and reviewing assets, making tracking inventory size easier over time and understanding the interaction between different asset types. -While Snyk Inventory enables the discovery and management of your assets that should be secured, the Snyk Asset Dashboard allows you to go beyond the details and better understand the main building blocks of your inventory.\ +While Snyk Inventory enables the discovery and management of your assets that should be secured, the Snyk Asset Dashboard lets you go beyond the details and better understand the main building blocks of your inventory.\ \ The Asset Dashboard shows all the asset data that is available in your inventory and helps you answer various questions, such as: @@ -55,31 +55,31 @@ Hover over any column to see how the coverage percentage is calculated. ### Asset class breakdown -The asset class breakdown widget surfaces the distribution of repositories and container images by [asset class](../../../manage-assets/assets-inventory-components.md#class). Reviewing this widget allows you to determine the percentage of business-critical assets in your inventory and drill down to see the actual assets. +The asset class breakdown widget surfaces the distribution of repositories and container images by [asset class](../../../manage-assets/assets-inventory-components.md#class). Reviewing this widget lets you determine the percentage of business-critical assets in your inventory and drill down to see the actual assets. {% hint style="info" %} **Tips** * Having the context of the asset class is crucial for prioritizing assets. It is recommended to categorize your inventory by implementing [classification policies](../../policies/assets-policies/use-cases-for-policies/classification-policy.md) to proactively classify existing and newly introduced assets. -* Using the filters enables narrowing down the asset class distribution within specific applications or code owners, as well as focusing on active repositories or a set of assets based on the asset tags. +* Using the filters enables narrowing down the asset class distribution in specific applications or code owners, as well as focusing on active repositories or a set of assets based on the asset tags. {% endhint %}

Asset Class Breakdown

### Top 10 technologies breakdown -The top 10 technologies widget identifies the leading programming languages and frameworks used in repositories. Using the available filters enables you to determine the most commonly used technologies in active or business-critical repositories. Moreover, you can investigate specific applications or code owners. +The top 10 technologies widget identifies the leading programming languages and frameworks used in repositories. Using the available filters lets you determine the most commonly used technologies in active or business-critical repositories. You can also investigate specific applications or code owners. {% hint style="info" %} **Tips** * The technology data is available in the [asset tags](../../../manage-assets/assets-inventory-components.md#tags). -* Click a presented technology to open the inventory page in a new browser tab. This will allow you to review the related repositories in detail. +* Click a presented technology to open the inventory page in a new browser tab. This lets you review the related repositories in detail. {% endhint %} ### Top 10 package managers breakdown -The top 10 package managers widget allows you to identify the leading package managers in your inventory. The quantities represent assets of package type. A [package asset](../../../manage-assets/assets-inventory-layouts.md#packages) is defined as software or library that is managed by package management systems. +The top 10 package managers widget lets you identify the leading package managers in your inventory. The quantities represent assets of package type. A [package asset](../../../manage-assets/assets-inventory-layouts.md#packages) is software or a library that package management systems manage. ### Repository freshness @@ -102,7 +102,7 @@ You can use the asset class filter to identify business-critical assets that are ### Application context availability -The application context availability widget allows you to discover gaps in the context of assets. The available columns include: +The application context availability widget lets you discover gaps in the context of assets. The available columns include: * **Application Context** - displays the analyzed context attribute. * **Unique Values** - shows how many unique instances exist for an attribute. For example, you can check how many unique applications or code owners are available for any of the listed attributes. @@ -113,9 +113,9 @@ The application context availability widget allows you to discover gaps in the c * Before reviewing this widget, ensure that the results are cleaned up by filtering out the "dummy" attribute values, such as "unknown", "-", and so on.\ You can clean up the values by selecting only the relevant values. -* Filtering by asset class allows you to identify business-critical repositories without a known code owner or associated application. -* Filtering by the "active" value of the repository freshness filter allows you to discover context gaps in repositories that are actively being developed. -* Reviewing the unique values allows you to spot gaps in context. For example, you may realize that the number of unique code owners does not match the number of teams. +* Filtering by asset class lets you identify business-critical repositories without a known code owner or associated application. +* Filtering by the "active" value of the repository freshness filter lets you discover context gaps in repositories that are actively being developed. +* Reviewing the unique values lets you spot gaps in context. For example, you may realize that the number of unique code owners does not match the number of teams. {% endhint %}

Application Context Availability

@@ -127,15 +127,15 @@ The asset source breakdown widget visualizes the quantities of detected assets f {% hint style="info" %} **Tips** -* The widget displays the net quantities of detected assets for each source. If an asset is detected in more than one source, it will be counted once for each detected source. -* When asset inventory quantities seem incomplete or exceed expectations, this widget will help you discover which integrations should be examined and potentially configured differently. +* The widget displays the net quantities of detected assets for each source. If Snyk detects an asset in more than one source, it counts the asset once for each detected source. +* When asset inventory quantities seem incomplete or exceed expectations, this widget helps you discover which integrations to examine and potentially configure differently. {% endhint %}

Asset source breakdown

## Issues Detail report -The Issues Detail report displays all known issues in all of your Projects that are being monitored by Snyk. The report provides issue details and which of your Projects are affected, providing links to fix information. +The Issues Detail report displays all known issues in all of your Projects that Snyk monitors. The report provides issue details and which of your Projects are affected, providing links to fix information. The Issues Detail report displays the number of issues as well as the number of unique vulnerabilities that make up the issues. @@ -147,9 +147,9 @@ For a table of only the unique vulnerabilities, use **Change Report** to switch ## Risk exposure report -This report gives you a single, consolidated view of your security risks. It allows you to quickly understand your risk exposure, track your progress in reducing it, and pinpoint high-risk areas. +This report gives you a single, consolidated view of your security risks. It lets you quickly understand your risk exposure, track your progress in reducing it, and pinpoint high-risk areas. -The Risk Exposure Report helps AppSec teams make quicker, more informed decisions. Rather than reviewing multiple reports, it provides a clear overview of the security landscape, allowing you to: +The Risk Exposure Report helps AppSec teams make quicker, more informed decisions. Rather than reviewing multiple reports, it provides a clear overview of the security landscape, letting you: * Make faster decisions by quickly identifying your biggest security challenges and where to focus your attention. * Prioritize effectively by using data to guide your mitigation efforts toward the areas that contribute the most risk. @@ -161,9 +161,9 @@ The Risk Exposure Report helps AppSec teams make quicker, more informed decision Choose your preferred severity source and automatically update selected severity throughout the report: -* **Snyk**: utilizing Snyk proprietary CVSS calculations and other factors, including the relative importance of the Linux distributor. -* **NVD CVSS**: leveraging severity scores from the National Vulnerability Database (NVD). -* **Non-SCA Severities:** For non-SCA issues (for example, Code, IaC), Snyk severity calculates High, Medium, and Low levels for specific code vulnerabilities and makes use of the Common Configuration Scoring System (CCSS) for IaC severity determinations +* **Snyk**: uses Snyk proprietary CVSS calculations and other factors, including the relative importance of the Linux distributor. +* **NVD CVSS**: uses severity scores from the National Vulnerability Database (NVD). +* **Non-SCA Severities:** For non-SCA issues (for example, Code, IaC), Snyk severity calculates High, Medium, and Low levels for specific code vulnerabilities and uses the Common Configuration Scoring System (CCSS) for IaC severity determinations The report includes two main sections to provide a comprehensive view of your risk landscape: diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/issue-columns-dictionary.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/issue-columns-dictionary.md index bc3e114ca3ce..9048451fd9a4 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/issue-columns-dictionary.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/issue-columns-dictionary.md @@ -1,6 +1,6 @@ # Issue columns dictionary -Snyk reporting includes many filters and columns, allowing users to develop refined views of the data and obtain the required insights with ease. Reaching accurate conclusions requires understanding the columns used and the meaning of the filters. This dictionary explains the meaning of the issue columns in Snyk Issues Detail report. +Snyk reporting includes many filters and columns, letting you develop refined views of the data and obtain the required insights. Reaching accurate conclusions requires understanding the columns used and the meaning of the filters. This dictionary explains the meaning of the issue columns in Snyk Issues Detail report. {% hint style="info" %} Each inner list is sorted alphabetically @@ -33,10 +33,10 @@ Describes the main attributes of the issue. * **PRODUCT NAME** - Snyk product name. * **SEVERITY** - Indicates the issue severity according to the analysis by a specific Snyk product. * **SCORE** - A score based on an analysis model. Priority score is released in General Availability, while Risk Score is in Early Access. For details, see [Priority Score vs Risk Score](../../prioritize-issues-for-fixing/priority-score-vs-risk-score.md). -* **REACHABILITY** - The reachability of the issue indicates whether the issue is related to a code element (function, module, class, etc) that are being called by the application and thus has a greater risk of exploitability. Allowed values: +* **REACHABILITY** - The reachability of the issue indicates whether the issue is related to a code element (function, module, class, and so on) that the application calls and thus has a greater risk of exploitability. Allowed values: * **Reachable** - A direct or indirect path was found from your application to the vulnerable code. * **No path found** - No path found from your application to the vulnerable code. Note that this value might change over time. - * **Not applicable** - Reachability is not relevant to the specific issue. This value will appear for languages that are not yet supported and for issues that are not Snyk Open Source vulnerabilities. + * **Not applicable** - Reachability is not relevant to the specific issue. This value appears for languages that are not yet supported and for issues that are not Snyk Open Source vulnerabilities. ## Issue vulnerability details @@ -62,7 +62,7 @@ The vulnerability details refer to various issue attributes that are being defin * **PROBLEM ID** - Snyk Vuln DB ID that uniquely identifies the vulnerability. * **PROBLEM TITLE** - The vulnerability name as described by Snyk. * **SEMVER VULNERABLE RANGE** - The vulnerable range of package versions (based on semantic versioning). -* **SNYK CVSS SCORE -** Snyk's CVSS (Common Vulnerability Scoring System) score. +* **SNYK CVSS SCORE -** The Snyk CVSS (Common Vulnerability Scoring System) score. * **VULNERABILITY PUBLICATION DATE** - Timestamp indicating when the vulnerability was published by Snyk. ## Issue context columns @@ -90,7 +90,7 @@ The context columns help you understand the impact and risk for an issue based o ### Asset context {% hint style="info" %} -When filtering issues by assets context, issues of archived assets will be excluded from the results +When filtering issues by assets context, Snyk excludes issues of archived assets from the results {% endhint %} * **ASSET CLASS**- specifies the business criticality of the asset (A, most critical - D, least critical). @@ -111,7 +111,7 @@ When filtering issues by assets context, issues of archived assets will be exclu Navigate to the [Application context for SCM integrations](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/application-context-for-scm-integrations) page for more details about enriching the application context data. {% hint style="info" %} -When filtering issues by application context, issues of archived assets will be excluded from the results +When filtering issues by application context, Snyk excludes issues of archived assets from the results {% endhint %} * **APPLICATION** - represents the application or service that the asset is associated with. diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/prevention-reports.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/prevention-reports.md index f4e595483417..966b11ad49fe 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/prevention-reports.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/prevention-reports.md @@ -21,7 +21,7 @@ To use this report, you must ensure you have installed the following prerequisit * Visual Studio 2019, 2022 and Snyk Security Plugin 1.1.47 or newer * Eclipse 2023.12 or newer and Snyk Security plugin 2.1.0 or newer -This report shows the adoption of Snyk testing in local development through the IDE plugins, using the CLI locally or incorporating Snyk Studio into agentic workflows. The report is available under the Change Report dropdown at the Group and Organization levels. +This report shows the adoption of Snyk testing in local development through the IDE plugins, using the CLI locally or incorporating Snyk Studio into agentic workflows. The report is available under the **Change Report** dropdown at the Group and Organization levels. {% hint style="info" %} This report focuses on the local developer experience and does not include the use of CI/CD. In addition, it does not show Organizations or developers that have never used the CLI, IDE, or Snyk Studio (through MCP). @@ -77,7 +77,7 @@ The following prerequisites and data limits apply: * Snyk Studio (MCP) * IDE * CLI -* SARIF files greater than 500 KB will not be included in the report’s results. +* SARIF files greater than 500 KB are not included in the report results. With this report, you get visibility into: @@ -105,7 +105,7 @@ A fix is generated when these conditions are met: Severity overrides are applied, and custom severities are reflected in the report. -Fixes and the fix rate can diverge. For example, if a developer or team gets numerous security findings that they do not fix, the fix rate may be lower than the total fixes. If a developer opens 5 branches, finds 5 issues, and fixes one of them, the fix rate is 20% and the total fixes are 1. +Fixes and the fix rate can diverge. For example, if a developer or team gets numerous security findings that they do not fix, the fix rate may be lower than the total fixes. If a developer opens five branches, finds five issues, and fixes one of them, the fix rate is 20% and the total fixes are one. ## Pull request checks usage & performance report @@ -115,7 +115,7 @@ Fixes and the fix rate can diverge. For example, if a developer or team gets num Snyk Pull request checks usage & performance report is in Generally Availability for Enterprise plan customers. For more information, visit [Plans and pricing](https://snyk.io/plans/). {% endhint %} -This report enables you to track and analyze the results and adoption of Snyk pull request checks. +This report lets you track and analyze the results and adoption of Snyk pull request checks. By monitoring trends in successful, failed, and errored PR checks, AppSec teams can detect and investigate spikes in failures and identify source and target configurations that need attention. Comparing current adoption against a previous period also surfaces whether coverage is improving or regressing over time while identifying the coverage gaps that need to be addressed. @@ -123,7 +123,7 @@ By monitoring trends in successful, failed, and errored PR checks, AppSec teams High level metrics provide an overview of how often PR checks are passing along with how often checks are being marked as successful to override a failed status. The PR checks by status over time trend gives you a weekly view of PR check outcomes while additional views break these outcomes down by specific scan types. -A high rate of failed PR checks may indicate emerging risk areas while a high rate of overridden checks may signal that developers are bypassing security gates and warrant further investigation. An increasing success rate over time can demonstrate that developers are producing more secure code earlier in your software development life cycle. +A high rate of failed PR checks may indicate emerging risk areas while a high rate of overridden checks may signal that developers are bypassing security gates and warrant further investigation. An increasing success rate over time can demonstrate that developers are producing more secure code earlier in your software development lifecycle.
@@ -151,7 +151,7 @@ PR check enablement for all targets and projects imported through an integration **Integrations With Scan Enabled** under the Group view counts enablement by integration settings for all integrations that exist under all the organizations under that group. -Repository status will be "N/A" under the repository view when a repository is new to Snyk or if the specific Snyk product does not apply (there are no projects for that product type imported for the target repository). +Repository status is "N/A" under the repository view when a repository is new to Snyk or if the specific Snyk product does not apply (there are no projects for that product type imported for the target repository).
@@ -248,7 +248,7 @@ Snyk Generated Pull Requests report is available only for Enterprise plan custom ### Access the report -The Generated Pull Requests report can be accessed at both Group and Organization level from the **Change Report** drop down in the Reports menu. +You can access the Generated Pull Requests report at both Group and Organization level from the **Change Report** dropdown in the Reports menu. This report type provides an overview of how [Fix](../../../scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-fix-prs.md), [Backlog](../../../scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-backlog-prs-for-previously-known-vulnerabilities.md), and [Upgrade PRs](../../../scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-upgrade-prs-for-new-dependency-upgrades.md) are used and highlights the efficiency of PR merges. @@ -262,7 +262,7 @@ The analytics report covers the following: * Visibility of issues. * Breakdown by repository for PR status. -The report summary enables you to check the total number of Snyk PRs created, the total pull requests merged, and the mean time to merge for those pull requests. +The report summary lets you check the total number of Snyk PRs created, the total pull requests merged, and the mean time to merge for those pull requests. ### Report features @@ -284,4 +284,4 @@ The **Projects/Org/Repository** table displays the number of Total, Open, Merged Select a repository name to open a modal containing additional metrics for that specific repository. -The repository breakdown details the number of PRs segmented by PR type and PR status. Merge rate is presented as a percentage for each row. It also lists the Projects within that repository, with the number of issues categorised by severity. +The repository breakdown details the number of PRs segmented by PR type and PR status. Merge rate is presented as a percentage for each row. It also lists the Projects in that repository, with the number of issues categorized by severity. diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/remediation-reports.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/remediation-reports.md index d35f2d88c650..884616427731 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/remediation-reports.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/remediation-reports.md @@ -13,38 +13,38 @@ The Issues Summary report highlights the value that Snyk is providing by enablin The report provides a glimpse into how well teams are optimizing the use of the Snyk platform for their workflow and provides a means to measure and improve security. -This report enables you to easily understand the current state and trends of the highest security risk items. This report also provides a quick view into where risk is coming from and where remediation efforts are most and least effective. +This report lets you understand the current state and trends of the highest security risk items. This report also provides a quick view into where risk is coming from and where remediation efforts are most and least effective. {% hint style="info" %} -Use the date filter in the upper right corner of the Issues Summary report to see key metrics and charts for a specified interval. The selected date range also impacts the compared period, which allows you to measure ‌progress across various key metrics. +Use the date filter in the upper-right corner of the Issues Summary report to see key metrics and charts for a specified interval. The selected date range also impacts the compared period, which lets you measure ‌progress across various key metrics. {% endhint %} -At the top of the report, you can follow key metrics associated with security issues in the selected date range with a comparison to the previous sequential period's results. This allows you to get insights on trends. See the tooltips in Snyk Web UI for definitions of the metrics. +At the top of the report, you can follow key metrics associated with security issues in the selected date range with a comparison to the previous sequential period's results. This gives you insights on trends. See the tooltips in Snyk Web UI for definitions of the metrics. The **Issues Identified and Resolved** trend captures the accumulated security issues that were identified and resolved during the selected date range. The gap between the two lines indicates the open issues backlog. -This visual trend allows you to identify if too many issues are being introduced, meaning that prevention should become a higher priority. Conversely, if not enough issues are being resolved, it means that you need to further analyze metrics such as MTTR and SLA. +This visual trend lets you identify if too many issues are being introduced, meaning that prevention should become a higher priority. Conversely, if not enough issues are being resolved, it means that you need to further analyze metrics such as MTTR and SLA. {% hint style="info" %} The Total Open issues metric at the top completes the picture for this trend, by showing the total open issues at the end of the selected period compared with the total open issues at the beginning of the selected date range. {% endhint %} -Reviewing the **Exposure Window** trend allows you to identify the capacity of security issues that are open within predefined periods. This is a relevant metric to follow when filtering by attributes such as severity, exploit maturity, or asset class. and ensuring that the most critical issues for sensitive assets are being remediated on time. +Reviewing the **Exposure Window** trend lets you identify the capacity of security issues that are open in predefined periods. This is a relevant metric to follow when filtering by attributes such as severity, exploit maturity, or asset class, and ensuring that the most critical issues for sensitive assets are being remediated on time. -The **Time to Resolve by Week** trend provides visibility on the number of issues remediated within predefined periods, allowing you to measure remediation performance over time. +The **Time to Resolve by Week** trend provides visibility on the number of issues remediated in predefined periods, letting you measure remediation performance over time. The **Risk breakdown** table helps you make data-driven decisions about where you need to focus. The tables allow you to review ‌performance metrics from several angles. Use the dimension picker to browse: -* **Projects** - Available at the Organization level. Allows you to pinpoint Projects that require your attention. +* **Projects** - Available at the Organization level. Lets you pinpoint Projects that require your attention. * **Organizations** - Available at the Group level. Surface Snyk Organizations based on their performance. * **Asset Classes** - Ensure that efforts are prioritized to secure the most sensitive assets first. -* **Introduction Categories** - Allows to determining if preventable issues are handled properly by looking at the percentage change of new preventable issues, as well as assessing the impact of new monitored assets on your AppSec Program. You can view this under the Baseline Issue category. +* **Introduction Categories** - Lets you determine if preventable issues are handled properly by looking at the percentage change of new preventable issues, as well as assessing the impact of new monitored assets on your AppSec Program. You can view this under the Baseline Issue category. ## SLA Management report -The report presents default SLA targets for each severity level based on common security standards, such as FedRAMP. These SLA targets can be modified to meet your own security requirements. +The report presents default SLA targets for each severity level based on common security standards, such as FedRAMP. You can modify these SLA targets to meet your own security requirements. The SLA status of an issue can be: @@ -58,12 +58,12 @@ You can control the SLA targets and the transition of issues to the “At Risk The SLA report includes additional filters under the SLA category, allowing for better identification of the age of issues in relation to the SLA target: -* **SLA status** - allows the filtering of the report according to a specific SLA status. -* **Issue age** - allows discovery of issues in a range of ages. -* **Time until breach** - identifies issues that will breach the SLA target in days. +* **SLA status** - filters the report according to a specific SLA status. +* **Issue age** - discovers issues in a range of ages. +* **Time until breach** - identifies issues that breach the SLA target in days. {% hint style="info" %} -The report is, by default, showing only issues that are with high or critical severity. Update the severity filter if you want to view the SLA status for additional severities. +By default, the report shows only issues with high or critical severity. Update the severity filter if you want to view the SLA status for additional severities. {% endhint %} You can share the report with predefined SLA targets by sharing the report URL or return to a predefined SLA report by bookmarking the web page in your browser. @@ -72,7 +72,7 @@ In the **Open issues** section, the **SLA severity breakdown** shows a distribut The **SLA trend** shows the cumulative SLA status of issues over time. -The **SLA breakdown table** allows you to compare the SLA compliance results of Organizations in the Group view, or Targets in the Organization view. The table is sorted by default according to the quantity of breached issues. +The **SLA breakdown table** lets you compare the SLA compliance results of Organizations in the Group view, or Targets in the Organization view. By default, the table is sorted according to the quantity of breached issues. The **Breached and at-risk open issues** table helps you prioritize issues based on their aging and SLA compliance status. You can use the **Modify Column** picker to add additional columns and learn more about the specific issues. @@ -86,7 +86,7 @@ You can review the SLA results for resolved issues and perform a retrospective a The Vulnerabilities Detail report is similar to the Issues Detail report but shows issues grouped by Snyk Problem ID ([see Snyk Vulnerability DB](https://security.snyk.io/vuln)). -You can easily see how many instances of a vulnerability exist and how many Projects are affected. Use this report to understand which vulnerabilities are most prevalent for both resolution and prevention use cases. +You can see how many instances of a vulnerability exist and how many Projects are affected. Use this report to understand which vulnerabilities are most prevalent for both resolution and prevention use cases. For a table of Total Issues, use Change Reports to switch to the Issues Detail report. @@ -102,12 +102,12 @@ This report addresses primary scenarios for managing and resolving emerging zero Use this report to discover your exposure to issues highlighted in a zero-day publication across various Targets and Projects. The report helps you prioritize zero-day issues and monitor the progress of remediation efforts against any remaining occurrences. -The [Security team at Snyk](https://snyk.io/platform/security-intelligence/) continuously updates the [Vulnerability Database](https://security.snyk.io/) with new vulnerabilities several times a day. When the team discovers a major new zero-day vulnerability—typically in a widely used package with high severity that affects many customers—it will be announced and addressed as a zero-day event. For more information about responding to these events, visit [Assessing active security incidents](remediation-reports.md#assessing-active-security-incidents). +The [Security team at Snyk](https://snyk.io/platform/security-intelligence/) continuously updates the [Vulnerability Database](https://security.snyk.io/) with new vulnerabilities several times a day. When the team discovers a major new zero-day vulnerability—typically in a widely used package with high severity that affects many customers—Snyk announces and addresses it as a zero-day event. For more information about responding to these events, visit [Assessing active security incidents](remediation-reports.md#assessing-active-security-incidents). Typically, prioritization is determined by either the Snyk [Risk Score](../../prioritize-issues-for-fixing/risk-score.md) or the NVD CVSS Score, with emphasis on addressing vulnerabilities in sensitive targets. Apply filters based on Project Lifecycle, Environment, or Project Criticality to identify and address these targets promptly. Gaining such insights depends on the [availability of Project attributes](../../../snyk-platform-administration/snyk-projects/project-attributes.md#available-attributes-and-their-values). For continuous monitoring of remediation progress and efficacy, refer to the trend diagrams.\ -The **Accumulative Issues Backlog Trend** diagram shows the weekly changes in the zero-day backlog by accumulating the weekly delta between identified and resolved issues. Use this diagram to ensure that your R\&D teams are reducing the zero-day backlog consistently, which will be indicated by a negative trend line. +The **Accumulative Issues Backlog Trend** diagram shows the weekly changes in the zero-day backlog by accumulating the weekly delta between identified and resolved issues. Use this diagram to ensure that your R\&D teams are reducing the zero-day backlog consistently, which a negative trend line indicates. In parallel, review the **Issues Identified versus Resolved over Time** diagram to conclude whether additional emphasis should be placed on preventing the introduction of new issues or on accelerating the remediation efforts. @@ -144,4 +144,4 @@ To understand the exposure, review the **Assets involved in the incident** table * The number of dependencies in a Project that match a known affected package. * When viewed at the Tenant-level, the Group and Organization of the asset. When viewed at the Group-level, the Organization of the asset. -After the zero-day incident is no longer active and your retests have been completed, the **Active security incident assessment** banner will disappear. Review the **All Issues** table to remediate any outstanding issues associated with this zero-day event. +After the zero-day incident is no longer active and your retests are complete, the **Active security incident assessment** banner disappears. Review the **All Issues** table to remediate any outstanding issues associated with this zero-day event. diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/README.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/README.md index aee50f04762c..bcda816f7790 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/README.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/README.md @@ -4,27 +4,27 @@ With the new Snowflake Data Share integration, your data science, BI, and AppSec Use this integration to enable teams to rapidly build exploratory and custom analytics using the Snowflake-supported ecosystem of tools. Customers can connect Snyk data to BI tools like Power BI, Tableau, and Looker Data Studio, or build custom Streamlit apps. -Having Snyk curated datasets directly in your Snowflake account is optimized for reporting use cases. It also allows you to combine Snyk data with additional data sources, which contributes to a complete AppSec view of your Organization. +Having Snyk curated datasets directly in your Snowflake account is optimized for reporting use cases. It also lets you combine Snyk data with additional data sources, which contributes to a complete AppSec view of your Organization. -## What is Snowflake dData Share? +## What is Snowflake Data Share? -[Snowflake Data Share](https://docs.snowflake.com/en/user-guide/data-sharing-intro.html) allows companies to provide data to their customers in a secure, simple, and quick manner. With Snowflake data shares, the data is not exchanged between the accounts; instead, the data consumer is granted read-only access to the shared database through their own Snowflake account. +[Snowflake Data Share](https://docs.snowflake.com/en/user-guide/data-sharing-intro.html) lets companies provide data to their customers in a secure, simple, and quick manner. With Snowflake data shares, the accounts do not exchange the data. Instead, the data consumer gets read-only access to the shared database through their own Snowflake account. ### Snowflake cost impact * Storage\ - As data is not being transferred during data sharing, there will be **no** additional storage costs attributed to your Snowflake account. + Because data sharing does not transfer data, no additional storage costs are attributed to your Snowflake account. * Compute Resources\ - Snowflake will charge for compute resources that are used to query the data share. + Snowflake charges for compute resources used to query the data share. ## Main use cases -The Snowflake Data Share can be used for various use cases and can answer countless security and business-related questions. Some of these use cases include: +You can use the Snowflake Data Share for various use cases and to answer countless security and business-related questions. Some of these use cases include: * Enhance the AppSec posture visibility for the CISO and management team.\ - Streamline Snyk data to your BI platforms and existing security dashboards and reflect performance metrics and KPI's, for example, MTTR, SLA compliance, remediation trends, and so on. + Streamline Snyk data to your BI platforms and existing security dashboards and reflect performance metrics and KPIs, for example, MTTR, SLA compliance, remediation trends, and so on. * Answer specific questions or surface unique insights.\ - Better understand risk exposure trends, such as tracking total issues above a specific risk score, only affects certain Project collections or tags across all Snyk Groups, whilst filtering for only main or master branches.\ + Better understand risk exposure trends, such as tracking total issues above a specific risk score, only affects certain Project collections or tags across all Snyk Groups, while filtering for only main or master branches.\ Measure the performance of the fix behavior against the SLA. For example, enter customer SLA targets and track progress toward them.\ Build custom prevention reporting to understand shift-left impact. For example, view trends in preventable Open Source vulnerabilities across all Snyk Groups, filtered by specific severities and risk scores. @@ -32,25 +32,25 @@ The Snowflake Data Share can be used for various use cases and can answer countl ### Request Snowflake Data Share access -Follow the steps below to request Snowflake Data Share access: +To request Snowflake Data Share access: 1. Contact your Snyk Account Executive to request access -2. Provide your Snyk contact person with the following Snowflake account details (find [here](https://docs.snowflake.com/en/user-guide/admin-account-identifier#finding-the-organization-and-account-name-for-an-account) the guidelines to trace your credentials): +2. Provide your Snyk contact person with the following Snowflake account details (see the [guidelines to trace your credentials](https://docs.snowflake.com/en/user-guide/admin-account-identifier#finding-the-organization-and-account-name-for-an-account)): * Account Name. * Organization Name. * If you prefer to limit the data share to a specific set of Snyk Groups, mention the relevant Group IDs (the ID is available in the Snyk Group Settings). -3. After Snyk receives the Snowflake account details, the team will prepare the Data Share. You should expect to see your data within 24 hours. +3. After Snyk receives the Snowflake account details, the team prepares the Data Share. Expect to see your data in 24 hours. ### Prepare to consume Snowflake Data Share -The data share will be provided as a Privately Shared Listing. If it is the first time that you consume Snowflake data share, proceed with the steps below; otherwise, proceed to [Create a database from Snyk Data Share](https://docs.snowflake.com/en/user-guide/data-share-consumers#creating-a-database-from-a-share): +Snyk provides the data share as a Privately Shared Listing. If it is the first time that you consume Snowflake data share, follow these steps. Otherwise, proceed to [Create a database from Snyk Data Share](https://docs.snowflake.com/en/user-guide/data-share-consumers#creating-a-database-from-a-share): 1. Your Snowflake Organization admin (requires ORGADMIN role) should [accept Snowflake Provider and Consumer Terms of Service](https://other-docs.snowflake.com/en/collaboration/consumer-becoming#accept-the-snowflake-provider-and-consumer-terms-of-service). 2. [Set up the required privileges](https://other-docs.snowflake.com/en/collaboration/consumer-becoming#set-up-required-privileges) (requires ACCOUNTADMIN role or another role with CREATE DATABASE and IMPORT SHARE privileges). ### Create a database from the Data Share -To get access and be able to query the data share, follow the steps below to create a database from the data share: +To get access and query the data share, create a database from the data share: 1. A Snowflake user with ACCOUNTADMIN role (or a role with CREATE DATABASE and IMPORT SHARE privileges) should [view the available shares](https://docs.snowflake.com/en/user-guide/data-share-consumers#viewing-available-shares). 2. [Create a database from the Snyk data share](https://docs.snowflake.com/en/user-guide/data-share-consumers#creating-a-database-from-a-share).\ @@ -64,7 +64,7 @@ To start populating your dashboard with Snyk data, Snyk has provided [use cases After you are familiar with building queries, Snyk encourages you to create custom queries tailored to your specific requirements. {% hint style="warning" %} -Do not use a `select *` statement. Snyk frequently updates the data shares offering with new fields. Wildcard selectors cause unexpected schema changes that break downstream automations, ETL pipelines, or reporting scripts to fail. To ensure long-term stability, explicitly define the columns required for your queries. +Do not use a `select *` statement. Snyk frequently updates the data shares offering with new fields. Wildcard selectors cause unexpected schema changes that break downstream automations, ETL pipelines, or reporting scripts. To ensure long-term stability, explicitly define the columns required for your queries. {% endhint %} {% hint style="info" %} @@ -75,7 +75,7 @@ For more information on how to use queries in Snowflake Data Share, see [Query D ### Data scope and accessibility -* The Snowflake Data Share is scoped to the data of a requested set of Snyk Groups. A customer can request access to all Snyk groups or to specific ones. +* The Snowflake Data Share is scoped to the data of a requested set of Snyk Groups. A customer can request access to all Snyk Groups or to specific ones. * Snyk shares all the data that is available for the requested Snyk Groups as exists in the Snyk database, with no additional limitations in the data share itself. * The data share itself is provided as a read-only database and is accessible according to Snowflake's standard role-based access control. @@ -98,4 +98,4 @@ Snowflake Change Tracking is enabled on all the tables that are included in our * **Retention period:** Changes are retained for two days. * **How to use:** You can query the change tracking metadata using the CHANGES clause provided by Snowflake. -For more information on how to utilize this feature, see [Snowflake's Change Tracking Documentation](https://docs.snowflake.com/en/sql-reference/constructs/changes). +For more information on how to use this feature, see the [Snowflake Change Tracking documentation](https://docs.snowflake.com/en/sql-reference/constructs/changes). diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/build-your-first-dashboard.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/build-your-first-dashboard.md index 5973d3cceaa1..4b6a9c03b0d1 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/build-your-first-dashboard.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/build-your-first-dashboard.md @@ -148,7 +148,7 @@ ORDER BY open_issues_aging DESC; -- Update based on the desired order The MTTR (Mean Time to Resolve) metric tracks the average time it takes to resolve a security issue. It is calculated based on issues that have already been resolved and is measured over a predefined period (typically monthly, quarterly, or annually) according to their last resolution date. -Analyzing the MTTR results provides insight into the the remediation velocity of engineering teams. However, it is important to always measure both MTTR and Aging, as issues that remain open for long periods won’t show up in the MTTR results until they are remediated. +Analyzing the MTTR results provides insight into the remediation velocity of engineering teams. However, it is important to always measure both MTTR and Aging, as issues that remain open for long periods do not show up in the MTTR results until they are remediated. ### Example query @@ -192,13 +192,13 @@ ORDER BY organization_display_name ASC; -- Update based on the desired o ### Business value -Remediating vulnerabilities is a crucial practice, however it slows down product development that drives companies' business. Due to this simple fact, engineering teams may neglect open vulnerabilities in favor of product development tasks. +Remediating vulnerabilities is a crucial practice. However, it slows down the product development that drives companies' business. As a result, engineering teams may neglect open vulnerabilities in favor of product development tasks. -Establishing a service-level agreement (SLA) for vulnerability remediation helps maintaining that fine balance and ensure that while moving forward with product development, evolving security risks are being addressed according to a clear and transparent policy. +Establishing a service-level agreement (SLA) for vulnerability remediation helps maintain that balance and ensures that while moving forward with product development, you address evolving security risks according to a clear and transparent policy. SLA targets define the acceptable exposure window for a vulnerability based on factors such as severity, business criticality of the asset, code ownership, or other risk factors. -Snyk issues data enables AppSec teams to track issue aging and identify which vulnerabilities have exceeded SLA targets. +Snyk issues data lets AppSec teams track issue aging and identify which vulnerabilities have exceeded SLA targets. ### Example query @@ -268,7 +268,7 @@ The example query can be extended to support various SLA use-cases, such as defi ### Business value -This section demonstrate how you can discover the adoption of Snyk IDE & CLI tests by your developers. Implementing AppSec testing during the development phase is regarded as one of the most cost-effective methods for preventing new security risks from reaching production. It is more efficient because developers are already in the right context to address issues before the code progresses further in the SDLC. Detecting issues in later stages requires developers to switch context and revisit the problem, which can be less efficient and more time-consuming. +This section demonstrates how you can discover the adoption of Snyk IDE and CLI tests by your developers. Implementing AppSec testing during the development phase is regarded as one of the most cost-effective methods for preventing new security risks from reaching production. It is more efficient because developers are already in the right context to address issues before the code progresses further in the SDLC. Detecting issues in later stages requires developers to switch context and revisit the problem, which can be less efficient and more time-consuming. ### Example query @@ -302,15 +302,15 @@ GROUP BY IDE, PRODUCT ### Business value -Preventing vulnerabilities from reaching production involves placing security gates throughout the software development lifecycle (SDLC). One of the most common gates is within the CI/CD pipeline, ensuring that any vulnerabilities missed in earlier stages are caught and blocked during the build process. +Preventing vulnerabilities from reaching production involves placing security gates throughout the software development lifecycle (SDLC). One of the most common gates is in the CI/CD pipeline, ensuring that any vulnerabilities missed in earlier stages are caught and blocked during the build process. -Leveraging Snyk Data Share enables you to assess the current adoption of tests and security gates within your CI/CD pipelines. +Using Snyk Data Share lets you assess the current adoption of tests and security gates in your CI/CD pipelines. ### Example query The query below returns the number of tested repositories, total tests, and the test % success rate per Snyk Product. -The results are based on tests executed in the CI/CD stage in the last 3 months. +The results are based on tests executed in the CI/CD stage in the last three months. ```sql SELECT @@ -345,7 +345,7 @@ A high rate of overridden checks may signal that developers are bypassing securi The query below returns the total number of pull requests, the count of PRs with at least one failed check, the count of PRs with at least one overridden check, the % of PRs with failed checks, and the % of PRs with overridden checks per target repository. -The results are based on PR checks executed in the last 4 months and filtered to only include monitored and non-deleted projects. +The results are based on PR checks executed in the last four months and filtered to only include monitored and non-deleted projects. You can also adapt this query to prioritize surfacing repositories that have a high rate of overridden checks. @@ -378,13 +378,13 @@ ORDER BY pct_prs_with_failed_checks DESC, pct_prs_with_overridden_checks DESC Tracking the volume of PR checks by their outcome over time can provide visibility into the overall health and trajectory of any shift-left strategy. By monitoring weekly trends in successful, failed, and errored checks, AppSec teams can detect and investigate spikes in failures and identify product configurations that need attention from error trends.\ \ -An increasing success rate over time can demonstrate that developers are producing more secure code earlier in your software development life cycle. +An increasing success rate over time can demonstrate that developers are producing more secure code earlier in your software development lifecycle. ### Example query The query below returns weekly counts of PR check groups by if the status was success, failure, or error. The aggregation is done on the pr check group id and using the pr check group state. -The results are based on PR check groups created in the last 6 months and filtered to only include monitored and non-deleted projects. +The results are based on PR check groups created in the last six months and filtered to only include monitored and non-deleted projects. ```sql SELECT @@ -419,9 +419,9 @@ Ensuring PR checks are enabled across your repositories is critical to preventin The query below returns PR check enablement status per repository for the current 30-day period vs. the preceding 30-day period for both Snyk Code and Snyk Open Source. -PR check enablement is resolved by combining project-level and integration-level settings. Project-level settings overrides take priority when they exist. Otherwise the integration settings apply. A repository is considered covered if at least one organization importing it has PR Checks enabled for all projects associated with that product type for at least one integration. +Snyk resolves PR check enablement by combining project-level and integration-level settings. Project-level setting overrides take priority when they exist. Otherwise, the integration settings apply. A repository is considered covered if at least one organization importing it has PR Checks enabled for all projects associated with that product type for at least one integration. -Results will be N/A when a repository is new to Snyk or if the specific Snyk product does not apply. +Results are N/A when a repository is new to Snyk or if the specific Snyk product does not apply. ```sql WITH diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/data-share-data-dictionary.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/data-share-data-dictionary.md index 405c243f833d..13084c3dad7a 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/data-share-data-dictionary.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/reporting-and-bi-integrations-snowflake-data-share/data-share-data-dictionary.md @@ -2,7 +2,7 @@ Snyk Data Share is a comprehensive dataset encompassing various data pillars that support a wide range of use cases. You can use this dataset to present key security metrics such as issue backlog, aging, MTTR, SLA compliance, and test coverage, as well as to prioritize issues based on different factors, such as risk score, severity, CVSS, EPSS, and many more. -This dictionary is designed to help you navigate the dataset efficiently. It provides clear explanations of the purpose of each table and the specific data contained in each column, enabling you to leverage the dataset to meet your data reporting needs. +This dictionary is designed to help you navigate the dataset efficiently. It provides clear explanations of the purpose of each table and the specific data contained in each column, so you can use the dataset to meet your data reporting needs. ## Data Share Tables @@ -29,7 +29,7 @@ The diagram above represents the objects listed in the data dictionary as a data > Version in use: v1.0 -The `GROUPS` table contains the main attributes of Snyk Groups. This data can be utilized to perform aggregations on the Group level or zoom into the scope of specific groups. +The `GROUPS` table contains the main attributes of Snyk Groups. You can use this data to perform aggregations on the Group level or zoom into the scope of specific Groups. | Column name | Data type | Description | | -------------- | -------------- | ------------------------------------------------------------------------------------- | @@ -45,10 +45,10 @@ The `GROUPS` table contains the main attributes of Snyk Groups. This data can be > Version in use: v1.0 -The `ORGS` table contains the main attributes of Snyk Organizations. This data can be utilized to perform aggregations on the organizational level or to zoom into the scope of specific organizations. +The `ORGS` table contains the main attributes of Snyk Organizations. You can use this data to perform aggregations on the organizational level or to zoom into the scope of specific Organizations. {% hint style="info" %} -The `group_public_id` column allows you to query organizations in specific groups. +The `group_public_id` column lets you query Organizations in specific Groups. {% endhint %} | Column name | Data type | Description | @@ -66,10 +66,10 @@ The `group_public_id` column allows you to query organizations in specific group > Version in use: v1.0 -ProjectThe `PROJECTS` table contains the main attributes of Snyk Projects and the related target. Its data can be utilized for performing aggregations of filters on the Project or target levels, including based on Project collections, Project tags, or specific repo branches (using `target_ref`). +The `PROJECTS` table contains the main attributes of Snyk Projects and the related target. You can use its data to perform aggregations of filters on the Project or target levels, including based on Project collections, Project tags, or specific repo branches (using `target_ref`). {% hint style="info" %} -Snyk Reports only presents monitored projects that were not deleted. To match your results with Snyk Reports, filter your query with `IS_MONITORED = TRUE` and `DELETE IS NULL.` +Snyk Reports only presents monitored Projects that were not deleted. To match your results with Snyk Reports, filter your query with `IS_MONITORED = TRUE` and `DELETE IS NULL.` {% endhint %} | Column name | Data type | Description | @@ -107,12 +107,12 @@ Snyk Reports only presents monitored projects that were not deleted. To match yo > Version in use: v1.0 -The `ISSUES` table contains various attributes of Snyk Issues. Issues can be easily correlated with their originating Project, target, Organization or Group, utilizing the corresponding ID columns. On top of the issue's basic attributes, such as its introduction date, type, severity, score, there are columns that elaborate on the vulnerability attributes, such as the CVSS score, EPSS Score, NVD Score. +The `ISSUES` table contains various attributes of Snyk Issues. You can correlate issues with their originating Project, target, Organization, or Group using the corresponding ID columns. On top of the issue's basic attributes, such as its introduction date, type, severity, and score, there are columns that elaborate on the vulnerability attributes, such as the CVSS score, EPSS Score, and NVD Score. -Querying the issues table allows: +Querying the issues table lets you: -* Concluding various metrics and KPIs, among issue backlog, aging, MTTR and SLA compliance. -* Visualizing trends of identified, ignored, and resolved issues over time +* Conclude various metrics and KPIs, among them issue backlog, aging, MTTR, and SLA compliance +* Visualize trends of identified, ignored, and resolved issues over time * Prioritize issues based on multiple factors and considerations {% hint style="info" %} @@ -173,7 +173,7 @@ If you would like to match your results with Snyk Reports: > Version in use: v1.0 -The `Dependencies` table allows you to identify issues based on their availability in direct dependencies. +The `Dependencies` table lets you identify issues based on their availability in direct dependencies. | Column name | Data type | Description | | ----------------------------- | --------- | --------------------------------------------------------------------------------------------------------------------------------- | @@ -188,13 +188,13 @@ The `Dependencies` table allows you to identify issues based on their availabili > Version in use: v1.0 -The `USAGE_EVENTS` table contains CLI interaction data that is collected from Snyk's CLI interfaces (CLI, IDE plugins, CI/CD pipeline tools). The CLI interaction events can be correlated with the execution context, such as their target, Organization, or Group, utilizing the corresponding ID columns. +The `USAGE_EVENTS` table contains CLI interaction data collected from the Snyk CLI interfaces (CLI, IDE plugins, CI/CD pipeline tools). You can correlate the CLI interaction events with the execution context, such as their target, Organization, or Group, using the corresponding ID columns. -Querying the `USAGE_EVENTS` table allows you to measure: +Querying the `USAGE_EVENTS` table lets you measure: -* Developers' usage and adoption of Snyk IDE plugins +* Developers' use and adoption of Snyk IDE plugins * Snyk tests in CI/CD pipelines -* Snyk CLI utilization per the different commands: test, monitor, SBOM, etc. +* Snyk CLI use per the different commands: test, monitor, SBOM, and so on | Column name | Data type | Description | | ----------------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | @@ -204,7 +204,7 @@ Querying the `USAGE_EVENTS` table allows you to measure: | `product_display_name` | varchar | The Snyk product used during this interaction, for example, Snyk Open Source, Snyk IaC, Snyk Code, Snyk Container. | | `runtime_application_name` | varchar | The application used to execute a snyk interaction, for example, PyCharm, Visual Studio, snyk-ls, snyk-cli. | | `runtime_application_version` | varchar | The version of the integration. | -| `runtime_application_data_schema_version` | varchar | The data schema version of Snyk's runtime interactions. The current version (v2) was released in Q2 2024. Prior versions' data may behave differently. | +| `runtime_application_data_schema_version` | varchar | The data schema version of the Snyk runtime interactions. The current version (v2) was released in Q2 2024. Data from earlier versions may behave differently. | | `interaction_type` | varchar | The type of interaction, could be **Scan done**. **Scan Done** indicates that a test was run no matter if the CLI or IDE ran it, other types can be freely chosen types. | | `interaction_categories` | array | The category vector used to describe the interaction in detail, for example, **oss**,**test**. | | `interaction_timestamp` | array | When the interaction was started in UTC. | @@ -228,7 +228,7 @@ Querying the `USAGE_EVENTS` table allows you to measure: > Version in use: v1.0 -The `ISSUE_JIRA_ISSUES` table allows correlation between Snyk issues and assigned Jira issues. As Snyk enables more than one type of Jira integration, it is important to emphasize that the Jira issues that are available in the dataset originated from this [Jira integration](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/jira-and-slack-integrations/jira-integration). +The `ISSUE_JIRA_ISSUES` table lets you correlate Snyk issues with assigned Jira issues. Because Snyk supports more than one type of Jira integration, note that the Jira issues available in the dataset originated from this [Jira integration](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/jira-and-slack-integrations/jira-integration). | Column name | Data type | Description | | ---------------------- | -------------- | ---------------------------------------------------------------------------------------------- | @@ -263,7 +263,7 @@ If you would like to match your results with Snyk Reports: * Aggregate results based on the `pr_check_group_id` and the `pr_check_group_state` {% endhint %} -
Column nameData typeDescription
public_idvarcharA universally unique identifier for a PR Check, assigned in the records source database.
pr_check_group_idvarcharIdentifier of the parent pull request check group.
test_idvarcharIdentifier of the test results associated with the test-service.
project_public_idvarcharA universally unique identifier for a project, assigned in the record's source database.
org_public_idvarcharA universally unique identifier for an organization, assigned in the record's source database.
group_public_idvarcharA universally unique identifier for a group, assigned in the record's source database.
asset_idvarcharIdentifier of the asset linked to the project.
parent_asset_idvarcharIdentifier of the repository parent asset linked to the project.
pr_check_created_attimestamp_ntzTimestamp when the pull request check was created.
pr_check_modified_attimestamp_ntzTimestamp when the pull request check was last updated.
check_group_created_attimestamp_ntzTimestamp when the parent check group was created.
check_group_modified_attimestamp_ntzTimestamp when the parent check group was last updated.
product_namevarcharThe Snyk Product associated with the check (for example, Snyk Open Source, Snyk Code).
pr_check_statevarcharThe check status for the particular product type. The status will be success if the check passed under the policy settings in force and failure if an issue violating the policy was found. An error status indicates there was a problem running the check.
pr_check_group_statevarcharThe status for the parent check group.
marked_as_successbooleanTrue if the check failed due to a policy violation but the result was manually overridden by a user. This allows PRs to be merged despite security findings.
pr_check_result_descriptionvarcharSummary of the check results.
settings_policyvarcharDescription of the policy applied to the check run (e.g. only_new vs all).
settings_severity_thresholdvarcharSettings for the severity threshold at which the pull request check fails.
is_settings_fail_only_fixablebooleanFlag indicating if the check was configured to fail only on fixable issues.
old_version_shavarcharCommit SHA for the base revision used in the scan.
new_version_shavarcharCommit SHA for the head revision used in the scan.
merge_base_version_shavarcharCommit SHA for the merge base between the compared revisions.
pull_data_refvarcharReference of the pull request that triggered the check.
error_messagevarcharHuman-readable error message when the check resulted in an error state.
error_codevarcharSnyk error catalog code identifying the type of error (for example, SNYK-PR-CHECK-0009).
error_statusvarcharHTTP status code associated with the error.
error_catalog_urlvarcharURL to the Snyk error catalog documentation page for the specific error code.
error_classificationvarcharACTIONABLE indicates that the input is not in a format or state usable by Snyk, but there are steps you can take to resolve the issue. UNSUPPORTED indicates that Snyk cannot handle the data sent. For example, a project that uses a version of Python that is no longer supported.
__updated_attimestamp_ntzWhen the data share data transformation last updated this record.
+
Column nameData typeDescription
public_idvarcharA universally unique identifier for a PR Check, assigned in the records source database.
pr_check_group_idvarcharIdentifier of the parent pull request check group.
test_idvarcharIdentifier of the test results associated with the test-service.
project_public_idvarcharA universally unique identifier for a project, assigned in the record's source database.
org_public_idvarcharA universally unique identifier for an organization, assigned in the record's source database.
group_public_idvarcharA universally unique identifier for a group, assigned in the record's source database.
asset_idvarcharIdentifier of the asset linked to the project.
parent_asset_idvarcharIdentifier of the repository parent asset linked to the project.
pr_check_created_attimestamp_ntzTimestamp when the pull request check was created.
pr_check_modified_attimestamp_ntzTimestamp when the pull request check was last updated.
check_group_created_attimestamp_ntzTimestamp when the parent check group was created.
check_group_modified_attimestamp_ntzTimestamp when the parent check group was last updated.
product_namevarcharThe Snyk Product associated with the check (for example, Snyk Open Source, Snyk Code).
pr_check_statevarcharThe check status for the particular product type. The status is success if the check passed under the policy settings in force and failure if an issue violating the policy was found. An error status indicates there was a problem running the check.
pr_check_group_statevarcharThe status for the parent check group.
marked_as_successbooleanTrue if the check failed due to a policy violation but a user manually overrode the result. This lets users merge PRs despite security findings.
pr_check_result_descriptionvarcharSummary of the check results.
settings_policyvarcharDescription of the policy applied to the check run (for example, only_new vs all).
settings_severity_thresholdvarcharSettings for the severity threshold at which the pull request check fails.
is_settings_fail_only_fixablebooleanFlag indicating if the check was configured to fail only on fixable issues.
old_version_shavarcharCommit SHA for the base revision used in the scan.
new_version_shavarcharCommit SHA for the head revision used in the scan.
merge_base_version_shavarcharCommit SHA for the merge base between the compared revisions.
pull_data_refvarcharReference of the pull request that triggered the check.
error_messagevarcharHuman-readable error message when the check resulted in an error state.
error_codevarcharSnyk error catalog code identifying the type of error (for example, SNYK-PR-CHECK-0009).
error_statusvarcharHTTP status code associated with the error.
error_catalog_urlvarcharURL to the Snyk error catalog documentation page for the specific error code.
error_classificationvarcharACTIONABLE indicates that the input is not in a format or state usable by Snyk, but there are steps you can take to resolve the issue. UNSUPPORTED indicates that Snyk cannot handle the data sent. For example, a project that uses a version of Python that is no longer supported.
__updated_attimestamp_ntzWhen the data share data transformation last updated this record.
### PR Checks Integration Adoption @@ -334,8 +334,8 @@ The `PR_CHECK_PROJECT_ADOPTION` table tracks pull request (PR) check configurati | `target_deleted` | timestamp\_ntz | Timestamp when the target containing the project was deleted, if applicable. | | `is_project_monitored_historical` | boolean | Historical flag indicating if the project was monitored during this historical period. | | `project_deleted_historical` | boolean | Historical flag from registry indicating if the project was deleted during this period. | -| `test_pull_requests` | boolean | Flag indicating if PR testing is enabled for the project, will be null if inheriting from integration settings. | -| `pull_requests_policy` | varchar | Policy for PR checks setting (for example, only\_new, all), will be null if inheriting from integration settings. | -| `pull_requests_severity_threshold` | varchar | Severity threshold at which PR checks are set to fail, will be null if inheriting from integration settings. | -| `is_pull_request_fail_only_for_issues_with_fix` | boolean | Flag indicating if open-source PR checks are only set to fail for issues with available fixes, will be null if inheriting from integration settings. | +| `test_pull_requests` | boolean | Flag indicating if PR testing is enabled for the project, null if inheriting from integration settings. | +| `pull_requests_policy` | varchar | Policy for PR checks setting (for example, only\_new, all), null if inheriting from integration settings. | +| `pull_requests_severity_threshold` | varchar | Severity threshold at which PR checks are set to fail, null if inheriting from integration settings. | +| `is_pull_request_fail_only_for_issues_with_fix` | boolean | Flag indicating if open-source PR checks are only set to fail for issues with available fixes, null if inheriting from integration settings. | | `__updated_at` | timestamp\_ntz | When the data share data transformation last updated this record. | diff --git a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/troubleshooting-snyk-reports.md b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/troubleshooting-snyk-reports.md index 50e107fece43..388713c33147 100644 --- a/scan-fix-and-prevent/manage-risk/analytics/reports-tab/troubleshooting-snyk-reports.md +++ b/scan-fix-and-prevent/manage-risk/analytics/reports-tab/troubleshooting-snyk-reports.md @@ -2,7 +2,7 @@ ## Access to reporting -If reporting is not loading in the Snyk UI, follow these troubleshooting steps that may help resolve the issue. +If reporting is not loading in the Snyk Web UI, follow these troubleshooting steps to help resolve the issue. {% hint style="info" %} Allowlisting may be necessary due to some firewall settings. If allowlisting snyk.io was required for the initial implementation, additional allowlisting may be needed for new reporting access. Contact your account team for more information. @@ -16,17 +16,17 @@ Resolved issues are issues detected in the previous scan snapshot that no longer \ Changes in the Snyk code **resolved** column between snapshots may occur for any of the following reasons: -* The issue was fixed between the two scans and is therefore marked as resolved. -* The engine rules were improved, which may change the scan results.\ - This may add new issues or resolve previously detected issues. -* The code changed in a way that caused the issue to be defined differently, thus changing the issue ID.\ +* The issue was fixed between the two scans and is marked as resolved. +* The engine rules were improved, which can change the scan results.\ + This can add new issues or resolve previously detected issues. +* The code changed in a way that caused the issue to be defined differently, changing the issue ID.\ In this situation, the original issue ID is marked as **resolved,** and a new issue ID is created. ## Data freshness -Data is available in reporting approximately one hour after a scan occurs. Data refreshes hourly and should, therefore, always be updated within two hours. Note the exception for ignores that follows. +Data is available in reporting approximately one hour after a scan occurs. Data refreshes hourly and so is always updated in two hours. Note the exception for ignores that follows. -When you navigate to **Inventory** > **All Assets** and other inventory views from a filter in the **Asset Dashboard** report or **Inventory Overview**, you may see a notification indicating that data is still being processed and temporary inconsistencies may occur. The data source for the Inventory pages differs from that of the Reporting pages, leading to temporary discrepancies. +When you navigate to **Inventory** > **All Assets** and other inventory views from a filter in the **Asset Dashboard** report or **Inventory Overview**, you might see a notification indicating that data is still being processed and temporary inconsistencies can occur. The data source for the Inventory pages differs from that of the Reporting pages, leading to temporary discrepancies. ## Ignores in reporting @@ -40,14 +40,14 @@ Tables in PDF exports are limited to 50 results. A link is available at the bott Session data is shared between browser tabs. Snyk recommends you have reporting tabs for one Group or one Organization open in the browser at any one time because having tabs open for different Groups or Organizations can result in unexpected behavior. -Customers may experience an error if hundreds of filter values are applied on a page. This is the result of the [stateful URLs for filtered views](./#stateful-urls-for-filtered-views) capability and a URL length limit. If you experience an error with many filter values applied, consider alternate filter mechanisms such as [Project collections](../../../snyk-platform-administration/snyk-projects/project-collections-groupings/project-collections.md). +You might experience an error if you apply hundreds of filter values on a page. This is the result of the [stateful URLs for filtered views](./#stateful-urls-for-filtered-views) capability and a URL length limit. If you experience an error with many filter values applied, consider alternate filter mechanisms such as [Project collections](../../../snyk-platform-administration/snyk-projects/project-collections-groupings/project-collections.md). ## Filtered views -The way filtered views are managed in the URL may change over time. +The way filtered views are managed in the URL can change over time. If the view changes, you can generate a new filtered URL in the Snyk Web UI and save it as a bookmark or share it with others. ## Deactivated Projects -Deactivated Projects and their respective results will not appear in the Reports area. +Deactivated Projects and their respective results do not appear in the Reports area. diff --git a/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/README.md b/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/README.md index d50f8ffb0f65..fa1de13c439c 100644 --- a/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/README.md +++ b/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/README.md @@ -12,7 +12,7 @@ For both dependencies and licenses, you can filter by Project or other filter cr * From the **Filters** dropdown, check the applicable boxes to filter by [Severity level](../prioritize-issues-for-fixing/severity-levels.md) or Project type. {% hint style="info" %} -Results from the Dockerfile Project type are filtered out by default in the filter criteria as they can result in duplication of results from scans of the images resulting from building the Dockerfiles. To match results from [AP](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/reporting-api-v1)I calls, either filter out Dockerfiles from the API results or turn on Dockfiles in the Project type column of the filter. +Results from the Dockerfile Project type are filtered out by default in the filter criteria as they can result in duplication of results from scans of the images resulting from building the Dockerfiles. To match results from [API](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/reporting-api-v1) calls, either filter out Dockerfiles from the API results or turn on Dockerfiles in the Project type column of the filter. {% endhint %} {% hint style="info" %} diff --git a/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-dependencies.md b/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-dependencies.md index 5040cb7676cb..4bb2004a8be9 100644 --- a/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-dependencies.md +++ b/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-dependencies.md @@ -1,6 +1,6 @@ # View dependencies -The **Dependencies** tab acts as a Bill Of Materials (BOM) for all dependencies in all Projects in the selected Organization. This allows you to quickly and easily identify which Projects have a specific version of a dependency. +The **Dependencies** tab acts as a Bill Of Materials (BOM) for all dependencies in all Projects in the selected Organization. This lets you identify which Projects have a specific version of a dependency. Dependency reports show details about the packages included in your Projects, including their full names, the version of the package used, the Projects in which they are used, and a summary of the issues they contain. @@ -8,7 +8,7 @@ Examining the details for each package can help you determine the dependency hea ## Field details -
ElementDescription
Dependencies

The full package names of the dependencies contained in at least one of your Projects. Click the link to view the detailed Package page.

For npm only, a warning icon appears next to the package name if a package is deprecated.

VersionThe version of the package used in your Projects. Use this and the Latest Version to see the difference between your current package version and the most recent package version available.
Latest version and Last publish

The most recent version updated by a maintainer for this package in its repository, and the last time a new version of the package was published by a maintainer. Look at these dates to help you determine the maturity of the package and activity frequency


Latest version and Last publish are supported for npm and Maven only.

VulnerabilitiesEach row shows the icon of the associated severity for the issues, Critical, High, Medium, Low. The vulnerabilities shown in the table are the total number of vulnerable paths associated with that dependency and version across all Snyk Projects. For example, if there is a dependency with one critical vulnerability in two Snyk Projects, but in one of those Projects the dependency (vulnerability) is brought in on two paths, Snyk shows three critical vulnerabilities associated with the dependency on the Dependencies tab.
License

The license or licenses used by this package. These can be:

Known license name: Snyk identified the package and its associated license type, and this information is shown in the list.
Unknown: Snyk identified the package but could not identify its associated license type.
Blank: Snyk could not identify the package and therefore has no license or other information for the package.

Copyrights (until January 8, 2024)For npm, PyPI, and Maven, copyright information for the license.
ProjectsThe Projects in which this package is used by your Organization.
Dependencies with issuesA link to the dependencies in the package that have issues, with details about those issues.
+
ElementDescription
Dependencies

The full package names of the dependencies contained in at least one of your Projects. Click the link to view the detailed Package page.

For npm only, a warning icon appears next to the package name when a package is deprecated.

VersionThe version of the package used in your Projects. Use this and the Latest Version to see the difference between your current package version and the most recent package version available.
Latest version and Last publish

The most recent version updated by a maintainer for this package in its repository, and the last time a new version of the package was published by a maintainer. Look at these dates to help you determine the maturity of the package and activity frequency


Latest version and Last publish are supported for npm and Maven only.

VulnerabilitiesEach row shows the icon of the associated severity for the issues, Critical, High, Medium, Low. The vulnerabilities shown in the table are the total number of vulnerable paths associated with that dependency and version across all Snyk Projects. For example, if there is a dependency with one critical vulnerability in two Snyk Projects, but in one of those Projects the dependency (vulnerability) is brought in on two paths, Snyk shows three critical vulnerabilities associated with the dependency on the Dependencies tab.
License

The license or licenses used by this package. These can be:

Known license name: Snyk identified the package and its associated license type, and this information is shown in the list.
Unknown: Snyk identified the package but could not identify its associated license type.
Blank: Snyk could not identify the package and therefore has no license or other information for the package.

Copyrights (until January 8, 2024)For npm, PyPI, and Maven, copyright information for the license.
ProjectsThe Projects in which this package is used by your Organization.
Dependencies with issuesA link to the dependencies in the package that have issues, with details about those issues.
## Dependencies tab actions diff --git a/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-licenses.md b/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-licenses.md index 5a7fa77edd3d..a02a5f27b709 100644 --- a/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-licenses.md +++ b/scan-fix-and-prevent/manage-risk/dependencies-and-licenses/view-licenses.md @@ -1,6 +1,6 @@ # View licenses -The **Licenses** tab displays all licenses detected for your Projects, with summaries of all dependencies in your Projects and all of your Projects using the license. This allows you to see which Projects and dependencies have a license. +The **Licenses** tab displays all licenses detected for your Projects, with summaries of all dependencies in your Projects and all of your Projects using the license. This lets you see which Projects and dependencies have a license. ## **Field details** @@ -10,5 +10,5 @@ The **Licenses** tab displays all licenses detected for your Projects, with summ The actions appear at the top of the tab. -* **Search for Licenses**: Enter free text and begins searching with the first character you type. You can also select multiple packages from the dropdown list that opens when you click the field. You can also click the **Select All** or **Deselect All** links that appear dynamically in the dropdown list. +* **Search for Licenses**: Enter free text. Searching begins with the first character you type. You can also select multiple packages from the dropdown list that opens when you click the field. You can also click the **Select All** or **Deselect All** links that appear dynamically in the dropdown list. * **Export as CSV**: Export issue data in CSV file format. diff --git a/scan-fix-and-prevent/manage-risk/policies/README.md b/scan-fix-and-prevent/manage-risk/policies/README.md index 17a5701bb59a..f48f04c90139 100644 --- a/scan-fix-and-prevent/manage-risk/policies/README.md +++ b/scan-fix-and-prevent/manage-risk/policies/README.md @@ -5,10 +5,10 @@ Policies are available only with Snyk Enterprise plans and apply only to Snyk Open Source scans. For more information, see [plans and pricing](https://snyk.io/plans/). -The `.snyk` file is a policy file that Snyk uses to define specific analysis behaviors for Open Source, Snyk Code, and Snyk IaC. and to specify patches for the CLI and CI/CD plugins. See [The .snyk file](the-.snyk-file.md) for details. +The `.snyk` file is a policy file that Snyk uses to define specific analysis behaviors for Open Source, Snyk Code, and Snyk IaC, and to specify patches for the CLI and CI/CD plugins. See [The .snyk file](the-.snyk-file.md) for details. {% endhint %} -Snyk policies contain rules to define how Snyk behaves when encountering specific types of Open Source issues. With policies, you can identify types of issues based on conditions, such as `no exploit available`, and then apply actions to these issues, such as changing the severity. Thus by using customizable Snyk policies, you can define actions for specific types of issues encountered in scanning. +Snyk policies contain rules to define how Snyk behaves when encountering specific types of Open Source issues. With policies, you can identify types of issues based on conditions, such as `no exploit available`, and then apply actions to these issues, such as changing the severity. Using customizable Snyk policies, you can define actions for specific types of issues encountered in scanning.
Snyk Policy manager

Snyk Policy manager

@@ -16,7 +16,7 @@ Using the Snyk Policy Manager, you can view, create, and edit policies. For deta ## Benefits of Snyk policies -Policies give you a quick and automated way to identify and triage issues that are irrelevant to or unimportant in your application development. This reduces the noise level, saving valuable development time and allowing developers to take more responsibility for and ownership of security. +Policies give you a quick and automated way to identify and triage issues that are irrelevant to or unimportant in your application development. This reduces the noise level, saving valuable development time and letting developers take more responsibility for and ownership of security. Policies help prioritize issues to address and can ensure vulnerable or non-compliant components do not escape notice. Policies are part of the governance framework of your company. diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/README.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/README.md index c5c522781e3d..6e336738f852 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/README.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/README.md @@ -2,12 +2,12 @@ ## Overview -With Policies, you can easily automate the process of adding business context and receiving notifications. +With Policies, you can automate the process of adding business context and receiving notifications. {% hint style="info" %} -After a policy is created, it is run in a maximum of 3 hours after creation, then once every 3 hours. +After a policy is created, it runs in a maximum of three hours after creation, then once every three hours. -If your policy is set to run daily, then the policy is run 3 hours after the 24-hour period ends. You can always manually run a policy by using the Run button. +If your policy is set to run daily, then the policy runs three hours after the 24-hour period ends. You can always manually run a policy by using the Run button. {% endhint %} Access the Snyk Essentials policies by positioning yourself at the Group level, selecting **Policies**, then **Assets**. @@ -16,7 +16,7 @@ Access the Snyk Essentials policies by positioning yourself at the Group level, [Manage assets](../../../manage-assets/manage-assets.md) and [assets policies](./) are interconnected. Before setting up any new policy, ensure you have reviewed and filtered your assets from the Inventory menu. {% endhint %} -## Use Cases +## Use cases You can create policies for organizing the assets, classifying them, and always being up to date with the latest information about an asset.\ Common use cases for policies include: @@ -28,9 +28,9 @@ Common use cases for policies include: ### New asset notifications -Notify members of the AppSec team when new assets meeting certain criteria are discovered. For example, you may send a Slack message to the infra team if new repository assets that leverage Terraform as a technology are detected by Snyk Essentials. +Notify members of the AppSec team when new assets meeting certain criteria are discovered. For example, you can send a Slack message to the infra team if Snyk Essentials detects new repository assets that use Terraform as a technology. -When setting up a notification action (email or Slack) for a policy, you can include a link to the relevant assets. Each notification will list all the assets impacted by the policy. You can view the assets individually, or you can see a summary of all the assets by clicking the **Click Here** option in the notification. The list of assets displayed in the email notification is automatically generated. +When setting up a notification action (email or Slack) for a policy, you can include a link to the relevant assets. Each notification lists all the assets impacted by the policy. You can view the assets individually, or you can see a summary of all the assets by clicking the **Click Here** option in the notification. The list of assets displayed in the email notification is automatically generated. ### Asset classification diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/create-policies.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/create-policies.md index 68bad5288f2a..4e1697b7a63f 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/create-policies.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/create-policies.md @@ -5,7 +5,7 @@ Snyk Essentials includes a powerful policy editor for creating and modifying pol There are two steps to building policies: 1. [Define filters](create-policies.md#define-filters) - Set filter conditions on asset properties. -2. [Set actions](create-policies.md#set-actions) - Define actions to be taken on filtered assets. +2. [Set actions](create-policies.md#set-actions) - Define actions to take on filtered assets. ## New policy @@ -13,19 +13,19 @@ You can create a new policy using the **Start from scratch** option or choose on ### Start from scratch - policy creation -To create a new policy, you have to click the **New Policy** option from the Policies/Assets view and select the **Start from scratch** option. +To create a new policy, click the **New Policy** option from the Policies/Assets view and select the **Start from scratch** option. -You must name your policy and, optionally, provide a description of the policy. After you complete these steps you have to [define the filters ](create-policies.md#define-filters)and [set the actions](create-policies.md#set-actions) of your policy. +You must name your policy and, optionally, provide a description of the policy. After you complete these steps, [define the filters ](create-policies.md#define-filters)and [set the actions](create-policies.md#set-actions) of your policy. ### Use a template - policy creation -You can create a new policy by using one of the available templates. To select one of the policy templates, you have to click the **New Policy** option from the Policies/Assets view and select the **Use a template** option. You can select one of the templates from the templates library by clicking the **Use template** button from the policy template card. +You can create a new policy by using one of the available templates. To select one of the policy templates, click the **New Policy** option from the Policies/Assets view and select the **Use a template** option. You can select one of the templates from the templates library by clicking the **Use template** button from the policy template card. Each policy template has a name, a description, and displays the graphic connections between filters and actions. You can customize the filters and actions or use the template as is. After finishing all the template changes, click the **Save** button to create the new policy. -## Define Filters +## Define filters {% hint style="info" %} **Release status** @@ -41,12 +41,12 @@ You can specify more than one filter component with an **And** or **Or** operato ## Set actions -After defining filter components, you need to define the actions that the policy has to perform on the filtered assets. Asset policies support the following actions: +After defining filter components, you need to define the actions that the policy must perform on the filtered assets. Asset policies support the following actions: * **Send Email** - Receive an email every time there are asset updates. You can choose between daily emails or scheduling the checks. You can include a link to the relevant assets. Each notification lists all impacted assets. You can view them individually or see the aggregated view by clicking **Click Here**. The list of assets displayed in the email notification is automatically generated. * **Send Slack Message** - Receive a Slack notification every time there are asset updates. You need to add your [Slack webhook URL](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/jira-and-slack-integrations/slack-integration), then you can choose between daily emails or scheduling the checks. You can include a link to the relevant assets. Each notification lists all impacted assets. You can view them individually or see the aggregated view by clicking **Click Here**. The list of assets displayed in the email notification is automatically generated. -* **Set Asset Class** - Sets the class on the matched assets. Removing the policy or turning in off does not retroactively change the asset class back to default. -* **Set Asset Tag** - Sets a tag on the matched assets. Removing the policy or turning in off will remove the tags of this policy from the relevant assets. -* **Set Coverage Control Policy** - Sets a control on filtered assets that checks whether selected security products are scanning assets, optionally within a given timeframe. Assets that fail this control will be marked accordingly on inventory pages. This control applies the OR logic across products. +* **Set Asset Class** - Sets the class on the matched assets. Removing the policy or turning it off does not retroactively change the asset class back to default. +* **Set Asset Tag** - Sets a tag on the matched assets. Removing the policy or turning it off removes the tags of this policy from the relevant assets. +* **Set Coverage Control Policy** - Sets a control on filtered assets that checks whether selected security products are scanning assets, optionally in a given timeframe. Assets that fail this control are marked accordingly on inventory pages. This control applies the OR logic across products. The editor supports multiple flows for the same policy. The flows can be independent or intersect. diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/implement-policies.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/implement-policies.md index 232c05cbb4f1..f0195be70a9b 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/implement-policies.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/implement-policies.md @@ -1,6 +1,6 @@ # Implement policies -All policies that you add to a project help you to better monitor your assets and automate the business context by always receiving notifications about occurring changes. +All policies that you add to a Project help you to better monitor your assets and automate the business context by always receiving notifications about occurring changes. ## Policy functionalities @@ -13,7 +13,7 @@ Access the main view of the Policy function to see a list of all your policies a You can hover over a policy to gain access to extra details: * **Go to flow** - Opens the policy. -* **Edit name and description** - Allows you to edit the name and description of the policy. +* **Edit name and description** - Lets you edit the name and description of the policy. * **Clone** - Duplicates the policy. * **Delete** - Removes the policy. @@ -27,13 +27,13 @@ You can run a simulation to get an overview of how the policy is working. A numb ### Run the policy -All policies are automatically run in a maximum of 3 hours after creation, then every 3 hours. You can manually run a policy by clicking Run to apply the policy to your assets. Changes are applied automatically to your assets by implementing the actions you set on the policy. +All policies are automatically run in a maximum of three hours after creation, then every three hours. You can manually run a policy by clicking **Run** to apply the policy to your assets. Changes are applied automatically to your assets by implementing the actions you set on the policy. You can also add an **AND** **Send email** or **Send Slack notification** action to be notified after the policy is successfully run. ### Edit a policy -Click Edit to change the settings of your policies. You can change, add, or remove information from both the Filters and Actions fields. +Click **Edit** to change the settings of your policies. You can change, add, or remove information from both the Filters and Actions fields. {% hint style="info" %} You cannot revert changes to a policy to its initial state. diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/classification-policy.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/classification-policy.md index bde2cf7d393e..efcaf83d3e32 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/classification-policy.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/classification-policy.md @@ -13,7 +13,7 @@ Snyk Essentials identifies GitHub and GitLab topics as asset labels. Use the classification policy to give business context to your application. When you set up a classification policy, all your assets are automatically classified. -If you just started using the classification policy, the recommendation is to focus first on the Class D assets, since they are the least important. +If you are new to the classification policy, the recommendation is to focus first on the Class D assets, since they are the least important. The following example filters the assets that contain `sandbox`, `test`, and `to-delete` in their names. In Snyk Essentials, GitHub and GitLab topics are pulled in from the SCM integration and applied to repository assets, so if topics like `PCI-Compliance` have been added to repos in the SCM, Snyk can take those tags in Snyk Essentials and classify those assets as Class A. diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-and-coverage-gap-policies.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-and-coverage-gap-policies.md index 52db47df7f0c..6210175a3d3e 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-and-coverage-gap-policies.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-and-coverage-gap-policies.md @@ -26,7 +26,7 @@ Snyk Essentials includes a default asset policy to highlight potential coverage Identifying coverage gaps using this policy is SCM integration dependent, meaning that it does not flag coverage gaps when there are no language tags found. -You can use this policy as a template, edit, update and delete it. +You can use this policy as a template, edit, update, and delete it. ### Exclude all products diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-control-policy.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-control-policy.md index 1909a1368379..66f8a73989b8 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-control-policy.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/coverage-control-policy.md @@ -2,7 +2,7 @@ You can use the **Set Coverage Control** action from the Policies view to identify your application assets, monitor them, and prioritize the risks. You can select one or multiple security products and also specify a timeframe for when the last scan should have taken place. -Identifying and setting coverage policies allows your team to define where certain security controls are expected to be in place. +Identifying and setting coverage policies lets your team define where certain security controls are expected to be in place. The following example filters out assets that should have Snyk Open Source and Snyk Code security controls in place and then sets the coverage policies. diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/notification-policy.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/notification-policy.md index 32d8501458bc..5eda8ab55952 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/notification-policy.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/notification-policy.md @@ -17,7 +17,7 @@ After setting up the filter conditions, you need to choose the **Send Email** ac If you want to set a **Send Slack Message** action, then you can generate the Slack webhook by using the [Incoming WebHooks app](https://slack.com/apps/A0F7XDUAZ-incoming-webhooks) or by [creating your own Slack app](https://api.slack.com/incoming-webhooks). {% endhint %} -Customize the Send Email action to notify you with a link to the assets impacted by the set policy. You can do this by typing "/" inside the **Body** field of the **Send Email** action and selecting **Link to Assets**. After you save the policy, every notification received will list all the assets impacted by the policy. +Customize the Send Email action to notify you with a link to the assets impacted by the set policy. You can do this by typing "/" inside the **Body** field of the **Send Email** action and selecting **Link to Assets**. After you save the policy, every notification received lists all the assets impacted by the policy.
Snyk AppRisk - Set up the Links to Assets option from the Send Email action

Assets Policy - Set up the Links to Assets option from the Send Email action

@@ -25,10 +25,10 @@ This is how your policy should look after all filters and actions are set.
Snyk AppRisk - Setting up a Notification policy

Assets Policy - Setting up a notification policy

-You will receive an email notification after including the **Link to Assets** option in the Body field. You can access the assets from the notification individually, or view them in an aggregated form by clicking the **Click Here** link. The list of assets displayed in the email notification is automatically generated. +You receive an email notification after including the **Link to Assets** option in the Body field. You can access the assets from the notification individually, or view them in an aggregated form by clicking the **Click Here** link. The list of assets displayed in the email notification is automatically generated. {% hint style="info" %} -After an email notification policy is created, it is run in a maximum of 3 hours after creation, then once every 3 hours. +After an email notification policy is created, it runs in a maximum of three hours after creation, then once every three hours. -If your policy is set to run daily, then the policy is run in a maximum of 3 hours after the 24-hour period ends. You can always manually run a policy by using the Run button. +If your policy is set to run daily, then the policy runs in a maximum of three hours after the 24-hour period ends. You can always manually run a policy by using the Run button. {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/tagging-policy.md b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/tagging-policy.md index 25941e1a6544..390bb85e0cfc 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/tagging-policy.md +++ b/scan-fix-and-prevent/manage-risk/policies/assets-policies/use-cases-for-policies/tagging-policy.md @@ -4,6 +4,6 @@ Categorize and label repository assets with [asset labels](../../../../manage-assets/assets-inventory-components.md#tags). You can use the **Set Asset Labels** action to mark the repositories to which the filter criteria you have set apply. -Snyk Essentials has a number of pre-defined system labels that can be used for filtering and setting labels with policies. User-defined custom labels can be created using policies. You can create a Set Asset Label policy action and define a custom tag by typing your tag in the tag search bar and selecting **Create new: `label_name`**. In this example the `label_name` is payment. +Snyk Essentials has a number of pre-defined system labels that you can use for filtering and setting labels with policies. User-defined custom labels can be created using policies. You can create a Set Asset Label policy action and define a custom tag by typing your tag in the tag search bar and selecting **Create new: `label_name`**. In this example the `label_name` is payment. -The following use case demonstrates how to apply the custom-defined `backend` label to assets that match certain naming conventions. This allows a quick filter for backend assets from the Inventory view. +The following use case demonstrates how to apply the custom-defined `backend` label to assets that match certain naming conventions. This lets you quickly filter backend assets from the Inventory view. diff --git a/scan-fix-and-prevent/manage-risk/policies/assign-a-policy-to-an-organization.md b/scan-fix-and-prevent/manage-risk/policies/assign-a-policy-to-an-organization.md index 7f0c4ee7135a..70e4ea65f645 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assign-a-policy-to-an-organization.md +++ b/scan-fix-and-prevent/manage-risk/policies/assign-a-policy-to-an-organization.md @@ -10,22 +10,22 @@ Policies applied to Organizations are in effect when you run the `snyk test` or To apply a policy to an Organization, in the Organization selector panel, check the box for the Organization to which you want to apply the policy. -If an Organization has another policy applied, you can see that policy from the selector, and the policy indicator next to the Organization name will be gray. +If an Organization has another policy applied, you can see that policy from the selector, and the policy indicator next to the Organization name is gray. If the Organization already has the policy applied, the name of the policy is displayed in a yellow indicator next to the Organization name. -If you are applying a different policy to an Organization, in order to move that Organization from one policy to another, two indicators appear next to the Organization name in the selector. One shows, in yellow, the policy that is currently applied. The other shows the policy you will be applying to the Organization in gray. +If you are applying a different policy to an Organization, to move that Organization from one policy to another, two indicators appear next to the Organization name in the selector. One shows, in yellow, the policy that is currently applied. The other shows the policy you are applying to the Organization in gray. ## Remove a policy from an Organization To remove a policy from an Organization, uncheck the box next to the Organization you want to remove from the policy that you are viewing. -The unchecked Organization will now automatically revert to the default policy. +The unchecked Organization now automatically reverts to the default policy. ## Apply the default policy to an Organization -Remove the policy currently applied to the Organization. The Organization will automatically revert to the default policy. +Remove the policy currently applied to the Organization. The Organization automatically reverts to the default policy. ## Remove the default policy from an Organization -Apply a new policy to the Organization. The Organization will automatically be removed from the default policy and the new policy will be applied. +Apply a new policy to the Organization. The Organization is automatically removed from the default policy, and the new policy is applied. diff --git a/scan-fix-and-prevent/manage-risk/policies/assign-policies-to-projects.md b/scan-fix-and-prevent/manage-risk/policies/assign-policies-to-projects.md index 58c4878b6d85..e8cd33e898a9 100644 --- a/scan-fix-and-prevent/manage-risk/policies/assign-policies-to-projects.md +++ b/scan-fix-and-prevent/manage-risk/policies/assign-policies-to-projects.md @@ -40,9 +40,9 @@ For example, if you have a policy applied to `Critical`, `External`, and `Fronte An example policy follows. It is applied to an attribute in the **Business Criticality** section, `Critical`, and to attributes in the **Environment** section, `Frontend` and `External`. The policy also has two Project tags. The first tag has the key `PCI`, with the value of `Compliant`. The second tag has the key `owner`, with the value of `fred`. -The following Project has the attributes `Frontend`, `External`, and `Critical`, and has at least one matching tag, `PCI:Compliant`. Thus the Project will inherit the policy, that is, the policy is assigned to this Project. +The following Project has the attributes `Frontend`, `External`, and `Critical`, and has at least one matching tag, `PCI:Compliant`. So the Project inherits the policy, that is, the policy is assigned to this Project. -The following Project will not inherit the policy, because the Project lacks the `External` environment attribute. +The following Project does not inherit the policy, because the Project lacks the `External` environment attribute. ## Assign multiple policies to a Project diff --git a/scan-fix-and-prevent/manage-risk/policies/license-policies/README.md b/scan-fix-and-prevent/manage-risk/policies/license-policies/README.md index 686b4ace42b9..a4652ec01e1d 100644 --- a/scan-fix-and-prevent/manage-risk/policies/license-policies/README.md +++ b/scan-fix-and-prevent/manage-risk/policies/license-policies/README.md @@ -6,7 +6,7 @@ You can [create a license policy and rules](create-a-license-policy-and-rules.md An initial policy is created automatically and set as the default to help you get started quickly with license policy management. -This default policy is a baseline to meet the requirements of multiple types of applications, such as SaaS, distributed, and so on, and may be used as a starting point to calibrate additional license policies. +This default policy is a baseline to meet the requirements of multiple types of applications, such as SaaS, distributed, and so on, and you can use it as a starting point to calibrate additional license policies. The default license policy contains the standard Snyk Default License Policy, but you can edit the rules to suit your preferences. diff --git a/scan-fix-and-prevent/manage-risk/policies/license-policies/license-policy-results.md b/scan-fix-and-prevent/manage-risk/policies/license-policies/license-policy-results.md index a33f70fba429..b2b55dac5148 100644 --- a/scan-fix-and-prevent/manage-risk/policies/license-policies/license-policy-results.md +++ b/scan-fix-and-prevent/manage-risk/policies/license-policies/license-policy-results.md @@ -1,5 +1,5 @@ # License policy results -A newly assigned policy, or modifications to a policy, will apply after the next scheduled test runs for all of the licenses in the Organization. +A newly assigned policy, or modifications to a policy, applies after the next scheduled test runs for all of the licenses in the Organization. If you change severity, results from scans are updated in the Snyk Web UI, in [your IDE](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/snyk-ide-plugins-and-extensions), or in Snyk [PR Checks](../../../scan-with-snyk/pull-requests/pull-request-checks/). diff --git a/scan-fix-and-prevent/manage-risk/policies/security-policies/create-a-security-policy-and-rules.md b/scan-fix-and-prevent/manage-risk/policies/security-policies/create-a-security-policy-and-rules.md index b9b94b9aecbc..7dbc88be6a66 100644 --- a/scan-fix-and-prevent/manage-risk/policies/security-policies/create-a-security-policy-and-rules.md +++ b/scan-fix-and-prevent/manage-risk/policies/security-policies/create-a-security-policy-and-rules.md @@ -22,12 +22,12 @@ Select the conditions and actions to complete a rule. See [Security policy condi * To delete or duplicate a rule, click the three dots at the top right of the rule box. {% hint style="info" %} -The order of the rules you create determines the order they will be applied. If multiple rules with the same action type match the same issue, the rule closest to the top takes precedence over any subsequent rules. +The order of the rules you create determines the order they are applied. If multiple rules with the same action type match the same issue, the rule closest to the top takes precedence over any subsequent rules. **Example:** * Rule 1: Sets severity to HIGH for issues with mature exploit maturity. * Rule 2: Sets severity to LOW for issue ID "CVE-2025-0001". -If an issue with "CVE-2025-0001" also has mature exploit maturity, both rules apply. Because Rule 1 is listed first, the final severity will be HIGH. +If an issue with "CVE-2025-0001" also has mature exploit maturity, both rules apply. Because Rule 1 is listed first, the final severity is HIGH. {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policies-conditions.md b/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policies-conditions.md index 760118494569..02a9d1d55591 100644 --- a/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policies-conditions.md +++ b/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policies-conditions.md @@ -8,4 +8,4 @@ Security policies are applicable to Snyk Open Source and Snyk Container Projects You can stack multiple conditions in the same rule using the **AND** function. -
Condition categoryCondition definitions and variables
Exploit MaturityMatches all issues that contain a specified exploit maturity value. When multiple values are selected, the condition applies to all issues containing any of the selected values. Values include Mature, Proof of Concept, No known exploit, and No data available.
CWEMatches all issues that contain a specified CWE. Supports multiple CWEs.
CVEMatches all issues that contain a specified CVE. Supports multiple CVEs.
Snyk IDMatches all issues that contain a specified Snyk ID. Supports multiple Snyk IDs. Not every issue has a CVE, so this is a good way to specify those.
SeverityMatches all issues that contain a specified severity level. When multiple values are selected, the condition will apply to all issues containing any of the selected severity levels (for example, Critical, High, Medium, Low).
+
Condition categoryCondition definitions and variables
Exploit MaturityMatches all issues that contain a specified exploit maturity value. When multiple values are selected, the condition applies to all issues containing any of the selected values. Values include Mature, Proof of Concept, No known exploit, and No data available.
CWEMatches all issues that contain a specified CWE. Supports multiple CWEs.
CVEMatches all issues that contain a specified CVE. Supports multiple CVEs.
Snyk IDMatches all issues that contain a specified Snyk ID. Supports multiple Snyk IDs. Not every issue has a CVE, so this is a good way to specify those.
SeverityMatches all issues that contain a specified severity level. When multiple values are selected, the condition applies to all issues containing any of the selected severity levels (for example, Critical, High, Medium, Low).
diff --git a/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-actions.md b/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-actions.md index 8aeb5f4c64de..670ce1486c93 100644 --- a/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-actions.md +++ b/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-actions.md @@ -6,9 +6,9 @@ An action defines what you want to happen when the [security policy conditions]( You cannot stack multiple actions in the same rule. To have multiple actions with a rule, create a new rule block with the same conditions, and specify a different action. {% endhint %} -These are the actions that can currently be applied: +These are the actions you can apply: -
ActionDefinitions
Change severity to…

Changes the severity of whatever issues match the conditions. This can be set to Low, Medium, High, or Critical.

Issues with a changed severity have their priority score updated to reflect the new severity. A note appears on the issue card indicating that the severity of the issue has been changed by a policy. The severity icon will also be "stacked," showing the original severity behind the new one.

Ignore current and future instances

Ignore all vulnerabilities that match the conditions. For example, ignore all issues that have no known exploits in Projects with a business criticality attribute of low.

After an ignore policy is applied, ignores will occur every time the relevant Project is re-scanned, with ignored issues marked as ignored by Security Policy.

When setting the action, you can select won't fix and not vulnerable as ignore types, and add a reason, which appears with the ignore on the issue card

Policy-based ignores have the same behavior as issues that are manually ignored. As with manual ignores, automatic PRs are not raised on issues ignored by a security policy or included in the issue count in reporting.

+
ActionDefinitions
Change severity to…

Changes the severity of whatever issues match the conditions. This can be set to Low, Medium, High, or Critical.

Issues with a changed severity have their priority score updated to reflect the new severity. A note appears on the issue card indicating that the severity of the issue has been changed by a policy. The severity icon is also "stacked," showing the original severity behind the new one.

Ignore current and future instances

Ignore all vulnerabilities that match the conditions. For example, ignore all issues that have no known exploits in Projects with a business criticality attribute of low.

After an ignore policy is applied, ignores occur every time the relevant Project is re-scanned, with ignored issues marked as ignored by Security Policy.

When setting the action, you can select won't fix and not vulnerable as ignore types, and add a reason, which appears with the ignore on the issue card

Policy-based ignores have the same behavior as issues that are manually ignored. As with manual ignores, automatic PRs are not raised on issues ignored by a security policy or included in the issue count in reporting.

{% hint style="info" %} Security policies are applicable to Snyk Open Source and Snyk Container Projects. diff --git a/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-results.md b/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-results.md index f18ee0233fb5..d32fc56e0b33 100644 --- a/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-results.md +++ b/scan-fix-and-prevent/manage-risk/policies/security-policies/security-policy-results.md @@ -1,6 +1,6 @@ # Security policy results -A newly-assigned policy, or changes to a policy, apply when the Project is re-scanned. This is what Project collaborators see when an action is applied to a vulnerability: +A newly assigned policy, or changes to a policy, apply when the Project is re-scanned. This is what Project collaborators see when an action is applied to a vulnerability:
ActionWhat Project collaborators see
Change severity to…The new severity, as well as the originally assigned severity
Ignore current and future instancesAn ignored issue looking like a manual ignore but labeled ignored by Security Policy.
diff --git a/scan-fix-and-prevent/manage-risk/policies/the-.snyk-file.md b/scan-fix-and-prevent/manage-risk/policies/the-.snyk-file.md index 84245d6e0a09..6a2cce014157 100644 --- a/scan-fix-and-prevent/manage-risk/policies/the-.snyk-file.md +++ b/scan-fix-and-prevent/manage-risk/policies/the-.snyk-file.md @@ -84,7 +84,7 @@ When you include the `.snyk` file in your code repository and the `language-sett * By including a `.snyk` file in your code repository with the `language settings:` value set to one of the available UI language settings options, you can override the Organization level settings for SCM scans of that repository to use any Python version that is available in the UI options. {% hint style="info" %} -if the `.snyk` file was not present at the initial import of the Project into Snyk., you must re-import the Project. +If the `.snyk` file was not present at the initial import of the Project into Snyk, you must re-import the Project. {% endhint %} For more information about Python version support, see [Python version support](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/supported-languages/supported-languages-list/python#technical-specifications). diff --git a/scan-fix-and-prevent/manage-risk/policies/use-policies-in-the-sdlc.md b/scan-fix-and-prevent/manage-risk/policies/use-policies-in-the-sdlc.md index 96e3c4102c90..9bdce6e3627f 100644 --- a/scan-fix-and-prevent/manage-risk/policies/use-policies-in-the-sdlc.md +++ b/scan-fix-and-prevent/manage-risk/policies/use-policies-in-the-sdlc.md @@ -2,7 +2,7 @@ You can apply policies across all stages of the SDLC, from the developer’s local development environment, in the IDE or CLI, through to Git-based workflows and CI/CD, and into production. -These multiple security and compliance controls ensure issues are flagged as early as possible in the development process when it is least costly and time-consuming to fix them. +These multiple security and compliance controls ensure Snyk flags issues as early as possible in the development process, when it is least costly and time-consuming to fix them. {% hint style="info" %} In addition, the `.snyk` file is a policy file that Snyk uses to define certain analysis behaviors and to specify patches for the CLI and CI/CD plugins. See [The .snyk file](the-.snyk-file.md) for details @@ -10,7 +10,7 @@ In addition, the `.snyk` file is a policy file that Snyk uses to define certain ## Assign policies to Projects or Organizations -For both [security policies](security-policies/) and [license policies](license-policies/), you can apply a policy to Project attributes and to an Organization. This enables you to assign policies to Projects and to Organizations. For details, see [Assign policies to Projects](assign-policies-to-projects.md) and [Assign a policy to an Organization](assign-a-policy-to-an-organization.md). +For both [security policies](security-policies/) and [license policies](license-policies/), you can apply a policy to Project attributes and to an Organization. This lets you assign policies to Projects and to Organizations. For details, see [Assign policies to Projects](assign-policies-to-projects.md) and [Assign a policy to an Organization](assign-a-policy-to-an-organization.md). ### Example: assign a license policy to Projects @@ -23,7 +23,7 @@ Next, create a new license policy and apply the policy to those attributes: {% hint style="info" %} In the policy itself, a high severity can be applied to any copyleft license identified in Projects, such as the [GPL-3.0](https://snyk.io/learn/what-is-gpl-license-gplv3-explained/) and [AGPL-3.0 licenses](https://snyk.io/learn/agpl-license/).\ -When you create license policies, Snyk recommends that you describe why Snyk will fail the test. Thus, for example, if a build fails due to the GPL license, developers can see the explanation, and they will know what action to take. See [Create a license policy and rules](license-policies/create-a-license-policy-and-rules.md) for details. +When you create license policies, Snyk recommends that you describe why Snyk fails the test. For example, if a build fails due to the GPL license, developers can see the explanation, and they know what action to take. See [Create a license policy and rules](license-policies/create-a-license-policy-and-rules.md) for details. {% endhint %} This policy is now assigned to all Projects with the selected attributes applied and takes effect the next time Snyk scans those Projects. @@ -40,10 +40,10 @@ See [Security policies](security-policies/) for more details. ## Apply policies in GitHub repos -For GitHub Projects monitored by Snyk, any new pull request from a contributing developer can be checked against policies assigned to that Project. This ensures that policy-breaking code cannot be committed to the repository. +For GitHub Projects monitored by Snyk, Snyk can check any new pull request from a contributing developer against policies assigned to that Project. This ensures that policy-breaking code cannot be committed to the repository. {% hint style="info" %} -See [PR Checks](../../scan-with-snyk/pull-requests/pull-request-checks/) for details of Snyk’s PR Checks feature. +See [PR Checks](../../scan-with-snyk/pull-requests/pull-request-checks/) for details of the PR Checks feature in Snyk. {% endhint %} An example follows of a PR check on a JavaScript package license. diff --git a/scan-fix-and-prevent/manage-risk/policies/view-create-and-modify-policies.md b/scan-fix-and-prevent/manage-risk/policies/view-create-and-modify-policies.md index a6e95b4bc626..eb139a656dd0 100644 --- a/scan-fix-and-prevent/manage-risk/policies/view-create-and-modify-policies.md +++ b/scan-fix-and-prevent/manage-risk/policies/view-create-and-modify-policies.md @@ -22,13 +22,13 @@ When you expand a category, the screen shows the policies applied to **Project a Each policy category has a default policy. Default policies can be applied only to Organizations, not Project attributes. -When you create a new Organization, it will automatically be added to the default policy unless you have copied the settings of an existing Organization. You can assign an Organization to a different policy if desired. +When you create a new Organization, Snyk automatically adds it to the default policy unless you have copied the settings of an existing Organization. You can assign an Organization to a different policy if desired. -The default policy cannot be deleted; however, the default policy name, description, and rules can be edited to match your preferences. A default policy can also contain no rules if you'd prefer. +You cannot delete the default policy. However, you can edit the default policy name, description, and rules to match your preferences. A default policy can also contain no rules if you prefer. See [Assign a policy to an Organization](assign-a-policy-to-an-organization.md) for details. -The Policy Manager allows you to [create](view-create-and-modify-policies.md#create-a-policy), [edit](view-create-and-modify-policies.md#edit-a-policy), and [duplicate or delete a policy](view-create-and-modify-policies.md#duplicate-or-delete-a-policy). +The Policy Manager lets you [create](view-create-and-modify-policies.md#create-a-policy), [edit](view-create-and-modify-policies.md#edit-a-policy), and [duplicate or delete a policy](view-create-and-modify-policies.md#duplicate-or-delete-a-policy). ## Create a policy @@ -53,5 +53,5 @@ To duplicate or delete a policy, click the three dots on the right-hand side: Duplicating a policy copies the rules of a policy but not the assigned Organizations or Projects. The new policy is automatically called **Copy of (Policy Name)…** and can be edited as [explained in Edit a policy](view-create-and-modify-policies.md#edit-a-policy). {% hint style="info" %} -Deleting a policy cannot be undone. If you delete a policy with Organizations assigned to it, those Organizations will return to the default policy. +Deleting a policy cannot be undone. If you delete a policy with Organizations assigned to it, those Organizations return to the default policy. {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/README.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/README.md index 07ba364f765b..900e8c760fb8 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/README.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/README.md @@ -9,7 +9,7 @@ You can find prioritization within Snyk under several names and with different c You can focus solely on one type of prioritization, or you can combine them for a more complex and targeted focus on the issues that require your immediate attention. You can use prioritization for your vulnerabilities, your security program, and your coverage (from a security perspective), or you can use it in the Reporting section of your Projects.\ \ -For example, if you only prioritize the Projects from your repositories, then the list of issues is more general. However, if you choose to use prioritization with Issues, available for Snyk Essentials, the analyzed issues are filtered through several other factors (risk factors, assets) all contributing to the creation of an issues priority list based on more complex and targeted filters, allowing you to customize the prioritization based on your needs. +For example, if you only prioritize the Projects from your repositories, then the list of issues is more general. However, if you choose to use prioritization with Issues, available for Snyk Essentials, Snyk filters the analyzed issues through several other factors (risk factors, assets) that all contribute to the creation of an issue priority list based on more complex and targeted filters, letting you customize the prioritization based on your needs. ## Prioritization at the Project level @@ -148,7 +148,7 @@ You can [ignore issues](ignore-issues/) and [triage issues](vulnerable-condition Consider [Malicious packages](malicious-packages.md) and how to address them in your Projects. -You can set up [reachable vulnerability analysis ](reachability-analysis.md)to identify vulnerabilities with a path to your code. This helps you asse are calculated as part of the priority score. +You can set up [reachable vulnerability analysis ](reachability-analysis.md)to identify vulnerabilities with a path to your code. This helps you assess them as part of the Priority Score. [Vulnerabilities with Social Trends](vulnerabilities-with-social-trends.md) are calculated as part of the Priority Score. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/README.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/README.md index 5d2cf3f65934..84d3e5414733 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/README.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/README.md @@ -1,6 +1,6 @@ # Assets and risk factors -The capabilities of the SnykWeb UI Issues menu rely on understanding your application context to help you better prioritize your security issues. It does that by understanding how your application is configured and relying on that information to provide you with triage and prioritization of your assets and issues for the Snyk Essentials plan, and it also adds specific [risk factors](./#risk-factors) and [evidence graph](../using-the-issues-ui/evidence-graph.md) information. +The capabilities of the Snyk Web UI Issues menu rely on understanding your application context to help you better prioritize your security issues. Snyk does this by understanding how your application is configured and using that information to provide triage and prioritization of your assets and issues for the Snyk Essentials plan. It also adds specific [risk factors](./#risk-factors) and [evidence graph](../using-the-issues-ui/evidence-graph.md) information. * [Assets](./#assets) are analyzed using Snyk Issues, focusing on images, Kubernetes resources, and packages to understand how they all interact with each other. * [Risk factors](./#risk-factors) are analyzed using Snyk Issues and grouped into four main categories: @@ -26,11 +26,11 @@ Kubernetes resources do not map to the Snyk Projects. These are internal entitie Packages are assets that represent a software package. Snyk Open Source and Snyk Code products perform security scans on files. These files represent the package manager declaration and the source code of a software package, respectively. A package is a representation of that software package. -Packages can be mapped one to one with the Snyk Projects created by the scans performed by Snyk Open Source and Snyk Code. All the issues identified by these products and attributed to these Projects will be mapped to the package entity. +Packages can be mapped one to one with the Snyk Projects created by the scans performed by Snyk Open Source and Snyk Code. Snyk maps all the issues identified by these products and attributed to these Projects to the package entity. -The term Package is a very coarse abstraction. It does not have versions. It is a representation of the current state of the software package at a point in time. The point in time is determined by the time when the Snyk processing pipeline is completed and the state of Snyk Projects at that time. +The term Package is a coarse abstraction. It does not have versions. It is a representation of the current state of the software package at a point in time. The point in time is determined by the time when the Snyk processing pipeline is completed and the state of Snyk Projects at that time. -Snyk Open Source uses the word package to refer to the third-party dependencies declared in the package dependency manifest. Snyk does not currently expose the granularity of the third-party dependencies. However, from the prioritization data model point of view, there is no distinction between third-party and first-party packages. These would be represented as a package object at that point in time. +Snyk Open Source uses the word package to refer to the third-party dependencies declared in the package dependency manifest. Snyk does not expose the granularity of the third-party dependencies. However, from the prioritization data model point of view, there is no distinction between third-party and first-party packages. Snyk represents these as a package object at that point in time. ## Risk factors @@ -40,7 +40,7 @@ By understanding your images, packages, and Kubernetes resources as "application * [OS condition](risk-factor-os-condition.md) * [Public facing](risk-factor-public-facing.md) -You can enable and disable all of these "application context" risk factors through the Group **Settings**, on the **Issues** tab. If you choose to disable a risk factor, a provider selection, or the Kubernetes cluster mapping, Snyk will no longer compute them. +You can enable and disable all of these "application context" risk factors through the Group **Settings**, on the **Issues** tab. If you choose to disable a risk factor, a provider selection, or the Kubernetes cluster mapping, Snyk no longer computes them. Depending on the integration options enabled for your application, risk factors are applied differently. You can [prioritize your integrations](../set-up-insights/#prioritize-your-integrations) by customizing the available Insights options from the Group settings. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-deployed.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-deployed.md index 35d7d5e6bdff..5512b7e775ba 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-deployed.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-deployed.md @@ -2,7 +2,7 @@ Any deployed code increases the risk of exploitation of your application and business. -Understanding what code is deployed and where enables you to adopt a remediation strategy that reduces your risk surface area from running code. +Understanding what code is deployed and where lets you adopt a remediation strategy that reduces your risk surface area from running code. ## Types of integration @@ -12,11 +12,11 @@ The Deployed risk factor works with the Kubernetes Connector and third-party int Snyk determines that a container image is deployed by looking for a match between the running images on the Kubernetes cluster and the created Snyk Container Projects. -Snyk uses Kubernetes state information to extract Docker image identifiers that are being executed. The status of a Kubernetes container has image names that are being run by the Kubernetes runtime. A search is performed on the database of known Docker images to find matching names. When the image names are matched, Snyk can display this information in a graph. The graph shows the relationship between the image and the container. \\ +Snyk uses Kubernetes state information to extract Docker image identifiers that are being executed. The status of a Kubernetes container has image names that the Kubernetes runtime runs. Snyk searches the database of known Docker images to find matching names. When the image names match, Snyk can display this information in a graph. The graph shows the relationship between the image and the container. \\
A vulnerability in a deployed image

A vulnerability in a deployed image

-Kubernetes is very [specific](https://kubernetes.io/docs/concepts/containers/images/#image-names) about how images are managed. Snyk uses the same logic to map the images Snyk knows about. Whenever you scan an Image with Snyk Container, Snyk collects information about the image name and image ID. Snyk uses this information to map images against information from Kubernetes. +Kubernetes is [specific](https://kubernetes.io/docs/concepts/containers/images/#image-names) about how images are managed. Snyk uses the same logic to map the images Snyk knows about. Whenever you scan an Image with Snyk Container, Snyk collects information about the image name and image ID. Snyk uses this information to map images against information from Kubernetes. {% hint style="info" %} Snyk adheres to the defined naming standards as documented for [Kubernetes](https://kubernetes.io/docs/concepts/containers/images/#image-names) and Docker [images](https://docs.docker.com/engine/reference/commandline/images/) to ensure consistency with Kubernetes. @@ -42,7 +42,7 @@ Result: Image successfully matched, and risk factor applied
Image matecjed

Image matched

-The container image is scanned using the Snyk Container CLI only, referencing the full name of the image, including the registry. Snyk recommends doing this after the image is built and before it is deployed to your cluster. +Scan the container image using the Snyk Container CLI only, referencing the full name of the image, including the registry. Snyk recommends doing this after you build the image and before you deploy it to your cluster. An example scan follows: @@ -66,13 +66,13 @@ Result: Image successfully matched, and risk factor applied
Matching of names

Matching of names

-The container image is scanned referencing a partial name, omitting the container registry. +Scan the container image referencing a partial name, omitting the container registry. An example scan follows: `$ snyk container monitor my-app:lates`t -Insights is not able to match this Project as the names do not match. +Insights cannot match this Project because the names do not match. The image is deployed to your Kubernetes cluster with this example manifest. @@ -100,7 +100,7 @@ Snyk recommends always specifying the full name of the image in your CLI command ### Third-party integrations -The Deployed risk factor is extended to third-party integrations through real-time monitoring of Kubernetes clusters, along with data from external sources. This enables a comprehensive assessment of deployed risks across diverse environments. By integrating with third-party tools, Snyk can cross-reference vulnerabilities from various sources, ensuring that the deployed risk factor reflects the most accurate and current threat landscape. This holistic approach allows Snyk to provide actionable insights and maintain robust security postures across all integrated platforms. +Snyk extends the Deployed risk factor to third-party integrations through real-time monitoring of Kubernetes clusters, along with data from external sources. This supports the assessment of deployed risks across environments. By integrating with third-party tools, Snyk can cross-reference vulnerabilities from various sources, so the Deployed risk factor reflects current threats. This lets Snyk provide actionable insights and maintain security across all integrated platforms. ## Technical details for Snyk Insights Deployed risk factor diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-os-condition.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-os-condition.md index 47ec061b8a6c..78bbc1dfd025 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-os-condition.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-os-condition.md @@ -10,7 +10,7 @@ If the vulnerability condition matches the operating system used by the runtime | ------------------ | --------------- | ---------------------- | | Any OS | Unknown | No risk factor | | Linux | Unknown | No risk factor | -| Windows | Unkown | No risk factor | +| Windows | Unknown | No risk factor | | Any OS | Linux | Risk factor identified | | Linux | Linux | Risk factor identified | | Windows | Linux | No risk factor | @@ -24,12 +24,12 @@ When an image is scanned by Snyk Container, the information about which operatin The OS condition risk factor works with your [Kubernetes Connector](../set-up-insights/set-up-insights-kubernetes-connector.md) integrations. -The Kubernetes Connector leverages the OS condition risk factors to enhance the identification of vulnerabilities within containerized applications. It continuously checks and compares the operating systems of running containers with the known risk factors from the Snyk database. This integration helps to detect potentially vulnerable packages or images in real-time based on the operating system conditions. It allows proactive security measures within Kubernetes environments. +The Kubernetes Connector uses the OS condition risk factors to enhance the identification of vulnerabilities in containerized applications. It continuously checks and compares the operating systems of running containers with the known risk factors from the Snyk database. This integration helps to detect potentially vulnerable packages or images in real time based on the operating system conditions. It supports proactive security measures in Kubernetes environments. ## Technical details for OS condition risk factor Every hour, the data pipeline takes a snapshot of all Snyk Projects and data sources and extrapolates packages and images. This snapshot determines which images and packages are known to Snyk for any customer. -Snyk Project tags are used to enable the customer to relate image assets to packages. This information is extracted from the hourly data snapshot, and a basic composition graph is generated between images and packages. +Snyk Project tags let the customer relate image assets to packages. Snyk extracts this information from the hourly data snapshot and generates a basic composition graph between images and packages. The data pipeline examines all the issues reported for the package and image and attempts to map the vulnerability condition between them. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-public-facing.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-public-facing.md index 7a25f0d5696e..b4f8db867370 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-public-facing.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/assets-and-risk-factors/risk-factor-public-facing.md @@ -20,7 +20,7 @@ Kubernetes Connector checks the images for ingress configuration. If not detecte The Public facing risk factor can be applied to your [Kubernetes Connector](../set-up-insights/set-up-insights-kubernetes-connector.md) integrations. -The Public facing risk factor has significant implications for Kubernetes Connector integration. It affects how vulnerabilities and potential attack vectors are prioritized and managed within the Kubernetes environment. The continuous monitoring of Kubernetes events by the Kubernetes Connector ensures that any changes or potential risks are instantly evaluated and relayed to the Snyk platform. This real-time data allows for the dynamic adjustment of security policies and proactive risk mitigation, ensuring the integrity and security of the cloud-native infrastructure. +The Public facing risk factor has significant implications for Kubernetes Connector integration. It affects how Snyk prioritizes and manages vulnerabilities and potential attack vectors in the Kubernetes environment. The continuous monitoring of Kubernetes events by the Kubernetes Connector ensures that Snyk evaluates any changes or potential risks and relays them to the Snyk platform. This real-time data supports the dynamic adjustment of security policies and proactive risk mitigation, ensuring the integrity and security of the cloud-native infrastructure. ## Technical details for the public-facing risk factor diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/README.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/README.md index 6bb462330aef..4a49cc8e656b 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/README.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/README.md @@ -1,6 +1,6 @@ # Ignore issues -You can ignore a vulnerability or open-source license issue if you do not need to fix it and want to avoid seeing the issue in scan results. You can ignore issues temporarily or permanently and set ignores individually or as actions. By using Snyk ignores you can display results only for issues you need to fix +You can ignore a vulnerability or open-source license issue if you do not need to fix it and want to avoid seeing the issue in scan results. You can ignore issues temporarily or permanently and set ignores individually or as actions. By using Snyk ignores you can display results only for issues you need to fix. For Open Source details, see [How to set ignores](./#how-to-set-ignores). This information provides a useful background for using ignores with other Snyk scanning methods. For more information, see the following sections on this page: @@ -10,7 +10,7 @@ For Open Source details, see [How to set ignores](./#how-to-set-ignores). This i ## Decisions to ignore issues -Optimally, it allows you to fix or patch vulnerabilities or remove vulnerable dependencies. However, you may want to suppress an issue for any of the following reasons: +Optimally, you fix or patch vulnerabilities or remove vulnerable dependencies. However, you might want to suppress an issue for any of the following reasons: * There is no fix. * The issue is not relevant to the Project. One example is a distributed denial-of-service (DDoS) attack for an internal service. @@ -35,16 +35,16 @@ Each issue card has an **Ignore** button that opens a dialog where you can selec You can select **Not vulnerable** for any issue that is not exploitable at the time you create the ignore. -If you select **Ignore temporarily,** then you can check the **Until fix is available** checkbox: +If you select **Ignore temporarily,** then you can select the **Until fix is available** check box:
Ignore temporarily

Ignore temporarily

-This is checked by default if no fix is available for the issue. The vulnerability resurfaces as soon as Snyk has a fix for it, and optionally you can provide additional details on why you are ignoring the issue. +This check box is selected by default if no fix is available for the issue. The vulnerability resurfaces as soon as Snyk has a fix for it, and you can optionally provide additional details on why you are ignoring the issue. {% hint style="info" %} An issue is ignored until either of these conditions occurs: the ignore period expires, or the vulnerability becomes fixable. -An issue ignored in an Open Source or Code Project in the Snyk web UI will be reflected and not flagged in any subsequent [PR checks](../../../scan-with-snyk/pull-requests/pull-request-checks/) across all branches of the Project. +An issue ignored in an Open Source or Code Project in the Snyk Web UI is reflected and not flagged in any subsequent [PR checks](../../../scan-with-snyk/pull-requests/pull-request-checks/) across all branches of the Project. {% endhint %} When you ignore an issue in the Snyk Web UI, the issue shows who ignored it and allows you to edit the ignore or unignore the issue. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/README.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/README.md index 4dae78a6a7f3..03b141b47a89 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/README.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/README.md @@ -10,11 +10,11 @@ Enable Snyk Code Consistent Ignores for your Group or Organization in the Snyk W ## Disable Snyk Code Consistent Ignores -Any ignores created or converted with the feature enabled will not be automatically converted back to Project-based ignores. You can recreate them manually after disabling the feature. +Snyk does not automatically convert ignores created or converted with the feature enabled back to Project-based ignores. You can recreate them manually after disabling the feature. ## User roles -To create, edit and remove ignores, you need to have a user role assigned with Ignore management permissions. Only Group Admins can set these permissions (see [User role management](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management)). +To create, edit, and remove ignores, you must have a user role assigned with Ignore management permissions. Only Group Admins can set these permissions (see [User role management](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management)). 1. Log in to the Snyk Web UI and navigate to your Group and Organization. 2. Navigate to **Members** > **Manage Roles** and select one or more permissions. @@ -24,7 +24,7 @@ To create, edit and remove ignores, you need to have a user role assigned with I ## Manage ignores at the Group level through Snyk Code Security policies {% hint style="info" %} -This feature is available to Enterprise customers only. It must be enabled by Snyk before it is accessible. +This feature is available to Enterprise customers only. Snyk must enable it before it is accessible. {% endhint %} You can manage ignores proactively using Group-level Snyk Code Security policies. As a general rule, you can apply ignore policies when you identify a recurring need to apply similar individual ignores. @@ -32,12 +32,12 @@ You can manage ignores proactively using Group-level Snyk Code Security policies To manage the ignores through security policies, Snyk Code Consistent Ignores need to be enabled at the Group level. You do not require [conversion](convert-project-scoped-ignores-to-asset-scoped-ignores.md) for any previously applied Group level policy ignores. If you want to activate Snyk Code Security policies at the Group level, contact your Snyk account team or Snyk Support. {% hint style="info" %} -[**Snyk Security Policies**](https://docs.snyk.io/manage-risk/policies/security-policies) are a separate feature, available at the Group level to all Enterprise customers. That feature is applicable to Open Source and Container, and will not work for Snyk Code. For Group level policy Ignores to apply to Snyk Code, you must use the Snyk Code Security policies feature. +[**Snyk Security Policies**](https://docs.snyk.io/manage-risk/policies/security-policies) are a separate feature, available at the Group level to all Enterprise customers. That feature is applicable to Open Source and Container, and does not work for Snyk Code. For Group level policy Ignores to apply to Snyk Code, you must use the Snyk Code Security policies feature. {% endhint %} Policies configured to ignore based on Project attributes do not result in ignores being applied in Snyk CLI and IDE settings where a Snyk Project is not available. -To configure a Snyk Code Security policy, select the organization/s or project attributes that the policy should apply to, give it a name, and add rules containing at least one of the following criteria: +To configure a Snyk Code Security policy, select the Organizations or Project attributes that the policy applies to, give it a name, and add rules containing at least one of the following criteria: | Criteria | Description | | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -51,7 +51,7 @@ You can take action from Project issues, but Snyk will apply any ignores to the When you create, modify, or delete an ignore, you must [retest the Project](../../../../scan-with-snyk/snyk-code/manage-code-vulnerabilities/#retesting-code-repository) to update the issue status. -An indicator at the top of the Project page will notify you if a retest is needed to capture policy or ignore updates. +An indicator at the top of the Project page notifies you if a retest is needed to capture policy or ignore updates. Project retests typically occur on a nightly or weekly basis, but you can also retest manually. @@ -60,9 +60,9 @@ Project retests typically occur on a nightly or weekly basis, but you can also r 1. Log in to the Snyk Web UI and navigate to your Group and Organization. 2. Open a Project and find an issue card. 3. Select **Ignore** on an issue card to create an ignore. -4. Fill in the ignore information and confirm its creation. The issue will be updated and moved from **Open** to **Ignored**.\ +4. Fill in the ignore information and confirm its creation. Snyk updates the issue and moves it from **Open** to **Ignored**.\ \ - If anyone loads the page before a retest, an indicator will appear and encourage retesting to capture policy or ignore changes. + If anyone loads the page before a retest, an indicator appears and encourages retesting to capture policy or ignore changes. ### Modify ignore diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/api.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/api.md index f8ab31e66111..f7fd8986606e 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/api.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/api.md @@ -4,4 +4,4 @@ You can manage ignores individually through the [Snyk Policies API (REST)](https The SARIF output from Snyk CLI contains the `snyk/asset/finding/v1` identifier used to manage ignores at the start of the Early Access program. -This API leverages the `snyk/asset/finding/v1` identifier and not the `issueId` used by the legacy ignores API. Consider migrating any scripts or automation that rely on the legacy ignores API to the new policy API. +This API uses the `snyk/asset/finding/v1` identifier and not the `issueId` used by the legacy ignores API. Consider migrating any scripts or automation that rely on the legacy ignores API to the new policy API. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/consistent-ignores-for-snyk-code-faqs.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/consistent-ignores-for-snyk-code-faqs.md index d3a1b9f32f8a..5cac97b36fcf 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/consistent-ignores-for-snyk-code-faqs.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/consistent-ignores-for-snyk-code-faqs.md @@ -11,7 +11,7 @@ This FAQ section addresses common concerns about the Snyk Code Consistent Identi Ignores only work within the Organization where they're defined. You need to run tests in the Organization where you stored an ignore for it to be taken into account. This is also valid for Snyk IDE and CLI environments where developers work in repositories that span multiple Snyk organizations. -Depending on feedback during the Early Access period, we may offer a broader scope for ignores beyond an individual Organization. +Depending on feedback during the Early Access period, we might offer a broader scope for ignores beyond an individual Organization. ## Existing DeepCode inline ignores (legacy) are not supported or migrated @@ -23,7 +23,7 @@ Recreate these ignores using the new Snyk Code Consistent Ignore process, either ## Repository renames may result in ignores being lost -Snyk may fail to complete testing after you rename a repository, depending on whether the underlying SCM supports redirects. If Snyk successfully runs subsequent tests (e.g., GitHub), ignores may not be applied. +Snyk might fail to complete testing after you rename a repository, depending on whether the underlying SCM supports redirects. If Snyk successfully runs subsequent tests (for example, GitHub), ignores might not be applied. ### Recommendation @@ -36,7 +36,7 @@ Snyk may fail to complete testing after you rename a repository, depending on wh 1. Delete all targets associated with that repository. 2. Reimport the newly renamed repository. -Previous Consistent Ignores are applied to the newly named repository. New clones in IDEs/CLI that reference the new name take into account the ignores, even with the old git URL, in case some developers haven't updated their remote repositories. +Previous Consistent Ignores are applied to the newly named repository. New clones in IDEs/CLI that reference the new name take into account the ignores, even with the old git URL, in case some developers have not updated their remote repositories. ## Granular ignores @@ -46,8 +46,8 @@ If you have specific use cases that require this functionality, reach out to you ## Project attribute policies -Policies defined against Project attributes will continue to work within Snyk Projects where the attributes match. The policies are not applied across the repository to other Projects or in Snyk IDE, CLI, or PR checks flows. To apply policies across Projects and branches for the same repository, define them against Organizations. +Policies defined against Project attributes continue to work within Snyk Projects where the attributes match. The policies are not applied across the repository to other Projects or in Snyk IDE, CLI, or PR checks flows. To apply policies across Projects and branches for the same repository, define them against Organizations. ## CI/CD support for snyk test --code -Most native Snyk CI/CD plugins (e.g., Jenkins, AWS Pipelines) do not support Snyk Code. As a workaround, some users have been applying the `--code` flag to the standard `snyk test` command to invoke a Snyk Code scan instead of a Snyk Open Source scan. Snyk Code Consistent Ignores does not support this workflow. +Most native Snyk CI/CD plugins (for example, Jenkins, AWS Pipelines) do not support Snyk Code. As a workaround, some users have been applying the `--code` flag to the standard `snyk test` command to invoke a Snyk Code scan instead of a Snyk Open Source scan. Snyk Code Consistent Ignores does not support this workflow. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/convert-project-scoped-ignores-to-asset-scoped-ignores.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/convert-project-scoped-ignores-to-asset-scoped-ignores.md index e7b93fa3600e..e6eb5ab7c322 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/convert-project-scoped-ignores-to-asset-scoped-ignores.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/convert-project-scoped-ignores-to-asset-scoped-ignores.md @@ -8,7 +8,7 @@ If you are new to Snyk or using Snyk Code Projects, you can skip this step, as t Conversion provides you with control over which ignores Snyk converts. For example, if you monitor multiple branches for a given repository, you can decide what ignore metadata Snyk converts and uses as the single source of truth going forward. -The following scenario assumes that you have ignored issues in your Snyk Code Project prior to enabling Snyk Code Consistent Ignores. +The following scenario assumes that you have ignored issues in your Snyk Code Project before enabling Snyk Code Consistent Ignores. If the **Ignore** button is inactive after you enable the **Snyk Code Consistent Ignores** feature, retest the Project. @@ -41,9 +41,9 @@ To convert all legacy ignores from a Project page, navigate to your **Organizati ### Convert ignores using Snyk API -For Snyk Code Projects with over 200 legacy Project-scoped ignores, or in scenarios where you want more control over the values applied for ignore attributes, consider using the Snyk API instead. This allows you to programmatically convert Project-scoped ignores to asset-scoped ignores. +For Snyk Code Projects with over 200 legacy Project-scoped ignores, or in scenarios where you want more control over the values applied for ignore attributes, consider using the Snyk API instead. This lets you programmatically convert Project-scoped ignores to asset-scoped ignores. -The following sequence of API calls allows you to build a custom script tailored to your Organization's needs for this conversion. It does not provide a prescriptive approach, but provides information on the most likely endpoints to consider. +The following sequence of API calls lets you build a custom script tailored to your Organization needs for this conversion. It does not provide a prescriptive approach, but provides information on the most likely endpoints to consider. Steps to follow: @@ -61,14 +61,14 @@ Steps to follow: * Filter: Use the query parameter `&types=sast` to list only Snyk Code Projects. {% hint style="info" %} -The response contains details about each Project, including its ID (`project_id`), origin (e.g., GitHub, CLI), and target repository or branch information. This helps you select the correct Projects, especially if the same repository is imported multiple times, such as through different SCM integrations or using the custom branch feature. +The response contains details about each Project, including its ID (`project_id`), origin (for example, GitHub, CLI), and target repository or branch information. This helps you select the correct Projects, especially if the same repository is imported multiple times, such as through different SCM integrations or using the custom branch feature. {% endhint %} #### Retrieve existing Project-scoped ignores for a Project * Goal: For a specific Project identified in step 1, get the details of all its current project-scoped ignores. * [API Endpoint](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/ignores-v1): `GET /v1/org/{org_id}/project/{project_id}/ignores` -* Response format: The response is an object where each key is a project-scoped finding ID (`snyk/org/project/finding/v1`) that has an ignore applied. The value is an array containing details about the ignore(s) for that finding. +* Response format: The response is an object where each key is a project-scoped finding ID (`snyk/org/project/finding/v1`) that has an ignore applied. The value is an array containing details about the ignores for that finding. ```javascript { @@ -89,7 +89,7 @@ The response contains details about each Project, including its ID (`project_id` ``` {% hint style="info" %} -Note down the Project-scoped finding ID (e.g., `1ddad474-...`), the `reason`, and the `reasonType` for each ignore you intend to convert. +Note down the Project-scoped finding ID (for example, `1ddad474-...`), the `reason`, and the `reasonType` for each ignore you intend to convert. {% endhint %} #### Map Project-scoped findings to asset-scoped findings @@ -116,7 +116,7 @@ Note down the Project-scoped finding ID (e.g., `1ddad474-...`), the `reason`, an ``` {% hint style="info" %} -For each Project-scoped finding ID (`key`) from step 2, find the matching issue in this response and extract its corresponding asset-scoped finding ID (`key_asset`). You will need this `key_asset` value to create the new ignore policy. +For each Project-scoped finding ID (`key`) from step 2, find the matching issue in this response and extract its corresponding asset-scoped finding ID (`key_asset`). You need this `key_asset` value to create the new ignore policy. {% endhint %} #### Create the new asset-scoped ignore policy @@ -157,7 +157,7 @@ For each Project-scoped finding ID (`key`) from step 2, find the matching issue * Goal: Remove the legacy Project-scoped ignore now that an equivalent asset-scoped policy exists. * [API Endpoint:](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/ignores-v1) `DELETE /v1/org/{org_id}/project/{project_id}/ignore/{project_scoped_id}` -* Key Information: Use the project\_id from step 1 and the `{project_scoped_id}` which is the key from step 2 response (e.g., `1ddad474-39f1-4ac4-b9c6-f2f79a65fd88`). +* Key Information: Use the project\_id from step 1 and the `{project_scoped_id}` which is the key from step 2 response (for example, `1ddad474-39f1-4ac4-b9c6-f2f79a65fd88`). #### Verify the changes diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-cli.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-cli.md index 9f8a6cb4dc84..1806e6b868f7 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-cli.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-cli.md @@ -1,6 +1,6 @@ # Consistent Ignores for Snyk Code CLI -Ignores are taken into account in the Snyk CLI when `snyk code test` is run. +The Snyk CLI takes ignores into account when you run `snyk code test`. ## Minimum version required @@ -12,7 +12,7 @@ To take ignores into account, specify the Organization where the ignores reside. [Group-level policies also cascade down to all Organizations](./#manage-ignores-at-the-group-level-through-snyk-code-security-policies). See [How to select the Organization to use in the CLI](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/how-to-select-the-organization-to-use-in-the-cli). -Repository context is required for asset-scoped ignores to take effect. Policy-based ignores such as those based on CWE or Snyk Code Rule ID are still being applied regardless of repository context. +Repository context is required for asset-scoped ignores to take effect. Snyk still applies policy-based ignores such as those based on CWE or Snyk Code Rule ID regardless of repository context. `snyk code test` automatically detects the repository context if a .git directory is present. If not, you can explicitly specify it using the `--remote-repo-url` option. To verify the Git URL, run `git remote -v`. @@ -42,7 +42,7 @@ You can use this identifier to [create new ignores using API calls](api.md). ## Ignores in CI/CD pipelines -As ignores are taken into account in Snyk CLI, the same applies when Snyk CLI is integrated into CI/CD pipelines. For example, if a pipeline uses the command `snyk code test –severity-threshold=high` and there are no unignored high-severity results, Snyk CLI will exit with a `0` (success) status code and the build will succeed. +Because the Snyk CLI takes ignores into account, the same applies when you integrate the Snyk CLI into CI/CD pipelines. For example, if a pipeline uses the command `snyk code test –severity-threshold=high` and there are no unignored high-severity results, the Snyk CLI exits with a `0` (success) status code and the build succeeds. The following example shows how Snyk Code detected high-severity hardcoded secrets, causing a GitHub Action workflow to fail with the exit code `1`. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-ide.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-ide.md index 916d2832d393..568c6085328f 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-ide.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-ide.md @@ -1,6 +1,6 @@ # Consistent Ignores for Snyk Code IDE -When you run tests in any of the [supported Snyk IDE plugins](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/snyk-ide-plugins-and-extensions), the plugins will take into account your ignores. +When you run tests in any of the [supported Snyk IDE plugins](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/snyk-ide-plugins-and-extensions), the plugins take into account your ignores. ## Minimum version required diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-pull-request-checks.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-pull-request-checks.md index 3539c9deda9f..dd2e4b70934c 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-pull-request-checks.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/consistent-ignores-for-snyk-code/snyk-pull-request-checks.md @@ -4,11 +4,11 @@ When viewing a pull request (PR) check from Snyk in your integrated SCM, ignored findings do not contribute to the PR check outcome. A PR check does not fail due to an ignored finding. Additionally, the Snyk PR experience includes the count of active (unignored) findings in the summary comment and displays each finding as an inline comment within the PR. -If a finding is ignored after a PR check has already been completed, the PR check must be retriggered by committing again to the PR. Upon retriggering, the PR check the following changes occur: +If you ignore a finding after a PR check has already completed, you must retrigger the PR check by committing again to the PR. Upon retriggering, the following changes occur: -• The ignored finding is no longer counted in the summary table. +• Snyk no longer counts the ignored finding in the summary table. -• The inline comment for the ignored finding is collapsed by default and marked as resolved. +• Snyk collapses the inline comment for the ignored finding by default and marks it as resolved. Ignores are respected in[ Snyk Code Pull Request Checks](../../../../scan-with-snyk/pull-requests/pull-request-checks/) regardless of whether they are created through [policy](./#manage-ignores-at-the-group-level-through-snyk-code-security-policies) or for an [individual `snyk/assets/finding/v1` value](./#manage-ignores-in-snyk-projects). diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/exclude-files-and-ignore-issues-faqs.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/exclude-files-and-ignore-issues-faqs.md index 6f70db36dd79..6f3ab0065e08 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/exclude-files-and-ignore-issues-faqs.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/exclude-files-and-ignore-issues-faqs.md @@ -1,13 +1,13 @@ # Exclude files and ignore issues FAQs -There are many considerations in determining how excluding files and ignoring issues will work, depending on several factors: +There are many considerations in determining how excluding files and ignoring issues works, depending on several factors: * How the Project was imported: through an SCM integration, or through the CLI or an IDE * The scanning method being used: Open Source, Code, Container, or IaC * How the test is being done, in the UI, or through the CLI or an IDE * How the exclude or ignore was set: in a policy, through the UI or the API, or in the `.snyk` file -This document collects questions the support team receives frequenty and provides the answers. +This document collects questions the support team receives frequently and provides the answers. ## Questions related to scanning methods @@ -15,7 +15,7 @@ This document collects questions the support team receives frequenty and provide * To ignore a code vulnerability, import the Project into the Snyk UI, and use the ignore button. * You cannot use the `.snyk` file to ignore issues in Code scans. -* The `snyk-to-html` tool will display all issues for Code scans whether the issues are ignored or not. +* The `snyk-to-html` tool displays all issues for Code scans whether the issues are ignored or not. ### How do I avoid scanning certain files for Open Source scans? @@ -28,12 +28,12 @@ This document collects questions the support team receives frequenty and provide ### How do I avoid scanning certain files for Code scans? * Use an exclude in a `.snyk` file to omit all scanning of certain files or folders from a Snyk Code scan. For details, see the [`--file-path` option for the `snyk ignore` command](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/commands/ignore#file-path-less-than-path_to_resource-greater-than), [Ignore files or folders using glob expression - Snyk Code and `unmanaged`only](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/commands/ignore#ignore-files-or-folders-using-glob-expression-snyk-code-and-unmanaged-only), and [Exclude directories and files from Snyk Code CLI tests](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/exclude-directories-and-files-from-snyk-code-cli-tests). -* When you import a repository to test using Snyk Code, use an `exclude:` statement in the `.snyk` file to omit certain directories and files from the import. For details see For details see [Exclude directories and files from Snyk Code CLI tests](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/exclude-directories-and-files-from-snyk-code-cli-tests). -* A `.snyk` file with file or folder exclusions and contained in the root directory of your repository or SCM will exclude those files and folders from being scanned when you import using an SCM. +* When you import a repository to test using Snyk Code, use an `exclude:` statement in the `.snyk` file to omit certain directories and files from the import. For details, see [Exclude directories and files from Snyk Code CLI tests](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-code/exclude-directories-and-files-from-snyk-code-cli-tests). +* A `.snyk` file with file or folder exclusions, contained in the root directory of your repository or SCM, excludes those files and folders from being scanned when you import using an SCM. * The CLI `--exclude` option used with `snyk test` and `snyk monitor` does not apply for Code scans. * The Exclude Folders option in the import windows in the Web UI does not apply for Code scans. * The `.snyk` file does not apply for excluding files and directories from IDE scanning of Code. -* For Code and Container scans only., you can use exclusion globs in API import, including an import with the `snyk-api-import` tool. This exclusion works the same way as an SCM integration exclusion. +* For Code and Container scans only, you can use exclusion globs in API import, including an import with the `snyk-api-import` tool. This exclusion works the same way as an SCM integration exclusion. ### How do I avoid scanning certain files for Container scans? diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/how-ignores-work-for-projects-imported-using-an-scm-and-the-cli.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/how-ignores-work-for-projects-imported-using-an-scm-and-the-cli.md index 9a2f018c07c2..ce8083797588 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/how-ignores-work-for-projects-imported-using-an-scm-and-the-cli.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/ignore-issues/how-ignores-work-for-projects-imported-using-an-scm-and-the-cli.md @@ -5,11 +5,11 @@ When you ignore an issue, you must consider the following factors: * How was the Project imported: Through an SCM? Through the CLI? * What Snyk product scanned the Project: Snyk Open Source, Snyk Code, or another? * How was the ignore created: In a policy? Through the UI from the Project page? Using an API? In a `.snyk` file? - * For ignores created in a policy, ignoring an issue on the Organization level will ensure the issues are ignored for Projects imported using an SCM and Projects imported using the CLI. - * Ignoring for a particular Project or attribute will ensure the issue is ignored only for the specific Project and only for Projects imported using an SCM. + * For ignores created in a policy, ignoring an issue on the Organization level ensures the issues are ignored for Projects imported using an SCM and Projects imported using the CLI. + * Ignoring for a particular Project or attribute ensures the issue is ignored only for the specific Project and only for Projects imported using an SCM. * For more information, see [Ignore issues in the Snyk Web UI](./#ignore-issues-in-the-snyk-web-ui), [Security policies](../../policies/security-policies/), and [The `.snyk` file](../../policies/the-.snyk-file.md). -Depending on these factors, the ignore is respected for testing in different places. Where will the ignore be respected testing? +Depending on these factors, the ignore is respected for testing in different places. Where is the ignore respected for testing? * In the UI and an SCM PR test? * In a CLI test, either local or in a build pipeline, and in an IDE test? @@ -24,7 +24,7 @@ If you added an ignore in the UI, support for ignores and the test results diffe ## Import through an SCM -The following table summarizes how an ignore will be respected for testing depending on the way you set the ignore for Projects imported through an SCM. +The following table summarizes how an ignore is respected for testing depending on the way you set the ignore for Projects imported through an SCM. | Import through an SCM and set ignore by available methods | Ignore respected in UI for retesting | Ignore respected in CLI and IDE tests | | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------ | @@ -34,10 +34,10 @@ The following table summarizes how an ignore will be respected for testing depen ## Import through the CLI -The following table summarizes how an ignore will be respected for testing depending on the way you set the ignore for Projects imported through the CLI. +The following table summarizes how an ignore is respected for testing depending on the way you set the ignore for Projects imported through the CLI. | Import through the CLI and set ignore by available methods | Ignore respected in UI for retesting | Ignore respected in CLI and IDE tests | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ | ------------------------------------------------------- | -| Ignore by policy (add ignore commands to your security policies) For an IDE and the CLI the testing must be done in the relevant Organization in order for the policies to be used. |

Open Source: ✅

Container: ✅

Code: ✅

|

Open Source: ✅

Container: ❌

Code: ✅

| +| Ignore by policy (add ignore commands to your security policies) For an IDE and the CLI, the testing must be done in the relevant Organization for the policies to be used. |

Open Source: ✅

Container: ✅

Code: ✅

|

Open Source: ✅

Container: ❌

Code: ✅

| | Ignore by UI or API |

Open Source: ✅

Container: ✅

Code: ✅

|

Open Source: ✅

Container: ❌

Code: ✅

| | Ignore by `.snyk` file (add the issue to a `.snyk` file in the repository; for Open Source; the `.snyk` file must be in the same folder as the manifest file; applies to the `snyk test` and `snyk monitor` commands) |

Open Source: ✅

Container: ✅

Code: ❌

|

Open Source: ✅

Container: ✅

Code: ❌

| diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/malicious-packages.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/malicious-packages.md index 07feea1db884..3c0b1aa1acdf 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/malicious-packages.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/malicious-packages.md @@ -83,7 +83,7 @@ More details about this type of attack are described in the [malicious versions ## Verifying the provenance of packages -At present, Snyk Open Source and Snyk Container scanners are unable to differentiate between internal and external packages, meaning that they cannot determine if a package has been imported from a public or a private registry. This capability will be added in the future. Meanwhile, you might see inaccurate alerts related to packages imported from a private registry. +At present, Snyk Open Source and Snyk Container scanners cannot differentiate between internal and external packages, meaning that they cannot determine if a package has been imported from a public or a private registry. Snyk plans to add this capability in the future. Meanwhile, you might see inaccurate alerts related to packages imported from a private registry. A Snyk alert is a warning that an attack has targeted the organization, not an implication that the organization published the malware. @@ -147,13 +147,13 @@ If you do not have an `.npmrc` file or it does not specify a registry, npm uses If you use npm, you can host your private packages on the npm registry. -If your company is using this [service](https://docs.npmjs.com/about-private-packages), then the public registry will be https://registry.npmjs.org. +If your company is using this [service](https://docs.npmjs.com/about-private-packages), then the public registry is https://registry.npmjs.org. -In this case, you will need to verify that the packages used are private, by logging in to the npm website. +In this case, you must verify that the packages used are private, by logging in to the npm website. ## Remediation of malicious package findings -If you find evidence that a malicious package was installed in your environment, you should do the following: +If you find evidence that a malicious package was installed in your environment, do the following: * Immediately remove it from the local drive, both the local folder `node_modules` and global package manager cache. * Remove it from the package registry proxy cache and database if it exists. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/prioritization-for-snyk-essentials.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/prioritization-for-snyk-essentials.md index e8ae8d45cd15..4308788c1fcd 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/prioritization-for-snyk-essentials.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/prioritization-for-snyk-essentials.md @@ -2,4 +2,4 @@ Snyk uses holistic application intelligence to help you better identify and prioritize your Container, Code, and Open Source issues based on the risk they pose to your application. You can also prioritize your issues based on asset classification as defined in asset-related policies. -You can access the **Issues** page from the Snyk Web UI. The **Issues** page provides a centralized view of all the issues identified by Snyk with additional asset context. This will empower AppSec teams to better triage and remediate issues in Snyk. **Issues** is available at the Group level or at the Organization level. +You can access the **Issues** page from the Snyk Web UI. The **Issues** page provides a centralized view of all the issues identified by Snyk with additional asset context. This empowers AppSec teams to better triage and remediate issues in Snyk. **Issues** is available at the Group level or at the Organization level. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score-vs-risk-score.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score-vs-risk-score.md index 1d01197a9f8b..3bb071c116cb 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score-vs-risk-score.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score-vs-risk-score.md @@ -2,7 +2,7 @@ The Snyk Risk score and Priority score are keys to security management. Both types of score help Organizations handle current threats and prepare for future vulnerabilities, leading to a more robust security framework. -The Priority and Risk Scores rank the issues and the urgency of fixing them. Both scores provide a number between 1 and 1000, where 1 means low severity and 1000 means high severity. Snyk uses these numbers to indicate the urgency of remediating a vulnerability. +The Priority and Risk Scores rank the issues and the urgency of fixing them. Both scores provide a number between 1 and 1,000, where 1 means low severity and 1,000 means high severity. Snyk uses these numbers to indicate the urgency of remediating a vulnerability. {% hint style="info" %} Risk score assesses the potential impact of vulnerabilities, prioritizing those with severe consequences. @@ -14,7 +14,7 @@ Risk Score and Priority Score are fundamental to vulnerability management. Risk If you want to compare scores, ensure you are looking at the same type of score and for the same product. For example, you can compare a Risk score from Snyk Open Source with another Risk score from Snyk Open Source but cannot compare a Risk score from Snyk Open Source with another Risk score from Snyk Container. -By default, the Priority score is enabled for Snyk Container, Snyk Code, Snyk IaC, and Snyk Open Source issues. If the user enables the Risk score from Snyk Preview, then the scores are applied like this: +By default, the Priority score is enabled for Snyk Container, Snyk Code, Snyk IaC, and Snyk Open Source issues. If you enable the Risk score from Snyk Preview, then Snyk applies the scores like this: * Risk score is applied to Snyk Container and Snyk Open Source issues. * Priority score is applied to Snyk Code and Snyk IaC issues. @@ -44,8 +44,8 @@ Priority Score helps your team quickly prioritize and address urgent Project vul The assessment model used by the Priority score focuses on two factors: -* Impact - Snyk analyses the possibility of a fix to address multiple vulnerabilities. The Priority score increases exponentially with the number of vulnerabilities addressed by a fix. -* Actionability - Snyk analyses how easy it is to remediate a vulnerability. +* Impact - Snyk analyzes the possibility of a fix to address multiple vulnerabilities. The Priority score increases exponentially with the number of vulnerabilities addressed by a fix. +* Actionability - Snyk analyzes how easy it is to remediate a vulnerability. ## When and why to use the Risk score @@ -85,7 +85,7 @@ Scan your source code and apply the following filters to your list of found vuln ### Risk score use case -Let's assume that you are integrating a new third-party library into an existing application, and after a scan, you discover that the library has several vulnerabilities. Filter the vulnerabilities using the Risk score to determine which vulnerabilities pose the greatest threat. +Assume that you are integrating a new third-party library into an existing application, and after a scan, you discover that the library has several vulnerabilities. Filter the vulnerabilities using the Risk score to determine which vulnerabilities pose the greatest threat. Remember that Risk score must first be enabled from the [Snyk Preview](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/snyk-hierarchy/snyk-preview) screen and can only be applied to Snyk Open Source and Snyk Container. @@ -97,7 +97,7 @@ Scan your source code and apply the following filters to your list of found vuln * Computed fixability: Fixable * Exploit maturity: Mature -After you apply the filters, you have a list of the most critical vulnerabilities that need to be fixed before safely integrating the third-party library with your application. Fixing these critical issues you are preventing a potential security breach and are also safeguarding the integrity of your application. +After you apply the filters, you have a list of the most critical vulnerabilities that need to be fixed before safely integrating the third-party library with your application. By fixing these critical issues, you prevent a potential security breach and safeguard the integrity of your application. Given the high severity and the mature exploit, the risk score for this issue would be elevated, indicating an urgent need for action. In this scenario, organizations should prioritize patching this vulnerability immediately due to the high risk of exploitation. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score.md index 622c0d65889d..f8eb8252e7bd 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/priority-score.md @@ -1,8 +1,8 @@ # Priority Score -The Snyk Priority Score is a single value assigned to an issue, to help you quickly and easily decide which issues are most important to fix. Scores range from 0 to 1,000; the higher the score, the more important it is to fix that issue. +The Snyk Priority Score is a single value assigned to an issue, to help you quickly decide which issues are most important to fix. Scores range from 0 to 1,000. The higher the score, the more important it is to fix that issue. -The Snyk Priority Score is determined based on a number of industry-standard criteria, including CVSS score, trending vulnerabilities, reachability, availability of exploits, and other factors. These factors yield scores with a high degree of granularity. This granularity avoids having many issues with the same score, allowing you to determine the importance of an issue quickly and accurately. +The Snyk Priority Score is determined based on a number of industry-standard criteria, including CVSS score, trending vulnerabilities, reachability, availability of exploits, and other factors. These factors yield scores with a high degree of granularity. This granularity avoids having many issues with the same score, letting you determine the importance of an issue quickly and accurately. {% hint style="info" %} Snyk does not use the CVSS score alone to determine priority; other factors are also considered. @@ -22,7 +22,7 @@ You can filter issues by Priority Score range in the left sidebar. ## View issues by Priority Score -The **Issues** tab on the Project details allows you to filter issues by Priority Score. You can find more details on how to filter your issues on the [Manage and remediate issues](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/implementation-guides/enterprise-implementation-guide/manage-and-remediate-issues) page. +The **Issues** tab on the Project details lets you filter issues by Priority Score. You can find more details on how to filter your issues on the [Manage and remediate issues](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/implementation-guides/enterprise-implementation-guide/manage-and-remediate-issues) page. ## View Priority Score in the Snyk API diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/reachability-analysis.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/reachability-analysis.md index d7c1d492a93f..5ce75160a7f7 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/reachability-analysis.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/reachability-analysis.md @@ -6,11 +6,11 @@ Reachability analysis is in General Availability (GA) for specific [integrations and programming languages](reachability-analysis.md#supported-languages-and-integrations). {% endhint %} -Snyk reachability analysis allows you to analyze risk by identifying whether your application is calling a code element (for example, functions, classes, modules, and more) related to the vulnerability, thus raising the chances of that vulnerability being exploited in the context of your application. +Snyk reachability analysis lets you analyze risk by identifying whether your application is calling a code element (for example, functions, classes, modules, and more) related to the vulnerability, raising the chances of that vulnerability being exploited in the context of your application. -Reachability analysis can be used as an indicator to make decisions, or as part of a broader risk-based prioritization approach using the Snyk Risk Score. +You can use reachability analysis as an indicator to make decisions, or as part of a broader risk-based prioritization approach using the Snyk Risk Score. -Snyk uses a combination of static program analysis and various AI techniques to determine the reachability of a given vulnerability, with validation conducted by security research experts. These capabilities enable Snyk to quickly analyze the code without requiring the application to be built prior to the scan. +Snyk uses a combination of static program analysis and various AI techniques to determine the reachability of a given vulnerability, with validation conducted by security research experts. These capabilities enable Snyk to quickly analyze the code without requiring the application to be built before the scan. To use this feature, Snyk must analyze your source code. To learn more, visit [How Snyk handles your data](https://app.gitbook.com/s/ELvljsaLKPkSpffOkmsQ/how-snyk-handles-your-data). @@ -21,8 +21,8 @@ Snyk uses a combination of security expert analysis, program analysis, and vario * Enriching vulnerabilities with the patches applied to fix them - as part of the Snyk vulnerability curation process, Snyk references the fix commit that the maintainer applied. * Related elements analysis - Based on the commit fix, Snyk uses DeepCode AI program analysis to analyze the code elements and other parameters related to the vulnerability. * Root Cause analysis - Snyk uses DeepCode AI and Natural Language Processing (NLP) techniques to automatically rank the related code elements by their chances of being the root cause of the vulnerability. -* Reachability analysis - As issues are found in your application by a Snyk scan, the DeepCode program analysis engine is used to analyze the call graph of your application in relation to the call graph between the open-source dependencies used. A path between your application and a code element ranked as a root cause will yield a “Reachable” vulnerability. -* Security experts supervision - Snyk security experts will manually verify and mark elements as root causes in order to make the entire analysis more accurate over time +* Reachability analysis - As a Snyk scan finds issues in your application, the DeepCode program analysis engine analyzes the call graph of your application in relation to the call graph between the open-source dependencies used. A path between your application and a code element ranked as a root cause yields a “Reachable” vulnerability. +* Security experts supervision - Snyk security experts manually verify and mark elements as root causes to make the entire analysis more accurate over time The following considerations related to false positives and false negatives apply to Reachable vulnerability analysis. @@ -30,7 +30,7 @@ Program analysis requires a trade-off between accurate results, minimizing false To facilitate this trade-off, Snyk DeepCode analysis applies real-time decision-making to determine whether to under-approximate the set of reachable elements based on analysis of the likelihood that a reachable path will be found in a specific environment. -For example, it is not always possible to give a precise answer when reflection programming is used. In such a case, neither returning a large set of false positives nor returning “Not reachable” will suffice. The agentic capability of Snyk analysis optimizes in order to retrieve the most accurate and complete result possible for a given code structure. +For example, it is not always possible to give a precise answer when reflection programming is used. In such a case, neither returning a large set of false positives nor returning “Not reachable” will suffice. The agentic capability of Snyk analysis optimizes to retrieve the most accurate and complete result possible for a given code structure. {% hint style="info" %} Changes in the first-party code, in the vulnerability analysis, and enhancements in the SAST engine can impact the results. Therefore, vulnerabilities labeled as **Not path found** can change to **Reachable** over time. @@ -160,7 +160,7 @@ After it is identified, a vulnerability has one of the following reachability st * `NOT APPLICABLE` - Reachability is not supported for this vulnerability. {% hint style="info" %} -A vulnerability with the status `NO PATH FOUND` it does not mean that the vulnerability is completely unreachable or unexploitable. +A vulnerability with the status `NO PATH FOUND` does not mean that the vulnerability is completely unreachable or unexploitable. {% endhint %} Reachability analysis status is available on the Project page, as part of the Risk Score, in the [Issues Detail report](../analytics/reports-tab/exposure-and-coverage-reports.md#issues-detail-report), and through the API endpoint [Get issues by Group ID](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/issues#groups-group_id-issues). @@ -177,7 +177,7 @@ For Projects that have been imported through a CLI monitor, the Reachability sta ### Reachability analysis as part of the Risk Score -[Risk Score](risk-score.md) helps you apply holistic risk-based prioritization that combines multiple factors, associated with either the vulnerability or the context of your application. Reachability analysis is such a contextual factor that will significantly increase the overall score. +[Risk Score](risk-score.md) helps you apply holistic risk-based prioritization that combines multiple factors, associated with either the vulnerability or the context of your application. Reachability analysis is such a contextual factor that significantly increases the overall score. Risk Score is available on the Projects page and through the API and Reports. @@ -190,7 +190,7 @@ Risk Score is available on the Projects page and through the API and Reports. Snyk supports Reachability CLI version `1.1301.0` and greater. To perform Reachability analysis, use the `--reachability=true` option. {% hint style="info" %} -When using `--reachability`, Snyk returns a new findings schema. Some legacy fields may not be available in this schema. Before using, please first check your usage to ensure automations do not fail. +When using `--reachability`, Snyk returns a new findings schema. Some legacy fields might not be available in this schema. Before using, first check your usage to ensure automations do not fail. {% endhint %} By default, Snyk uploads source code from the current working directory for Reachability analysis. To specify source files for analysis in a separate directory, use the `--source-dir` option. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/risk-score.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/risk-score.md index d1a8500152ee..02a9650bf9ef 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/risk-score.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/risk-score.md @@ -8,11 +8,11 @@ Risk Score is in Early Access and available for Snyk Open Source and Snyk Contai Use [Snyk Preview](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/snyk-hierarchy/snyk-preview) to replace the Priority Score with the new Risk Score for Snyk Open Source and Snyk Container issues. {% endhint %} -The Snyk Risk Score is a single value assigned to an issue, applied by automatic risk analysis for all vulnerability-type issues. License issues are not supported. Risk Score is based on the potential impact and likelihood of exploitability. Ranging from 0 to 1,000, the score represents the risk imposed on your environment and enables a risk-based prioritization approach. +The Snyk Risk Score is a single value assigned to an issue, applied by automatic risk analysis for all vulnerability-type issues. License issues are not supported. Risk Score is based on the potential impact and likelihood of exploitability. Ranging from 0 to 1,000, the score represents the risk imposed on your environment and supports a risk-based prioritization approach. -Risk score remains the same over time if the contributing factors do not change. However, some contributing factors, such as the Exploit Prediction Scoring System (EPSS), can potentially change frequently. The number of days since the vulnerability was first published is also a factor and causes the score to change once, when the number of days becomes more than one year, and the likelihood subscore decreases. +Risk score remains the same over time if the contributing factors do not change. However, some contributing factors, such as the Exploit Prediction Scoring System (EPSS), can potentially change frequently. The number of days since the vulnerability was first published is also a factor and causes the score to change one time, when the number of days becomes more than one year, and the likelihood subscore decreases. -Since real risk is scarce, you should expect a significant drift in the distribution of scores, as can be seen in this example of Project score distributions: +Since real risk is scarce, expect a significant drift in the distribution of scores, as shown in this example of Project score distributions:
Example Project scores distribution

Example Project scores distribution

@@ -50,11 +50,11 @@ The Risk model results from extensive research conducted by the Snyk Security Da Objective impact factors are the CVSS impact metrics, Availability, Confidentiality, Integrity, and Scope, calculated based on the CVSS impact subscore. For Container issues, Provider Urgency is also taken into account. -The business criticality Project attribute will be taken into account as a contextual impact factor, increasing or decreasing the impact subscore. For more information, see [Project attributes](../../snyk-platform-administration/snyk-projects/project-attributes.md). +Snyk takes the business criticality Project attribute into account as a contextual impact factor, increasing or decreasing the impact subscore. For more information, see [Project attributes](../../snyk-platform-administration/snyk-projects/project-attributes.md). ### Likelihood subscore -Objective likelihood factors are taken into account: +Snyk takes objective likelihood factors into account: * Exploit Maturity * Exploit Prediction Scoring System (EPSS) @@ -133,7 +133,7 @@ User-defined Project attribute representing the subjective business impact of th | `Low` | Impact subscore decreases significantly. | {% hint style="info" %} -When you apply a business criticality attribute to a Project, a retest is required for the Risk Scores to incorporate the new data. When no Business Criticality is assigned, the Impact subscore will not be affected. +When you apply a business criticality attribute to a Project, you must retest the Project for the Risk Scores to incorporate the new data. When no Business Criticality is assigned, the Impact subscore is not affected. {% endhint %} When the business criticality for a Project is not configured, the `high` default value is used so that the subscore remains unaffected. @@ -269,7 +269,7 @@ Building on [past studies](https://arxiv.org/pdf/2301.07972.pdf), Snyk research Snyk static code analysis determines whether the vulnerable method is being called. This is supported for Java and JavaScript. For more details, navigate to the [Reachability analysis](reachability-analysis.md) page. -When Reachability is not enabled, the Likelihood subscore will not change, and the factor will not show up. +When Reachability is not enabled, the Likelihood subscore does not change, and the factor does not show up. | Possible input values | Score impact | | --------------------- | ---------------------------------------------------------------------- | diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/README.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/README.md index 6e7393001888..74f0abed86cd 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/README.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/README.md @@ -6,15 +6,15 @@ Customize prioritization using the Set up Insights option and an application tha ### What risk factors do I need? -The Set up insights product operates by providing you with the following risk factors for your vulnerabilities: +The Set up Insights product provides the following risk factors for your vulnerabilities: * [Deployed](../assets-and-risk-factors/risk-factor-deployed.md): Is my code and container image deployed anywhere? * [OS condition](../assets-and-risk-factors/risk-factor-os-condition.md): Does this vulnerability apply to my operating system? * [Public facing](../assets-and-risk-factors/risk-factor-public-facing.md): Does my container have any internet exposure? -### Risk factors usage criteria +### Risk factors use criteria -To get data about these four risk factors, you must meet the following criteria: +To get data about these risk factors, you must meet the following criteria: #### Loaded package risk factor @@ -34,17 +34,17 @@ You need to meet the following conditions to use the Deployed and Public facing * For both risk factors, you have a container image that is deployed onto a Kubernetes cluster, where you can deploy the [Kubernetes Connector](set-up-insights-kubernetes-connector.md). -Ensure you meet these requirements to gather data for all four risk factors for the code in your scanned image. +Ensure you meet these requirements to gather data for all the risk factors for the code in your scanned image. ### Maximize your insights Snyk recommends that you also perform the following steps to get the maximum value out of insights: -* Scan the third-party dependencies using Snyk Open Source, +* Scan the third-party dependencies using Snyk Open Source * Scan the source code using Snyk Code * Start with one application and expand from there -By scanning both the source code and the third-party dependencies, you will get risk factors data, which provides the application context to better prioritize your open issues. +By scanning both the source code and the third-party dependencies, you get risk factors data, which provides the application context to better prioritize your open issues. ## Prioritization process overview @@ -64,17 +64,17 @@ The Kubernetes Connector is different from the Kubernetes Controller, Snyk-Monit The Insights settings are organized into three main categories: -* [Risk factors](./#risk-factors) - allows you to enable or disable the risk factors involved in calculating the risk of your identified issues. -* [Provider selection](./#provider-selection) - allows you to configure the Kubernetes providers. -* [Kubernetes cluster mapping](./#kubernetes-cluster-mapping) - allows you to match the clusters identified by providers with the preferred names. +* [Risk factors](./#risk-factors) - lets you enable or disable the risk factors involved in calculating the risk of your identified issues. +* [Provider selection](./#provider-selection) - lets you configure the Kubernetes providers. +* [Kubernetes cluster mapping](./#kubernetes-cluster-mapping) - lets you match the clusters identified by providers with the preferred names. -All these settings can be found in the Snyk Web UI, under Group Settings, the Settings option. +You can find all these settings in the Snyk Web UI, under Group Settings, the Settings option. ### Risk factors -You can enable or disable the available risk factors: [Deployed](../assets-and-risk-factors/risk-factor-deployed.md), [OS condition](../assets-and-risk-factors/risk-factor-os-condition.md), [Public facing](../assets-and-risk-factors/risk-factor-public-facing.md). When a risk factor is disabled, it will not be used to calculate issues. +You can enable or disable the available risk factors: [Deployed](../assets-and-risk-factors/risk-factor-deployed.md), [OS condition](../assets-and-risk-factors/risk-factor-os-condition.md), [Public facing](../assets-and-risk-factors/risk-factor-public-facing.md). When a risk factor is disabled, Snyk does not use it to calculate issues. -You can enable or disable the risk factors from Snyk web UI under Group **Settings** > **Settings** option > **Risk factors**. +You can enable or disable the risk factors from the Snyk Web UI under Group **Settings** > **Settings** option > **Risk factors**. ### Provider selection @@ -82,7 +82,7 @@ You can set up multiple Kubernetes providers to gather relevant risk factors fro The default provider setting is used when two or more providers report data for the same Kubernetes cluster. When the same deployment is identified, select which one should take priority. When no default provider is selected, the earliest data available is used. -Individual providers can also be disabled here if they should not be used when calculating Insights. +You can also disable individual providers here if they should not be used when calculating Insights. {% hint style="info" %} Consider setting up a default provider. When a default provider is not configured, Snyk prioritizes data from the first provider added. @@ -102,12 +102,12 @@ Ensure each source name is assigned to only one cluster mapping. When prioritizing issues, it is important to understand the available integration options and associated risk factors. -Here are the integration options that you can choose from when setting up issues prioritization. You can customize the settings by navigating to the Group level Snyk web UI, the Setting menu, and then the Insights option. +Here are the integration options that you can choose from when setting up issues prioritization. You can customize the settings by navigating to the Group level Snyk Web UI, the Setting menu, and then the Insights option. -* [Kubernetes Connector](set-up-insights-kubernetes-connector.md): Offers comprehensive monitoring for your Kubernetes deployments. This integration helps identify vulnerabilities within Kubernetes clusters and provides data on workload vulnerabilities, infrastructure misconfigurations, and potential malicious activity. +* [Kubernetes Connector](set-up-insights-kubernetes-connector.md): Offers comprehensive monitoring for your Kubernetes deployments. This integration helps identify vulnerabilities in Kubernetes clusters and provides data on workload vulnerabilities, infrastructure misconfigurations, and potential malicious activity. -By leveraging these integration options, you can ensure comprehensive coverage and accurate prioritization of security risks. +These integration options help you ensure comprehensive coverage and accurate prioritization of security risks. -The **Deployed** risk factor offers more specific and actionable insights into the actual state and behavior of your applications, enabling better prioritization and remediation efforts. +The **Deployed** risk factor offers more specific and actionable insights into the actual state and behavior of your applications, supporting better prioritization and remediation efforts. The **Public facing** risk factor is less commonly used in all available integration options because it covers broader, more external threats that are harder to quantify and track within an internal monitoring system. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-associating-snyk-open-source-code-and-container-projects.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-associating-snyk-open-source-code-and-container-projects.md index a257b3a94ee2..73432e790386 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-associating-snyk-open-source-code-and-container-projects.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-associating-snyk-open-source-code-and-container-projects.md @@ -26,7 +26,7 @@ The container image is the build artifact that is deployed and running on your K ## Use Project tags to link Projects -Add Snyk [Project tags](../../../snyk-platform-administration/snyk-projects/project-tags.md) to all the Projects used by your application to link these Projects together and allow Snyk to represent the whole application that you are testing. +Add Snyk [Project tags](../../../snyk-platform-administration/snyk-projects/project-tags.md) to all the Projects used by your application to link these Projects together and let Snyk represent the whole application that you are testing. To associate two Projects together, add the exact same tag to both Projects. For example, add the same tag to your Snyk Open Source Projects and Snyk Container Project if they are related to each other. @@ -34,9 +34,9 @@ See the examples at the end of this section. ## Requirements for Project tags -* The same tag must be applied to the container image and Code or Open Source Projects, -* The tag must follow the specified format, -* The Projects do not have to be in the same Snyk Organization to be mapped but must be in the same Snyk Group, +* The same tag must be applied to the container image and Code or Open Source Projects +* The tag must follow the specified format +* The Projects do not have to be in the same Snyk Organization to be mapped but must be in the same Snyk Group
Project tags

Project tags

@@ -83,7 +83,7 @@ Project Tags can be applied as follows:
ProductMethodProject Source
Snyk Code
  • API
  • UI

For projects created by

  • Git Import
Snyk Open Source
  • API
  • UI
  • CLI

For projects created by

  • Git Import
  • CLI Monitor
Snyk Container
  • API
  • UI
  • CLI

For projects created by

  • Git Import
  • CLI Monitor
  • Container Registry Integration
{% hint style="info" %} -Snyk recommends applying the tags through the API in order to automate the process. For more information, see the endpoint [Add a tag to a project](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/projects-v1#org-orgid-project-projectid-tags). +Snyk recommends applying the tags through the API to automate the process. For more information, see the endpoint [Add a tag to a project](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/projects-v1#org-orgid-project-projectid-tags). {% endhint %} ## UI example for Project tags diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-image-scanning.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-image-scanning.md index 987b2ea64124..e3f595ae2e38 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-image-scanning.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-image-scanning.md @@ -2,9 +2,9 @@ To determine the risk factors and prioritize your Code, Open Source, and Container issues, you must scan your container images using [Snyk Container](../../../scan-with-snyk/snyk-container/). -The container image is at the center of the application model that powers Snyk Enterprise. A container image includes your source code and dependencies, and it is deployed to your running environment, enabling Snyk to use the container image to bridge the development and deployment states.\ +The container image is at the center of the application model that powers Snyk Enterprise. A container image includes your source code and dependencies, and it is deployed to your running environment, so Snyk can use the container image to bridge the development and deployment states.\ \ -Snyk will identify any deployed container images using the [Kubernetes Connector](set-up-insights-kubernetes-connector.md) and compare the deployed container images to the list of scanned images you have scanned using [Snyk Container](../../../scan-with-snyk/snyk-container/). +Snyk identifies any deployed container images using the [Kubernetes Connector](set-up-insights-kubernetes-connector.md) and compares the deployed container images to the list of scanned images you scanned using [Snyk Container](../../../scan-with-snyk/snyk-container/). {% hint style="info" %} Snyk recommends that you scan each image using at least one of the Snyk Container integrations. @@ -22,13 +22,13 @@ For details, see [Snyk CLI for container security](https://app.gitbook.com/s/IEE ## Snyk Container registry scanning -The names will match if you are importing images to Snyk from the same container registry that you are referencing in your Kubernetes deployments. +The names match if you are importing images to Snyk from the same container registry that you are referencing in your Kubernetes deployments. For details, see [Snyk Container - Integrations](../../../scan-with-snyk/snyk-container/container-registry-integrations/). ## Snyk Container scanning with Kubernetes integration -The names of the container images will match because the deployed image is scanned by Snyk and created as a Project. +The names of the container images match because Snyk scans the deployed image and creates it as a Project. {% hint style="info" %} To ensure you have set up your Kubernetes Connector properly, navigate to the **Set up Insights** tab on the **Issues** page and check the **Image coverage** section to view the data Insights has access to. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-kubernetes-connector.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-kubernetes-connector.md index 3186357382af..7ede0443f00b 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-kubernetes-connector.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-kubernetes-connector.md @@ -17,7 +17,7 @@ The Kubernetes connector is the agent deployed in your Kubernetes clusters to co Before you can deploy the Kubernetes connector in your Kubernetes clusters, ensure you have the following: -* A Snyk Organization to which the Kubernetes information collected will be sent to be stored. This could be a new Organization. +* A Snyk Organization to which Snyk sends the collected Kubernetes information for storage. This can be a new Organization. * A Snyk service account created specifically to be used with the Kubernetes connector. For instructions on creating a service account, see [Service accounts](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/service-accounts/service-accounts). For the roles and permissions, Snyk recommends: * Creating a new specific role for this service account * Taking a least privilege approach, granting the new specific role the sole permission required to **Publish Kubernetes Resources**. @@ -38,9 +38,9 @@ This example illustrates creating a new role called **Kubernetes connector** ### Assign permissions to this role -Navigate to the newly created role and [select edit](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management#edit-a-custom-role); you will also be taken to this page immediately after creating the role. +Navigate to the newly created role and [select edit](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management#edit-a-custom-role). Snyk also takes you to this page immediately after you create the role. -Scroll to the bottom of the page, tick the **Publish Kubernetes Resources** permission, and save the changes by clicking the **Update Role Permissions** button. +Scroll to the bottom of the page, select the **Publish Kubernetes Resources** permission, and save the changes by clicking **Update Role Permissions**.
Publish Kubernetes Resources permission

Publish Kubernetes Resources permission

@@ -58,11 +58,11 @@ Create a new service account with your chosen name, and from the dropdown, selec
Select the Insights Kubernetes Agent role

Select the Kubernetes Agent role

-After the service account is created, you will see the API token. Copy the API token and save it somewhere safe; you will need this to configure the agent in the Helm chart. +After you create the service account, the API token appears. Copy the API token and save it somewhere safe. You need this to configure the agent in the Helm chart. ### Install the Kubernetes connector in your Kubernetes clusters -Snyk recommends using the Helm Chart to deploy the agent; the Helm Chart will create the associated permissions for the agent to run on your cluster. The user installing the Helm Chart needs sufficient permissions on the Kubernetes cluster to create new roles.\ +Snyk recommends using the Helm Chart to deploy the agent. The Helm Chart creates the associated permissions for the agent to run on your cluster. The user installing the Helm Chart needs sufficient permissions on the Kubernetes cluster to create new roles.\ \ [Follow the instructions on the Kubernetes-scanner GitHub repo](https://github.com/snyk/kubernetes-scanner) to use the Helm Chart to deploy the [latest released version](https://github.com/snyk/kubernetes-scanner/releases). @@ -93,8 +93,8 @@ If you have only the existing agent installed, Snyk can compute only the **Deplo **What happens to my data if I delete the Kubernetes connector?** -If you choose to delete the Kubernetes connector, your data and risk factors will remain available for 48 hours. +If you choose to delete the Kubernetes connector, your data and risk factors remain available for 48 hours. **What happens to my data if the Kubernetes connector stops working?** -If, for any reason, the Kubernetes connector stops working, your data and risk factors will remain available for 48 hours. +If, for any reason, the Kubernetes connector stops working, your data and risk factors remain available for 48 hours. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-user-permissions.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-user-permissions.md index b82b10d5bfff..f9f62ed9f0f2 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-user-permissions.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/set-up-insights/set-up-insights-user-permissions.md @@ -2,4 +2,4 @@ Set up Insights is available at the Group level, so [grant relevant users the Group viewer or the Organization Collaborator role](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/user-role-management#manage-roles). This is the minimum required permission, but Group Admins can also view Prioritization. -After you have the right permission, you will see a new **Issues UI** option in the left navigation at the Group level. On the Issues page, you can also see two tabs, one for viewing and customizing your **Issues**, and one to **Set up Insights**. +After you have the right permission, a new **Issues UI** option appears in the navigation at the Group level. On the Issues page, you can also see two tabs, one for viewing and customizing your **Issues**, and one to **Set up Insights**. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/severity-levels.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/severity-levels.md index ff1a506d06de..4a3af0d00780 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/severity-levels.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/severity-levels.md @@ -45,7 +45,7 @@ The Common Vulnerability Scoring System (CVSS) determines the severity level of Snyk supports the [CVSS framework version 4.0](https://www.first.org/cvss/v4-0/), along with the previous version, [CVSS framework version 3.1](https://www.first.org/cvss/v3-1/), to designate the characteristics and severity of vulnerabilities. -Vulnerabilities published prior to the support of CVSS v4.0, are based on the 3.1 version of CVSS to define severities. +Vulnerabilities published before the support of CVSS v4.0 are based on the 3.1 version of CVSS to define severities. | **Level** | **CVSS score** | | --------- | -------------- | @@ -68,7 +68,7 @@ There are multiple CVSS Scores for the same vulnerability for several reasons: * ​When evaluating the severity of a vulnerability, it is important to note that there is no single CVSS vector. There are multiple CVSS vectors defined by multiple vendors; the [National Vulnerability Database](https://nvd.nist.gov/) (NVD) is one. * The majority of vulnerabilities published by Snyk originate from [proprietary research](https://security.snyk.io/disclosed-vulnerabilities), public information sources, or through third-party disclosures. -* For example, when Snyk discovered the Critical Severity [Spring4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751), the advisory was published on March 30, 2022, with the CVSS vector analysis. This was before an official CVE was assigned and before NVD conducted its analysis, which was published nine days later on April 8, 2022. +* For example, when Snyk discovered the Critical Severity [Spring4Shell vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751), the advisory was published on March 30, 2022, with the CVSS vector analysis. This was before an official CVE was assigned and before NVD conducted its analysis, which was published nine days later, on April 8, 2022. * Having some differences in CVSS vectors is normal and expected. The likelihood of certain attack vectors will involve discrepancies and judgments made about them that make sense for the application and use cases of open source software users. * The severity of a vulnerability is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data, from vendors to reporters to attackers. * There are times when a vendor discovers additional information about a vulnerability that can affect its severity. Users can find all the relevant information used to determine the severity that Snyk curated in the description and references of the advisory. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/export-and-customize-views.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/export-and-customize-views.md index 01c4aacb39b1..ec103659544a 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/export-and-customize-views.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/export-and-customize-views.md @@ -2,6 +2,6 @@ By using the **Modify Columns** dropdown, you can customize the data you see in your table view by choosing from a variety of options. -You can also export the data from your table view in CSV format, but note that your choice of visible columns within the product will not affect the exported data. +You can also export the data from your table view in CSV format, but note that your choice of visible columns in the product does not affect the exported data. -Filters applied to the issue data will affect the exported data. +Filters applied to the issue data do affect the exported data. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/filter-your-issues.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/filter-your-issues.md index 63ff9d14fc82..0b83eae40eec 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/filter-your-issues.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/using-the-issues-ui/filter-your-issues.md @@ -4,7 +4,7 @@ Snyk Issues operates at the Group level and provides a holistic view of all the ## Funnel view -The funnel view is a visual representation of your application's issues and risk factors. It allows you to filter the list of issues by specific risk factors or a combination of them. The **Deployed** and **Public facing** risk factors are clickable filters. +The funnel view is a visual representation of your application's issues and risk factors. It lets you filter the list of issues by specific risk factors or a combination of them. The **Deployed** and **Public facing** risk factors are clickable filters. {% hint style="info" %} The OS Condition risk factor is now available only in the table view of the Issues UI. @@ -21,7 +21,7 @@ By using the filters above the table view, you can filter your issues by the fol * **Source code** - view only issues related to specific source code. * **Issue severity** - view only critical, high, medium, or low-severity issues. * **"Fixed in" Available** - filter issues based on the "Fixed in" version availability. -* **Project name** - filter issues based on the name(s) of selected Project(s). +* **Project name** - filter issues based on the names of selected Projects. * **Snyk Product** - view only issues scanned by specific Snyk products. * **Add filter** - filter issues based on additional options. Click the **Show all project filters** option to view all available filters, organized by General, Assets, Issues, Projects. diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerabilities-with-social-trends.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerabilities-with-social-trends.md index b207e6c35a2d..2bcecc5b0e74 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerabilities-with-social-trends.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerabilities-with-social-trends.md @@ -2,9 +2,9 @@ Snyk Social Trends shows a **Trending** notification for issues that are being actively discussed on X (formerly known as Twitter). -Social Trends are calculated as part of the priority score by default. You can look at the top tweets mentioning this vulnerability by clicking on **View Tweets**. +Snyk calculates Social Trends as part of the priority score by default. To see the top tweets mentioning this vulnerability, click **View Tweets**. -Snyk determines that a vulnerability is trending and displays the Trending banner as follows: trending? +Snyk determines that a vulnerability is trending and displays the Trending banner as follows: * Snyk monitors mentions of known vulnerabilities on X, calculating the trend of tweets and reactions. * Bots and other noise are canceled out to guarantee accuracy. @@ -12,5 +12,5 @@ Snyk determines that a vulnerability is trending and displays the Trending banne * The **Trending** notification remains live until several days after the trend dissipates. {% hint style="info" %} -See [Priority Score](priority-score.md) for more information on how vulnerabilities are prioritized by Snyk. +See [Priority Score](priority-score.md) for more information on how Snyk prioritizes vulnerabilities. {% endhint %} diff --git a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerable-conditions.md b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerable-conditions.md index 6c7033832a28..e375b4bc9abc 100644 --- a/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerable-conditions.md +++ b/scan-fix-and-prevent/manage-risk/prioritize-issues-for-fixing/vulnerable-conditions.md @@ -24,7 +24,7 @@ This feature is available only for the Java (Gradle and Maven) ecosystem when yo In the context of your application, the Triage Assistant evaluates the vulnerable conditions, which helps you determine the exploitability of your application. -‌Snyk Code ([SAST](https://snyk.io/learn/application-security/sast-vs-dast/)) engine is used to read your first-party code and to check the conditions for the vulnerabilities found by Snyk Open Source (SCA). +The Snyk Code ([SAST](https://snyk.io/learn/application-security/sast-vs-dast/)) engine reads your first-party code and checks the conditions for the vulnerabilities found by Snyk Open Source (SCA). {% hint style="info" %} To provide this feature, Snyk takes a temporary copy of your Git repository contents. For more information, see [How Snyk handles your data](https://app.gitbook.com/s/ELvljsaLKPkSpffOkmsQ/how-snyk-handles-your-data). @@ -46,4 +46,4 @@ Jackson Vulnerable Conditions must meet all of the following conditions for the ## When is a vulnerability with Exploit Maturity not exploitable? -A vulnerability may have exploits available in the wild or detailed explanations of how to exploit it, but as long as not all the conditions are not met, the vulnerability will remain unexploitable. +A vulnerability may have exploits available in the wild or detailed explanations of how to exploit it, but as long as not all the conditions are met, the vulnerability remains unexploitable. diff --git a/scan-fix-and-prevent/scan-with-snyk/error-catalog.md b/scan-fix-and-prevent/scan-with-snyk/error-catalog.md index 978dd9be2541..443af5b136cb 100644 --- a/scan-fix-and-prevent/scan-with-snyk/error-catalog.md +++ b/scan-fix-and-prevent/scan-with-snyk/error-catalog.md @@ -2,7 +2,7 @@ ## Snyk Error Codes -The error codes in the table below describe the codes that you may encounter while working with the [Snyk API](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/snyk-api) or [CLI](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli). When errors are encountered using the API, they will also have an appropriate [HTTP status code](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes). If you encounter errors without an error code, use the HTTP status code to determine the appropriate action. +The following table describes the codes that you might encounter while working with the [Snyk API](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/snyk-api) or [CLI](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli). Errors encountered through the API also have an appropriate [HTTP status code](https://en.wikipedia.org/wiki/List_of_HTTP_status_codes). If you encounter errors without an error code, use the HTTP status code to determine the appropriate action. *** diff --git a/scan-fix-and-prevent/scan-with-snyk/import-project-repository/remove-imported-repository-from-a-project.md b/scan-fix-and-prevent/scan-with-snyk/import-project-repository/remove-imported-repository-from-a-project.md index 815aac7b6caf..cd83cbcc60dc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/import-project-repository/remove-imported-repository-from-a-project.md +++ b/scan-fix-and-prevent/scan-with-snyk/import-project-repository/remove-imported-repository-from-a-project.md @@ -7,7 +7,7 @@ If you do not want Snyk to continue testing one or more of your imported reposit * Delete the repository from your Snyk Account. {% hint style="info" %} -If you remove the entire repository from your Account, your repository will no longer be analyzed by any of the Snyk products. +If you remove the entire repository from your Account, no Snyk product analyzes your repository any longer. {% endhint %} * Remove only the **Code analysis** Project from your Snyk Account in one of the following ways: @@ -15,24 +15,24 @@ If you remove the entire repository from your Account, your repository will no l * Delete the Project from your Snyk Account. {% hint style="info" %} -If you remove only the **Code analysis** Project, other Snyk products that are enabled in your account will continue to analyze the imported repository. +If you remove only the **Code analysis** Project, other Snyk products that are enabled in your account continue to analyze the imported repository. {% endhint %} ## **Remove imported repository methods** -To select the right method for you for removing repositories from Snyk testing, consider what will happen in each of the following actions: +To select the right method for removing repositories from Snyk testing, consider what happens in each of the following actions: -* Deactivating an imported repository will: - * Remove the webhook from Snyk to the SCM repository. - * Disable pull request tests for new vulnerabilities. - * Disable the Fix Pull Requests option from being opened for newly discovered vulnerabilities - * Disable recurring tests; email alerts about newly discovered vulnerabilities will be turned off. -* Deleting a Snyk Project or an imported repository will: - * Delete the entire Project or repository and all its historical snapshot data from Snyk. - * Remove the webhook from the SCM repository. +* Deactivating an imported repository does the following: + * Removes the webhook from Snyk to the SCM repository. + * Disables pull request tests for new vulnerabilities. + * Disables the Fix Pull Requests option from being opened for newly discovered vulnerabilities. + * Disables recurring tests and turns off email alerts about newly discovered vulnerabilities. +* Deleting a Snyk Project or an imported repository does the following: + * Deletes the entire Project or repository and all its historical snapshot data from Snyk. + * Removes the webhook from the SCM repository. {% hint style="info" %} -Deleting a Snyk Project or an imported repository will not have any effect on your source code. +Deleting a Snyk Project or an imported repository does not have any effect on your source code. If you want to remove specific directories or files from the Snyk Code test, use [the exclude option in the `.snyk` file](exclude-directories-and-files-from-project-import.md). {% endhint %} @@ -43,7 +43,7 @@ For instructions on deleting repositories, see the Project actions [Delete, Acti ## **Deactivate and delete a Snyk Code Project** -To stop Snyk Code from testing an imported repository, you can either deactivate or delete the **Code analysis** Project in the repository. The **Code analysis** Project will no longer be active in the repository and Snyk Code will stop testing the repository, but other Snyk products will continue to scan the repository files. +To stop Snyk Code from testing an imported repository, you can either deactivate or delete the **Code analysis** Project in the repository. The **Code analysis** Project is no longer active in the repository, and Snyk Code stops testing the repository, but other Snyk products continue to scan the repository files. Follow these steps to deactivate or delete the Code analysis Project: @@ -59,11 +59,11 @@ Follow these steps to deactivate or delete the Code analysis Project: Deactivating a Project keeps it on the **Projects** page along with the issues count from the last scan, which contributes to the Target-level aggregate when Projects are grouped by Target. Deleting the Project removes all values from the page. {% endhint %} -The **Code analysis** Project you selected is either deactivated or deleted, and its repository will no longer be tested by Snyk Code. +The **Code analysis** Project you selected is either deactivated or deleted, and Snyk Code no longer tests its repository. If you want Snyk Code to resume its testing after you delete or deactivate the **Code analysis** Project of a repository, do the following: * After deleting the Code analysis Project, re-import the repository to Snyk and then refresh the **Projects** page to view the results of the re-import. -* After deactivating the Code analysis Project, re-activate the **Code analysis** Project via the **Settings** page of the Project. After you deactivate a Project, the **Deactivate project** button changes to **Activate project**, and a new **Activate** button appears at the top of the page. Click one of these buttons to re-activate the Project: +* After deactivating the Code analysis Project, re-activate the **Code analysis** Project through the **Settings** page of the Project. After you deactivate a Project, the **Deactivate project** button changes to **Activate project**, and a new **Activate** button appears at the top of the page. Click one of these buttons to re-activate the Project:

Activate project button on Code analysis Project Settings page

diff --git a/scan-fix-and-prevent/scan-with-snyk/project-repositories/snyk-repo-content-sync.md b/scan-fix-and-prevent/scan-with-snyk/project-repositories/snyk-repo-content-sync.md index ff763b1f5558..24d975648f30 100644 --- a/scan-fix-and-prevent/scan-with-snyk/project-repositories/snyk-repo-content-sync.md +++ b/scan-fix-and-prevent/scan-with-snyk/project-repositories/snyk-repo-content-sync.md @@ -31,6 +31,6 @@ Push events trigger synchronization using webhooks. Snyk creates a webhook when ## Considerations for Early Access -* Ignore history: For file renames, path changes, or .Net Framework upgrades, Snyk treats the change as a delete and create action. Snyk does not carry over the Project history and previous ignores to the new Project. +* Ignore history: For file renames, path changes, or .NET Framework upgrades, Snyk treats the change as a delete and create action. Snyk does not carry over the Project history and previous ignores to the new Project. * Manual deactivations: When you enable this feature, previously deactivated Projects remain inactive. To reactivate a Project, navigate to the relevant Snyk Project and click **Activate**. * PR checks: Snyk detects new Projects only when you merge them into the monitored branch. Snyk does not detect them during pull request checks. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/README.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/README.md index e820b712c228..284dc2325cc3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/README.md @@ -2,7 +2,7 @@ ## Snyk Fix PRs -Fix pull or merge requests are created automatically by Snyk when new issues are identified in Project tests or a retest is run on a Project that has identified vulnerabilities. This feature applies to Projects imported through an SCM integration such as GitHub Enterprise or Azure. +Snyk creates fix pull or merge requests automatically when it identifies new issues in Project tests or when you run a retest on a Project that has identified vulnerabilities. This feature applies to Projects imported through an SCM integration such as GitHub Enterprise or Azure. For more information on how integrations use fix and upgrade pull requests, see [Upgrade open source dependencies with automatic PRs](snyk-pull-or-merge-requests/enable-automatic-upgrade-prs-for-new-dependency-upgrades.md). @@ -12,15 +12,15 @@ For a full description of Snyk Fix PRs, see [Snyk Fix Pull Requests](snyk-pull-o ## PR Checks -Pull request checks are tests that run on generated pull requests to identify new issues with Projects. This allows you to prevent issues from being introduced into your code before merging to the main branch. +Pull request checks are tests that run on generated pull requests to identify new issues with Projects. This lets you prevent issues from entering your code before you merge to the main branch. -PR Checks that are configured to “Only fail when the issues found have a fix available” rely on Snyk FixPR support and, therefore, will not alert for projects in languages that do not support FixPRs. +PR Checks that are configured to “Only fail when the issues found have a fix available” rely on Snyk Fix PR support and, therefore, do not alert for Projects in languages that do not support Fix PRs. For a full description of PR Checks, see [Pull Request Checks](pull-request-checks/). ## The differences between Fix PRs and PR Checks -* Snyk Fix pull or merge requests are initiated by Snyk when a new issue is identified in a Project test or retest. PR Checks or merge requests are initiated by Snyk when there are code changes in an Organization or Project. +* Snyk initiates Fix pull or merge requests when it identifies a new issue in a Project test or retest. Snyk initiates PR Checks or merge requests when there are code changes in an Organization or Project. * Snyk Fix PRs are used for the remediation of issues. PR checks are used for the prevention of issues. * Snyk Fix PRs are automatic or manual requests made to resolve issues with fixes available, for example, an upgrade or a patch. PR checks are tests made on code changes based on conditions you [configured](pull-request-checks/configure-pull-request-checks.md) during setup, which identify vulnerabilities that could affect your code before the merge. * Snyk Fix PRs trigger when an issue is detected from a daily scan or test. PR checks trigger when you make a code change in a PR. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/README.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/README.md index 7f67be027dc9..27c09869215d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/README.md @@ -2,27 +2,27 @@ ## Introduction to automated security scans with PR checks -The [Snyk PR Checks](configure-pull-request-checks.md) feature allows developers to auto-scan their PRs for issues before merging their code. As Snyk acts as an automated pseudo-team member (an “expert security reviewer”), it finds potential issues, leaving review notes on your PR before the code is committed. +The [Snyk PR Checks](configure-pull-request-checks.md) feature lets developers auto-scan their PRs for issues before merging their code. As Snyk acts as an automated pseudo-team member (an “expert security reviewer”), it finds potential issues, leaving review notes on your PR before you commit the code. -While PRs are the points in the development process where code reviews happen, PR Checks allow security scanning to be integrated with developer workflows, empowering dev teams and helping to prevent security issues from occurring in deployed code. +While PRs are the points in the development process where code reviews happen, PR Checks integrate security scanning with developer workflows, empowering dev teams and helping to prevent security issues from occurring in deployed code. -As part of the [Snyk Pull Request Experience](pull-request-experience.md), the Snyk Issue Summary Comment feature allows you to receive a PR comment on each pull request, summarizing the most recent PR Check results according to the type of check and the count of findings by severity. This reduces context switching by displaying additional information about the PR Check scan results in the pull request. +As part of the [Snyk Pull Request Experience](pull-request-experience.md), the Snyk Issue Summary Comment feature lets you receive a PR comment on each pull request, summarizing the most recent PR Check results according to the type of check and the count of findings by severity. This reduces context switching by displaying additional information about the PR Check scan results in the pull request. ## **Test the change** -The Snyk PR Checks feature allows you to test a change to the current codebase to see if that change introduces a problem. This change testing makes it easier to maintain the security of your codebase on an ongoing basis. +The Snyk PR Checks feature lets you test a change to the current codebase to see if that change introduces a problem. This change testing helps you maintain the security of your codebase on an ongoing basis. For developers, change-related flaws are relevant and easy to fix, and fixing change-related flaws rather than accumulated flaws makes rolling out secure code easier. You can detect security issues early in the development process, see the test results immediately after you write new code, and find and fix issues as they emerge, all in your native workflow. ## **Testing “before” and “after”** -The Snyk PR Checks feature runs live tests of the “before and after” branch with the PR and fails only if the new branch has more issues. This allows you to address problems that have been introduced since the last scan, for example, new vulnerabilities introduced externally. Snyk PR Checks are triggered by a change in your code, and find issues across the entire repository. Thus, a PR check finds issues in your code as well as other issues introduced since the last Snyk scan.Use the Snyk PR Checks feature to prevent new security issues from entering your codebase by automatically scanning code changes in real time as soon as you submit a pull request (PR) in your source code manager (SCM). +The Snyk PR Checks feature runs live tests of the “before and after” branch with the PR and fails only if the new branch has more issues. This lets you address problems introduced since the last scan, for example, new vulnerabilities introduced externally. A change in your code triggers Snyk PR Checks, which find issues across the entire repository. A PR check finds issues in your code as well as other issues introduced since the last Snyk scan. Use the Snyk PR Checks feature to prevent new security issues from entering your codebase by automatically scanning code changes in real time as soon as you submit a pull request (PR) in your source code manager (SCM). ## Why use PR Checks | Benefits | Details | | --------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Automatically scanned pull request | Scan code changes in real-time as soon as a pull request is submitted, to catch potential issues before they go into production. | +| Automatically scanned pull request | Scan code changes in real time as soon as you submit a pull request, to catch potential issues before they go into production. | | Results displayed in your source code manager | Make use of security reviews and notes left by Snyk on your pull requests. | | Code change testing for security issues | Test changes to your codebase for any security issues, ensuring that your code stays secure over time. | | Branch testing |

Test branches before and after implementing changes to fail only if the new branch has introduced issues. Prevent merging pull requests with failed security issues.
Note that Snyk monitors all pull requests made to the monitored repository.

| @@ -40,7 +40,7 @@ The following diagram explains how Snyk Checks PRs in your development workflow. PR checks proceed as follows: 1. A developer creates a pull request (PR) in an SCM integrated with Snyk. -2. A webhook is triggered from the SCM to Snyk +2. The SCM triggers a webhook to Snyk. 3. Snyk automatically scans the code changes in the PR for issues. 4. Snyk leaves security reviews and notes on the PR. 5. The developer can view the PR Checks results and fix identified issues before merging the code. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/analyze-pr-checks-results.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/analyze-pr-checks-results.md index 59cc65574cb7..eba3362b7d05 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/analyze-pr-checks-results.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/analyze-pr-checks-results.md @@ -12,7 +12,7 @@ Check the status of the PR Checks results in the integrated SCM to identify secu The following status indicators can appear for your Snyk PR checks in the integrated SCM: -
Result statusDescription
Success/PassedNo issues were discovered and the manifest file was not changed.
PendingThe PR Checks are still running.
Failed/Issues foundSecurity issues were identified in the pull request. In this scenario, you need to manually set the result status to Passed.
ErrorOut-of-sync package.json and package.lock files, failure to find or to read the manifest file.
CanceledThe test limit has been reached.
+
Result statusDescription
Success/PassedSnyk discovered no issues and the manifest file did not change.
PendingThe PR Checks are still running.
Failed/Issues foundSnyk identified security issues in the pull request. In this scenario, you must manually set the result status to Passed.
ErrorOut-of-sync package.json and package.lock files, failure to find or to read the manifest file.
CanceledThe test reached the test limit.
{% hint style="info" %} For false positive or false negative results, see [Troubleshooting PR Checks](troubleshoot-pr-checks.md). @@ -54,15 +54,15 @@ Confirm your selected issue and click **Open a Fix PR** to open a pull request i 2. Find the conversation card showing the PR Checks results. For this example, the result is set to **Failed** and is manually changed to **Passed**. {% hint style="info" %} -Issues that have previously been ignored via the Snyk Web UI in the associated Open Source or code analysis Project are not flagged in these checks. This reflects [ignored issues](../../../manage-risk/prioritize-issues-for-fixing/ignore-issues/) across feature branch PRs. +Issues that you have previously ignored through the Snyk Web UI in the associated Open Source or code analysis Project are not flagged in these checks. This reflects [ignored issues](../../../manage-risk/prioritize-issues-for-fixing/ignore-issues/) across feature branch PRs. {% endhint %}
PR Checks card in the Conversations tab, GitHub.

PR Checks card in the Conversations tab, GitHub

-3. Expand list of files that have been checked for this issue. +3. Expand the list of files that Snyk checked for this issue. 4. (Optional) Click **View test page** to examine the issue details.\ \ - You can get a complete picture of the vulnerability by clicking **Show more detail** for technical security information and remediation options.\ + To get a complete picture of the vulnerability, click **Show more detail** for technical security information and remediation options.\ \ To return to the main issue page, click **Project**. @@ -73,7 +73,7 @@ Issues that have previously been ignored via the Snyk Web UI in the associated O
Marking PR Checks result as successful.

Marking PR Checks result as successful

{% hint style="warning" %} -Marking a vulnerability as successful does not ignore the issue but only allows the security checks for the PR to pass in this current branch. If the issue is not fixed, it shows up in future commits and PR Checks after you merge it with the target branch. +Marking a vulnerability as successful does not ignore the issue but only lets the security checks for the PR pass in this current branch. If you do not fix the issue, it shows up in future commits and PR Checks after you merge it with the target branch. {% endhint %} The issue is marked as **Passed** and shows up as **Skipped** in the PR Checks card in GitHub. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/configure-pull-request-checks.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/configure-pull-request-checks.md index d734e17e1968..13dec221dca0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/configure-pull-request-checks.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/configure-pull-request-checks.md @@ -5,7 +5,7 @@ PR Checks for **Bitbucket Server** integrations require Bitbucket Server version 7.4 and above, or Bitbucket Data Center version 8 or above.\ \ -When using a brokered connection Snyk Broker version 5.4.9 and above is required. +When using a brokered connection, you must use Snyk Broker version 5.4.9 and above. {% endhint %} ## Prerequisites for automated PR Checks @@ -52,7 +52,7 @@ The configuration settings apply to all Projects in that Organization. You can a * [ ] **Code Analysis**: Enable this option to fail the PR on new vulnerabilities detected in your Git repository. If the severity is higher than your threshold, the PR is not merged into the main branch. * [ ] **Fail conditions**: Select the severity threshold at which the PR fails. For example, if you select **Medium**, the PR fails on issues found at this level or higher, while it is merged for **Low** severity issues. -PR Checks that are configured to “Only fail when the issues found have a fix available” rely on Snyk FixPR support and, therefore, will not alert for projects in languages that do not support FixPR Checks. +PR Checks that are configured to “Only fail when the issues found have a fix available” rely on Snyk FixPR support and so do not alert for projects in languages that do not support FixPR Checks. {% hint style="info" %} A PR test is configured to be optional or blocking within your source control management platform, such as GitHub’s branch protection rules. To learn more on issue prevention, visit [Phase 6: Rolling out the prevention stage](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/implementation-guides/enterprise-implementation-guide/automate-prevention-measures). @@ -71,13 +71,13 @@ If you cannot see the **Code Analysis** section, ensure that your user has the G * [ ] **Only fail when the PR is adding a dependency with issues**: Set this condition to fail PR when there is at least one dependency with security issues. * [ ] **Fail if the repo has any issues**: Set this condition to fail a PR for any security issues found in the Git repository. * [ ] **Only fail for high or critical severity issues**: Select additional failure conditions based on the severity threshold. -* [ ] **Only fail when the issues found have a fix available**: Set this condition on for the PR check to fail when the PR introduces new vulnerabilities that are fixable by Snyk. PR checks don't fail on newly introduced vulnerabilities if Snyk is unable to fix them. +* [ ] **Only fail when the issues found have a fix available**: Set this condition on for the PR check to fail when the PR introduces new vulnerabilities that are fixable by Snyk. PR checks don't fail on newly introduced vulnerabilities if Snyk cannot fix them. -When switched on, this will cause the PR check to fail when the PR introduces new vulnerabilities that are fixable by Snyk. PR checks will not fail on newly introduced vulnerabilities if Snyk is unable to fix them. +When switched on, this causes the PR check to fail when the PR introduces new vulnerabilities that are fixable by Snyk. PR checks do not fail on newly introduced vulnerabilities if Snyk cannot fix them.
Pull request check settings to analyze open-source and licensing issues.

PR check settings to analyze open-source and licensing issues

-4. Either click **Save** to save the changes, select the Save dropdown and click **Apply changes to all overridden Projects** to extend the current configuration to Projects with custom settings. For more information, see [Configure PR Checks at the Project level](configure-pull-request-checks.md#configure-pr-checks-at-the-project-level). +4. Either click **Save** to save the changes, or select the **Save** dropdown and click **Apply changes to all overridden Projects** to extend the current configuration to Projects with custom settings. For more information, see [Configure PR Checks at the Project level](configure-pull-request-checks.md#configure-pr-checks-at-the-project-level). ## Configure PR checks at the Project level diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/pull-request-experience.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/pull-request-experience.md index 84e85eb1fe79..ee191984f65c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/pull-request-experience.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/pull-request-experience.md @@ -16,15 +16,15 @@ The Pull Request Experience consists of the following features: Issue summary comment provides a collated view of the last PR Check results, categorizing findings by severity and type directly within the pull request. -Inline comments give a granular view of the pull request with information on severity, the data flow of vulnerabilities, and more. This allows you to make quick decisions on issue prioritization and remediation. +Inline comments give a granular view of the pull request with information on severity, the data flow of vulnerabilities, and more. This lets you make quick decisions on issue prioritization and remediation. -Snyk Agent fix in the PR enables action to be taken based on the previous features in the Pull Request Experience and the recommendations given. +Snyk Agent fix in the PR lets you act on the previous features in the Pull Request Experience and the recommendations given. ## Prerequisites ### User role requirement -To configure and manage the pull request experience, the user must be a [Group Admin](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/pre-defined-roles#group-level-permissions). This is to ensure access to all integrations for setup as the pull request experience is configured at the Organization level. +To configure and manage the pull request experience, you must be a [Group Admin](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/pre-defined-roles#group-level-permissions). This ensures access to all integrations for setup, because you configure the pull request experience at the Organization level. ### Pull request checks enablement @@ -43,11 +43,11 @@ Ensure the following is complete: In addition to the general SCM and PR Checks prerequisites, certain features in the pull request experience have their own requirements: * To configure the inline comments feature, enable the **Code analysis** PR checks setting. This is located on the Organization level under **Settings** > **Integrations**. -* If you are using the GitHub Integration, specify a dedicated GitHub account by supplying a **GitHub Personal Access Token (PAT)** in the integration settings. This is required to be able to add inline comments or Agent Fix +* If you are using the GitHub Integration, specify a dedicated GitHub account by supplying a **GitHub Personal Access Token (PAT)** in the integration settings. This is required to add inline comments or Agent Fix. ### SCM permission and access scope requirements -The pull request experience integrates with various SCM platforms, each with specific requirements for a successful configuration with Snyk. Your existing SCM integration setup will work with the Pull Request experience out of the box, except for GitHub (OAuth) which requires an additional Fix PR token. For additional information, see [User permissions and access scopes](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/user-permissions-and-access-scopes). +The pull request experience integrates with various SCM platforms, each with specific requirements for a successful configuration with Snyk. Your existing SCM integration setup works with the Pull Request experience out of the box, except for GitHub (OAuth), which requires an additional Fix PR token. For additional information, see [User permissions and access scopes](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/user-permissions-and-access-scopes). {% hint style="info" %} For information on which SCM integrations are supported in each pull request experience feature, see the individual feature sections: [Issue Summary Comment](pull-request-experience.md#issue-summary-comment), [Inline Comments](pull-request-experience.md#inline-comments), and [Snyk Agent Fix in the PR](pull-request-experience.md#snyk-agent-fix-in-the-pr). @@ -73,7 +73,7 @@ The issue summary comment feature adds a comment to each pull request, summarizi The inline comments feature adds a detailed comment for each issue identified by the Snyk Code pull request check. Each comment includes the severity level, the name, and a short description of the issue, helpful links for further information, and, if applicable, the data flow. For best results, Snyk recommends generating and applying fixes for a single inline comment at a time to avoid situations where applying a fix causes conflicts with another previously generated fix. {% hint style="info" %} -This feature is limited to 10 inline comments at pull request level. The summary comment will display a message if the cap is surpassed. +This feature is limited to 10 inline comments at pull request level. The summary comment displays a message if you surpass the cap. {% endhint %} For GitLab and Azure Repos, consider the following conditions: @@ -90,10 +90,10 @@ For Brokered integrations, the Data Flow section in the inline comments is avail **Release status** Snyk Agent fix in the PR is in [Early Access](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/snyk-release-process#early-access-features).\ -Snyk Agent fix in the PR will work only on inline comments created after the feature is enabled. +Snyk Agent fix in the PR works only on inline comments created after you enable the feature. {% endhint %} -The Snyk Agent fix in the PR feature enables the user to request and apply fixes for vulnerabilities identified by the Snyk Code pull request check and posted as inline comments. By enabling this feature, the user is able to interact with inline comments in the following way: +The Snyk Agent fix in the PR feature lets you request and apply fixes for vulnerabilities identified by the Snyk Code pull request check and posted as inline comments. When you enable this feature, you can interact with inline comments in the following way: * Request an initial fix by replying to an inline comment using the `@snyk /fix` command. @@ -102,14 +102,14 @@ The Snyk Agent fix in the PR feature enables the user to request and apply fixes

Request a fix by replying to the inline comment

* Request a different suggestion by replying with the `@snyk /fix` command to a previously generated fix. Snyk Agent fix can generate up to five potential fixes, depending on the issue type. -* Apply a specific fix by using the `@snyk /apply #` command, where # is the number of the suggestion the user wishes to apply. A commit is created by Snyk on the PR branch, containing the selected fix. +* Apply a specific fix by using the `@snyk /apply #` command, where # is the number of the suggestion you want to apply. Snyk creates a commit on the PR branch, containing the selected fix. ### Exceptions * The `@snyk /fix` command can be used only for automatically fixable vulnerabilities, identified in the inline comments with a zap icon and command description. See [fix-code-vulnerabilities-automatically.md](../../snyk-code/manage-code-vulnerabilities/fix-code-vulnerabilities-automatically.md "mention") for supported languages and limitations. * Fixes expire after the time displayed in each suggestion, in accordance with the [How Snyk handles your data #Cache retention period related to vulnerability source data](https://app.gitbook.com/s/ELvljsaLKPkSpffOkmsQ/how-snyk-handles-your-data#cache-retention-period-related-to-vulnerability-source-data "mention"). After expiration, a new fix can be requested by using the `@snyk /fix` command. * Snyk Agent fix in the PR is not supported for [Snyk Code Local Engine](../../snyk-code/snyk-code-local-engine.md). -* The `@snyk /fix` and `@snyk /apply #` commands can be used only as replies to the Inline Comments created by Snyk, commands created on other comment threads will not be processed. +* The `@snyk /fix` and `@snyk /apply #` commands can be used only as replies to the Inline Comments created by Snyk. Snyk does not process commands created on other comment threads. ## Troubleshooting @@ -160,7 +160,7 @@ The following features require specific Snyk Broker versions: ### The Snyk Agent fix in the PR is not working after enabling the setting -When you enable the Snyk Agent Fix in the PR setting, a background process is initiated to upgrade the [Snyk webhooks](../snyk-pull-or-merge-requests/#snyk-scm-webhooks) in the user's repository to include the pull request comment event subscription required for the feature. This process can take a couple of minutes to complete. During this time, the feature will not be fully active or available, and Snyk will not be able to react to commands in the PR. +When you enable the Snyk Agent Fix in the PR setting, Snyk starts a background process to upgrade the [Snyk webhooks](../snyk-pull-or-merge-requests/#snyk-scm-webhooks) in your repository to include the pull request comment event subscription required for the feature. This process can take a couple of minutes to complete. During this time, the feature is not fully active or available, and Snyk cannot react to commands in the PR. To troubleshoot the webhook upgrade process, go to the repository settings page of your SCM, and confirm that the Snyk webhook is subscribed to the 'Pull request review comments' event. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/troubleshoot-pr-checks.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/troubleshoot-pr-checks.md index 5b03e8ac9b18..9ff05ed38b1a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/troubleshoot-pr-checks.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/pull-request-checks/troubleshoot-pr-checks.md @@ -7,20 +7,20 @@ The following table lists general issues with PR checks and how to address them. | Scenario | Description | Action | | --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | PR check not triggered. | The repository is imported to Snyk, but when a PR is raised it does not trigger a PR check. |
  1. Check the Project and Integration settings to make sure PR checks are configured.
  2. Check the Project Settings integration page for a banner advising you that a webhook is absent.

    Double-check integration permission scopes (visit Git repositories).

    If you still cannot create a webhook, contact support.
| -| PR check is expected but does not run. | The PR check is listed in the Git repository (SCM) as expected but never completes. |

This issue is generally caused by a Branch Protection rule requiring the PR check. If the Project has been disabled or removed from Snyk, the PR check will not run, but the branch protection rule is still in force until removed or edited.

Check for Branch Protection rules and confirm that the Project is imported and active.

| -| Multiple Security and Licence PR checks run on a single Pull Request. | When a PR is submitted, multiple Snyk PR checks of the same type run against it, possibly with different results. |

If a repository is imported into multiple Snyk Organizations, PR checks will run on the repository for any configured Organization.

Check the name of the PR check as it includes the Organization name against which the check is run. Alternatively, selecting the PR check details will take you to the results for the relevant Organization.

| -| PR Check found vulnerabilities but Pull Request is not blocked. | Controlling whether a PR test is optional or blocking is configured within your source control management platform, such as GitHub’s branch protection rules. | To learn more about issue prevention, visit [Phase 6: Rolling out the prevention stage.](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/implementation-guides/enterprise-implementation-guide/automate-prevention-measures) | +| PR check is expected but does not run. | The PR check is listed in the Git repository (SCM) as expected but never completes. |

A Branch Protection rule requiring the PR check generally causes this issue. If you disabled or removed the Project from Snyk, the PR check does not run, but the branch protection rule is still in force until you remove or edit it.

Check for Branch Protection rules and confirm that the Project is imported and active.

| +| Multiple Security and Licence PR checks run on a single Pull Request. | When you submit a PR, multiple Snyk PR checks of the same type run against it, possibly with different results. |

If you import a repository into multiple Snyk Organizations, PR checks run on the repository for any configured Organization.

Check the name of the PR check, because it includes the Organization name against which the check runs. Alternatively, selecting the PR check details takes you to the results for the relevant Organization.

| +| PR Check found vulnerabilities but Pull Request is not blocked. | You configure whether a PR test is optional or blocking in your source control management platform, such as GitHub’s branch protection rules. | To learn more about issue prevention, visit [Phase 6: Rolling out the prevention stage.](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/implementation-guides/enterprise-implementation-guide/automate-prevention-measures) | ## Open-source and licensing checks -PR checks that are configured to “Only fail when the issues found have a fix available” will not alert for projects in languages that do not support Fix PR checks. For more information, see [Supported languages](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/supported-languages/supported-languages-list) to check feature support. +PR checks that are configured to “Only fail when the issues found have a fix available” do not alert for projects in languages that do not support Fix PR checks. For more information, see [Supported languages](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/supported-languages/supported-languages-list) to check feature support. If you come across false positive or false negative results, you can take action to diagnose and report the issue. | Scenario | Description | Action | | -------------- | ------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| False positive | The result is marked as Failed by Snyk because it has identified an issue that does not actually exist. |

Contact support to update the dependency version if Snyk has misidentified an issue for a package version.

If you want to push the changes forward, you can mark the result as successful. For more information, see Example: fix dependency issues with PR Checks.

| -| False negative | The result is marked as Passed by Snyk because it failed to detect an issue that actually exists. |

To address the issue, you can submit a vulnerability disclosure.

If Snyk did not detect the vulnerability due to a misidentified package or the absence of code trace, contact support.

| +| False positive | Snyk marks the result as Failed because it has identified an issue that does not exist. |

Contact support to update the dependency version if Snyk has misidentified an issue for a package version.

If you want to push the changes forward, you can mark the result as successful. For more information, see Example: fix dependency issues with PR Checks.

| +| False negative | Snyk marks the result as Passed because it failed to detect an issue that exists. |

To address the issue, you can submit a vulnerability disclosure.

If Snyk did not detect the vulnerability due to a misidentified package or the absence of code trace, contact support.

| ## Code analysis checks diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/README.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/README.md index f3038e28dc97..d2aa5d08f074 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/README.md @@ -1,18 +1,18 @@ # Snyk Pull or Merge Requests -In addition to providing fix advice, Snyk enables you create automatic or manual pull requests for supported package managers and ecosystems. To create PRs automatically in implementations with Snyk Broker, your administrator must upgrade to v4.55.0 or later. +In addition to providing fix advice, Snyk lets you create automatic or manual pull requests for supported package managers and ecosystems. To create PRs automatically in implementations with Snyk Broker, your administrator must upgrade to v4.55.0 or later. {% hint style="info" %} For the basic steps in fixing vulnerabilities, see [Fix your vulnerabilities](../../snyk-open-source/manage-vulnerabilities/fix-your-vulnerabilities.md). To ensure your language is supported, see [Languages supported for Fix Pull Requests or Merge Requests](../../snyk-open-source/manage-vulnerabilities/troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md#languages-supported-for-fix-pull-requests-or-merge-requests) and [Supported browsers](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/getting-started-guides/getting-started#supported-browsers) pages. {% endhint %} {% hint style="info" %} -Administrators and account owners can manage the settings for Snyk upgrade pull requests from the Snyk Web UI at both the Organization and Project levels. You can configure whether the feature is enabled (the default) and specify the conditions under which Snyk should submit upgrade pull requests, if at all. +Administrators and account owners can manage the settings for Snyk upgrade pull requests from the Snyk Web UI at both the Organization and Project levels. You can configure whether the feature is enabled (the default) and specify the conditions under which Snyk submits upgrade pull requests, if at all. {% endhint %} ## Manual Fix PRs -For specific supported languages, you can create pull requests to remediate issues using the Snyk web UI. These combine Snyk fix advice with the list of remediated vulnerabilities to create a pull request that developers can review and merge into their repo's main branch. +For specific supported languages, you can create pull requests to remediate issues using the Snyk Web UI. These combine Snyk fix advice with the list of remediated vulnerabilities to create a pull request that developers can review and merge into their repository's main branch. You can start the process from any supported Project's open source vulnerability view. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/breakability-risk-levels.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/breakability-risk-levels.md index 985f92e851e8..5840a759ae10 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/breakability-risk-levels.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/breakability-risk-levels.md @@ -6,7 +6,7 @@ Breakability analysis is in Early Access and available only with Enterprise plans. To enable the feature, see [Snyk Preview](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/snyk-hierarchy/snyk-preview). {% endhint %} -Snyk analyzes dependency upgrades to predict if a proposed change will break your build or application. Breakability analysis assigns a risk level to each upgrade to help you decide whether to auto-merge a fix or review it manually. +Snyk analyzes dependency upgrades to predict whether a proposed change breaks your build or application. Breakability analysis assigns a risk level to each upgrade to help you decide whether to auto-merge a fix or review it manually. Snyk assesses the practical impact of a change rather than relying only on version numbers. For example, a major version update (v2.0) can appear risky based on the version number, even if the code change is trivial. @@ -20,7 +20,7 @@ Snyk classifies risk based on two factors: {% hint style="info" %} With breakability analysis, Snyk sends package information to a Large Language Model (LLM). This information includes the current and proposed upgrade versions. Snyk does not transmit application data. Future features involving application context require you to enable them separately. -Ensure to review AI-generated content for accuracy before use. +Review AI-generated content for accuracy before use. {% endhint %} ## Risk level definitions and actions @@ -87,7 +87,7 @@ The following use cases show how the logic applies. | ---------------------- | ----------------------- | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | | Security patch | From `1.4.4` to `1.4.5` | Low | The changelog confirms only security fixes and no behavioral changes. | | Ancient runtime drop | From `3.0` to `4.0` | Low | The upgrade is a major version, but the only change is dropping Node.js v4 (EOL 2018). There is no practical impact. | -| Missing documentation | From `2.1` to `2.2` | Medium | The upgrade is a minor version, but there is no changelog. Snyk cannot detemine if it is safe, so it flags it for review. | +| Missing documentation | From `2.1` to `2.2` | Medium | The upgrade is a minor version, but there is no changelog. Snyk cannot determine if it is safe, so it flags it for review. | | API removal | From `3.0` to `4.0` | High | The changelog confirms that `_.pluck` was removed and must be replaced with `_.map`. Code changes are required. | | Long term support drop | From `5.0` to `6.0` | High | The upgrade drops support for Java 17, which is an active LTS. This upgrade breaks builds that are running on standard environments. | | | | | | diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/apply-a-custom-pr-template.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/apply-a-custom-pr-template.md index 5faff3aafcdc..fce8529bb517 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/apply-a-custom-pr-template.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/apply-a-custom-pr-template.md @@ -2,11 +2,11 @@ ## Create and manage a custom PR template using the API -You can create a custom PR template using the API endpoint [Create or update pull request template for Group](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/pull-request-templates#post-groups-group_id-settings-pull_request_template). Send an API request that contains a JSON payload with the custom properties. This request configures a Group-level pull request template that will be used on any Organization or Project within that Group. The pull request template created using the Snyk API can be updated at any time, and all Projects in the Group are automatically updated with the latest changes. +You can create a custom PR template using the API endpoint [Create or update pull request template for Group](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/pull-request-templates#post-groups-group_id-settings-pull_request_template). Send an API request that contains a JSON payload with the custom properties. This request configures a Group-level pull request template for use on any Organization or Project in that Group. You can update the pull request template created using the Snyk API at any time, and Snyk automatically updates all Projects in the Group with the latest changes. API configuration of PR templates is available only at the Group level. -When a custom template is uploaded using an API request, all Snyk PRs in that Group adopt this format, effectively switching off the default Snyk template for the customizable properties. Strings are the only acceptable values; lists and numbers are not allowed. +When you upload a custom template using an API request, all Snyk PRs in that Group adopt this format, effectively switching off the default Snyk template for the customizable properties. Strings are the only acceptable values. Lists and numbers are not allowed. If any customizable properties are missing from your custom template, Snyk reverts to the default values for these properties when opening a pull request. @@ -16,7 +16,7 @@ The following properties are customizable using the API: * `commit_message` - customize the PR commit message * `description` - customize the PR description -You cannot customize the branch name for your PRs. The branch name of your PRs will use the Snyk default value. +You cannot customize the branch name for your PRs. The branch name of your PRs uses the Snyk default value. You can retrieve the custom PR template for your Group using the endpoint [Get pull request template for Group](https://apidocs.snyk.io/?#get-/groups/-group_id-/settings/pull_request_template). This is useful if you want to consider changing your template, and in troubleshooting. @@ -28,7 +28,7 @@ To delete the template, use the endpoint [Delete pull request template for group Manually create the YAML template by using the [mustache](https://mustache.github.io) syntax for templating and add the file to your Project or repository. -When a custom template is uploaded to your Project, all PRs from Snyk for the Project adopt this format, effectively switching off the default Snyk template for the customized properties. Strings are the only acceptable values; lists and numbers are not allowed. If any customizable properties are missing from your template, Snyk reverts to the default values for these properties when opening a pull request. +When you upload a custom template to your Project, all PRs from Snyk for the Project adopt this format, effectively switching off the default Snyk template for the customized properties. Strings are the only acceptable values. Lists and numbers are not allowed. If any customizable properties are missing from your template, Snyk reverts to the default values for these properties when opening a pull request. #### YAML multiline operators @@ -56,7 +56,7 @@ The following properties are customizable: * `commitMessage` - customize the PR commit message * `description` - customize the PR description -You cannot customize the branch name for your PRs. The branch name of your PRs will use the Snyk default value. +You cannot customize the branch name for your PRs. The branch name of your PRs uses the Snyk default value. ### Use the YAML custom PR template diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/troubleshooting-and-limitations-for-custom-pr-templates.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/troubleshooting-and-limitations-for-custom-pr-templates.md index f4aadfdf41f1..abb325e53f8f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/troubleshooting-and-limitations-for-custom-pr-templates.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/troubleshooting-and-limitations-for-custom-pr-templates.md @@ -24,9 +24,9 @@ You can add Jira tickets to your PR, but Snyk is limited to those created using ### Failure to open PR -If a PR cannot be opened, Snyk cannot identify errors when a PR cannot be opened. +If a PR cannot be opened, Snyk cannot identify the errors that prevented it. ### No line between variables -When you are customizing the YAML file, it is possible that a new line will not be added between variables when two lines start with a variable `{{}}`. +When you are customizing the YAML file, a new line might not be added between variables when two lines start with a variable `{{}}`. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/variables-list-and-description.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/variables-list-and-description.md index 91b70ec97f95..af177f6fad61 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/variables-list-and-description.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/customize-pr-templates/variables-list-and-description.md @@ -25,7 +25,7 @@ To automatically link Jira to the relevant pull requests, include a list of asso **Output** -The commit message of your PR will be: +The commit message of your PR is: ```json This pull request is from Snyk and relates to JIRA-1,JIRA-2,JIRA-3 @@ -53,7 +53,7 @@ This is the Snyk Project URL and can be used to link to the Snyk Project page. **Output** -The description of your PR will be: +The description of your PR is: ```yaml To find more details, see the Snyk project https://app.snyk.io/org/my-org/project/xx-xxx-xx-xx @@ -81,7 +81,7 @@ This is the Snyk Project name. You can add the Snyk Project name to your descrip **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix applied to project my-org/project:filename @@ -107,7 +107,7 @@ This is the Snyk Organization name. You can add the Snyk Organization name to yo **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix applied by my-org @@ -115,7 +115,7 @@ Fix applied by my-org **`package_name: string`** -This is the name of the package being fixed or upgraded. When more than one package is changed, this variable will default to the first one. +This is the name of the package being fixed or upgraded. When more than one package is changed, this variable defaults to the first one. Follow this example to display in the description the package name of the first dependency being fixed in the PR. @@ -135,7 +135,7 @@ Follow this example to display in the description the package name of the first **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fixes adm-zip @@ -143,7 +143,7 @@ Fixes adm-zip **`package_from: string`** -This is the version of the package that is being fixed or upgraded. In cases where more than one package is changed, this variable will default to the `from` version of the first one. +This is the version of the package that is being fixed or upgraded. In cases where more than one package is changed, this variable defaults to the `from` version of the first one. **Input** @@ -161,7 +161,7 @@ This is the version of the package that is being fixed or upgraded. In cases whe **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix is applied by moving from 0.4.7 @@ -169,7 +169,7 @@ Fix is applied by moving from 0.4.7 **`package_to: string`** -The package is transitioning to this particular version. In cases where more than one package is changed, this variable will default to the `to` version of the first one. +The package is transitioning to this particular version. In cases where more than one package is changed, this variable defaults to the `to` version of the first one. **Input** @@ -187,7 +187,7 @@ The package is transitioning to this particular version. In cases where more tha **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix is applied by moving to 0.5.2 @@ -212,7 +212,7 @@ This is the number of issues in your Project or repository that are covered by t **Output** -The description of your PR will be: +The description of your PR is: ```yaml The PR will fix 98 issues. @@ -394,7 +394,7 @@ This variable is for container projects only. It can be used to display the name **Output** -The description of your PR will be: +The description of your PR is: ``` We recommend upgrading to node:xx.xx.x @@ -420,7 +420,7 @@ This variable is for container projects only. It can be used to display the curr **Output** -The description of your PR will be: +The description of your PR is: ``` The current base image is: node:xx.xx.x @@ -448,7 +448,7 @@ For example, `docker.io/library/node:18-alpine` becomes `node:18-alpine`. **Output** -The description of your PR will be: +The description of your PR is: ``` Upgrade to node:18-alpine @@ -476,7 +476,7 @@ For example, `docker.io/library/node:16` becomes `node:16`. **Output** -The description of your PR will be: +The description of your PR is: ``` Upgrading from node:16 @@ -527,7 +527,7 @@ commitMessage: | **Output** -The commit message of your PR will be: +The commit message of your PR is: ```yaml This pull request is from Snyk and relates to JIRA-1,JIRA-2,JIRA-3 @@ -548,7 +548,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml To find more details, see the Snyk project https://app.snyk.io/org/my-org/project/xx-xxx-xx-xx @@ -569,7 +569,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix applied to project my-org/project:filename @@ -588,7 +588,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix applied by my-org @@ -596,7 +596,7 @@ Fix applied by my-org **`package_name: string`** -This is the name of the package being fixed or upgraded. When more than one package is changed, this variable will default to the first one. +This is the name of the package being fixed or upgraded. When more than one package is changed, this variable defaults to the first one. Follow this example to display in the description the package name of the first dependency being fixed in the PR. @@ -609,7 +609,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fixes adm-zip @@ -617,7 +617,7 @@ Fixes adm-zip **`package_from: string`** -This is the version of the package that is being fixed or upgraded. In cases where more than one package is changed, this variable will default to the `from` version of the first one. +This is the version of the package that is being fixed or upgraded. In cases where more than one package is changed, this variable defaults to the `from` version of the first one. **Input** @@ -629,7 +629,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix is applied by moving from 0.4.7 @@ -637,7 +637,7 @@ Fix is applied by moving from 0.4.7 **`package_to: string`** -The package is transitioning to this particular version. In cases where more than one package is changed, this variable will default to the `to` version of the first one. +The package is transitioning to this particular version. In cases where more than one package is changed, this variable defaults to the `to` version of the first one. **Input** @@ -649,7 +649,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Fix is applied by moving to 0.5.2 @@ -668,7 +668,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml The PR will fix 98 issues. @@ -677,7 +677,7 @@ The PR will fix 98 issues. **`product_is_container: boolean`** -This variable can be used to customize attributes based on whether the PR is a Container product. Currently there are two different product types at Snyk which can open PRs (Open Source PRs and Container Prs). Using this variable will help you customise your template to differentiate between the two. +This variable can be used to customize attributes based on whether the PR is a Container product. Currently there are two different product types at Snyk which can open PRs (Open Source PRs and Container Prs). Using this variable will help you customize your template to differentiate between the two. **Input** @@ -702,7 +702,7 @@ If your project is a Container project, the description will be: **`product_is_open_source: boolean`** -This variable can be used to customize attributes based on whether the PR is an Open Source product. Currently there are two different product types at Snyk which can open PRs (Open Source PRs and Container Prs). Using this variable will help you customise your template to differentiate between the two. +This variable can be used to customize attributes based on whether the PR is an Open Source product. Currently there are two different product types at Snyk which can open PRs (Open Source PRs and Container Prs). Using this variable will help you customize your template to differentiate between the two. **Input** @@ -739,7 +739,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Is this a fix pr? true @@ -758,7 +758,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Is this a backlog pr? false @@ -777,7 +777,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Is this an upgrade pr? false @@ -829,7 +829,7 @@ This variable is for container projects only. It can be used to display the name **Output** -The description of your PR will be: +The description of your PR is: ``` We recommend upgrading to node:xx.xx.x @@ -855,7 +855,7 @@ This variable is for container projects only. It can be used to display the curr **Output** -The description of your PR will be: +The description of your PR is: ``` The current base image is: node:xx.xx.x @@ -876,7 +876,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Upgrade to node:18-alpine @@ -897,7 +897,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml Upgrading from node:16 @@ -916,7 +916,7 @@ description: | **Output** -The description of your PR will be: +The description of your PR is: ```yaml This is a fix pull request diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-backlog-prs-for-previously-known-vulnerabilities.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-backlog-prs-for-previously-known-vulnerabilities.md index 9fcac813f729..03d3b57b73b5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-backlog-prs-for-previously-known-vulnerabilities.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-backlog-prs-for-previously-known-vulnerabilities.md @@ -11,10 +11,10 @@ When Snyk creates automatic PRs for vulnerabilities, the following rules are app * If you select **Retest now** for the Project, a scan is run manually, and the 24-hour window is marked as having had a scan run. No automatic PR is created until the next automated scan runs. * One pull request is created per Project with a [priority score](../../../manage-risk/prioritize-issues-for-fixing/priority-score.md) of 700 and above. -* Fixing a vulnerability by upgrading a package may sometimes introduce a new vulnerability. Snyk will only automatically create such a pull request if the fixed vulnerabilities are a higher severity than any new ones introduced. +* Fixing a vulnerability by upgrading a package can sometimes introduce a new vulnerability. Snyk automatically creates such a pull request only if the fixed vulnerabilities are a higher severity than any new ones introduced. * Pull requests are created based on the **Test & Automated Pull Request Frequency** settings. * To update the **Test & Automated Pull Request Frequency**, navigate to **Projects** and select your Open Source Project. - * Navigate to **Settings** and select an option from the pulldown list. + * Navigate to **Settings** and select an option from the dropdown list. To determine when your last 24-hour window began, check the Project issue card for **Snapshot taken by recurring test**. @@ -42,7 +42,7 @@ The configuration settings apply to all Projects in that Organization. You can a This retrieves previously declared vulnerabilities from the Project's backlog. 4. Select the **Fix Strategy** for your Backlog PRs. -* By default, the fix strategy will be a single PR at the vulnerability level. Snyk opens one PR each day for issues in your backlog, fixing the top vulnerability it finds. +* By default, the fix strategy is a single PR at the vulnerability level. Snyk opens one PR each day for issues in your backlog, fixing the top vulnerability it finds. * You can check **Fix all vulnerabilities for the same dependency in a single PR**. This selects the vulnerability with the highest priority and a fix to resolve it, as well as fixes for other vulnerabilities in the same dependency. 5. Click **Save**. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-fix-prs.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-fix-prs.md index 83256d84200e..a373bdbccbc1 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-fix-prs.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-fix-prs.md @@ -15,7 +15,7 @@ The following rules are applied to the creation of automatic PRs for vulnerabili * One pull request is created per Project. * A new vulnerability is a vulnerability in the current recurring scan that was not present in the previous scan of the same Project. * If either the vulnerability is new and has a fix available or the fix is new and is not ignored, a Fix PR can be created. -* Fixing a vulnerability by upgrading a package may sometimes introduce a new vulnerability. Snyk will only automatically create a pull request if the fixed vulnerabilities are of a higher severity than any new ones introduced. +* Fixing a vulnerability by upgrading a package can sometimes introduce a new vulnerability. Snyk automatically creates a pull request only if the fixed vulnerabilities are of a higher severity than any new ones introduced. For known vulnerabilities, visit [Configure Automatic Backlog PRs.](enable-automatic-backlog-prs-for-previously-known-vulnerabilities.md) @@ -40,7 +40,7 @@ If you check **Fix all vulnerabilities for the same dependency in a single PR**, ## Set creation thresholds for score and severity -For every new actionable vulnerability found on each recurring test, Snyk raises a Fix PR. This may not be ideal depending on the velocity you are looking for in your Organization, so setting up specific criteria to match your needs can be achieved by setting thresholds. +For every new actionable vulnerability found on each recurring test, Snyk raises a Fix PR. This might not be ideal depending on the velocity you are looking for in your Organization, so you can set thresholds to match your needs. To decide which automatic Fix PRs are visible to you, you can set a custom threshold for **Score** or **Severity**. Depending on your Organization's configuration, the dropdown contains either the **Risk Score** or the **Priority Score**. diff --git a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-upgrade-prs-for-new-dependency-upgrades.md b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-upgrade-prs-for-new-dependency-upgrades.md index 32077ad43357..c65f64b2fd3b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-upgrade-prs-for-new-dependency-upgrades.md +++ b/scan-fix-and-prevent/scan-with-snyk/pull-requests/snyk-pull-or-merge-requests/enable-automatic-upgrade-prs-for-new-dependency-upgrades.md @@ -6,7 +6,7 @@ This feature is supported for the following SCM integrations: GitHub, GitHub Enterprise, GitHub Cloud App, Bitbucket Server, Bitbucket Cloud, Bitbucket Connect, GitLab, and Azure Repos. {% endhint %} -Keeping dependencies up-to-date is crucial for security, performance, and compatibility. Snyk simplifies the process by scanning Projects for outdated dependencies and proposing updates through automated pull requests. This allows teams to: +Keeping dependencies up-to-date is crucial for security, performance, and compatibility. Snyk simplifies the process by scanning Projects for outdated dependencies and proposing updates through automated pull requests. This lets teams: * Review and merge changes in a controlled way. * Keep Projects aligned with the latest package versions. @@ -37,7 +37,7 @@ You can also use this feature with Snyk Broker. To use this feature, you must up After importing a Git repository, Snyk continuously monitors for vulnerabilities, license, and dependency health issues. In addition to fix advice through the web UI, Snyk can automatically create pull requests (PRs) to solve for a variety of vulnerability types according to your configuration settings. -You can configure Snyk to regularly check your dependency health, recommend dependency upgrades, and automatically submit PRs for upgrades for either an entire Organization or a specific Project. After configuration, Snyk will automatically create PRs for all applicable dependencies as upgrades become available for scanned Projects. +You can configure Snyk to regularly check your dependency health, recommend dependency upgrades, and automatically submit PRs for upgrades for either an entire Organization or a specific Project. After configuration, Snyk automatically creates PRs for all applicable dependencies as upgrades become available for scanned Projects. {% hint style="info" %} Automatic dependency upgrade PRs are available only for the following SCM integrations: GitHub, GitHub Enterprise, and Bitbucket Cloud. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/README.md index 5cdc3bf93f6e..88e622341c24 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/README.md @@ -2,7 +2,7 @@ ## Overview -Snyk Code is a developer-first static application security testing (SAST) solution. By scanning code in real-time and providing actionable insights directly in the developer workflow across IDEs, repositories, and CI/CD pipelines, you can identify and address vulnerabilities early on. The AI-based engine results in fewer false positives for your developers, improving code quality and security. You can scan your code using the following options: +Snyk Code is a developer-first static application security testing (SAST) solution. By scanning code in real time and providing actionable insights directly in the developer workflow across IDEs, repositories, and CI/CD pipelines, you can identify and address vulnerabilities early on. The AI-based engine results in fewer false positives for your developers, improving code quality and security. You can scan your code using the following options: * Snyk web UI (including [PR checks](../pull-requests/pull-request-checks/)) * [Snyk IDE](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/snyk-ide-plugins-and-extensions) @@ -25,7 +25,7 @@ The following table shows the Snyk Code features, including analysis, managing s Snyk Code is powered by a semantic, AI-based analysis engine and can analyze the following in your code: -* API usage: Identifies multiple potential issues, including API misuses, null dereferences, and type mismatches, by modeling the use of memory in variables and references. This mechanism can also identify the use of insecure functions. +* API use: Identifies multiple potential issues, including API misuses, null dereferences, and type mismatches, by modeling the use of memory in variables and references. This mechanism can also identify the use of insecure functions. * Coding issues: Finds problems such as dead code, branches that are predefined, and branches having the same code on each side. * Control flow: Identifies null dereference or race conditions by modeling each possible control flow in the application. * Data flow: Follows the flow of data within the application from the source to the sink. Combined with AI-based learning of external insecure data sources, data sinks, and sanitation functions, this enables a strong taint analysis. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/configure-snyk-code.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/configure-snyk-code.md index fb94d0428622..d1534218192c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/configure-snyk-code.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/configure-snyk-code.md @@ -8,7 +8,7 @@ To use Snyk Code in an [IDE](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/inte 2. [Integrate Git repository with Snyk](configure-snyk-code.md#integrate-git-repository-with-snyk) 3. [Import repositories to scan with Snyk Code](configure-snyk-code.md#import-repositories-to-scan-with-snyk-code) -Snyk Code only scans and tests new repositories that are imported to Snyk. If a repository has already been imported, Snyk Code analysis will not be applied. To analyze repositories that have already been imported, you will need to [re-import them](import-project-with-snyk-code.md#re-import-repository-to-snyk). +Snyk Code only scans and tests new repositories that are imported to Snyk. If you have already imported a repository, Snyk Code analysis does not apply to it. To analyze repositories that you have already imported, [re-import them](import-project-with-snyk-code.md#re-import-repository-to-snyk). ## Prerequisites for using Snyk Code in Snyk Web UI diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/README.md index 3d5c51fec884..75cfbb4f03bb 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/README.md @@ -26,7 +26,7 @@ The following provides an overview of the testing process in Snyk Code based on ### Retesting code repository -If you want to check for the most recent vulnerabilities in your repository, you can do a manual test by selecting the **Retest now** option. This will trigger Snyk Code to take a fresh snapshot of your repository and analyze its source code files. The results will then be displayed on the Code Analysis page. Take into consideration that Snyk counts a manual test as a new test. See [What counts as a test?](https://app.gitbook.com/s/ELvljsaLKPkSpffOkmsQ/what-counts-as-a-test) +If you want to check for the most recent vulnerabilities in your repository, you can do a manual test by selecting the **Retest now** option. This triggers Snyk Code to take a fresh snapshot of your repository and analyze its source code files. The results then appear on the Code Analysis page. Take into consideration that Snyk counts a manual test as a new test. See [What counts as a test?](https://app.gitbook.com/s/ELvljsaLKPkSpffOkmsQ/what-counts-as-a-test) You can also use the **Retest now** option to apply the exclusion rules of the `.snyk` file to an imported repository. See [Exclude directories and files from Project import](../../import-project-repository/exclude-directories-and-files-from-project-import.md). @@ -97,7 +97,7 @@ To access the repository on the integrated Git repository platform, navigate to The result history is shown on the **History** page of the **Code Analysis** Project. This page displays the snapshots taken when a test was performed. You can review Snyk Code test results for all the testing phases. See [Code testing from import to retest](./#code-testing-from-import-to-retest). -On the **History** page, only two distinct snapshots are displayed. A snapshot is deemed unique if either the repository or its associated vulnerability findings have altered since the last assessment, resulting in a snapshot that showcases these changes. If there have been no changes in the repository or the vulnerability results since the last test, the new snapshot will replicate the prior one. Consequently, this will be listed as an additional test run on the **History** page. This means while the page may present multiple test entries, only up to two will feature distinct results. +The **History** page displays only two distinct snapshots. A snapshot is unique if either the repository or its associated vulnerability findings have changed since the last assessment, resulting in a snapshot that shows these changes. If there have been no changes in the repository or the vulnerability results since the last test, the new snapshot replicates the prior one. As a result, the page lists this as an additional test run. This means that while the page can present multiple test entries, only up to two feature distinct results. To view Project history: @@ -122,8 +122,7 @@ Manage Project settings as follows: Snyk Code goes beyond simple static analysis by tracking vulnerabilities across multiple scans, even as your codebase evolves. This ensures consistent and accurate vulnerability management, regardless of code refactoring, file renaming, or positional changes.\ \ -Consider a scenario where a vulnerability exists in `file1.js` on line 45. After a code refactor, the vulnerability persists but is now located in a different file and line. To effectively address such scenarios, Snyk Code employs a sophisticated issue-tracking system. To tracks vulnerabilities\ -Snyk Code performs the following: +Consider a scenario where a vulnerability exists in `file1.js` on line 45. After a code refactor, the vulnerability persists but is now located in a different file and line. To address such scenarios, Snyk Code uses an issue-tracking system. To track vulnerabilities, Snyk Code performs the following: 1. Fingerprint matching: * Generates a min-hash of the code's syntax tree for each vulnerability. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/breakdown-of-code-analysis.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/breakdown-of-code-analysis.md index 5ddf6a7df599..503b3636efac 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/breakdown-of-code-analysis.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/breakdown-of-code-analysis.md @@ -6,7 +6,7 @@ When you import repositories, Snyk Code automatically tests for vulnerabilities ## Code analysis components -This table summarises the elements of a Code analysis Project. +This table summarizes the elements of a Code analysis Project.
ComponentDescription
HeaderIncludes the details of the imported repository with a link to the repository in the Git repository, the Project name, and the Projects tabs: Overview, History, and Settings.
The Project Summary Information areaIncludes the dates of the repository import and the last test of the repository, the Retest now option for an on-demand test, the name of the user who imported the repository, the name of the Project owner, and the number of code files that were analyzed and not analyzed. See Retesting code repository
Project filtersIncludes a set of pre-defined criteria for filtering the displayed issues.
Vulnerability issuesIncludes the vulnerability issues that Snyk Code discovered in the imported repository.
Data flowDisplays the taint flow of the issue in the code.
Fix analysisProvides additional details about the discovered vulnerability type, best practices for preventing this issue, and code examples of fixes.
CWEThe CWE (Common Weakness Enumeration) ID of the specific vulnerability type and a link to the CWE website, where this vulnerability type is described. See Example: CWE-22: Path Traversal.
Open repository external linkQuick access to the integrated Git repository for immediate remediation.
Imported byThe Git repository username who imported the analyzed repository.
Project ownerIdentifies the lead for the Project in your Organization for administrative purposes only; it does not impact the Snyk Project itself. This is not a required field and is left blank by default.
EnvironmentThe Environment attribute describes the software's context, ranging from client-side (Frontend) to server-side (Backend), private (Internal) to public (External), across platforms like Mobile, Cloud (SaaS), On-Premises, Hosted services, and Distributed systems.
Business criticalityWhen the Risk Score feature is enabled, the Business Criticality attribute automatically influences the score, scaling it to the most significant attribute level. See Risk Score.
LifecycleThe Lifecycle attribute categorizes a Pro, Development, or Sandbox.
TagsThe Snyk Project tags feature enables the addition, removal, and use of custom metadata tags to organize and filter Projects, simplifying Project management and navigation.
Analysis summaryThe number of code files analyzed in the repository and the percentage of the analyzed files out of the total repository code files.
Repo breakdown
  • Analyzed Files: Includes files that have been reviewed by Snyk Code, encompassing recognized extensions and programming languages.
  • Unanalyzed Files: Consists of text files yet to be analyzed because of unsupported languages or extensions.
  • Unknown: Files without recognized extensions, potentially including multimedia content (such as pictures and videos), binaries, proprietary format files, or any other formats that fall outside Snyk Code's scope of interest.
@@ -14,11 +14,11 @@ This table summarises the elements of a Code analysis Project. Data flow shows the location of the discovered issue in your source code and how it flows throughout your application. It shows the taint flow of the issue in the code, with a step-by-step visualization from the source to the sink, presenting the code lines of all the steps in the flow. -The source is the input point of the potential problem. This is a point in the application where a user or an external device can enter data, which will potentially violate the security of the application. For example, in an SQL Injection issue, the source will be a form or any other data input area filled by a user. +The source is the input point of the potential problem. This is a point in the application where a user or an external device can enter data that can potentially violate the security of the application. For example, in an SQL Injection issue, the source is a form or any other data input area filled by a user. -The sink is the operation in the code where the application executes the problem. This point must receive clean input, or it can be exploited. For example, in an SQL Injection issue, the sink will be the internal operation that instructs the DB to perform certain actions according to the received input. +The sink is the operation in the code where the application executes the problem. This point must receive clean input, or an attacker can exploit it. For example, in an SQL Injection issue, the sink is the internal operation that instructs the DB to perform certain actions according to the received input. -Every issue discovered by Snyk Code has a data flow. If an issue has only one step, for example, in the case of hardcoded secrets, the source of the issue will be displayed on the Data flow page. +Every issue discovered by Snyk Code has a data flow. If an issue has only one step, for example, in the case of hardcoded secrets, the source of the issue appears on the Data flow page. ### View Data flow @@ -41,7 +41,7 @@ In the following Path Traversal issue, the developer has not sanitized the input ### Open Data flow external link -To open the displayed source code on the Git repository, select the file name above the right panel. In this example, the file name is "routes/profileImageUrlUpload.ts". +To open the displayed source code on the Git repository, select the file name. In this example, the file name is "routes/profileImageUrlUpload.ts". The source code appears in the integrated Git repository, showing you exactly where to fix the vulnerability. You can make the required fix to address the vulnerability in your code. @@ -55,7 +55,7 @@ To explore in-depth details about the specific vulnerability identified, you can Some vulnerabilities contain links to interactive lessons on understanding, fixing, and preventing vulnerability. See [Snyk Learn](https://learn.snyk.io/). -
Fis analysis page for Path Traversal vulnerability

Fix analysis page for Path Traversal vulnerability

+
Fix analysis page for Path Traversal vulnerability

Fix analysis page for Path Traversal vulnerability

### View Fix analysis @@ -75,7 +75,7 @@ The **Fix analysis** page enables you to do the following: ### **Open Fix analysis external link** -To open the code fix for the vulnerability on the Git repository, select the Git repository above the right panel. This will show you the differences in the Git repository code that address the issue. In this example, the Git repository name is "eclipse-vertx/vert.x". +To open the code fix for the vulnerability on the Git repository, select the Git repository name. This shows you the differences in the Git repository code that address the issue. In this example, the Git repository name is "eclipse-vertx/vert.x".
Data flow of a Path Traversal vulnerability issue.

Fix analysis of a Path Traversal vulnerability issue

@@ -124,6 +124,6 @@ For CWE-22 Path Traversal, if the vulnerability occurs in a test, it is Low seve ## Example: CWE-601: Open Redirect -For CWE-2601 Open Redirect, if the vulnerability occurs in a test, it is Low severity. If not, and it comes from a direct source, it is Medium severity. +For CWE-601 Open Redirect, if the vulnerability occurs in a test, it is Low severity. If not, and it comes from a direct source, it is Medium severity.
Decision flow chart for Priority Score CWE-601 Open Redirect

Decision flow chart for Priority Score CWE-601 Open Redirect

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/fix-code-vulnerabilities-automatically.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/fix-code-vulnerabilities-automatically.md index 1ae03fb0f263..e6ba9e2e1d9e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/fix-code-vulnerabilities-automatically.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/manage-code-vulnerabilities/fix-code-vulnerabilities-automatically.md @@ -8,7 +8,7 @@ As of May 2026, Snyk Agent Fix has been upgraded to a new agentic architecture f Snyk Agent Fix provides production-ready code fixes to address security vulnerabilities and code quality flaws detected by Snyk Code. It offers full rule coverage for all supported languages. -Snyk Agent Fix uses an agentic architecture that combines Snyk proprietary security intelligence with advanced large language models (LLMs). Key advantages include: +Snyk Agent Fix uses an agentic architecture that combines Snyk proprietary security intelligence with large language models (LLMs). Key advantages include: * Dynamic few-shot prompting: Instead of relying on fine-tuning, the architecture uses the Snyk database of more than 35,000 expert-written fixes to provide real-world context to the LLM during inference. Every sample includes vulnerable code from real open-source projects and fixes written by Snyk security experts. * Agentic retries: If a generated fix fails a Snyk Code scan, the system analyzes the error, feeds it back into the model, and generates a corrected version. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-local-engine.md b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-local-engine.md index b6246a167d1f..88c54bac9642 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-local-engine.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-code/snyk-code-local-engine.md @@ -1,6 +1,6 @@ # Snyk Code Local Engine -Snyk Code Local Engine (SCLE) is a fully contained version of the Snyk Code Engine that allows you to avoid uploading your code to the internet. When you use the Local Engine, only the scan is performed locally. Your scan results are uploaded to Snyk so you can view them on the Snyk Web UI. +Snyk Code Local Engine (SCLE) is a fully contained version of the Snyk Code Engine that lets you avoid uploading your code to the internet. When you use the Local Engine, only the scan runs locally. Snyk uploads your scan results so you can view them on the Snyk Web UI. This high-level architecture diagram shows the components and their interactions. Snyk scans a request for a Git repository through the Snyk Code Local Engine, which returns the results to Snyk. @@ -29,13 +29,13 @@ The core requirements to deploy the Snyk Code Local Engine are: The Snyk Code Local Engine is modular and can be customized to run specific integrations or everything at once. It can also scale as you prefer, with one or multiple nodes. -Each of the Kubernetes nodes will require at least the following free resources to run it: +Each of the Kubernetes nodes requires at least the following free resources to run it: * 55 GB RAM * 14 Core CPU * 50GB Ephemeral Storage -The size of the minimum node will depend on what your environment requires, but these are the minimum free resources required. +The size of the minimum node depends on what your environment requires, but these are the minimum free resources required. The total required resources for each flavor of the Snyk Code Local Engine are identified in the following list. Actual memory and storage consumption depend on the usage and the size of repositories scanned. The minimum total required resources can then be divided into multiple nodes. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/README.md index 63d3d79f4527..873ad5d9385d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/README.md @@ -8,7 +8,7 @@ Containers provide a standard packaging format for applications, but container i ## Snyk Container functions -Snyk Container provides tools and integrations to quickly find and fix vulnerabilities. This allows you to create images that have security built-in from the start. +Snyk Container provides tools and integrations to quickly find and fix vulnerabilities. This lets you create images that have security built-in from the start. ## Snyk Container integrations diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/README.md index f7746634552e..f0a56f62e6d3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/README.md @@ -10,7 +10,7 @@ For example, it is common to use the Snyk CLI to provide fast feedback to develo The main Container integrations are: -* CLI: Use for local investigation or testing an image you have built. This integration enables you to get early feedback on your machine and use as a gatekeeping stage in CI. It also serves a tool in CD for Snyk to capture snapshots and identify newly discovered vulnerabilities. For details, see [Snyk CLI for container security](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-container). +* CLI: Use for local investigation or testing an image you have built. This integration gives you early feedback on your machine and serves as a gatekeeping stage in CI. It also serves a tool in CD for Snyk to capture snapshots and identify newly discovered vulnerabilities. For details, see [Snyk CLI for container security](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-container). * SCM: Snyk can detect Dockerfiles directly from Git repositories and provide recommendations for updating the base image to a less vulnerable one. For details, see [Scan your Dockerfile](../scan-your-dockerfile/). * Container registries: Use to test a large number of images or if you cannot modify many CI pipelines. * Kubernetes: Monitor running workloads with additional context concerning how the workload has been configured to run. For details, see [Overview of the Kubernetes integration](../kubernetes-integration/overview-of-kubernetes-integration/). @@ -21,6 +21,6 @@ For cloud-hosted container registries, Snyk does not import and scan images that ## Choose your Snyk Container integration -Depending on your needs and context, in order to monitor for new vulnerabilities in container images, Snyk recommends choosing one of the following integration points: CLI, a container registry integration, or Kubernetes integration. By choosing only one of these testing methods, you can ensure the best outcome when identifying vulnerabilities and reduce noise. +Depending on your needs and context, to monitor for new vulnerabilities in container images, Snyk recommends choosing one of the following integration points: CLI, a container registry integration, or Kubernetes integration. By choosing only one of these testing methods, you can ensure the best outcome when identifying vulnerabilities and reduce noise. Because the Snyk CLI is highly customizable with CLI options, it has the broadest scope of all the integrations. You can run `snyk container monitor` as part of your continuous deployment pipeline and capture a snapshot of the container image as it is being deployed. For more information, see [Snyk CLI for Snyk Container](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-snyk-container). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/README.md index 4fa33090acbe..188d86dcb455 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/README.md @@ -1,6 +1,6 @@ # Integrate with Amazon Elastic Container Registry (ECR) -Snyk integrates with Amazon Elastic Container Registry (ECR) to enable you to import your Projects and monitor your containers for vulnerabilities. Snyk tests the Projects you have imported for any known security vulnerabilities found at a frequency you control. +Snyk integrates with Amazon Elastic Container Registry (ECR) so you can import your Projects and monitor your containers for vulnerabilities. Snyk tests the Projects you have imported for any known security vulnerabilities found at a frequency you control. Refer to the following pages for details: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/amazon-elastic-container-registry-ecr-add-images-to-snyk.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/amazon-elastic-container-registry-ecr-add-images-to-snyk.md index cef90d19d554..f9fdc5ec519b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/amazon-elastic-container-registry-ecr-add-images-to-snyk.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/amazon-elastic-container-registry-ecr-add-images-to-snyk.md @@ -19,18 +19,18 @@ Log in to your account and navigate to the relevant Group and Organization you w 2. If you want to import all of the associated images, select any of the repositories. 3. To select multiple images, expand and collapse repositories. 4. Click **Add selected images.**\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 5. When the import ends, a notification of success or failure appears at the top of the page. Click **Refresh Page** to view the **Projects** page with the newly imported images.\ Images are grouped by repository and linked individually to a detailed **Projects** page. -6. You can now connect your Git repo to this Project to use your Dockerfile for enriched fix advice.\ +6. You can now connect your Git repository to this Project to use your Dockerfile for enriched fix advice.\ For more information, see [Detect vulnerable base images from your Dockerfile](../../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). You can filter to view only ECR Projects, which are marked with a unique icon.
Projects list displaying an ECR Project

Example of an ECR Project

-Amazon ECR integration works like other Snyk integration. To continue to monitor, fix, and manage your Projects, see the relevant pages in the Snyk user documentation. +Amazon ECR integration works like other Snyk integrations. To continue to monitor, fix, and manage your Projects, see the relevant pages in the Snyk user documentation. {% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. See [Detecting application vulnerabilities in container images ](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md)for more information. +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. See [Detecting application vulnerabilities in container images ](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md)for more information. {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/configure-integration-for-amazon-elastic-container-registry-ecr.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/configure-integration-for-amazon-elastic-container-registry-ecr.md index f1a65a6c1d60..a514e28608bc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/configure-integration-for-amazon-elastic-container-registry-ecr.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/configure-integration-for-amazon-elastic-container-registry-ecr.md @@ -1,14 +1,14 @@ # Configure integration for Amazon Elastic Container Registry (ECR) {% hint style="warning" %} -When you connect to the ECR integration, ensure that the us-east-2 region is activated. This is required for the STS (Security Token Service) to work properly. For more information, see the [related support article](https://support.snyk.io/s/article/Connecting-to-ECR-Integration-gives-error-Could-not-connect-to-ECR-Please-ensure-your-credentials-are-correctly-configured). +When you connect to the ECR integration, ensure that the us-east-2 region is activated. The STS (Security Token Service) requires this region to work properly. For more information, see the [related support article](https://support.snyk.io/s/article/Connecting-to-ECR-Integration-gives-error-Could-not-connect-to-ECR-Please-ensure-your-credentials-are-correctly-configured). {% endhint %} This page explains how to enable integration between one Amazon ECR registry and a Snyk Organization and start managing your image security. To integrate with multiple registries, create a unique Organization for each one. To enable integration, you must first create a read-only AWS Identity and Access Management (IAM) role. The role delegates read-only access to all repositories in your registry for Snyk per Organization by indicating the list of permitted Snyk-assigned Organization IDs. -After you create the IAM role, when integrating additional organizations, you can add the additional Organization IDs as needed. +After you create the IAM role, when integrating additional Organizations, you can add the additional Organization IDs as needed. Additionally, after you create the IAM role, allow a few minutes for AWS to update the role on their servers before continuing: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/enable-snyk-permissions-to-access-amazon-elastic-container-registry-ecr-for-the-first-time.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/enable-snyk-permissions-to-access-amazon-elastic-container-registry-ecr-for-the-first-time.md index a65c56965cc6..84107abcfc1f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/enable-snyk-permissions-to-access-amazon-elastic-container-registry-ecr-for-the-first-time.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-amazon-elastic-container-registry-ecr/enable-snyk-permissions-to-access-amazon-elastic-container-registry-ecr-for-the-first-time.md @@ -1,7 +1,7 @@ # Enable Snyk permissions to access Amazon Elastic Container Registry (ECR) for the first time {% hint style="warning" %} -When you connect to the ECR integration, ensure that the us-east-2 region is activated. This is required for the STS (Security Token Service) to work properly. For more information, see the [related support article](https://support.snyk.io/s/article/Connecting-to-ECR-Integration-gives-error-Could-not-connect-to-ECR-Please-ensure-your-credentials-are-correctly-configured). +When you connect to the ECR integration, ensure that the us-east-2 region is activated. The STS (Security Token Service) requires this region to work properly. For more information, see the [related support article](https://support.snyk.io/s/article/Connecting-to-ECR-Integration-gives-error-Could-not-connect-to-ECR-Please-ensure-your-credentials-are-correctly-configured). {% endhint %} This process explains how to set up a resource role in AWS and the necessary policies. For additional information, see the [Amazon ECR documentation](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr_managed_policies.html). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-digitalocean.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-digitalocean.md index d311295d6a29..64a078f58d4e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-digitalocean.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-digitalocean.md @@ -1,6 +1,6 @@ # Integrate with DigitalOcean -Snyk integrates with DigitalOcean to enable you to import your container images and monitor them for vulnerabilities. +Snyk integrates with DigitalOcean so you can import your container images and monitor them for vulnerabilities. Snyk tests the images you have imported (Projects) for any known security vulnerabilities, testing them at a frequency you control, and alerts you when new issues are detected. @@ -26,18 +26,18 @@ This page explains how to set up DigitalOcean integration in Snyk and start mana If you are using self-hosted DigitalOcean, contact [Snyk Support](https://support.snyk.io) to provide you with a token. For more information, see [Snyk Container for self-hosted container registries (with Broker)](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/snyk-broker/snyk-broker-container-registry-agent/integrate-with-self-hosted-container-registries-broker). {% hint style="info" %} -For a successful connection, ensure you have a repository in DigitalOcean repository. +For a successful connection, ensure you have a repository in DigitalOcean. {% endhint %} -Snyk tests the connection values, and the page reloads, now displaying DigitalOcean integration information. The **Add your DigitalOcean images to Snyk** button becomes available.If the connection to DigitalOcean fails, a notification appears under the **Connected to DigitalOcean** section. +Snyk tests the connection values, and the page reloads, now displaying DigitalOcean integration information. The **Add your DigitalOcean images to Snyk** button becomes available. If the connection to DigitalOcean fails, a notification appears under the **Connected to DigitalOcean** section. When the connection is successful, you can use Snyk to scan your images from DigitalOcean. ## Scan container images from DigitalOcean in Snyk -Snyk tests and monitors your DigitalOcean container images by evaluating the image tags in your repositories. After you import images to Snyk, your image vulnerabilities are identified and can be triaged easily. +Snyk tests and monitors your DigitalOcean container images by evaluating the image tags in your repositories. After you import images to Snyk, Snyk identifies your image vulnerabilities so you can triage them. -The steps follow to add images from DigitalOcean to Snyk. +Follow these steps to add images from DigitalOcean to Snyk. ## **Prerequisites for DigitalOcean image scanning** @@ -53,8 +53,8 @@ The steps follow to add images from DigitalOcean to Snyk. The view **Which images do you want to test?** opens, displaying the available images for your connected registry, grouped by each of your repositories 4. Select single or multiple images to be imported to Snyk.\ You can select by choosing a specific image or by selecting an entire repository. You can also search by image name to find specific images to import. -5. To finish, click **Add selected repositories** on the top right.\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. +5. To finish, click **Add selected repositories**.\ + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 6. When the import ends: 1. You can view the newly imported image, marked with a **NEW** tag, on the **Projects** page. Images are grouped by repository and are each linked individually to a detailed **Project** page. 2. An **import log** becomes available; you can reach it at the top of the Projects list. @@ -65,5 +65,5 @@ DigitalOcean imports are indicated with a unique icon. You can filter the integr
Example of DigitalOcean Projects

DigitalOcean Projects in Projects listing

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/README.md index 39050257ea32..ba6c5d6b1629 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/README.md @@ -1,6 +1,6 @@ # Integrate with Docker Hub -Snyk integrates with Docker Hub to enable you to import snapshots of your Projects to the Snyk Web UI and then test and monitor image layers directly from your registries. Refer to these pages for details: +Snyk integrates with Docker Hub so you can import snapshots of your Projects to the Snyk Web UI and then test and monitor image layers directly from your registries. Refer to these pages for details: * [Configure integration for Docker Hub](configure-the-integration-with-docker-hub.md) * [Docker Hub - add Projects and images to the Snyk UI](docker-hub-add-projects-and-images-to-the-snyk-ui.md) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/docker-hub-add-projects-and-images-to-the-snyk-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/docker-hub-add-projects-and-images-to-the-snyk-ui.md index 069227ab1fe9..64b1e743273e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/docker-hub-add-projects-and-images-to-the-snyk-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-docker-hub/docker-hub-add-projects-and-images-to-the-snyk-ui.md @@ -19,11 +19,11 @@ Snyk tests and monitors Docker Hub repositories and images by evaluating root fo * Expand and collapse repositories to select multiple images. 5. Click **Add selected repositories**. - On the **Projects** page, a status bar appears at the top of the page as the images are imported; you can continue working in the meantime. + On the **Projects** page, a status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 6. When the import ends, a notification of success or failure appears at the top of the **Projects** page.\ Click **Refresh** to view the **Projects** page with the newly imported images.\ Images are grouped by repository and are each linked individually to a detailed **Projects** page. -7. You can now connect your Git repository to this Project in order to use your Dockerfile for enriched fix advice. For more information, see [Detect vulnerable base images from your Dockerfile](../../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). +7. You can now connect your Git repository to this Project to use your Dockerfile for enriched fix advice. For more information, see [Detect vulnerable base images from your Dockerfile](../../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). When repositories and images are imported, a confirmation appears in green at the top of the screen. Docker Hub files are indicated with a unique icon. @@ -31,8 +31,8 @@ You can also filter to view only Docker Hub Projects.

Example of a Docker Hub Project

-Docker Hub integration works like other Snyk integrations. To continue to monitor, fix and manage your Projects, see the relevant pages in the Snyk documentation. +Docker Hub integration works like other Snyk integrations. To continue to monitor, fix, and manage your Projects, see the relevant pages in the Snyk documentation. {% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. See [Detecting application vulnerabilities in container images ](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md)for more information. +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. See [Detecting application vulnerabilities in container images ](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md)for more information. {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-github-container-registry.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-github-container-registry.md index 3acd69920392..7642c34ad130 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-github-container-registry.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-github-container-registry.md @@ -1,6 +1,6 @@ # Integrate with GitHub Container registry -Snyk integrates with the GitHub Container registry to enable you to import your container images and monitor them for vulnerabilities. +Snyk integrates with the GitHub Container registry so you can import your container images and monitor them for vulnerabilities. Snyk tests the images you have imported (Projects) for any known security vulnerabilities, testing them at a frequency you control, and alerts you when new issues are detected. @@ -33,7 +33,7 @@ See the Snyk blog to learn more about [container registry security and security ## Scan images from GitHub Container registry in Snyk -Snyk tests and monitors your GitHub container images by evaluating their tags in your repositories. After you have imported images to Snyk, image vulnerabilities are identified and can be triaged efficiently. +Snyk tests and monitors your GitHub container images by evaluating their tags in your repositories. After you have imported images to Snyk, Snyk identifies image vulnerabilities so you can triage them. Follow these steps to add images from the GitHub container registry to Snyk. @@ -52,8 +52,8 @@ Follow these steps to add images from the GitHub container registry to Snyk. Note that GitHub Container Registry does not follow docker v2 API. Therefore, it is not possible to list images in repositories. Therefore you must specify the images you wish to scan manually. 5. Select single or multiple images to be imported to Snyk.\ You can choose a specific image or an entire repository. You can also search by image name to find specific images to import. -6. To finish, click **Add selected repositories** on the top-right.\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. +6. To finish, click **Add selected repositories**.\ + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 7. When the import ends: * You can view the newly imported image, marked with a **NEW** tag, on the **Projects** page. Images are grouped by repository and are each linked individually to a detailed **Project** page. * An import log becomes available; you can reach it at the top of the Projects list. @@ -64,5 +64,5 @@ GitHub container registry imports are designated with a unique icon. You can fil

Example of a GitHub Project

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-gitlab-container-registry.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-gitlab-container-registry.md index 1a5830a98cd5..eda25ba8576d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-gitlab-container-registry.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-gitlab-container-registry.md @@ -1,6 +1,6 @@ # Integrate with GitLab Container Registry -Snyk integrates with GitLab Container Registry to enable you to import your container images and monitor them for vulnerabilities. +Snyk integrates with GitLab Container Registry so you can import your container images and monitor them for vulnerabilities. Snyk tests the images you have imported (Projects) for any known security vulnerabilities, testing them at a frequency you control, and alerts you when new issues are detected. @@ -32,9 +32,9 @@ When the connection is successful, you can use Snyk to scan your images from Git ## Scan images from GitLab Container Registry in Snyk -Snyk tests and monitors your GitLab container images by evaluating the image tags in your repositories. After you have imported images to Snyk, your image vulnerabilities are identified and can be triaged easily. +Snyk tests and monitors your GitLab container images by evaluating the image tags in your repositories. After you have imported images to Snyk, Snyk identifies your image vulnerabilities so you can triage them. -The steps follow for adding images from GitLab Container Registry to Snyk. +Follow these steps to add images from GitLab Container Registry to Snyk. ## **Prerequisites for GitLab container image scanning** @@ -51,8 +51,8 @@ The steps follow for adding images from GitLab Container Registry to Snyk. Note that GitLab Container Registry does not follow Docker v2 API. Therefore, it is not possible to list images in a repository, and you must manually specify the images you wish to scan. 5. Select single or multiple images to be imported to Snyk.\ You can select by choosing a specific image or selecting an entire repository. You can also search by image name to find specific images to import. -6. To finish, click **Add selected repositories** on the top right.\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. +6. To finish, click **Add selected repositories**.\ + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 7. When the import ends: * You can view the newly imported image, marked with a **NEW** tag, on the **Projects** page. Images are grouped by repository and are each linked individually to a detailed **Project** page. * An import log becomes available; you can reach it at the top of the Projects list. @@ -63,5 +63,5 @@ GitLab Container Registry imports are designated with a unique icon. You can fil

Example of a GitLab Project

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-artifact-registry-gar.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-artifact-registry-gar.md index c165983ff3a7..d1965bb56b57 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-artifact-registry-gar.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-artifact-registry-gar.md @@ -50,16 +50,16 @@ To add images from GAR: * Type the name of a single image for import in the **Image Name** field. * Select any of the repositories for which you want to import all of the associated images. * Expand and collapse repositories to select multiple images across multiple repositories. -4. Click **Add selected repositories**. As the images are imported, a status bar appears at the top of the page. You can continue working while Snyk imports the images. +4. Click **Add selected repositories**. As Snyk imports the images, a status bar appears at the top of the page. You can continue working while Snyk imports the images. When the import ends, a notification of success or failure appears at the top of the page. Click **Refresh** to view the **Projects** page with the newly imported images. The images are grouped by repository and linked individually to a detailed **Projects** page. -You can now connect your Git repo to this Project in order to use your Dockerfile for enriched fix advice. For more information, see [Adding your Dockerfile and testing your base image](../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). +You can now connect your Git repository to this Project to use your Dockerfile for enriched fix advice. For more information, see [Adding your Dockerfile and testing your base image](../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). GAR files are indicated with a unique icon. You can now filter to view only those Projects.

Examples of GAR Projects

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-container-registry-gcr.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-container-registry-gcr.md index 502eb96bc530..c6a5936a5ea6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-container-registry-gcr.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-google-container-registry-gcr.md @@ -1,7 +1,7 @@ # Integrate with Google Container Registry (GCR) {% hint style="warning" %} -Google Container Registry (GCR) has been [officially deprecated](https://cloud.google.com/container-registry/docs/release-notes#May_15_2023) by Google and is no longer supported. Google has replaced GCR with the new Google Artifact Registry (GAR). All Snyk customers should **immediately** migrate to the [Snyk GAR integration](integrate-with-google-artifact-registry-gar.md). \ +Google Container Registry (GCR) has been [officially deprecated](https://cloud.google.com/container-registry/docs/release-notes#May_15_2023) by Google and is no longer supported. Google has replaced GCR with the new Google Artifact Registry (GAR). All Snyk customers must **immediately** migrate to the [Snyk GAR integration](integrate-with-google-artifact-registry-gar.md). \ \ Note that Google currently redirects `gcr.io` paths to GAR. Your legacy Snyk GCR integration may continue to work if the credentials provided to Snyk also have the `roles/artifactregistry.reader` and `roles/resourcemanager.projects.list` roles authorized for them. However, this redirect may stop functioning in the future. We strongly recommend that you migrate to the [Snyk GAR integration](integrate-with-google-artifact-registry-gar.md) at the earliest to avoid any unwanted service interruptions. {% endhint %} @@ -16,7 +16,7 @@ From the relevant project in Google, ensure you have created a service account f To enable GCR permissions: -1. Go to the Google Cloud Platform Console [Credentials](https://console.cloud.google.com/apis/credentials) page, select the Project that you want to integrate with, and then select setting up a new service account key. +1. Navigate to the Google Cloud Platform Console [Credentials](https://console.cloud.google.com/apis/credentials) page, select the Project that you want to integrate with, and then select setting up a new service account key. 2. From the view that opens choose the service account from the dropdown list that you created for this integration and configure a new key for that account with these values: * **Service account name** - assign a unique name for the account to help you remember its uses later on. * **Role** - Storage Object Viewer (roles/storage.objectViewer) @@ -46,7 +46,7 @@ You must be onboarded to your Organization by an administrator and have configur Snyk tests and monitors Google Container Registry (GCR) container images by evaluating root folders and custom file locations. -To add images from GAR: +To add images from GCR: 1. In the Snyk Web UI, navigate to the Organization you want to manage. 2. Navigate to **Projects** > **Add Projects**. The list of integrations already configured in your account opens. The view displays all of the available images for the registry to which you connected, grouped by each of your repositories. @@ -58,12 +58,12 @@ To add images from GAR: When the import ends, a notification of success or failure appears at the top of the page. Click **Refresh** to view the **Projects** page with the newly imported images. The images are grouped by repository and linked individually to a detailed **Projects** page. -You can now connect your Git repo to this Project in order to use your Dockerfile for enriched fix advice. For more information, see [Adding your Dockerfile and testing your base image](../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). +You can now connect your Git repository to this Project to use your Dockerfile for enriched fix advice. For more information, see [Adding your Dockerfile and testing your base image](../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). GCR files are indicated with a unique icon. You can now filter to view only those Projects.

Examples of GCR Projects

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-harbor-container-registry.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-harbor-container-registry.md index daa1ae5f21b4..e34a12c8ca35 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-harbor-container-registry.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-harbor-container-registry.md @@ -5,7 +5,7 @@ This feature is available only with Enterprise plans. For more information, see [pricing plans](https://snyk.io/plans/). {% endhint %} -Snyk integrates with Harbor Container Registry to enable you to import your container images and monitor them for vulnerabilities. +Snyk integrates with Harbor Container Registry so you can import your container images and monitor them for vulnerabilities. Snyk tests the images you have imported (referred to as Projects) for any known security vulnerabilities, testing them at a frequency you control, and alerts you when new issues are detected. @@ -33,11 +33,11 @@ Integration setup requires a Harbor user with sufficient permissions to access t Snyk tests the connection values, and the page reloads, now displaying Harbor integration information. The **Add your Harbor images to Snyk** button becomes available. If the connection to Harbor fails, a notification appears under the **Connected to Harbor** section. -Once the connection is successful, you can use Snyk to scan your images from Harbor. +When the connection is successful, you can use Snyk to scan your images from Harbor. ## Scan container images from Harbor in Snyk -Snyk tests and monitors your Harbor container images by evaluating the image tags in your repositories. After your container images are imported to Snyk, your image vulnerabilities are identified and can be triaged easily. +Snyk tests and monitors your Harbor container images by evaluating the image tags in your repositories. After you import your container images to Snyk, Snyk identifies your image vulnerabilities so you can triage them. Follow these instructions to add images from Harbor to Snyk. @@ -54,8 +54,8 @@ Follow these instructions to add images from Harbor to Snyk. 3. Select the **Harbor** option or **Other** if Harbor does not appear. 4. The view **Which images do you want to test?** opens, displaying all of the available images for your connected registry, grouped by each of your repositories. 5. Select single or multiple images to be imported to Snyk by choosing a specific image or by selecting an entire repository. You can also search by image name to find specific images to import. -6. To finish, click **Add selected repositories** on the top right.\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. +6. To finish, click **Add selected repositories**.\ + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 7. When the import ends: 1. You can view the newly imported image, marked with a **NEW** tag, on the **Projects** page. Images are grouped by repository and are each linked individually to a detailed Projects page. 2. An import log becomes available; you can reach it from the top of the Projects list. @@ -66,5 +66,5 @@ Harbor imports are indicated with a unique icon. You can also filter to view onl
Harbor Projects in Projects listing

Harbor Projects in Projects listing

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/README.md index 97965b85cac7..89aee8d756d8 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/README.md @@ -5,7 +5,7 @@ This feature is available only with Enterprise plans. For more information, see [pricing plans](https://snyk.io/plans/). {% endhint %} -Snyk integrates with JFrog Artifactory Container Registry to enable you to import your Projects and monitor your containers for vulnerabilities. Snyk tests the Projects you have imported for any known security vulnerabilities found at a frequency you control. +Snyk integrates with JFrog Artifactory Container Registry so you can import your Projects and monitor your containers for vulnerabilities. Snyk tests the Projects you have imported for any known security vulnerabilities found at a frequency you control. Refer to the following pages for details: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/add-artifactory-images-to-snyk.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/add-artifactory-images-to-snyk.md index 4e5b3b093bcc..41906ffe036c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/add-artifactory-images-to-snyk.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/add-artifactory-images-to-snyk.md @@ -10,24 +10,24 @@ Snyk tests and monitors your Artifactory container images by evaluating the tags ## **Steps to adding Artifactory images to Snyk** * Log in to your account and navigate to the relevant Group and Organization you want to manage. -* Go to **Projects** and click **Add projects**. The list of integrations already configured on your account opens. +* Navigate to **Projects** and click **Add projects**. The list of integrations already configured on your account opens. * The view **Which images do you want to test?** opens, displaying all of the available images for the registry to which you connected, grouped by each of your repositories. * Select single or multiple images using any or all of the following methods: - * Type the name of a single image for import in the Image Name field (at number 1, the image name field, in the image above), - * Select any of the repositories if you want to import all of the associated images (at number 2, the second item listed in the image above). - * Expand and collapse repositories to select multiple images (at number 3, the third image listed in the image above) across multiple repositories. + * Type the name of a single image for import in the **Image Name** field. + * Select any of the repositories if you want to import all of the associated images. + * Expand and collapse repositories to select multiple images across multiple repositories. * Click **Add selected repositories**. - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. -* When the import ends, a notification of success or failure appears at the top of the page. Click Refresh to view the Projects page with the newly imported images. Images are grouped by repository and are each linked individually to a detailed Projects page. -* You can now connect your Git repo to this Project in order to use your Dockerfile for enriched fix advice. For more information, see [Adding your Dockerfile and testing your base image](../../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. +* When the import ends, a notification of success or failure appears at the top of the page. Click **Refresh** to view the **Projects** page with the newly imported images. Images are grouped by repository and are each linked individually to a detailed **Projects** page. +* You can now connect your Git repository to this Project to use your Dockerfile for enriched fix advice. For more information, see [Adding your Dockerfile and testing your base image](../../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). -Images are indicated with a unique icon. You can filter to view only the Artifactory Projects. +Images are indicated with a unique icon. You can filter to view only the Artifactory Projects.
List of Artifactory Projects

List of Artifactory Projects

-Artifactory integration works like other Snyk integrations. To continue to monitor, fix and manage your Projects, see the relevant pages in the Snyk user documentation. +Artifactory integration works like other Snyk integrations. To continue to monitor, fix, and manage your Projects, see the relevant pages in the Snyk user documentation. {% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/configuring-your-jfrog-artifactory-container-registry-integration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/configuring-your-jfrog-artifactory-container-registry-integration.md index 3e5e2dcfe270..04b33885205b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/configuring-your-jfrog-artifactory-container-registry-integration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-jfrog-artifactory/configuring-your-jfrog-artifactory-container-registry-integration.md @@ -15,7 +15,7 @@ The instructions on this page explain how to enable integration between one Arti 2. Navigate to **Integrations**. From the list of integrations, select **Artifactory.**\ The configuration page opens. 3. Enter your credentials: - * **Username and Password -** use your Artifactory login credentials. If you're using SSO configuration, you must generate an access token in Artifactory and use the token details to login. + * **Username and Password -** use your Artifactory login credentials. If you are using SSO configuration, you must generate an access token in Artifactory and use the token details to log in. * **Container registry name -** the full registry URL: `.jfrog.io/artifactory/api/docker/`

Artifactory account credentials

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-microsoft-azure-container-registry-acr/add-images-to-snyk-from-acr.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-microsoft-azure-container-registry-acr/add-images-to-snyk-from-acr.md index 994ed75c26e1..36813c7a8c72 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-microsoft-azure-container-registry-acr/add-images-to-snyk-from-acr.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-microsoft-azure-container-registry-acr/add-images-to-snyk-from-acr.md @@ -10,26 +10,26 @@ Snyk tests and monitors Microsoft Azure Container Registry (ACR) container image ## Steps to add images to Snyk from ACR 1. Log in to your account and navigate to the relevant Group and Organization you want to manage. -2. Go to **Projects**, and click **Add projects**. The list of integrations already configured on your account opens. +2. Navigate to **Projects**, and click **Add projects**. The list of integrations already configured on your account opens. The view **Which images do you want to test?** opens, displaying all of the available images for the registry to which you connected, grouped by each of your repositories, similar to the following: 1. Select single or multiple images using any or all of the following methods: - 1. Type the name of a single image for import in the **Image Name** field (at number 1, the Image Name field in the image above), - 2. Select any of the repositories if you want to import all of the associated images (at number 2, the second item listed in the image above). - 3. Expand and collapse repositories to select multiple images at number 3, the third item listed in the image above) across multiple repositories. + 1. Type the name of a single image for import in the **Image Name** field. + 2. Select any of the repositories if you want to import all of the associated images. + 3. Expand and collapse repositories to select multiple images across multiple repositories. 2. Click **Add selected repositories**. - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 3. When the import ends, a notification of success or failure appears at the top of the page. Click **Refresh** to view the **Projects** page with the newly imported images.\ Images are grouped by repository and linked individually to a detailed Projects page. -4. You can now connect your Git repository to this Project in order to use your Dockerfile for enriched fix advice.\ +4. You can now connect your Git repository to this Project to use your Dockerfile for enriched fix advice.\ For more information, see [Adding your Dockerfile and testing your base image](../../scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md). ACR files are indicated with a unique icon. You can filter to view only ACR Projects. -ACR integration works like other Snyk integrations. To continue to monitor, fix and manage your Projects, see the relevant pages in the Snyk user documentation. +ACR integration works like other Snyk integrations. To continue to monitor, fix, and manage your Projects, see the relevant pages in the Snyk user documentation. {% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-nexus-container-registry.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-nexus-container-registry.md index 1df95f5730ac..74a93c5a4eb7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-nexus-container-registry.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-nexus-container-registry.md @@ -5,7 +5,7 @@ This feature is available only with Enterprise plans. For more information, see [pricing plans](https://snyk.io/plans/). {% endhint %} -Snyk integrates with Nexus Container Registry to enable you to import your container images and monitor them for vulnerabilities. +Snyk integrates with Nexus Container Registry so you can import your container images and monitor them for vulnerabilities. Snyk tests the images you have imported (Projects) for any known security vulnerabilities, testing them at a frequency you control, and alerts you when new issues are detected. @@ -34,7 +34,7 @@ If the connection to Nexus fails, a notification appears under the **Connected t When the connection is successful, you can use Snyk to scan your images from Nexus. -Snyk tests and monitors your Nexus container images by evaluating the image tags in your repositories. After you have imported images to Snyk, the image vulnerabilities are identified and can be triaged easily. +Snyk tests and monitors your Nexus container images by evaluating the image tags in your repositories. After you have imported images to Snyk, Snyk identifies the image vulnerabilities so you can triage them. Follow these steps to add images from Nexus to Snyk. @@ -52,8 +52,8 @@ Follow these steps to add images from Nexus to Snyk. The view **Which images do you want to test?** view opens, displaying all available images for your connected registry, grouped by each of your repositories. 4. Select single or multiple images to be imported to Snyk.\ You can choose a specific image or select an entire repository. You can also search by image name to find specific images to import. -5. To finish, click **Add selected repositories** on the top-right.\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. +5. To finish, click **Add selected repositories**.\ + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 6. When the import ends: 1. You can view the newly imported image, marked with a **NEW** tag, on the **Projects** page. Images are grouped by repository and are each linked individually to a detailed **Project** page. 2. An **import log** becomes available; you can reach it at the top of the Projects list. @@ -64,5 +64,5 @@ Nexus imports are indicated with a unique icon. You can also filter to view only
Nexus Project in Projets listing

Example of a Nexus Project

{% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-quay-container-registry.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-quay-container-registry.md index 67e1f7eb8918..89b121c6d45b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-quay-container-registry.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/container-registry-integrations/integrate-with-quay-container-registry.md @@ -1,6 +1,6 @@ # Integrate with Quay Container Registry -Snyk integrates with Quay Container Registry to enable you to import your container images and monitor them for vulnerabilities. +Snyk integrates with Quay Container Registry so you can import your container images and monitor them for vulnerabilities. Snyk tests the images you have imported (Projects) for any known security vulnerabilities, testing them at a frequency you control, and alerts you when new issues are detected. @@ -28,7 +28,7 @@ Snyk tests the connection values, and the page reloads, displaying Quay integrat When the connection succeeds, you can use Snyk to scan your images from Quay. -Snyk tests and monitors your Quay container images by evaluating the tags in your repositories. After import to Snyk, your image vulnerabilities are identified and can be triaged easily. +Snyk tests and monitors your Quay container images by evaluating the tags in your repositories. After import to Snyk, Snyk identifies your image vulnerabilities so you can triage them. ## Scan container images from Quay in Snyk @@ -47,8 +47,8 @@ Snyk tests and monitors your Quay container images by evaluating the tags in you 5. Select single or multiple images to be imported to Snyk.\ You can select by choosing a specific image or by selecting an entire repository.\ You can also search by image name to find specific images to import. -6. To finish, click **Add selected repositories** at the top right.\ - A status bar appears at the top of the page as the images are imported; you can continue working in the meantime. +6. To finish, click **Add selected repositories**.\ + A status bar appears at the top of the page as Snyk imports the images. You can continue working in the meantime. 7. When the import ends: 1. You can view the newly imported image, marked with a **NEW** tag, on the **Projects** page; Images are grouped by repository and linked individually to a detailed **Project** page.\ An **import log** becomes available; you can reach it at the top of the Projects list. @@ -57,5 +57,5 @@ Snyk tests and monitors your Quay container images by evaluating the tags in you Quay imports are designated with a unique icon. You can filter to view only Quay Projects. {% hint style="info" %} -For application vulnerabilities within container images, any changes to the application will not be reflected with a manual or recurring retest. A re-import of the image is required. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). +For application vulnerabilities in container images, a manual or recurring retest does not reflect any changes to the application. You must re-import the image. For more information, see [Detecting application vulnerabilities in container images](../use-snyk-container/detect-application-vulnerabilities-in-container-images.md). {% endhint %} diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/README.md index d6fa97a00550..eda6448b8520 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/README.md @@ -29,7 +29,7 @@ After Snyk has the list of installed software, Snyk looks that up in the Snyk Vu Snyk supports testing OCI-compliant and Docker v2-compliant images but does not support images that combine both OCI and Docker v2 standards into a single archive. {% endhint %} -When providing public base image recommendations, Snyk's logic considers the origin repository, flavor, and version of the base image it detects. This means that Snyk's upgrade recommendations aim to reduce the number or severity of found vulnerabilities, with minor version upgrades typically maintaining compatibility with the currently used base image. +When providing public base image recommendations, Snyk considers the origin repository, flavor, and version of the base image it detects. This means that the Snyk upgrade recommendations aim to reduce the number or severity of found vulnerabilities, with minor version upgrades typically maintaining compatibility with the base image you use. ## Official advisory resources used by Snyk Container diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/operating-system-distributions-supported-by-snyk-container.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/operating-system-distributions-supported-by-snyk-container.md index be4b63c3edd3..d1e4bef5af36 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/operating-system-distributions-supported-by-snyk-container.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/operating-system-distributions-supported-by-snyk-container.md @@ -2,7 +2,7 @@ Snyk detects vulnerabilities in images based on operating systems listed on this page along with the specific versions that are supported. For the latest updates, see [Snyk updates](https://updates.snyk.io). -If you use an unsupported distribution, for example, one that has reached its end of life (EOL) and is no longer being maintained, Snyk displays a message to tell you the distribution is unsupported. Due to a lack of security updates for unsupported distributions, it is possible that you will not receive notifications about vulnerabilities. However, it does not mean that your image is secure. +If you use an unsupported distribution, for example, one that has reached its end of life (EOL) and is no longer being maintained, Snyk displays a message to tell you the distribution is unsupported. Due to a lack of security updates for unsupported distributions, you might not receive notifications about vulnerabilities. However, this does not mean that your image is secure. {% hint style="info" %} Snyk also supports images using packages from these distributions, but without the associated package manager, such as Distroless images. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/severity-levels-of-detected-linux-vulnerabilities.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/severity-levels-of-detected-linux-vulnerabilities.md index 581841336848..5d523b13c1e9 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/severity-levels-of-detected-linux-vulnerabilities.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/how-snyk-container-works/severity-levels-of-detected-linux-vulnerabilities.md @@ -10,7 +10,7 @@ In certain cases, NVD assigns a different CVSS vector and severity score from th ## Relative importance feature -Relative importance asserts a common severity for a vulnerability and shows the underlying detailed information for that severity based on multiple sources. This allows developers and analysts to view a common level of importance and exposes the underlying information that contributed to the asserted severity. +Relative importance asserts a common severity for a vulnerability and shows the underlying detailed information for that severity based on multiple sources. This lets developers and analysts view a common level of importance and exposes the underlying information that contributed to the asserted severity. Snyk supports relative importance in Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux, and SUSE Linux Enterprise Server (SLES). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/authenticate-to-private-container-registries.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/authenticate-to-private-container-registries.md index b7a8aac95851..8c3082cb0133 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/authenticate-to-private-container-registries.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/authenticate-to-private-container-registries.md @@ -2,9 +2,9 @@ If you are using private container registries, you must create a `dockercfg.json` file that contains the credentials to the registry. Then you must create a secret, which must be called `snyk-monitor`. -The `dockercfg.json` file is necessary to allow the monitor to look up images in private registries. Usually, your credentials are in `$HOME/.docker/config.json`. However, the credentials must also be added to the `dockercfg.json` file. The Snyk Controller is not able to access these registries if the credentials are only stored in `$HOME/.docker/config.json` +The `dockercfg.json` file is necessary to allow the monitor to look up images in private registries. Usually, your credentials are in `$HOME/.docker/config.json`. However, the credentials must also be added to the `dockercfg.json` file. The Snyk Controller cannot access these registries if the credentials are only stored in `$HOME/.docker/config.json` -The steps below explain how to authenticate to private container registries. +The following steps explain how to authenticate to private container registries. ## Configure the dockercfg.json file @@ -15,7 +15,7 @@ Ensure the file containing your credentials is named `dockercfg.json`. This file {% endhint %} {% hint style="info" %} -Ensure the formatting is correct, including new line characters and whitespace in the `dockercfg.json` file. Malformed files will result in authentication failures. +Ensure the formatting is correct, including new line characters and whitespace in the `dockercfg.json` file. Malformed files result in authentication failures. {% endhint %} The locations where your cluster runs and where your registries run determine the combination of entries in your `dockercfg.json` file. The file can contain credentials for multiple registries. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-on-amazon-elastic-kubernetes-service-amazon-eks.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-on-amazon-elastic-kubernetes-service-amazon-eks.md index 8df350ad18b0..691f7e5c7a5b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-on-amazon-elastic-kubernetes-service-amazon-eks.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-on-amazon-elastic-kubernetes-service-amazon-eks.md @@ -8,13 +8,13 @@ Ensure you have reviewed the [prerequisites for installing the Snyk Controller]( The installation steps work best for EKS and ECR with the same AWS account. If you have a different setup, contact [Snyk support](https://support.snyk.io). {% endhint %} -Installing the Snyk Controller enables you to import and test your running EKS workloads and identify vulnerabilities in their associated images and configurations that can make the workloads less secure. After the workload is imported, Snyk continues to monitor the workload, identifying additional security issues, as new images are deployed and the workload configuration changes. +Installing the Snyk Controller lets you import and test your running EKS workloads and identify vulnerabilities in their associated images and configurations that can make the workloads less secure. After the workload is imported, Snyk continues to monitor the workload, identifying additional security issues, as new images are deployed and the workload configuration changes. The steps described below provide instructions for configuring the Snyk Controller to pull and scan private images from ECR. To install Amazon EKS: -1\. Access your Kubernetes environment. Run the following command in order to add the Snyk Charts repository to Helm: +1\. Access your Kubernetes environment. Run the following command to add the Snyk Charts repository to Helm: ``` helm repo add snyk-charts https://snyk.github.io/kubernetes-monitor --force-update @@ -51,18 +51,18 @@ kubectl create secret generic snyk-monitor \ --from-literal=serviceAccountApiToken=bdca4123-dbca-4343-bbaa-1313cbad4231 ``` -5\. Attach policies or roles for nodes. You can do this using one of the below options: +5\. Attach policies or roles for nodes. You can do this using one of the following options: #### Attach policies for worker nodes 1. Attach the `NodeInstanceRole` policy. See [Using Amazon ECR Images with Amazon EKS](https://docs.aws.amazon.com/AmazonECR/latest/userguide/ECR_on_EKS.html). 2. Attach the `AmazonEC2ContainerRegistryReadOnly` policy to your EKS worker nodes.\ - The Snyk Controller is now able to pull private images when running on those worker nodes. + The Snyk Controller can now pull private images when running on those worker nodes. #### Create an EKS node role for your Node Group and add the Trust Relationship for the IAM Role 1. Follow the instructions on [Amazon EKS node IAM role](https://docs.aws.amazon.com/eks/latest/userguide/create-node-role.html) and check your existing node role. Ensure you have attached the policy `AmazonEC2ContainerRegistryReadOnly`**.** -2. For the Snyk Controller to successfully assume the IAM role and pull images from ECR, the role's trust policy must be configured to trust your EKS cluster's OIDC provider. Create the trust policy document in JSON format and apply this trust policy document to the IAM role that the Snyk Controller will use. +2. For the Snyk Controller to successfully assume the IAM role and pull images from ECR, the role's trust policy must be configured to trust your EKS cluster's OIDC provider. Create the trust policy document in JSON format and apply this trust policy document to the IAM role that the Snyk Controller uses. ``` { diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-with-openshift-4-and-operatorhub.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-with-openshift-4-and-operatorhub.md index 7e9dcc7d3fea..1c13e23825f6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-with-openshift-4-and-operatorhub.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/install-the-snyk-controller-with-openshift-4-and-operatorhub.md @@ -1,5 +1,5 @@ # Install the Snyk Controller with OpenShift 4 and OperatorHub -The Snyk Controller V2 is currently not available in the OpenShift Marketplace nor available as a community version. +The Snyk Controller V2 is not available in the OpenShift Marketplace nor available as a community version. You can still install Snyk Controller V2 in OpenShift using the Helm install instructions. See [Install the Snyk Controller with Helm (Azure and Google Cloud Platform)](install-the-snyk-controller-with-helm-azure-and-google-cloud-platform.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/optional-installation-steps-for-snyk-controller-with-helm.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/optional-installation-steps-for-snyk-controller-with-helm.md index f97eb6703f2f..4dcd7138cef3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/optional-installation-steps-for-snyk-controller-with-helm.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/install-the-snyk-controller/optional-installation-steps-for-snyk-controller-with-helm.md @@ -118,7 +118,7 @@ helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \ By default, Snyk ignores scanning certain namespaces believed to be internal to Kubernetes. For the full list, see [Configuring excluded namespaces](https://github.com/snyk/kubernetes-monitor/tree/master/snyk-monitor#configuring-excluded-namespaces).\ \ -You can change the default, as Snyk allows you to configure the excluded namespaces. +You can change the default, as Snyk lets you configure the excluded namespaces. When you add your own list of namespaces to exclude with the `excludedNamespaces` setting, Snyk overrides the default settings and uses the list of namespaces you provide. @@ -151,7 +151,7 @@ helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \ ## Configure Snyk Controller CPU -If more or less CPU is required in order to deploy the controller, configure the HelmChart default value for requests (X) and limits (Y) with the `--set` flag. +If more or less CPU is required to deploy the controller, configure the HelmChart default value for requests (X) and limits (Y) with the `--set` flag. ``` helm upgrade --install snyk-monitor snyk-charts/snyk-monitor \ diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/integrate-with-sysdig.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/integrate-with-sysdig.md index 212b50ccbfbc..de934f9cffb6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/integrate-with-sysdig.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/integrate-with-sysdig.md @@ -7,7 +7,7 @@ To enhance its capabilities when detecting workload information, Snyk has partne For a successful integration with Sysdig, the Snyk Controller requires an extra Sysdig Secret in the `snyk-monitor` namespace. The Sysdig Secret name is `snyk-sysdig-secret`. {% hint style="info" %} -Execute the commands below after installing Sysdig, in order to allow the Snyk Controller to detect Sysdig in the cluster. +Run the following commands after installing Sysdig, to allow the Snyk Controller to detect Sysdig in the cluster. {% endhint %} Create the `snyk-sysdig-secret` in the `snyk-monitor` namespace: @@ -38,7 +38,7 @@ Your Snyk Controller now collects data from Sysdig every 30 minutes. ## Enrich Snyk vulnerability data and priority score -To enrich the priority score of vulnerabilities it detects, Snyk uses packages executed at runtime. This allows Snyk to better prioritize which vulnerabilities to fix first. The priority score is available on both the **Project** page and in the [Snyk public API](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/projects-v1#org-orgid-project-projectid-aggregated-issues). +To enrich the priority score of vulnerabilities it detects, Snyk uses packages executed at runtime. This lets Snyk better prioritize which vulnerabilities to fix first. The priority score is available on both the **Project** page and in the [Snyk public API](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/projects-v1#org-orgid-project-projectid-aggregated-issues). ![Packages executed at runtime](<../../../.gitbook/assets/image (13).png>) @@ -51,7 +51,7 @@ After enabling the Sysdig integration, allow 30 minutes before manually importin ## Application support -For application vulnerabilities, Snyk currently provides support for the following languages: +For application vulnerabilities, Snyk provides support for the following languages: * Java * JavaScript diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/README.md index ebd4ca355108..4b7e963312f6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/README.md @@ -5,7 +5,7 @@ Kubernetes integration is available only with Enterprise plans. For more information, see [plans and pricing](https://snyk.io/plans/). {% endhint %} -Snyk is able to integrate with Kubernetes, enabling you to import and scan your running workloads. This helps you identify vulnerabilities in their associated images and configurations that can make those workloads less secure. After workloads are imported, Snyk continues to monitor them and to identify additional security issues as new images are deployed and the workload configuration changes. +Snyk integrates with Kubernetes, letting you import and scan your running workloads. This helps you identify vulnerabilities in their associated images and configurations that can make those workloads less secure. After workloads are imported, Snyk continues to monitor them and to identify additional security issues as new images are deployed and the workload configuration changes. ## **How Kubernetes integration works** @@ -46,7 +46,7 @@ Snyk Container Kubernetes integration uses Red Hat UBI (Universal Base Image). Before downloading or using this application, you must agree to the Red Hat subscription agreement located on the [Red Hat website](https://www.redhat.com/en/about/agreements). If you do not agree with these terms, do not download or use the application. -If you have an existing Red Hat Enterprise Agreement (or other negotiated agreement with Red Hat) with terms that govern subscription services associated with Containers, then your existing agreement will be the controlling agreement. +If you have an existing Red Hat Enterprise Agreement (or other negotiated agreement with Red Hat) with terms that govern subscription services associated with Containers, then your existing agreement is the controlling agreement. ## Kubernetes integration troubleshooting diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/enable-the-kubernetes-integration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/enable-the-kubernetes-integration.md index 85716778627c..bf4bc13e9494 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/enable-the-kubernetes-integration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/enable-the-kubernetes-integration.md @@ -27,7 +27,7 @@ In this window, the following sections are available: | Section | Description | | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| **Connected to Kubernetes** |

This section appears after you have successfully connected, allowing you to add your workloads from the Dashboard, from the Projects page.

When the Kubernetes integration is not yet set up, this is the only section that appears in this window, together with the Connect button. See Overview of the Kubernetes integration.

| +| **Connected to Kubernetes** |

This section appears after you have successfully connected, letting you add your workloads from the Dashboard, from the Projects page.

When the Kubernetes integration is not yet set up, this is the only section that appears in this window, together with the Connect button. See Overview of the Kubernetes integration.

| | **Integration ID** |

The Integration ID is a UUID and appears in the format abcd1234-abcd-1234-abcd-1234abcd1234.

| | **Snyk controller versions** | Displays the version of the Snyk controller you have installed on your clusters. | -| **Disconnect from Kubernetes** | Allows you to remove this integration from this Organization. To do this, click **Disconnect**. | +| **Disconnect from Kubernetes** | Lets you remove this integration from this Organization. To do this, click **Disconnect**. | diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/how-snyk-controller-handles-your-data.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/how-snyk-controller-handles-your-data.md index d4bd2c9db284..ea18b63270a0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/how-snyk-controller-handles-your-data.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/how-snyk-controller-handles-your-data.md @@ -3,9 +3,9 @@ After you install the Snyk Controller in your Kubernetes cluster, it pulls images from your container registries: 1. The Snyk Controller has read-only access to the Kubernetes workloads and container registries. -2. The Snyk Controller pulls images to disk, scans them, and then deletes the images once the scanning completes. -3. The Snyk Controller collects only the minimum relevant information in order to perform vulnerability analysis, specifically the list of dependencies in the image and the workload metadata. -4. The data that the Snyk Controller collects is stored in Snyk's backend, but it is deleted after eight days. Below is the data that Snyk Controller collects: +2. The Snyk Controller pulls images to disk, scans them, and then deletes the images after the scanning completes. +3. The Snyk Controller collects only the minimum relevant information to perform vulnerability analysis, specifically the list of dependencies in the image and the workload metadata. +4. The data that the Snyk Controller collects is stored in the Snyk backend, but it is deleted after eight days. The Snyk Controller collects the following data: * Workload metadata (Kubernetes configuration): * Labels, annotations * PodSpec diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/supported-workloads-container-registries-languages-and-operating-systems.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/supported-workloads-container-registries-languages-and-operating-systems.md index 3a3d715974a0..97c4c37d5204 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/supported-workloads-container-registries-languages-and-operating-systems.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/kubernetes-integration/overview-of-kubernetes-integration/supported-workloads-container-registries-languages-and-operating-systems.md @@ -18,7 +18,7 @@ The Controller detects these workloads by tracing the chain of owner references For example, given a Pod, the Controller can detect that it is owned by a ReplicaSet, which in turn is owned by a Deployment, which in turn has no other owners. The workload detected is thus the Deployment. -In cases where a workload is owned by a Custom Resource, the `snyk monitor` currently cannot proceed and must assume that the current workload is the topmost parent that the Controller was able to process. +In cases where a workload is owned by a Custom Resource, the `snyk monitor` cannot proceed and must assume that the current workload is the topmost parent that the Controller could process. ## Supported container registries diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-container-images.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-container-images.md index 41c8846234db..ec5261baffca 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-container-images.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-container-images.md @@ -27,7 +27,7 @@ You can see the history of all the repositories and container registry images im To see vulnerability information for that Project, select an imported Project from the target list. -Click on a Project entry to see details of the vulnerabilities found, including where it was introduced, how to fix it, and other details about the vulnerability. +Click a Project entry to see details of the vulnerabilities found, including where it was introduced, how to fix it, and other details about the vulnerability. ## Fix vulnerabilities in your container images diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/README.md index 2c7230a92bb5..71e06379ce8b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/README.md @@ -1,6 +1,6 @@ # Scan your Dockerfile -Snyk Container allows you to analyze your Dockerfile and scan base images from the Dockerfile. +Snyk Container lets you analyze your Dockerfile and scan base images from the Dockerfile. ## Prerequisites for Dockerfile analysis diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/automatically-link-your-dockerfile-with-container-images-using-labels.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/automatically-link-your-dockerfile-with-container-images-using-labels.md index 158d2410b650..876bf378ea8b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/automatically-link-your-dockerfile-with-container-images-using-labels.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/automatically-link-your-dockerfile-with-container-images-using-labels.md @@ -1,10 +1,10 @@ # Automatically link your Dockerfile with container images using labels -Snyk allows you to link manually or automatically from a Dockerfile to all container images built from it. You can use this to understand the security impact on your running applications and understand which images can be better secured or need to be rebuilt when you take action and update the Dockerfile base image. +Snyk lets you link manually or automatically from a Dockerfile to all container images built from it. You can use this to understand the security impact on your running applications and understand which images you can secure better or must rebuild when you take action and update the Dockerfile base image. ## How linked images work -When it is imported or rescanned, the image is analyzed and scanned for vulnerabilities. Image labels are also retrieved from the image manifest. Snyk then checks that: +When you import or rescan the image, Snyk analyzes and scans it for vulnerabilities. Snyk also retrieves image labels from the image manifest. Snyk then checks that: * Image labels defining the Dockerfile location exist: * (Mandatory) `org.opencontainers.image.source` - URL to the Project repository, for example, `org.opencontainers.image.source="https://github.com/example/test"` @@ -25,9 +25,9 @@ Using container registry integration, you can get automatic links between import ## Automatically update and remove links -Links are automatically updated if the Dockerfile labels are updated and are targeting a new location. This can happen during a re-scan or during a recurring scan. +Snyk automatically updates links if the Dockerfile labels are updated and target a new location. This can happen during a rescan or during a recurring scan. -Links are removed if: +Snyk removes links if: * The image Project or Dockerfile Project is deleted. * The Dockerfile labels are updated so that they target the Dockerfile location without an existing Project in Snyk or diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md index 242200e8ac68..c8d831841ee9 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/detect-vulnerable-base-images-from-your-dockerfile.md @@ -36,13 +36,13 @@ The following information is displayed: **Current image**, **Minor upgrades**, * ## Scan the base image from a Dockerfile -Snyk detects vulnerable base images by scanning your Dockerfile when you import a Git repository. This allows you to examine security issues before building the image and thus helps solve potential problems before they land in your registry or in production. +Snyk detects vulnerable base images by scanning your Dockerfile when you import a Git repository. This lets you examine security issues before building the image and helps solve potential problems before they land in your registry or in production. {% hint style="info" %} When scanning Dockerfiles, Snyk can provide vulnerability information and base image recommendations for supported base images. If you need help, contact [Snyk Support](https://support.snyk.io). {% endhint %} -After you [integrate your Git repository with Snyk](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations), any Dockerfiles in that repository are automatically identified and shown in the Web UI as Projects. +After you [integrate your Git repository with Snyk](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations), Snyk automatically identifies any Dockerfiles in that repository and shows them in the Web UI as Projects.

Dockerfiles displayed in the Project list

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/fix-vulnerable-base-images-in-your-dockerfile.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/fix-vulnerable-base-images-in-your-dockerfile.md index 772dda3ab634..c9a5f0cf5d98 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/fix-vulnerable-base-images-in-your-dockerfile.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/scan-your-dockerfile/fix-vulnerable-base-images-in-your-dockerfile.md @@ -2,7 +2,7 @@ ## Automatic Pull Requests (PRs) -Snyk detects vulnerable base images by scanning your Dockerfile when importing a Git repository and helps you fix them using automatic pull requests. This allows you to examine security issues before you build the image and fix them before they land in your registry or in production. +Snyk detects vulnerable base images by scanning your Dockerfile when importing a Git repository and helps you fix them using automatic pull requests. This lets you examine security issues before you build the image and fix them before they land in your registry or in production. Supported Git-based repository managers for Dockerfile fix PRs include: @@ -15,7 +15,7 @@ Supported Git-based repository managers for Dockerfile fix PRs include: * GitHub Server * Azure Repos -For any Dockerfile Project created in Snyk, if the base image is a [Docker Official image](https://docs.docker.com/docker-hub/official_images/), the results include a list of suitable base images that can be used instead of the existing, more vulnerable one. For more information, see [Analyze and fix container images](../use-snyk-container/analyze-and-fix-container-images.md). +For any Dockerfile Project created in Snyk, if the base image is a [Docker Official image](https://docs.docker.com/docker-hub/official_images/), the results include a list of suitable base images you can use instead of the existing, more vulnerable one. For more information, see [Analyze and fix container images](../use-snyk-container/analyze-and-fix-container-images.md). Snyk then automatically issues a fix pull request against your Dockerfile to upgrade to the latest minor version available. @@ -35,7 +35,7 @@ To enable automatic update PRs, navigate to **Settings** > **Integrations** and ## Open a fix PR manually -Alternatively, you can open a fix PR manually from the Project page by clicking **Open a Fix PR** for the base image version you wish to upgrade to. +Alternatively, you can open a fix PR manually from the Project page by clicking **Open a Fix PR** for the base image version you want to upgrade to.
Open a fix PR to upgrade the base image

Open a fix PR

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/analyze-and-fix-container-images.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/analyze-and-fix-container-images.md index d2bbcfa9790c..95db5a6ec3c7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/analyze-and-fix-container-images.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/analyze-and-fix-container-images.md @@ -67,7 +67,7 @@ When providing public base image recommendations, Snyk bases its logic on the or The Snyk recommendations for upgrading the base image refer to: * **Minor upgrades**: the safest and best minor upgrade available -* **Major upgrades**: an option for a major upgrade that will reduce more vulnerabilities but with greater risk +* **Major upgrades**: an option for a major upgrade that reduces more vulnerabilities but with greater risk * **Alternative upgrades**: viable image options for replacing your current base image with possible different base images that provide the least amount of vulnerabilities. * Recommendation to rebuild your base image if it is outdated. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-application-vulnerabilities-in-container-images.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-application-vulnerabilities-in-container-images.md index 917802cc4cc4..fbaa8b8f7fd7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-application-vulnerabilities-in-container-images.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-application-vulnerabilities-in-container-images.md @@ -2,19 +2,19 @@ In one scan, Snyk can detect the vulnerabilities in your application dependencies from container images, as well as from the operating system. -Detecting application vulnerabilities is intended for scanning third-party images. This feature was not designed for detecting issues in code developed in-house, where the user has access to the source code and can shift left and detect Issues earlier in the SDLC by using Snyk Code and Snyk Open Source. +Detecting application vulnerabilities is intended for scanning third-party images. This feature is not designed for detecting issues in code developed in-house, where the user has access to the source code and can shift left and detect issues earlier in the SDLC by using Snyk Code and Snyk Open Source. Detecting application vulnerabilities in container images for Container Registry integration is supported for Node, Ruby, PHP, Python, Go binaries, and Java. For the CLI and Kubernetes, this feature is supported for Node, PHP, Python, Go binaries, and Java. After you integrate with a container registry and import your Projects, Snyk scans your image for vulnerabilities. -For application Projects created from images that are imported from container registry integrations, the applications are not re-imported during recurring scans or manual rescans. +For application Projects created from images that are imported from container registry integrations, Snyk does not re-import the applications during recurring scans or manual rescans. -Instead, the application dependencies that are found during the initial image import are scanned for new vulnerabilities. +Instead, Snyk scans the application dependencies found during the initial image import for new vulnerabilities. -If new dependencies are introduced in an application within an image, they will not be detected by recurring scans or manual rescans. To detect new or updated applications within images from container registries, you must re-import the image to Snyk. +If new dependencies are introduced in an application within an image, recurring scans or manual rescans do not detect them. To detect new or updated applications within images from container registries, you must re-import the image to Snyk. -For applications found in images imported from the Kubernetes integration, existing applications will be re-imported, but new apps added to the image will not be imported during recurring scans. To detect new applications within images from Kubernetes, you must re-import the image to Snyk. +For applications found in images imported from the Kubernetes integration, Snyk re-imports existing applications, but does not import new apps added to the image during recurring scans. To detect new applications within images from Kubernetes, you must re-import the image to Snyk. ## Enable container registries vulnerability scan @@ -47,7 +47,7 @@ Snyk Container CLI supports scanning Java applications embedded in container ima ### Nested jars depth option -When `--app-vulns` is enabled, you can also use the `--nested-jars-depth=n` option to set how many levels of nested jars Snyk will unpack. The implicit default is 1. When you specify 2, it means that Snyk unzips jars in jars; 3 means Snyk unzips jars in jars in jars, and so on. +When `--app-vulns` is enabled, you can also use the `--nested-jars-depth=n` option to set how many levels of nested jars Snyk unpacks. The implicit default is 1. When you specify 2, it means that Snyk unzips jars in jars; 3 means Snyk unzips jars in jars in jars, and so on. To opt out of any scans you feel are unnecessary, use `--nested-jar-depth=0` . @@ -57,7 +57,7 @@ Snyk Container CLI could report Maven packages suffixed with a version of @unkno ## View application vulnerabilities and licensing issues -When the **Detect application vulnerabilities** feature is enabled, it allows you to see: +When the **Detect application vulnerabilities** feature is enabled, you can see: * Dependency vulnerabilities and licensing issues of manifest files detected in your container image * Vulnerabilities detected in operating system packages. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-the-container-base-image.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-the-container-base-image.md index 142a0ea89414..aaa63d678daa 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-the-container-base-image.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/detect-the-container-base-image.md @@ -1,6 +1,6 @@ # Detect the container base image -Detecting vulnerable base images allows you to identify the source of your vulnerabilities and fix them by updating the base image according to recommendations. +Detecting vulnerable base images lets you identify the source of your vulnerabilities and fix them by updating the base image according to recommendations. You can detect your base image after you configure a [container integration](../#snyk-container-integrations) (such as the CLI or a container registry integration). @@ -12,12 +12,12 @@ For details about supported container registries, see [Container security integr To identify vulnerable base images, you can use one of the following methods: -* Auto-detection - when Snyk analyses your container image, it extracts relevant metadata from the image manifest, and detects the base image. This method analyses `rootfs` layers from the image manifest, which can be equivalent to more than one image or image tag in DockerHub. +* Auto-detection - when Snyk analyzes your container image, it extracts relevant metadata from the image manifest, and detects the base image. This method analyzes `rootfs` layers from the image manifest, which can be equivalent to more than one image or image tag in DockerHub. * Dockerfile - Snyk can also detect vulnerable base images using your Dockerfile. It can either be attached with a `--file` flag to your CLI `snyk container test` scan, linked from an SCM through your Project settings, or detected and scanned when you import a Git repository. Compared to auto-detection, using your Dockerfile can be more accurate but requires an additional step.\ \ For multi-stage Dockerfiles, Snyk detects the base image included in the image introduced in the final `FROM` line. According to [Docker's multi-stage build documentation](https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds), this happens because using multiple `FROM` statements lets you "selectively copy artifacts from one stage to another, leaving behind everything you don't want in the final image." -For either method, a Project in the Snyk UI is created. +For either method, Snyk creates a Project in the Snyk UI. {% hint style="info" %} Snyk supports only a subset of official Docker images. If you need help, contact [Snyk Support](https://support.snyk.io). @@ -33,7 +33,7 @@ When you scan a Docker image in Snyk, you can see the instruction in the image l If the base image is a Snyk-supported image, the results include recommendations for upgrades to resolve some of the discovered vulnerabilities. -This allows you to see vulnerability counts in minor and major upgrades and in alternative base images, which might have fewer vulnerabilities. Based on this information, you can decide whether to upgrade your base image and which one is the best. +This lets you see vulnerability counts in minor and major upgrades and in alternative base images, which might have fewer vulnerabilities. Based on this information, you can decide whether to upgrade your base image and which one is the best. You can see the base image vulnerabilities in your Project among the vulnerabilities added by your instructions, sorted by their priority score. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/sync-your-container-registry.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/sync-your-container-registry.md index 77224a2846fb..2a11758fc25a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/sync-your-container-registry.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/sync-your-container-registry.md @@ -12,8 +12,8 @@ The sync process runs on a schedule you define and performs the following action * Lists tags: Snyk enumerates all available image tags for each repository. * Applies policy: Snyk evaluates the images against your import policy to determine which images to import or delete. * Creates output: - * For each matching repository, Snyk creates a target (e.g., `mycompany/web-app`). The target naming follows the pattern: `{repository_name}` - * For each matching image tag, Snyk creates a Project under that target (e.g., `mycompany/web-app:latest`), which contains the vulnerability scan results. The Project naming follows the pattern: `{repository_name}:{tag}` + * For each matching repository, Snyk creates a target (for example, `mycompany/web-app`). The target naming follows the pattern: `{repository_name}` + * For each matching image tag, Snyk creates a Project under that target (for example, `mycompany/web-app:latest`), which contains the vulnerability scan results. The Project naming follows the pattern: `{repository_name}:{tag}` ## Policy configuration diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/README.md index 3f34097d984a..246be016eb43 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/README.md @@ -12,9 +12,9 @@ When scanning a container image, Snyk provides recommendations based on the base Customers often maintain their own internal base images, built on top of Docker Official Images or other upstream images. These are provided as a service to a wider set of development teams. For example: `somecompany/base-python:3.12.1`. -The Custom Base Image Recommendation feature (CBIR) allows Snyk to recommend an image upgrade from a pool of your internal images. This allows teams to be notified of newer versions of their internal base images, along with a vulnerability count, in order to help with image selection.\ +The Custom Base Image Recommendation feature (CBIR) lets Snyk recommend an image upgrade from a pool of your internal images. This notifies teams of newer versions of their internal base images, along with a vulnerability count, to help with image selection.\ \ -Snyk does not use the vulnerability data in order to detemine which version to display. All versions in the pool of images to recommend that are considered upgrades to the current image are offered. This provides users with the most control over what images to recommend and which not.\ +Snyk does not use the vulnerability data to determine which version to display. Snyk offers all versions in the pool of images to recommend that are considered upgrades to the current image. This provides users with the most control over which images to recommend and which not.\ \ You can remove images that must not be recommended by disabling the **Include in recommendations** option. For more information, see [Mark the created Project as a custom base image](./#mark-the-created-project-as-a-custom-base-image). @@ -30,7 +30,7 @@ As opposed to public Docker Official Images, Snyk can detect a custom base image All custom base image recommendations are considered minor upgrades, regardless of the image tag. -To determine the latest version of a base image across Projects imported into the same repository, Snyk allows configuring a versioning schema. For more information, see [Versioning schemas for custom base images.](versioning-schema-for-custom-base-images.md) +To determine the latest version of a base image across Projects imported into the same repository, Snyk lets you configure a versioning schema. For more information, see [Versioning schemas for custom base images.](versioning-schema-for-custom-base-images.md) The Custom Base Image Recommendation feature supports Automatic fix PRs. If you are not using the latest version of the base image, then immediately after image import Snyk automatically issues a fix pull request against your Dockerfile to upgrade to the latest available custom base image version. @@ -39,14 +39,14 @@ The Custom Base Image Recommendation feature supports Automatic fix PRs. If you The recommendations provided by the CBIR feature rely on versioned tags that comply with the versioning schema configured. {% hint style="info" %} -It is possible to add the "latest" tag to this pool as a single selection, or as part of a custom versioning scheme. However, Snyk does not recommend doing this, as it negates the benefits of the CBIR feature. The following information considers that the recommendations are not configured with the "latest" tag included in recommendations. +You can add the "latest" tag to this pool as a single selection, or as part of a custom versioning scheme. However, Snyk does not recommend doing this, as it negates the benefits of the CBIR feature. The following information considers that the recommendations are not configured with the "latest" tag included in recommendations. {% endhint %} ### Latest and other rolling image tags Snyk recommends that you do not add the "latest" tag to the versioning schema pool along with other tags, so that Snyk does not provide this as an update. The same is true for other similar rolling tags. -For any image that uses the "latest" tag, Snyk recommends moving to the current latest image (by versioned tag) in that repository. This is because when the container that Snyk scans was built using the "latest" tag, this tag may or may not have referenced the same image that is considered the latest image. +For any image that uses the "latest" tag, Snyk recommends moving to the current latest image (by versioned tag) in that repository. This is because when the container that Snyk scans was built using the "latest" tag, this tag might not have referenced the same image that is considered the latest image. ### **Recommendations for upgrading the base image** @@ -70,7 +70,7 @@ The following steps explain how to configure custom base images. The team that i 1. From the Web UI, open the Project with the imported base image. 2. On the Project page, navigate to **Settings**. -3. Enable **Custom Base Image**. This allows Snyk to recognize this image as a base image in other Projects. +3. Enable **Custom Base Image**. This lets Snyk recognize this image as a base image in other Projects. 4. If you want Snyk to use this image as a source to determine the best upgrade path, enable **Include in recommendations**. {% hint style="info" %} @@ -109,7 +109,7 @@ Use `--file` (mandatory) to specify the path to the Dockerfile. ### Use a previously imported image and set the Dockerfile -You can modify previously imported container Projects in order to attach a Dockerfile. +You can modify previously imported container Projects to attach a Dockerfile. On the Project page for the application image, navigate to **Settings** and configure the Dockerfile by clicking **Configure Dockerfile** and selecting your source control system from the dropdown. @@ -124,7 +124,7 @@ Choose the Dockerfile repository and add the path to your Dockerfile. Click **Up Next, navigate to the **Project** page to see the recommendations for the image. {% hint style="info" %} -You may need to retest a Project when you set the Dockerfile for an existing project. +You might need to retest a Project when you set the Dockerfile for an existing project. {% endhint %}
Snyk custom base image recommendations displayed on a container Project page

Example of Custom Base Image Recommendations

@@ -132,4 +132,4 @@ You may need to retest a Project when you set the Dockerfile for an existing pro ## Known limitations of CBIR * When you scan an application image, custom base image recommendations do not appear unless you attach the Dockerfile to the scanned Project. -* The image registry is ignored when recommendations are given for custom base images. When Snyk shows recommendations and fix PRs, images with the same repository but different registries are treated as coming from the same registry (the current base image's registry). +* Snyk ignores the image registry when it gives recommendations for custom base images. When Snyk shows recommendations and fix PRs, it treats images with the same repository but different registries as coming from the same registry (the current base image's registry). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/custom-versioning-schema-for-custom-base-images.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/custom-versioning-schema-for-custom-base-images.md index 4db21a59daa5..416f41304812 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/custom-versioning-schema-for-custom-base-images.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/custom-versioning-schema-for-custom-base-images.md @@ -1,6 +1,6 @@ # Custom versioning schema for custom base images -The Custom Versioning Schema (CVS) is a way for Snyk to understand your company’s container image tag versioning schema. It enables Snyk to give more accurate base image upgrade recommendations. +The Custom Versioning Schema (CVS) is a way for Snyk to understand your company’s container image tag versioning schema. It helps Snyk give more accurate base image upgrade recommendations. ## Prerequisites for Snyk CVS @@ -8,7 +8,7 @@ CVS is part of the Snyk Container Custom Base Images feature. For more informati ## When to use CVS -If your container image's tags follow a versioning schema other than [Semantic Versioning](https://semver.org/) (SemVer), it is highly recommended that you select the Custom Versioning Schema for your image repositories. +If your container image's tags follow a versioning schema other than [Semantic Versioning](https://semver.org/) (SemVer), Snyk recommends that you select the Custom Versioning Schema for your image repositories. ## CVS expression guide @@ -24,17 +24,17 @@ snyk/example:1.2_V4 snyk/example:1.3_V1 ``` -Because this repository’s image tags do not follow the semantic versioning standard, it is necessary to describe the tags using a custom versioning schema. +Because this repository’s image tags do not follow the semantic versioning standard, you must describe the tags using a custom versioning schema. The `snyk/example` tag schema is defined by the following elements, in this order: 1. A number whose value has the highest significance (MAJOR part) 2. A period -3. Another number, whose significance is less than the first number number (MINOR part) +3. Another number, whose significance is less than the first number (MINOR part) 4. An underscore followed by the letter "V" (version) 5. A number whose value is the least significant. -For Snyk to understand the different parts and their role, it is necessary to define a schema. In this regular expression, named groups represent the significant variables. +For Snyk to understand the different parts and their role, you must define a schema. In this regular expression, named groups represent the significant variables. The schema below is a translated version of the above example and its elements. @@ -179,7 +179,7 @@ Since `1.3` and `1.3.5` have the same issue as `1.2` and `1.2.4`, the recommenda * CVS uses a subset of the ECMAScript regex. See the [guide on ECMAScript regex syntax by MDN](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions). * Backreferences and lookahead assertions are not supported. Internally, Snyk uses the RE2 library. For a full list of unsupported features, see [Syntax on re2 GitHub](https://github.com/google/re2/wiki/Syntax). -* Note that the regular expression string is parsed as an ECMAScript regex and then internally converted to RE2 syntax. For example, use the `(?re)` syntax for grouping. `(?Pre)` will not parse correctly. +* Note that the regular expression string is parsed as an ECMAScript regex and then internally converted to RE2 syntax. For example, use the `(?re)` syntax for grouping. `(?Pre)` does not parse correctly. * In the list of [supported features](https://github.com/google/re2/wiki/Syntax), take into consideration only the feature**,** not the syntax. ### Size limitations @@ -194,7 +194,7 @@ The maximum length of the expression is 1,000 characters, with up to 100 COMPARE ### Compare logic -* If a compare group is an unsigned integer, compare its numeric value. Else, it will be treated as a string. +* If a compare group is an unsigned integer, compare its numeric value. Otherwise, Snyk treats it as a string. * Comparison of non-numeric characters is done by comparing their sequences of UTF-16 code unit values. For more information, see [ECMAScript® 2023 Language Specification, 7.2.13 IsLessThan](https://tc39.es/ecma262/#sec-abstract-relational-comparison). ### Matcher logic diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/versioning-schema-for-custom-base-images.md b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/versioning-schema-for-custom-base-images.md index 34c6c91c78bd..a3b8019b5cd4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/versioning-schema-for-custom-base-images.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-container/use-snyk-container/use-custom-base-image-recommendations/versioning-schema-for-custom-base-images.md @@ -6,7 +6,7 @@ You can manage the versioning schema for images imported to Projects for a repos Snyk recommends updating a custom base image to the latest available version from the pool of images imported as Projects, marked as custom base images, and enabled for recommendations. For more information, see [Enable CBIR](./#enable-cbir). -To determine which is the latest version, Snyk uses a versioning schema that allows comparing image tags. +To determine which is the latest version, Snyk uses a versioning schema that lets you compare image tags. Snyk supports the following versioning schemas. @@ -30,10 +30,10 @@ The following commonly used examples are not supported SemVer tags: ## Single Selection -This versioning schema allows you to manually set a single image as a recommendation. +This versioning schema lets you set a single image as a recommendation. -When selecting an image, any other previously selected images are automatically unselected. +When you select an image, Snyk automatically unselects any other previously selected images. ## Custom versioning schema -If none of the above schemas match your requirements, you may create a custom versioning schema. For more information, see [Custom Versioning Schema for custom base images](custom-versioning-schema-for-custom-base-images.md). +If none of the preceding schemas match your requirements, you can create a custom versioning schema. For more information, see [Custom Versioning Schema for custom base images](custom-versioning-schema-for-custom-base-images.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-essentials.md b/scan-fix-and-prevent/scan-with-snyk/snyk-essentials.md index 6778cc6f8951..8b15bff2c5e3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-essentials.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-essentials.md @@ -4,7 +4,7 @@ Snyk Essentials helps AppSec teams better operationalize and scale the use of Sn ## Overview -Snyk Essentials enables: +Snyk Essentials provides: * Automated app asset discovery: Continually discover application assets and classify them by business context, ensuring security is in sync with development. * Tailored security controls: Define and manage appropriate security and compliance requirements, and verify that the correct controls are in place. @@ -31,7 +31,7 @@ Snyk Essentials includes the following features: * You have the necessary permissions to onboard cloud-based SCM tools (Azure DevOps, GitHub, GitLab, and so on) to Snyk Essentials for repository asset discovery. {% hint style="info" %} -When you integrate a Git code repository with Snyk Essentials, you should use a secondary token with a broad, complete view of the code repository, not only of what you imported into Snyk. +When you integrate a Git code repository with Snyk Essentials, use a secondary token with a broad, complete view of the code repository, not only of what you imported into Snyk. Use a secondary token to countercheck everything onboarded using Snyk. @@ -60,7 +60,7 @@ The security controls associated with the asset. Navigate to the [Coverage contr ### Coverage -An assessment of whether applicable assets are scanned and tested by security tools (for example, Snyk Open Source), as it relates to an application security program. It represents a type of policy that allows you to specify what controls should be applied and, optionally, how often it needs to be run. +An assessment of whether applicable assets are scanned and tested by security tools (for example, Snyk Open Source), as it relates to an application security program. It represents a type of policy that lets you specify which controls to apply and, optionally, how often to run them. ### Tags diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/README.md index c7dcb712ca51..3e5a9324bcbc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/README.md @@ -13,7 +13,7 @@ To set up an AWS integration, you need the following: * A new Snyk Organization, with appropriate feature flags assigned by your Snyk contact * A Snyk Group Administrator or Organization Administrator [role](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/user-management/pre-defined-roles) * Access to an [AWS](https://aws.amazon.com/) account and associated credentials with permissions to create a read-only IAM role -* Access to the [Terraform CLI](https://www.terraform.io/downloads), [AWS CLI](https://aws.amazon.com/cli/), or [AWS Management Console](https://console.aws.amazon.com) to create the IAM role for Snyk via Terraform or AWS CloudFormation +* Access to the [Terraform CLI](https://www.terraform.io/downloads), [AWS CLI](https://aws.amazon.com/cli/), or [AWS Management Console](https://console.aws.amazon.com) to create the IAM role for Snyk using Terraform or AWS CloudFormation * If you are using Terraform or the AWS CLI, ensure you configure it with your AWS credentials. See the instructions for [Terraform](https://registry.terraform.io/providers/hashicorp/aws/latest/docs#authentication-and-configuration) or the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html) * API only: An Organization-level [service account](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/service-accounts/service-accounts) with an Org Admin role to use the Snyk API * API only: An API client such as [curl](https://curl.se/), [HTTPie](https://httpie.io/), or [Postman](https://www.postman.com/) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/README.md index 9b8f996c1363..b14e4538583c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/README.md @@ -1,14 +1,14 @@ # AWS Integration: API -Before you can onboard an AWS account to Snyk via the API, you need access to the AWS account and associated credentials with permissions to create a read-only Identity and Access Management (IAM) role. See the prerequisites on the [AWS integration](../) page. +Before you can onboard an AWS account to Snyk using the API, you need access to the AWS account and associated credentials with permissions to create a read-only Identity and Access Management (IAM) role. See the prerequisites on the [AWS integration](../) page. -The steps follow to onboard an AWS account via the API: +The steps follow to onboard an AWS account using the API: 1. [Download an infrastructure as code (IaC) template](step-1-download-iam-role-iac-template-api.md): to give Snyk permissions to scan your account. 2. [Create an AWS IAM role](step-2-create-the-snyk-iam-role-api.md): using the template you downloaded. 3. [Create and scan a Cloud Environment.](step-3-create-and-scan-a-cloud-environment-api.md) -When you have completed the steps, you will be able to do the following: +After you complete the steps, you can do the following: * View the cloud configuration issues Snyk finds. See [Manage cloud issues](../../../getting-started-with-cloud-scans/manage-cloud-issues/). * Prioritize your vulnerabilities with cloud context. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-1-download-iam-role-iac-template-api.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-1-download-iam-role-iac-template-api.md index 59e9427b382b..05459ef43828 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-1-download-iam-role-iac-template-api.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-1-download-iam-role-iac-template-api.md @@ -2,7 +2,7 @@ Before you can create a Cloud Environment, you must download an Infrastructure as Code (IaC) template declaring a read-only Identity and Access Management (IAM) role that Snyk can assume to scan the configuration of resources in your Amazon Web Services (AWS) account. -You will use this IaC template to provision the role in [Step 2: Create the Snyk IAM role](step-2-create-the-snyk-iam-role-api.md). +Use this IaC template to provision the role in [Step 2: Create the Snyk IAM role](step-2-create-the-snyk-iam-role-api.md). You can choose the template format, either [Terraform HCL](https://www.terraform.io/language/syntax/configuration) or [AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). The IAM permissions are identical in both, so pick the format you are most comfortable working with. @@ -76,7 +76,7 @@ Example response with CloudFormation template: The `data.attributes.data` field in the preceding output is an escaped JSON string containing the Terraform or CloudFormation template with the IAM role and policy. -Before you can use the template to provision the resources, you need to unescape the JSON. This can be accomplished in the following ways: +Before you can use the template to provision the resources, you need to unescape the JSON. You can do this in the following ways: * [Use jq](step-1-download-iam-role-iac-template-api.md#use-jq) * [Transform the content manually](step-1-download-iam-role-iac-template-api.md#transform-the-content-manually) @@ -90,7 +90,7 @@ Before you can use the template to provision the resources, you need to unescape | jq -r .data.attributes.data > snyk_iac_template ``` - This will place the properly-formatted template into the file `snyk_iac_template` in your current working directory. + This places the properly formatted template into the file `snyk_iac_template` in your current working directory. 3. Rename the file with a `.tf` extension (Terraform) or `.yaml` (CloudFormation). ### Transform the content manually @@ -101,7 +101,7 @@ Before you can use the template to provision the resources, you need to unescape ## Optional: Change IAM role name -By default, the name of the Snyk IAM role is `snyk-cloud-role`. If your Organization has specific role naming requirements, you have the option to change this name in the Terraform or CloudFormation template. +By default, the name of the Snyk IAM role is `snyk-cloud-role`. If your Organization has specific role naming requirements, you can change this name in the Terraform or CloudFormation template. In **Terraform**, the role name is on line 19: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-3-create-and-scan-a-cloud-environment-api.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-3-create-and-scan-a-cloud-environment-api.md index 2946b9bcfd8e..fe2b5371ee7f 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-3-create-and-scan-a-cloud-environment-api.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-api/step-3-create-and-scan-a-cloud-environment-api.md @@ -80,7 +80,7 @@ The response is a JSON document containing details about your newly created Clou } ``` -Snyk automatically triggers a scan when an environment is created. +Snyk automatically triggers a scan when you create an environment. {% hint style="info" %} The `data.attributes.status` field in the JSON output is set to `in_progress`. This means that Snyk has created your environment and has started scanning it. @@ -88,7 +88,7 @@ The `data.attributes.status` field in the JSON output is set to `in_progress`. T ## Check to see if the scan is finished -If you wish, see if the scan is finished by sending another API request in the format that follows to get environment details. You can find the environment ID in the `data.id` field of the JSON output when you create the environment. +To see if the scan is finished, send another API request in the format that follows to get environment details. You can find the environment ID in the `data.id` field of the JSON output when you create the environment. ``` curl -X GET \ diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/README.md index 5724c9273dcd..c94e947a905e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/README.md @@ -1,14 +1,14 @@ # AWS Integration: Web UI -Before you can onboard an AWS account via the Web UI, you need access to the AWS account and associated credentials with permissions to create a read-only Identity and Access Management (IAM) role. See the prerequisites on the [AWS integration](../) page. +Before you can onboard an AWS account using the Web UI, you need access to the AWS account and associated credentials with permissions to create a read-only Identity and Access Management (IAM) role. See the prerequisites on the [AWS integration](../) page. -The steps follow to onboard an AWS account via the Web UI: +The steps follow to onboard an AWS account using the Web UI: 1. ​[Download an infrastructure as code (IaC) template](step-1-download-iam-role-iac-template-web-ui.md) to give Snyk permissions to scan your account. 2. [Create an AWS IAM role](step-2-create-the-snyk-iam-role.md) using the template you downloaded. 3. [Create and scan a Cloud Environment](step-3-create-and-scan-a-cloud-environment-web-ui.md). -When you have completed the steps, you will be able to do the following: +After you complete the steps, you can do the following: * View the cloud configuration issues Snyk finds. See [Manage cloud issues](../../../getting-started-with-cloud-scans/manage-cloud-issues/). * Prioritize your vulnerabilities with cloud context. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-2-create-the-snyk-iam-role.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-2-create-the-snyk-iam-role.md index c69e4d5786e7..51e95a62c399 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-2-create-the-snyk-iam-role.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-2-create-the-snyk-iam-role.md @@ -7,7 +7,7 @@ You have downloaded the Terraform or Amazon Web Services (AWS) CloudFormation te The process to create the Snyk IAM role is the same whether you are using the [Snyk Web UI](step-1-download-iam-role-iac-template-web-ui.md) or [Snyk API](../aws-integration-api/step-1-download-iam-role-iac-template-api.md) to onboard your AWS account. -The IAM role you will provision has the following policies attached to it: +The IAM role you provision has the following policies attached to it: * The AWS-managed [SecurityAudit](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor) read-only policy. * A supplemental inline policy granting required read permissions not covered by SecurityAudit. @@ -42,7 +42,7 @@ terraform apply 4\. Enter `yes` when Terraform asks if you want to perform the actions. -Terraform then creates the IAM role. When the role has been created, you will see the following output: +Terraform then creates the IAM role. When the role has been created, you see the following output: ``` Apply complete! Resources: 1 added, 0 changed, 0 destroyed. @@ -78,15 +78,15 @@ If the output says `"CREATE_COMPLETE"`, AWS has finished creating your role. 1. Log in to the [AWS Management Console](https://console.aws.amazon.com). 2. Navigate to [CloudFormation](https://console.aws.amazon.com/cloudformation). -3. Select the **Create stack** button: +3. Select **Create stack**:
Select the Create stack button in the AWS Management Console

Select the Create stack button in the AWS Management Console

-4\. Select **With new resources (standard)** from the drop-down menu. +4\. Select **With new resources (standard)** from the dropdown menu. -5\. On the **Create stack** page, in the **Specify template** section and select **Upload a template file**. +5\. On the **Create stack** page, in the **Specify template** section, select **Upload a template file**. -6\. Click the **Choose file** button that appears and select your CloudFormation file containing the Snyk IAM role. +6\. Click **Choose file** and select your CloudFormation file containing the Snyk IAM role. 7\. Select **Next**. @@ -102,7 +102,7 @@ If the output says `"CREATE_COMPLETE"`, AWS has finished creating your role. 13\. Select **Create stack**. -14\. AWS launches the stack, and you'll see a page with stack details. You can select the **Refresh** button to refresh its status: +14\. AWS launches the stack, and you see a page with stack details. Select **Refresh** to refresh its status:

Select the Refresh button to refresh the stack status in the AWS Management Console

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-3-create-and-scan-a-cloud-environment-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-3-create-and-scan-a-cloud-environment-web-ui.md index 028984a38470..fde36cc5d782 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-3-create-and-scan-a-cloud-environment-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/aws-integration/aws-integration-web-ui/step-3-create-and-scan-a-cloud-environment-web-ui.md @@ -51,9 +51,9 @@ arn:aws:iam::123412341234:role/snyk-cloud-role ## Create and scan the AWS Environment 1. In the Snyk Web UI **Add AWS Environment** modal where you downloaded the IAM role template, enter your role ARN in the **IAM role ARN** field. -2. Optionally, enter an environment name. If one is not provided, Snyk will use your AWS account alias. +2. Optionally, enter an environment name. If one is not provided, Snyk uses your AWS account alias. 3. Select **Approve and begin scan**. -4. You will see a confirmation message: "AWS environment successfully added." Select **Add another environment** to return to the **Add AWS Environment** modal and onboard a new account, or select **Go to settings** if you are finished: +4. You see a confirmation message: "AWS environment successfully added." Select **Add another environment** to return to the **Add AWS Environment** modal and onboard a new account, or select **Go to settings** if you are finished:

Success message after adding an AWS environment in the Snyk Web UI

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/README.md index 085a547c2e38..8e24ed3bfec3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/README.md @@ -19,8 +19,8 @@ To add an Azure integration for cloud configurations, you need the following: * [A federated identity credential](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation)\ If you are using Terraform to create this [resource](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential#api-permissions), your user must have either the Application Administrator or Global Administrator directory role. * [A service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object) with read-only permissions\ - If you are .using Terraform to create this [resource](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal), your user must have either the Application Administrator or Global Administrator directory role. -* Access to the [Terraform CLI](https://www.terraform.io/downloads) or Azure CLI ([locally](https://learn.microsoft.com/en-us/cli/azure/) or via the [Cloud Shell](https://portal.azure.com/#home)) to create the above resources via Terraform or Bash script\ + If you are using Terraform to create this [resource](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal), your user must have either the Application Administrator or Global Administrator directory role. +* Access to the [Terraform CLI](https://www.terraform.io/downloads) or Azure CLI ([locally](https://learn.microsoft.com/en-us/cli/azure/) or through the [Cloud Shell](https://portal.azure.com/#home)) to create these resources using Terraform or Bash script\ If you are using Terraform or the Azure CLI locally, ensure you configure it with your Azure credentials. See the instructions for [Terraform](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs#authenticating-to-azure-active-directory) or the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli). * API only: An Organization-level [service account](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/service-accounts/service-accounts) with an Org Admin role to use the Snyk API * API only: An API client such as [curl](https://curl.se/), [HTTPie](https://httpie.io/), or [Postman](https://www.postman.com/) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/README.md index 42145d5fdaab..f0e8a6fbf701 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/README.md @@ -1,12 +1,12 @@ # Azure Integration: API -To onboard an Azure subscription to Snyk via the API: +To onboard an Azure subscription to Snyk using the API: 1. [Download an infrastructure as code (IaC) template or Bash script:](step-1-download-azure-app-registration-iac-template-or-script-api.md) to give Snyk permissions to scan your subscription. 2. [Create an Entra ID app registration:](step-2-create-the-entra-id-app-registration-api.md) using the template or script you downloaded. 3. [Create and scan a Cloud Environment.](step-3-create-and-scan-a-cloud-environment-for-azure-api.md) -When you have completed the steps, you will be able to do the following: +When you have completed the steps, you can do the following: * View the cloud configuration issues Snyk finds. See [Manage cloud issues](../../../getting-started-with-cloud-scans/manage-cloud-issues/). * Prioritize your vulnerabilities with cloud context. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/step-1-download-azure-app-registration-iac-template-or-script-api.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/step-1-download-azure-app-registration-iac-template-or-script-api.md index 8ed3c15009df..24f322f61b0a 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/step-1-download-azure-app-registration-iac-template-or-script-api.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-api/step-1-download-azure-app-registration-iac-template-or-script-api.md @@ -8,7 +8,7 @@ Before you can create a Cloud Environment for an Azure subscription, you must ** This infrastructure gives Snyk read-only permission to scan the configuration of resources in your subscription. -You will use the IaC template or Bash script you downloaded to **provision** the infrastructure in [Step 2: Create the Entra ID app registration (API)](step-2-create-the-entra-id-app-registration-api.md). +You use the IaC template or Bash script you downloaded to **provision** the infrastructure in [Step 2: Create the Entra ID app registration (API)](step-2-create-the-entra-id-app-registration-api.md). Both methods create the same infrastructure, so pick the method you are most comfortable working with. @@ -44,7 +44,7 @@ curl -X POST \ The preceding example is [curl](https://curl.se/), but you can use any API client, such as [Postman](https://www.postman.com/) or [HTTPie](https://httpie.io/). {% endhint %} -If you plan to use the [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) to execute the Bash script instead of running the Azure CLI locally, execute the curl command above in the Cloud Shell. +If you plan to use the [Azure Cloud Shell](https://portal.azure.com/#cloudshell/) to execute the Bash script instead of running the Azure CLI locally, execute the preceding curl command in the Cloud Shell. ## Understand the API response @@ -90,7 +90,7 @@ Example response with Bash script: The `data.attributes.data` field in the preceding output is an escaped JSON string containing the Terraform template or Bash script with the Entra ID app registration, federated identity credential, and service principal. -Before you can use the template to provision the resources, you need to unescape the JSON. This can be accomplished in the following ways: +Before you can use the template to provision the resources, you need to unescape the JSON. You can do this in the following ways: * [Use jq](step-1-download-azure-app-registration-iac-template-or-script-api.md#use-jq) * [Transform the content manually](step-1-download-azure-app-registration-iac-template-or-script-api.md#transform-the-content-manually) @@ -100,7 +100,7 @@ Before you can use the template to provision the resources, you need to unescape 1. Download and install [jq](https://stedolan.github.io/jq/download/). 2. When you are submitting the API request during template retrieval, append the following to the end of the command:\ `| jq -r .data.attributes.data > snyk_azure_permissions`\ - This will place the properly-formatted template into the file `snyk_azure_permissions` in your current working directory. + This places the properly-formatted template into the file `snyk_azure_permissions` in your current working directory. 3. Rename the file with a `.tf` (Terraform) or `.sh` (Bash) extension. ### Transform the content manually diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/README.md index c375c7dac3d2..cf80e1c3760d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/README.md @@ -1,12 +1,12 @@ # Azure Integration: Web UI -The steps follow to onboard an Azure subscription to Snyk via the API: +The steps follow to onboard an Azure subscription to Snyk using the Web UI: 1. [Download an infrastructure as code (IaC) template or Bash script:](step-1-download-azure-app-registration-iac-template-or-script-web-ui.md) to give Snyk permissions to scan your subscription. 2. [Create an Entra ID app registration:](step-2-create-the-entra-id-app-registration.md) using the template or script you downloaded. 3. [Create and scan a Cloud Environment.](step-3-create-and-scan-a-cloud-environment-for-azure-web-ui.md) -When you have completed the steps, you will be able to do the following: +When you have completed the steps, you can do the following: * View the cloud configuration issues Snyk finds. See [Manage cloud issues](../../../getting-started-with-cloud-scans/manage-cloud-issues/). * Prioritize your vulnerabilities with cloud context. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-1-download-azure-app-registration-iac-template-or-script-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-1-download-azure-app-registration-iac-template-or-script-web-ui.md index d9875d47ff3f..5984e2547340 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-1-download-azure-app-registration-iac-template-or-script-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-1-download-azure-app-registration-iac-template-or-script-web-ui.md @@ -8,7 +8,7 @@ Before you can create a Cloud Environment for an Azure subscription, you must ** This infrastructure gives Snyk read-only permission to scan the configuration of resources in your subscription. -You will use the IaC template or Bash script you downloaded to provision the infrastructure in [Step 2: Create the Entra ID application](step-2-create-the-entra-id-app-registration.md). +You use the IaC template or Bash script you downloaded to provision the infrastructure in [Step 2: Create the Entra ID application](step-2-create-the-entra-id-app-registration.md). Both methods create the same infrastructure, so pick the method you are most comfortable working with. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-2-create-the-entra-id-app-registration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-2-create-the-entra-id-app-registration.md index ddf8e86fb0e8..ad7d8cfb3707 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-2-create-the-entra-id-app-registration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-2-create-the-entra-id-app-registration.md @@ -5,7 +5,7 @@ You have downloaded the Terraform template declaring the [Azure Active Directory (AD) application registration](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#application-registration), [federated identity credential](https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation), and [service principal](https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object) for Snyk. Now you need to provision the infrastructure. {% endhint %} -To scan an Azure subscription, Snyk takes the permissions of a service principal with a [Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader) role that allows Snyk to scan the configuration of your subscription resources. +To scan an Azure subscription, Snyk takes the permissions of a service principal with a [Reader](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#reader) role that lets Snyk scan the configuration of your subscription resources. Additionally, Snyk has a security feature that locks the federated credential for a subscription and tenant to the Organization that onboards it. This ensures that nobody can guess the credential's name and onboard it into a separate Organization to see those resources. @@ -14,12 +14,12 @@ Additionally, Snyk has a security feature that locks the federated credential fo You can create the app registration, federated identity credential, and service principal using one of the following tools, according to the type of file you downloaded from Snyk: * [Terraform](step-2-create-the-entra-id-app-registration.md#create-azure-app-registration-infrastructure-using-terraform): Terraform CLI -* [Bash](step-2-create-the-entra-id-app-registration.md#create-azure-app-registration-infrastructure-using-the-azure-cli): Azure CLI, installed locally or accessed via Cloud Shell +* [Bash](step-2-create-the-entra-id-app-registration.md#create-azure-app-registration-infrastructure-using-the-azure-cli): Azure CLI, installed locally or accessed through Cloud Shell ### Create Azure app registration infrastructure using Terraform {% hint style="info" %} -Before you use the [Terraform CLI](https://www.terraform.io/downloads), ensure you [configure it to use your Azure credentials](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs#authenticating-to-azure-active-directory). Your user must have either the Application Administrator or Global Administrator directory role. This is required to create the [federated identity credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential#api-permissions) and [service principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) via Terraform. +Before you use the [Terraform CLI](https://www.terraform.io/downloads), ensure you [configure it to use your Azure credentials](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs#authenticating-to-azure-active-directory). Your user must have either the Application Administrator or Global Administrator directory role. This is required to create the [federated identity credential](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/application_federated_identity_credential#api-permissions) and [service principal](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/service_principal) using Terraform. {% endhint %} 1. In your terminal, navigate to the directory containing the Terraform file you downloaded (named `snyk-permissions-azure.tf` if downloaded from the Snyk Web UI). @@ -37,7 +37,7 @@ terraform apply 4. Enter `yes` when Terraform asks if you want to perform the actions. -Terraform then provisions the infrastructure. When it is finished, you will see the following output: +Terraform then provisions the infrastructure. When it is finished, you see the following output: ``` Apply complete! Resources: 4 added, 0 changed, 0 destroyed. @@ -68,7 +68,7 @@ chmod 755 snyk-permissions-azure.sh ./snyk-permissions-azure.sh ``` -The Azure CLI then creates the AD app registration, federated identity credential, and service principal. When it is finished, you will see JSON output with information about the created infrastructure. +The Azure CLI then creates the AD app registration, federated identity credential, and service principal. When it is finished, you see JSON output with information about the created infrastructure. **Copy the application ID,** the last item in the output: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-azure-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-azure-web-ui.md index f50c635a59ac..1dfa63a98996 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-azure-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-azure-web-ui.md @@ -8,10 +8,10 @@ You have created the Azure app registration, federated identity credential, and The steps follow to create and scan a Cloud Environment for Azure using the Web UI. 1. In the Snyk Web UI **Add Azure Environment** modal where you downloaded the Terraform template or Bash script, enter your application ID in the **Application ID** field. -2. Optionally, enter an environment name. If one is not provided, Snyk will use your subscription name.\ +2. Optionally, enter an environment name. If one is not provided, Snyk uses your subscription name.\ ![Enter Application ID section of the Add Azure Environment modal in Snyk Cloud](../../../../../.gitbook/assets/snyk-cloud-onboard-azure-step-2.png) 3. Select **Approve and begin scan**. -4. You will see a confirmation message: "Azure environment successfully added." Select **Add another environment** to return to the **Add Azure Environment** modal and onboard a new subscription, or select **Go to settings** if you are finished. +4. You see a confirmation message: "Azure environment successfully added." Select **Add another environment** to return to the **Add Azure Environment** modal and onboard a new subscription, or select **Go to settings** if you are finished. You can now do the following: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/README.md index c5c795b44771..7afb696d0f7e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/README.md @@ -1,6 +1,6 @@ # Google Cloud integration -Snyk integrations with your [Google Cloud](https://cloud.google.com/) Projects to find issues in your cloud configurations and generate cloud context to help you prioritize your vulnerabilities. +Snyk integrates with your [Google Cloud](https://cloud.google.com/) Projects to find issues in your cloud configurations and generate cloud context to help you prioritize your vulnerabilities. You can onboard a Google Cloud account to Snyk using the following methods: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/README.md index 72a2fbbb3a12..43144b3968b6 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/README.md @@ -1,12 +1,12 @@ # Google Cloud Integration: API -To onboard a Google Cloud Project to Snyk via the API: +To onboard a Google Cloud Project to Snyk using the API: 1. [Download an infrastructure as code (IaC) template](step-1-download-service-account-iac-template-api.md) to give Snyk permissions to scan your account. 2. [Create a Google service account](step-2-create-the-google-service-account-api.md) using the template you downloaded. 3. [Create and scan a Cloud Environment.](step-3-create-and-scan-a-cloud-environment-for-google-api.md) -When you have completed the steps, you will be able to do the following: +When you have completed the steps, you can do the following: * View the cloud configuration issues Snyk finds. See [Manage cloud issues](../../../getting-started-with-cloud-scans/manage-cloud-issues/). * Prioritize your vulnerabilities with cloud context. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-1-download-service-account-iac-template-api.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-1-download-service-account-iac-template-api.md index 9b91cbf5c5b3..401928d5585c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-1-download-service-account-iac-template-api.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-1-download-service-account-iac-template-api.md @@ -4,7 +4,7 @@ Before you can create a Cloud Environment, you must download an infrastructure a The template also enables a set of [Google service APIs](https://cloud.google.com/service-usage/docs/enabled-service) for your Google Cloud Project. This ensures that Snyk can use the necessary APIs to scan your Project's resources. -You will use this IaC template to provision the role in [Step 2: Create the Google service account (API)](step-2-create-the-google-service-account-api.md). +You use this IaC template to provision the role in [Step 2: Create the Google service account (API)](step-2-create-the-google-service-account-api.md). ## Retrieve the IaC template @@ -54,7 +54,7 @@ The response is a JSON document like the one that follows (trimmed for length): The `data.attributes.data` field in the preceding output is an escaped JSON string containing the Terraform template with the Google service account. -Before you can use the template to provision the resources, you must unescape the JSON. This can be accomplished in either of the following ways: +Before you can use the template to provision the resources, you must unescape the JSON. You can do this in either of the following ways: * [Use `jq`](step-1-download-service-account-iac-template-api.md#use-jq) * [Transform the content manually](step-1-download-service-account-iac-template-api.md#transform-the-content-manually) @@ -68,7 +68,7 @@ Before you can use the template to provision the resources, you must unescape th | jq -r .data.attributes.data > snyk_google_iac_template.tf ``` -This will place the properly-formatted template into the file `snyk_google_iac_template.tf` in your current working directory. +This places the properly-formatted template into the file `snyk_google_iac_template.tf` in your current working directory. ### Transform the content manually diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-3-create-and-scan-a-cloud-environment-for-google-api.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-3-create-and-scan-a-cloud-environment-for-google-api.md index da74eca773ce..062cd69c7c35 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-3-create-and-scan-a-cloud-environment-for-google-api.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-api/step-3-create-and-scan-a-cloud-environment-for-google-api.md @@ -9,7 +9,7 @@ To send a request to the [Snyk API](https://apidocs.snyk.io/?version=2022-12-21% ## Send the Snyk API request -Send a request to the Snyk API in the format below to create the Cloud Environment: +Send a request to the Snyk API in the following format to create the Cloud Environment: ``` curl -X POST \ diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/README.md index f6d6c9334638..972527787ed5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/README.md @@ -1,12 +1,12 @@ # Google Cloud Integration: Web UI -The steps follow to onboard a Google Cloud Project to Snyk via the Web UI: +The steps follow to onboard a Google Cloud Project to Snyk using the Web UI: 1. [Download an infrastructure as code (IaC) template](step-1-download-service-account-iac-template-web-ui.md) to give Snyk permissions to scan your Project. 2. [Create a Google service account](step-2-create-the-google-service-account-web-ui.md) using the template you downloaded. 3. [Create and scan a Cloud Environment.](step-3-create-and-scan-a-cloud-environment-for-google-web-ui.md) -When you have completed the steps, you wlll be able to do the following: +When you have completed the steps, you can do the following: * View the cloud configuration issues Snyk finds. See [Manage cloud issues](../../../getting-started-with-cloud-scans/manage-cloud-issues/). * Prioritize your vulnerabilities with cloud context. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-1-download-service-account-iac-template-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-1-download-service-account-iac-template-web-ui.md index c7232d235725..4114537bdf8e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-1-download-service-account-iac-template-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-1-download-service-account-iac-template-web-ui.md @@ -4,7 +4,7 @@ Before you can create a Cloud Environment, you must download an infrastructure a The template also enables a set of [Google service APIs](https://cloud.google.com/service-usage/docs/enabled-service) for your Google Cloud Project. This ensures that Snyk can use the necessary APIs to scan your Project's resources. -You will use this IaC template to provision the role in [Step 2: Create the Google service account](step-2-create-the-google-service-account-web-ui.md). +You use this IaC template to provision the role in [Step 2: Create the Google service account](step-2-create-the-google-service-account-web-ui.md). ## Download the IaC template diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-2-create-the-google-service-account-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-2-create-the-google-service-account-web-ui.md index 9efaa253e0bb..171ca985f32b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-2-create-the-google-service-account-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-2-create-the-google-service-account-web-ui.md @@ -7,7 +7,7 @@ You have downloaded the Terraform template declaring the [Google service account The process to create the Google service account is the same whether you are using the [Snyk Web UI](step-1-download-service-account-iac-template-web-ui.md) or [Snyk API](../google-cloud-integration-api/step-1-download-service-account-iac-template-api.md) to onboard your Google Project. -To scan a Google Cloud Project, Snyk takes the permissions of a tightly-scoped Google service account that allows Snyk to scan the configuration of your Project resources. +To scan a Google Cloud Project, Snyk takes the permissions of a tightly-scoped Google service account that lets Snyk scan the configuration of your Project resources. The service account you create is granted the following read-only Identity and Access Management (IAM) roles: @@ -28,7 +28,7 @@ Snyk scans the Google Cloud Project specified by the `project_id` [variable](htt default = "your-project-id" ``` -* Set the `project_id` variable when you apply the Terraform. In the following section, [Apply Terraform](step-2-create-the-google-service-account-web-ui.md#apply-terraform), you will apply Terraform to create the Google service account. At that time, you can use Terraform's [-var](https://www.terraform.io/language/values/variables#variables-on-the-command-line) option to set the `project_id` variable to your Project ID: +* Set the `project_id` variable when you apply the Terraform. In the following section, [Apply Terraform](step-2-create-the-google-service-account-web-ui.md#apply-terraform), you apply Terraform to create the Google service account. At that time, you can use Terraform's [-var](https://www.terraform.io/language/values/variables#variables-on-the-command-line) option to set the `project_id` variable to your Project ID: ``` terraform apply -var="project_id=your-project-id" @@ -59,7 +59,7 @@ terraform apply 4\. Enter `yes` when Terraform asks if you want to perform the actions. -Terraform then creates the Google service account. When it is finished, you will see the following output: +Terraform then creates the Google service account. When it is finished, you see the following output: ``` Apply complete! Resources: 22 added, 0 changed, 0 destroyed. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-google-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-google-web-ui.md index 2954c461d463..4beed66c4498 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-google-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/step-3-create-and-scan-a-cloud-environment-for-google-web-ui.md @@ -11,9 +11,9 @@ To create and scan a Cloud Environment for Google, you must provide the Google s For example, `snyk-cloud-mt-us-abcd1234@my-project.iam.gserviceaccount.com` 2. Enter the identity provider in the **Identity provider** field. This must be a full URL including workload identity pool ID, identity provider ID, and project ID.\ For example, `https://iam.googleapis.com/projects/12345567/locations/global/workloadIdentityPools/workload-identity-123456/providers/identity-provider-123456` -3. Optionally, enter an environment name. If one is not provided, Snyk will use your Google Project name. +3. Optionally, enter an environment name. If one is not provided, Snyk uses your Google Project name. 4. Select **Approve and begin scan**. -5. You will see a confirmation message: **Google Cloud environment successfully added**.\ +5. You see a confirmation message: **Google Cloud environment successfully added**.\ Select **Add another environment** to return to the **Add Google Cloud Environment** modal and onboard a new account, or select **Go to settings** if you are finished:

Success message after adding a Google Cloud environment in the Snyk Web UI

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/README.md index ca714a9e685d..320b6b753a5d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/README.md @@ -6,7 +6,7 @@ IaC custom rules are available only with Enterprise plans. For more information, see [plans and pricing](https://snyk.io/plans/). {% endhint %} -Snyk IaC includes a comprehensive list of security rules, covering AWS, Azure, GCP, and Kubernetes. These rules are based on security research, best practices, recognized standards, and benchmarks. They are actively maintained by Snyk’s security engineering team, and new rules are released on a regular basis. +Snyk IaC includes a comprehensive list of security rules, covering AWS, Azure, GCP, and Kubernetes. These rules are based on security research, best practices, recognized standards, and benchmarks. The Snyk security engineering team actively maintains them, and releases new rules on a regular basis. These rules are intended to meet most of your needs on your first scan, but you may need to enforce additional security rules for your system, such as tagging standards. @@ -35,6 +35,6 @@ Summary: * Snyk IaC custom rules: generate issues {% endhint %} -The Snyk platform allows you to create your own [policies](../../../manage-risk/policies/) to manage how you prioritize and triage the issues Snyk identifies during scanning. For example, you can define policies to change the priority of an issue from medium to high if it has specific attributes, or to bulk ignore issues if they meet certain criteria. +The Snyk platform lets you create your own [policies](../../../manage-risk/policies/) to manage how you prioritize and triage the issues Snyk identifies during scanning. For example, you can define policies to change the priority of an issue from medium to high if it has specific attributes, or to bulk ignore issues if they meet certain criteria. -The Snyk IaC custom rules functionality enables you to define your own rules for misconfiguration checks that you would like to enforce. The result of a custom rule failing on a configuration file is generating an issue. +The Snyk IaC custom rules functionality lets you define your own rules for misconfiguration checks that you want to enforce. The result of a custom rule failing on a configuration file is generating an issue. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/iac-custom-rules-within-a-pipeline.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/iac-custom-rules-within-a-pipeline.md index 300245ef62fe..37901ee9cab8 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/iac-custom-rules-within-a-pipeline.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/iac-custom-rules-within-a-pipeline.md @@ -14,16 +14,16 @@ Snyk uses the [snyk/custom-rules-example](https://github.com/snyk/custom-rules-e Aims: Configure our pipeline to: -* Verify that new rules or changes to the existing rules do nor break existing functionality. +* Verify that new rules or changes to the existing rules do not break existing functionality. * Publish the rules in `main` to an OCI registry. * Enforce the use of custom rules in other pipelines. * Optionally: Configure the custom rules using environment variables. ## Adding PR checks using GitHub Action -An example of a PR check can be seen in [https://github.com/snyk/custom-rules-example/pull/5](https://github.com/snyk/custom-rules-example/pull/5) where there is an attempt to add a new rule called `my_rule`. This is the same rule shown for [learning how to write a rule](writing-rules-using-the-sdk/writing-a-rule.md). +You can see an example of a PR check in [https://github.com/snyk/custom-rules-example/pull/5](https://github.com/snyk/custom-rules-example/pull/5), where there is an attempt to add a new rule called `my_rule`. This is the same rule shown for [learning how to write a rule](writing-rules-using-the-sdk/writing-a-rule.md). -To verify that this rule works as expected, unit tests were implemented. To run the unit tests as part of PR checks, a GitHub Action was configured previously under `.github/workflows` called `test.yml`: +To verify that this rule works as expected, this example implements unit tests. To run the unit tests as part of PR checks, a GitHub Action was configured previously under `.github/workflows` called `test.yml`: {% code title=".github/workflows/test.yml" %} ``` @@ -56,8 +56,8 @@ jobs: A few things to note about this workflow: * It was configured to run on all non-`main` branches, so that it runs when PRs are open. -* Steps were added steps to set up a Node.js environment to enable installing the `snyk-iac-rules` SDK using [npm](install-the-sdk.md#install-the-sdk-with-npm). -* A step was added to run `snyk-iac-rules test`, which will cause the PR check to fail if any of the tests fail. +* Steps were added to set up a Node.js environment to enable installing the `snyk-iac-rules` SDK using [npm](install-the-sdk.md#install-the-sdk-with-npm). +* A step was added to run `snyk-iac-rules test`, which causes the PR check to fail if any of the tests fail. {% hint style="info" %} You must configure your `main` branch under `Settings` -> `Branches`first, so that no one can push directly to `main`. @@ -67,7 +67,7 @@ You must configure your `main` branch under `Settings` -> `Branches`first, so th Another way to test the rules is by testing the contract with the [Snyk CLI](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli) by using the [Snyk IaC GitHub Action](https://github.com/snyk/actions/tree/master/iac), making sure the generated bundle can be read by the CLI. -To do this, you will need a step for installing the Snyk CLI and a `SNYK_TOKEN`, which can be found in your Snyk Account Settings. +To do this, you need a step for installing the Snyk CLI and a `SNYK_TOKEN`, which you can find in your Snyk Account Settings. {% code title=".github/workflows/test.yml" %} ``` @@ -101,7 +101,7 @@ You can also expand these tests to use [Shellspec](https://github.com/shellspec/ ## Publishing the custom rules -Once a PR passes its checks from the previous section and gets merged into the `main` branch, you can publish the Snyk rules to an OCI registry. This allows you to configure a separate pipeline, download the custom rules bundle from this location, and run the custom rules in order to catch misconfigurations. +After a PR passes its checks from the previous section and gets merged into the `main` branch, you can publish the Snyk rules to an OCI registry. This lets you configure a separate pipeline, download the custom rules bundle from this location, and run the custom rules to catch misconfigurations. For this, add another workflow under `.github/workflows` called `publish.yml`: @@ -147,7 +147,7 @@ It looks like the previous workflow, but there are a few things to note about th * It was configured to run only on `main` branches, so that it runs when PRs are merged. * A step was added to authenticate with Docker Hub, our chosen OCI registry. For a list of supported registries, read about [pushing bundles](writing-rules-using-the-sdk/pushing-a-bundle.md). Use the [docker/login-action](https://github.com/docker/login-action) GitHub Action to do that and be sure to configure the GitHub secrets under `Settings` -> `Secrets`. -* A step was added to run `snyk-iac-rules build` followed by `snyk-iac-rules push`, which will publish the generated custom rules bundle to an OCI registry. +* A step was added to run `snyk-iac-rules build` followed by `snyk-iac-rules push`, which publishes the generated custom rules bundle to an OCI registry. ## Versioning rules @@ -200,7 +200,7 @@ This means configuring the GitHub Action above with another job for updating Sny }' ``` -This API call will update the chosen Snyk Group and all the Organizations underneath it to use the configured custom rules bundle. +This API call updates the chosen Snyk Group and all the Organizations underneath it to use the configured custom rules bundle. {% hint style="info" %} To configure an Organization to use a different bundle, such as the `v2-beta` one, use the Snyk Settings page. You can either configure a new bundle or disable custom rules to allow using environment variables in the CI/CD pipeline to run the custom rules. @@ -227,7 +227,7 @@ jobs: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} ``` -The result is that the GitHub action will fail until the generated misconfigurations have been resolved: +The result is that the GitHub action fails until the generated misconfigurations have been resolved: ``` Testing example.tf... diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/sdk-reference.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/sdk-reference.md index 4c2b25caad3e..3f54ab2c4de9 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/sdk-reference.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/sdk-reference.md @@ -77,13 +77,13 @@ The mandatory configuration format you want to define your rule for. This genera `--severity`=`low`|`medium`|`high`|`critical` -The severity of the rule, which will show up when running the Snyk Infrastructure as Code CLI. +The severity of the rule, which shows up when running the Snyk Infrastructure as Code CLI. Default: `low` `--title`=`TITLE` -The title of the rule, which will show up when running the Snyk Infrastructure as Code CLI. +The title of the rule, which shows up when running the Snyk Infrastructure as Code CLI. ### Parse options diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/use-iac-custom-rules-with-cli/use-a-remote-iac-custom-rules-bundle.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/use-iac-custom-rules-with-cli/use-a-remote-iac-custom-rules-bundle.md index c285a6991bee..29ba5eb6790e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/use-iac-custom-rules-with-cli/use-a-remote-iac-custom-rules-bundle.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/use-iac-custom-rules-with-cli/use-a-remote-iac-custom-rules-bundle.md @@ -8,7 +8,7 @@ After successfully pushing your custom rules bundle, you can enforce the use of * [Snyk API](use-a-remote-iac-custom-rules-bundle.md#snyk-api-and-remote-custom-rules-bundle) * [Environment variables](use-a-remote-iac-custom-rules-bundle.md#environment-variables-and-remote-custom-rules-bundle) -Finally, after you have enforced your custom rules using one of these options, configure the Snyk Snyk CLI with your username and password to allow Snyk to authorize a pull from your OCI registry: +After you have enforced your custom rules using one of these options, configure the Snyk CLI with your username and password to let Snyk authorize a pull from your OCI registry: ``` snyk config set oci-registry-username= @@ -20,13 +20,13 @@ This sets the following Snyk environment variables: * `SNYK_CFG_OCI_REGISTRY_USERNAME` * `SNYK_CFG_OCI_REGISTRY_PASSWORD` -After you have completed this configuration, you can run a Snyk IaC scan. The CLI will pull the bundle pushed to the configured container registry in the background. +After you have completed this configuration, you can run a Snyk IaC scan. The CLI pulls the bundle pushed to the configured container registry in the background. ``` snyk iac test ``` -The resulting configuration scan issues will include issues from both the default Snyk rules and your custom rules. See also [Understanding the IaC CLI test results](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/understand-the-iac-cli-test-results). +The resulting configuration scan issues include issues from both the default Snyk rules and your custom rules. See also [Understanding the IaC CLI test results](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/understand-the-iac-cli-test-results). {% hint style="info" %} Only one method for defining the bundle's path should be defined at any given time. Make sure to disable the custom rules settings using the Snyk settings page or the [Snyk API](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/iacsettings). Alternatively, clear any previously stored settings using [`snyk config unset`](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/commands/config#unset-less-than-key-greater-than). @@ -34,10 +34,10 @@ Only one method for defining the bundle's path should be defined at any given ti ## Snyk settings and remote custom rules bundle -Snyk recommends you use the Snyk settings page to configure custom rules settings. This is a simple way to update the custom rules bundle's URL and tag whenever these are modified. +Snyk recommends you use the Snyk settings page to configure custom rules settings. This is a way to update the custom rules bundle URL and tag whenever these are modified. {% hint style="info" %} -Tags are helpful for versioning your custom rules bundles. Configuring your updated bundle can be easily accomplished by setting the new version tag. +Tags are helpful for versioning your custom rules bundles. To configure your updated bundle, set the new version tag. {% endhint %} You can configure these remote bundles on both the Organization and Group levels. Configuring a remote bundle for a Group applies the remote bundle to all the Organizations in the Group. @@ -62,13 +62,13 @@ You can configure remote custom rules bundles on the Group level by navigating t
Registry URL and tag configured

Registry URL and tag configured

-Your remote bundle of custom rules is now configured and will be used when testing IaC files. +Your remote bundle of custom rules is now configured and is used when testing IaC files. You can override remote bundle configurations for a Group using Snyk Settings. -By default, configuring a remote bundle for a Group applies the remote bundle to all the Organizations in the Group. Thus if the Group configurations are updated, these changes apply to all of its Organizations. +By default, configuring a remote bundle for a Group applies the remote bundle to all the Organizations in the Group. So if the Group configurations are updated, these changes apply to all of its Organizations. -However, an Organization can still override the Group configurations and define its own bundle and tag. These will not change when the Group updates its configurations. +However, an Organization can still override the Group configurations and define its own bundle and tag. These do not change when the Group updates its configurations. To override the Group configurations, go to the Organization's `Rules` section in the Infrastructure as Code Settings. @@ -80,15 +80,15 @@ To override the Group configurations, go to the Organization's `Rules` section i
Organization rules configuration updated

Organization rules configuration updated

-* Now, configurations on the Group level will not override these customized settings for your Organization. +* Now, configurations on the Group level do not override these customized settings for your Organization. You can restore the inheritance of Group configurations at any time by using the **Reset to group default** button. ## Snyk API and remote custom rules bundle -If manually updating the settings through the Snyk Settings page is too time-consuming, you can use the Snyk API, which allows you to send any variation of the custom rules settings using an API call. +If manually updating the settings through the Snyk Settings page is too time-consuming, you can use the Snyk API, which lets you send any variation of the custom rules settings using an API call. -* For example, in order to configure the custom rules bundle at the Group level, use the endpoint [Update the Infrastructure as Code settings for a group](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/iacsettings#groups-group_id-settings-iac) by providing the following body: +* For example, to configure the custom rules bundle at the Group level, use the endpoint [Update the Infrastructure as Code settings for a group](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/iacsettings#groups-group_id-settings-iac) by providing the following body: ``` { diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/README.md index 6751e3a796bd..05bb7b7cefd2 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/README.md @@ -1,6 +1,6 @@ # Writing rules using the SDK -To get you started with the SDK, you will learn how to: +To get you started with the SDK, you learn how to: 1. [Parse a fixture file](parsing-an-input-file.md), to help you understand how to write a rule. 2. [​Write a rule with the SDK](writing-a-rule.md) using Rego. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/bundling-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/bundling-rules.md index 0d3060b73f66..3a0b5a15c6c8 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/bundling-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/bundling-rules.md @@ -20,7 +20,7 @@ Finally, you can check the contents of the bundle without extracting it by runni tar -tf bundle.tar.gz ``` -The output will be all the files included in the bundle: +The output is all the files included in the bundle: ``` /data.json diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/examples-of-iac-custom-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/examples-of-iac-custom-rules.md index d5f692860929..1a743e10da74 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/examples-of-iac-custom-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/examples-of-iac-custom-rules.md @@ -6,7 +6,7 @@ You can find a full example of this guide in [this OPA Playground](https://play.openpolicyagent.org/p/SCYndBjWxh) and the [snyk/custom-rules-example](https://github.com/snyk/custom-rules-example) repository. {% endhint %} -Assume you have generated a new rule, `CUSTOM-RULE-1` using the SDK , that is, `snyk-iac-rules template --rule CUSTOM-RULE-1` and have a very simple fixture file containing a Terraform resource: +Assume you have generated a new rule, `CUSTOM-RULE-1` using the SDK, that is, `snyk-iac-rules template --rule CUSTOM-RULE-1` and have a fixture file containing a Terraform resource: {% code title="rules/CUSTOM-RULE-1/fixtures/denied.tf" %} ``` @@ -22,8 +22,8 @@ resource "aws_redshift_cluster" "denied" { Now, modify the generated Rego to enforce resources tagged with an owner: 1. Create a variable `[name]` to enumerate across all of the `aws_redshift_cluster` resources. This variable can be named anything you like, for example, `i`, `j`, `name`, and so on. -2. Store this into the resource variable by assigning the value to it with a walrus operator `:=`; e.g. `resource := input.resource.aws_redshift_cluster[name]` -3. Check whether the owner tag exists for each resource; to do that, check if the path `resource.tags.owner` is defined. If it is undefined, it will evaluate as undefined. So, use the `NOT` keyword in front of it, which will evaluate to `TRUE`; for example,`not resource.tags.owner` +2. Store this into the resource variable by assigning the value to it with a walrus operator `:=`. For example, `resource := input.resource.aws_redshift_cluster[name]` +3. Check whether the owner tag exists for each resource. To do that, check if the path `resource.tags.owner` is defined. If it is undefined, it evaluates as undefined. So, use the `NOT` keyword in front of it, which evaluates to `TRUE`. For example,`not resource.tags.owner` The modified Rego is: @@ -50,7 +50,7 @@ deny[msg] { {% endcode %} {% hint style="info" %} -To understand how the Rego code evaluates the Terraform file provided earlier, have a look at how the SDK is able to [parse a fixture file](parsing-an-input-file.md) into JSON. +To understand how the Rego code evaluates the Terraform file provided earlier, have a look at how the SDK can [parse a fixture file](parsing-an-input-file.md) into JSON. {% endhint %} {% hint style="info" %} @@ -240,7 +240,7 @@ deny[msg] { ``` {% endcode %} -This will successfully return all the rules that deny. +This successfully returns all the rules that deny. {% hint style="info" %} Snyk recommends always validating that your rule is correct by [updating and running the unit tests](testing-a-rule.md). @@ -446,7 +446,7 @@ You can also iterate over many resources by adding them to an array of resources ] ``` -One way to leverage this is to implement denylist rules. +One way to use this is to implement denylist rules. For example, you may want to ensure that if someone defines a Kubernetes ConfigMap, then they cannot use it to store sensitive information such as passwords, secret keys, and access tokens. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/parsing-an-input-file.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/parsing-an-input-file.md index 00af017ec12e..1a916ab98cde 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/parsing-an-input-file.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/parsing-an-input-file.md @@ -1,6 +1,6 @@ # Parsing an input file -It can be difficult to understand the internal representation of your input files as you write your Rego code. As you will see when you learn [how to write a rule](writing-a-rule.md), the input value is a JSON-like object, but the input files could also be YAML, Terraform, or [Terraform Plan JSON Output](https://www.terraform.io/docs/internals/json-format.html). To help you understand how these are translated into JSON, Snyk provides a `parse` command. +It can be difficult to understand the internal representation of your input files as you write your Rego code. As you see when you learn [how to write a rule](writing-a-rule.md), the input value is a JSON-like object, but the input files could also be YAML, Terraform, or [Terraform Plan JSON Output](https://www.terraform.io/docs/internals/json-format.html). To help you understand how these are translated into JSON, Snyk provides a `parse` command. You will need an IaC file to use as an input file. This input file can also be used when [testing the rules](testing-a-rule.md), which parses your files into JSON by default. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/pushing-a-bundle.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/pushing-a-bundle.md index cd8cdd81f7ed..9096dea83bc7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/pushing-a-bundle.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/pushing-a-bundle.md @@ -1,6 +1,6 @@ # Pushing a bundle -Optionally, once you have generated your custom rules bundle, you can distribute it automatically to one of our supported OCI registries by using the `push` command: +Optionally, after you have generated your custom rules bundle, you can distribute it automatically to one of our supported OCI registries by using the `push` command: ``` snyk-iac-rules push -r docker.io/example/test bundle.tar.gz @@ -10,7 +10,7 @@ snyk-iac-rules push -r docker.io/example/test bundle.tar.gz Make sure to log into your container registry first, for example, by using Docker run `docker login` before running the `snyk-iac-rules push` command. {% endhint %} -Snyk uses the OCI registries that support the [OCI artifact specification](https://github.com/opencontainers/artifacts) and leverage [ORAS](https://github.com/deislabs/oras) to achieve that. Currently supported registries include +Snyk uses the OCI registries that support the [OCI artifact specification](https://github.com/opencontainers/artifacts) and use [ORAS](https://github.com/deislabs/oras) to achieve that. Supported registries include * [Google Container Registry](https://cloud.google.com/container-registry) * [DockerHub](https://hub.docker.com) @@ -24,7 +24,7 @@ Snyk uses the OCI registries that support the [OCI artifact specification](https Snyk does not support insecure registries. The only protocol Snyk supports is HTTPS. {% endhint %} -After you have run the command, your custom rules bundle will be pushed to your OCI registry using the `latest` tag. +After you have run the command, Snyk pushes your custom rules bundle to your OCI registry using the `latest` tag. You can also provide your own tag if you want to version the bundle: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/testing-a-rule.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/testing-a-rule.md index 7fe52c75ea02..2c4a4a909ba5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/testing-a-rule.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/testing-a-rule.md @@ -43,7 +43,7 @@ resource "aws_redshift_cluster" "allowed" { ``` {% endcode %} -In the `want_msgs` field of the test case, you should add the msg fields of the resources that you expect your deny rule will evaluate and return, for example,`["input.resource.aws_redshift_cluster[denied].tags"]`. +In the `want_msgs` field of the test case, add the msg fields of the resources that you expect your deny rule to evaluate and return, for example,`["input.resource.aws_redshift_cluster[denied].tags"]`. {% hint style="info" %} The `want_msgs` field should be an array containing hardcoded values corresponding to the computed `msg` field in the appropriate Rego rule. @@ -79,20 +79,20 @@ To run all tests, run the following command: snyk-iac-rules test ``` -If your tests pass successfully, you will see an output like the following, assuming you have three different rules in your `rules/` folder: +If your tests pass successfully, you see an output like the following, assuming you have three different rules in your `rules/` folder: ``` PASS: 3/3 ``` -However, if any of them fail, you will see an output like this: +However, if any of them fail, you see an output like this: ``` data.rules.test_MY_RULE: FAIL (1.12234ms) FAIL: 2/3 ``` -If you have more than one rule in your `rule/`, folder you can target a specific test by running the following command: +If you have more than one rule in your `rule/` folder, you can target a specific test by running the following command: ``` snyk-iac-rules test --run test_MY_RULE diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/writing-a-rule.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/writing-a-rule.md index f568c54eaa21..b15a1d04cabc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/writing-a-rule.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/current-iac-custom-rules/writing-rules-using-the-sdk/writing-a-rule.md @@ -75,9 +75,9 @@ You must follow this format of the **msg** property to ensure the output is disp The attributes are: * **publicId:** a naming convention unique to your team, such as COMPANY-001. This should not contain/start with “SNYK-” to differentiate it from the internal Snyk rules. -* **title:** a short title that should summarise the issue. +* **title:** a short title that summarizes the issue. * **severity:** this can be one of low/medium/high/critical. -* **msg:** Snyk recommends changing only the resource name and property, for example,`input.aws_s3_bucket[%s].tags` to match your example. The function `sprintf` is provided by Rego and enables Snyk to provide a dynamic error message explaining exactly where the issue was found. +* **msg:** Snyk recommends changing only the resource name and property, for example,`input.aws_s3_bucket[%s].tags` to match your example. Rego provides the `sprintf` function, which lets Snyk provide a dynamic error message explaining exactly where the issue was found. The following attributes are optional but can be used to enhance the scan results in the Snyk CLI: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/configure-cloud-providers/configure-aws-provider.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/configure-cloud-providers/configure-aws-provider.md index 2167a079181c..8bfbe6a8f29e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/configure-cloud-providers/configure-aws-provider.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/configure-cloud-providers/configure-aws-provider.md @@ -199,7 +199,7 @@ When the stack is deployed, attach the following policy to your IAM user. This a } ``` -There is no automatic way to update the CloudFormation template from the Snyk side because you launched this template from your AWS account. Therefore you must update the template yourself to use the most recent Snyk role. +There is no automatic way to update the CloudFormation template from the Snyk side because you launched this template from your AWS account. So you must update the template yourself to use the most recent Snyk role. ### Update the CloudFormation template using the AWS console @@ -207,7 +207,7 @@ There is no automatic way to update the CloudFormation template from the Snyk si * In the stack details pane, choose **Update**. * Select **Replace current template** and specify the Snyk **Amazon S3 URL** `https://driftctl-cfn-templates.s3.eu-west-3.amazonaws.com/driftctl-role.yml`; click **Next.** * On the **Specify stack details** and the **Configure stack options** pages, click **Next**. -* In the **Change set preview** section, check that AWS CloudFormation will make the changes. +* In the **Change set preview** section, check that AWS CloudFormation makes the changes. * Because the Snyk template contains one IAM resource, select **I acknowledge that this template may create IAM resources**. * To finish, click **Update stack**. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/filter-rules.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/filter-rules.md index b16ba25b5f3a..7dfb4d92abed 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/filter-rules.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/filter-rules.md @@ -2,7 +2,7 @@ You can use filter rules to describe resources and ignore resources. You can use both inclusion and exclusion logic. -Filter rules allow you to build a complex include and exclude expression to include and exclude a set of resources in your workflow. This capability is powered by the expression language [JMESPath](https://jmespath.org). +Filter rules let you build a complex include and exclude expression to include and exclude a set of resources in your workflow. The expression language [JMESPath](https://jmespath.org) powers this capability. Filters are applied on a normalized `struct` that contains the following fields: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/get-started-with-snyk-iac-describe-on-aws.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/get-started-with-snyk-iac-describe-on-aws.md index 648920c886af..df9a7cc1390c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/get-started-with-snyk-iac-describe-on-aws.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/get-started-with-snyk-iac-describe-on-aws.md @@ -2,9 +2,9 @@ ## Step 1: Configure AWS authentication for your environment -The [`snyk iac describe`](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/commands/iac-describe) command requires authentication to your cloud provider in order to run properly. It requires only the lowest read-only access rights possible. You can use use the built-in AWS `ReadOnlyAccess` IAM policy for an IAM user as the default to get started. +The [`snyk iac describe`](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/commands/iac-describe) command requires authentication to your cloud provider to run properly. It requires only the lowest read-only access rights possible. You can use the built-in AWS `ReadOnlyAccess` IAM policy for an IAM user as the default to get started. -`snyk iac describe` can reuse standard authentication methods for AWS, such as the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` [environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list). When those are set, the Snyk CLI will automatically pick them up to authenticate on AWS. +`snyk iac describe` can reuse standard authentication methods for AWS, such as the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` [environment variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html#envvars-list). When those are set, the Snyk CLI automatically picks them up to authenticate on AWS. Alternatively, you can configure the [AWS profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) in `~/.aws/credentials` and use the `AWS_PROFILE` environment variable. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/iac-sources-usage.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/iac-sources-usage.md index c708399338a6..ef6a7cdcc657 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/iac-sources-usage.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/iac-sources-usage.md @@ -1,4 +1,4 @@ -# IAC sources usage +# IaC sources usage ## **Supported IaC sources** diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/ignore-unmanaged-resources.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/ignore-unmanaged-resources.md index 8bc26ea952a1..72a19f784373 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/ignore-unmanaged-resources.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/detect-manually-created-resources/ignore-unmanaged-resources.md @@ -37,7 +37,7 @@ exclude: ``` {% endcode %} -The `.snyk` policy file also supports the negation of rules. This allows you to ignore everything except certain types. In this example, only S3 buckets will not be ignored: +The `.snyk` policy file also supports the negation of rules. This lets you ignore everything except certain types. In this example, only S3 buckets are not ignored: {% code title=".snyk" %} ```yaml @@ -91,7 +91,7 @@ You can use the means to ignore resources explained on this page in combination For details, run `snyk iac update-exclude-policy --help` . -This command helps to generate a `.snyk` policy file, adding all the detected drifts to it in order to ignore them all. +This command helps to generate a `.snyk` policy file, adding all the detected drifts to it to ignore them all. For example, to ignore all the unmanaged resources at once, run the following command: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/README.md index 95e9b3e8c355..83dad824ee51 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/README.md @@ -16,7 +16,7 @@ To start using cloud scans you must have the following: Navigate to your **Organization** **Settings** > **Cloud environments**. -To add a cloud environment, select the **Add environment** drop-down and select the cloud provider. Follow the steps in [AWS Integration: Web UI](../cloud-platform-integrations/aws-integration/aws-integration-web-ui/), [Google Cloud Integration: Web UI](../cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/), or [Azure Integration: Web UI](../cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/) to create the environment. +To add a cloud environment, select the **Add environment** dropdown and select the cloud provider. Follow the steps in [AWS Integration: Web UI](../cloud-platform-integrations/aws-integration/aws-integration-web-ui/), [Google Cloud Integration: Web UI](../cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/), or [Azure Integration: Web UI](../cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/) to create the environment. You can also add an environment using the Snyk API: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/README.md index 8468376f2bbb..105e82b60110 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/README.md @@ -1,6 +1,6 @@ # Manage cloud environments -This section provides information on how to work with Snyk environments. Environments are used onboard cloud provider accounts, and contain resources for cloud accounts and IaC+ SCM repositories, CLI test report, and Terraform Cloud/Enterprise run task report. +This section provides information on how to work with Snyk environments. Environments onboard cloud provider accounts and contain resources for cloud accounts and IaC+ SCM repositories, CLI test reports, and Terraform Cloud/Enterprise run task reports. * [View, add, and remove environments](view-add-and-remove-environments.md) * [Find an environment ID](find-an-environment-id.md) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/remove-a-cloud-environment.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/remove-a-cloud-environment.md index b5a705da858f..cfeeee3b7505 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/remove-a-cloud-environment.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/remove-a-cloud-environment.md @@ -20,18 +20,18 @@ There is no output if the command is successful. ## Remove the Snyk AWS IAM role -Removing an environment does not remove the Snyk Identity and Access Management (IAM) role. To fully remove Snyk's access to your Amazon Web Services (AWS) account, delete the IAM role using the same infrastructure as code tool that created it: +Removing an environment does not remove the Snyk Identity and Access Management (IAM) role. To fully remove the access Snyk has to your Amazon Web Services (AWS) account, delete the IAM role using the same infrastructure as code tool that created it: * **Terraform:** delete the role using the [terraform destroy](https://www.terraform.io/cli/commands/destroy) command. * **CloudFormation:** delete the CloudFormation stack using the [AWS Management Console](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-delete-stack.html) or the AWS CLI [delete-stack command](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudformation/delete-stack.html). ## Remove the Google service account -Removing an environment does not remove the Google service account. To fully remove Snyk's access to your Google project, delete the Google service account using the [Google Cloud console](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-delete-console) or [CLI](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-delete-gcloud). +Removing an environment does not remove the Google service account. To fully remove the access Snyk has to your Google project, delete the Google service account using the [Google Cloud console](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-delete-console) or [CLI](https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-delete-gcloud). ## Remove the Azure app registration, federated identity credential, and service principal -Removing an environment does not remove the Azure app registration, federated identity credential, or service principal. To fully remove Snyk's access to your Azure subscription, delete the infrastructure according to the method you used to create it: +Removing an environment does not remove the Azure app registration, federated identity credential, or service principal. To fully remove the access Snyk has to your Azure subscription, delete the infrastructure according to the method you used to create it: * **Terraform:** use the [terraform destroy](https://www.terraform.io/cli/commands/destroy) command. * **Azure CLI Bash script:** first, delete the Reader role assignment for the app registration (see docs: [Azure CLI](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-cli) or [Azure Portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-remove#azure-portal)), then delete the Azure app registration (see docs: [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-delete) or [Azure Portal](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-remove-app#remove-an-application-authored-by-you-or-your-organization)). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/scan-a-cloud-environment.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/scan-a-cloud-environment.md index e307f7aec99b..db8118279928 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/scan-a-cloud-environment.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/scan-a-cloud-environment.md @@ -29,11 +29,11 @@ curl -X POST \ }" -Because `jq -r '.data[0].id` returns the ID of the first environment shown in the Snyk API [List environments](https://apidocs.snyk.io/#get-/orgs/-org_id-/cloud/environments) output, this technique is especially useful if your Organization has a single environment. You can also change the `0` to another number to scan a different environment; for example, `jq -r '.data[1].id` will return the ID of the second environment in the output. +Because `jq -r '.data[0].id` returns the ID of the first environment shown in the Snyk API [List environments](https://apidocs.snyk.io/#get-/orgs/-org_id-/cloud/environments) output, this technique is especially useful if your Organization has a single environment. You can also change the `0` to another number to scan a different environment. For example, `jq -r '.data[1].id` returns the ID of the second environment in the output. ## Without `jq` -If you so not have [jq](https://stedolan.github.io/jq/download/) installed, you can send a request to the Snyk API to return all your environment IDs, look for the ID of the environment you want to scan, and send another request to manually trigger the scan. +If you do not have [jq](https://stedolan.github.io/jq/download/) installed, you can send a request to the Snyk API to return all your environment IDs, look for the ID of the environment you want to scan, and send another request to manually trigger the scan. ### Find the environment ID diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/update-a-cloud-environment.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/update-a-cloud-environment.md index b917b96b1afb..3cba65eb3779 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/update-a-cloud-environment.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/update-a-cloud-environment.md @@ -82,7 +82,7 @@ curl -X PATCH \ #### Google -`data.attributes.options.service_account_email` is required. You can choose to specify the Project ID explicitly with a `data.attributes.options.project_id` field, but it cannot be different from the current ProjectProject ID. +`data.attributes.options.service_account_email` is required. You can choose to specify the Project ID explicitly with a `data.attributes.options.project_id` field, but it cannot be different from the current Project ID. ``` curl -X PATCH \ diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/view-add-and-remove-environments.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/view-add-and-remove-environments.md index c71fe989f52a..7eaf5e0223a4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/view-add-and-remove-environments.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-environments/view-add-and-remove-environments.md @@ -13,7 +13,7 @@ The cloud environments table displays the following information for each environ ## Add a cloud environment -To add a cloud environment, select the **Add environment** drop-down and select the cloud provider. Follow the steps in [AWS Integration: Web UI](../../cloud-platform-integrations/aws-integration/aws-integration-web-ui/), [Google Cloud Integration: Web UI](../../cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/), or [Azure Integration: Web UI](../../cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/) to create the environment. +To add a cloud environment, select the **Add environment** dropdown and select the cloud provider. Follow the steps in [AWS Integration: Web UI](../../cloud-platform-integrations/aws-integration/aws-integration-web-ui/), [Google Cloud Integration: Web UI](../../cloud-platform-integrations/google-cloud-integration/google-cloud-integration-web-ui/), or [Azure Integration: Web UI](../../cloud-platform-integrations/azure-integration-for-cloud-configurations/azure-integration-web-ui/) to create the environment.
diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/ignoring-cloud-issues.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/ignoring-cloud-issues.md index 3190dd3ce22d..f4dcc77d80b2 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/ignoring-cloud-issues.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/ignoring-cloud-issues.md @@ -12,16 +12,16 @@ Ignores are applied at the Organization level. ## Ignoring an issue -To ignore an issue via the Snyk Web UI: +To ignore an issue using the Snyk Web UI: 1. Navigate to your Organization's Cloud tab. 2. Select the issue you want to ignore. -3. Select the **Ignore** button.\ +3. Select **Ignore**.\ -
The Ignore button in a cloud issue in the Snyk Web UI

The Ignore button in a coud issue in the Snyk Web UI

+
The Ignore button in a cloud issue in the Snyk Web UI

The Ignore button in a cloud issue in the Snyk Web UI

4. Add a comment about why this issue is ignored. -5. From the **Ignore for** drop-down menu, set how long the issue should be ignored. You can permanently ignore an issue by selecting **Does not expire**, or you can ignore the issue for 14, 30, 60, or 90 days, or a custom time period.\ +5. From the **Ignore for** dropdown menu, set how long to ignore the issue. You can permanently ignore an issue by selecting **Does not expire**, or you can ignore the issue for 14, 30, 60, or 90 days, or a custom time period.\
Setting ignore details for a cloud issue in the Snyk Web UI

Setting ignore details for a cloud issue in the Snyk Web UI

@@ -47,10 +47,10 @@ After an issue is ignored, you can unignore it or edit the ignore. ## Unignoring an issue -To unignore an issue via the Snyk Web UI: +To unignore an issue using the Snyk Web UI: 1. Select the ignored issue from your Organization's Cloud tab. -2. Select the **Unignore** button. +2. Select **Unignore**. 3. The message "Issue successfully unignored and will be applied on next scan" appears.\ In addition, the unignore pending state is shown in the issue panel: The ignore applied to this issue has been deleted and will be removed on the next scan.\ ![Unignore pending state in the issue panel](<../../../../.gitbook/assets/image (98).png>) @@ -60,10 +60,10 @@ To unignore an issue via the Snyk Web UI: ## Editing an ignore -To edit an ignore via the Snyk Web UI: +To edit an ignore using the Snyk Web UI: 1. Select the ignored issue from your Organization's Cloud tab. -2. In the side panel, select the **Edit ignore** button. +2. In the side panel, select **Edit ignore**. 3. Edit the comment, the ignore expiration date, or both. 4. Select **Confirm**.\ The message "Ignore successfully edited and will be applied on next scan" appears. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/view-cloud-issues-in-the-snyk-web-ui.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/view-cloud-issues-in-the-snyk-web-ui.md index 082cbcec79ca..bbb87a720834 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/view-cloud-issues-in-the-snyk-web-ui.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/manage-cloud-issues/view-cloud-issues-in-the-snyk-web-ui.md @@ -12,7 +12,7 @@ By default, Snyk displays open issues across all cloud environments in an Organi Issues are grouped by rule by default. -If you have grouped them by resource instead, you can group them by rule again by selecting the **Group by Resource** drop-down menu next to the search bar and selecting **Rule**: +If you have grouped them by resource instead, you can group them by rule again by selecting the **Group by Resource** dropdown menu next to the search bar and selecting **Rule**:

Group by rule

@@ -46,7 +46,7 @@ By default, when you expand a rule you see all the resources with an open issue ## Group issues by resource -If issues are currently grouped by rule, you can group them by resource instead by selecting the **Group by Rule** drop-down menu next to the search bar and selecting **Resource**: +If issues are currently grouped by rule, you can group them by resource instead by selecting the **Group by Rule** dropdown menu next to the search bar and selecting **Resource**:

Group by resource

@@ -117,7 +117,7 @@ Select the **Resource** tab to view the scanned resource's attributes: To filter which cloud issues are shown: -1. Select the **Filter** drop-down menu. The name of the menu shows how many filters are selected, for example, "1 Filter". +1. Select the **Filter** dropdown menu. The name of the menu shows how many filters are selected, for example, "1 Filter". 2. Select the parameter you want to filter by, for example "Severity". 3. Check the box for the values you want to show, for example "High". @@ -129,7 +129,7 @@ You can also filter issues by compliance control, resource type, environment nam ## Search issues -As you select filters from the **Filters** drop-down menu, the search bar is populated with key-value pairs. +As you select filters from the **Filters** dropdown menu, the search bar is populated with key-value pairs. To search cloud issues by key-value pair: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/view-cloud-resources.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/view-cloud-resources.md index c2d7f0a5b261..6ff0935e66ce 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/view-cloud-resources.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-cloud-scans/view-cloud-resources.md @@ -1,6 +1,6 @@ # View cloud resources -You can view all attributes for cloud resources in an Organization. This allows you to inventory all of your resources across cloud provider accounts or see the recorded state of any resource during the most recent scan. +You can view all attributes for cloud resources in an Organization. This lets you inventory all of your resources across cloud provider accounts or see the recorded state of any resource during the most recent scan. ## View all resources @@ -99,7 +99,7 @@ The following table lists some key attributes from the API response: ## Filter resource list -Query parameters allow you to filter the list of resources. +Query parameters let you filter the list of resources. For example, to return resources from a single environment, add `environment_id=YOUR-ENVIRONMENT-ID` to the URL: @@ -109,7 +109,7 @@ curl -X GET \ -H 'Authorization: token YOUR-API-TOKEN' ``` -Some parameters allow you to specify multiple values. To return resources in Amazon Web Services (AWS) regions `us-east-1` or `us-east-2`, add `location=us-east-1,us-east-2` to the URL: +Some parameters let you specify multiple values. To return resources in Amazon Web Services (AWS) regions `us-east-1` or `us-east-2`, add `location=us-east-1,us-east-2` to the URL: ``` curl -X GET \ @@ -117,7 +117,7 @@ curl -X GET \ -H 'Authorization: token YOUR-API-TOKEN' ``` -You can combine query parameters by using the `&` symbol. To return only 5 AWS S3 buckets, add `resource_type=aws_s3_bucket&limit=5` to the URL: +You can combine query parameters by using the `&` symbol. To return only five AWS S3 buckets, add `resource_type=aws_s3_bucket&limit=5` to the URL: ``` curl -X GET \ diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-current-iac.md index 1c902bbbe96c..bb82b820a3aa 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/getting-started-with-current-iac.md @@ -2,7 +2,7 @@ You can use Snyk IaC (Infrastructure as Code) in the Snyk Web UI to find, view, and fix issues in configuration files. You can also use Snyk IaC in the Snyk CLI. For details, see [Snyk CLI for Infrastructure as Code](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac). -On this page, you will find steps to find, view, and fix issues in configuration files for the supported environments: [Terraform](scan-your-iac-source-code/scan-terraform-files/), [AWS CloudFormation](scan-your-iac-source-code/scan-cloudformation-files/), [Kubernetes](scan-your-iac-source-code/scan-kubernetes-configuration-files/), including Helm, and [Azure Resource Manager (ARM)](scan-your-iac-source-code/scan-arm-configuration-files.md). These steps are specific to the current IaC. +On this page, you find steps to find, view, and fix issues in configuration files for the supported environments: [Terraform](scan-your-iac-source-code/scan-terraform-files/), [AWS CloudFormation](scan-your-iac-source-code/scan-cloudformation-files/), [Kubernetes](scan-your-iac-source-code/scan-kubernetes-configuration-files/), including Helm, and [Azure Resource Manager (ARM)](scan-your-iac-source-code/scan-arm-configuration-files.md). These steps are specific to the current IaC. ## **Prerequisites for Snyk IaC** @@ -24,7 +24,7 @@ You must use the Snyk CLI to scan ARM configuration files. See [Scan ARM configu ## Import IaC Projects -You will start by importing [Projects](../../snyk-platform-administration/snyk-projects/) you want to scan with Snyk. In these steps, you choose repositories for Snyk to test and re-test: +Start by importing the [Projects](../../snyk-platform-administration/snyk-projects/) you want to scan with Snyk. In these steps, you choose repositories for Snyk to test and re-test: 1. Log in to Snyk and on your dashboard, select **Projects** from the navigation. 2. On the Projects page, from the **Add projects** dropdown, select the SCM where the repositories and projects that you want to scan are; for example, select GitHub. @@ -36,7 +36,7 @@ You will start by importing [Projects](../../snyk-platform-administration/snyk-p The import completes and the Projects page displays the Snyk Project imported. {% hint style="info" %} -After you have imported an IaC Project, Snyk re-tests your Project once a week by default. You can de-activate recurring tests on the **Settings** tab of the Projects page; Set **Test & Automated Pull Request Frequency** to **Test never**. +After you have imported an IaC Project, Snyk re-tests your Project once a week by default. You can deactivate recurring tests on the **Settings** tab of the Projects page. Set **Test & Automated Pull Request Frequency** to **Test never**. {% endhint %} ## View configuration file issues in IaC @@ -103,7 +103,7 @@ Terraform Cloud and Helm do not show a code snippet, only the path details. Ther ### Example showing the code preview is not available -If Snyk can not identify the exact line of the vulnerable path in the file, Snyk does not show a code snippet, only a message and the path details. If possible, Snyk shows the **Full details** button so you can see a preview of the full code. +If Snyk cannot identify the exact line of the vulnerable path in the file, Snyk does not show a code snippet, only a message and the path details. If possible, Snyk shows the **Full details** button so you can see a preview of the full code.
Issue card without code snippet

Issue card without code snippet

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-arm-configuration-files.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-arm-configuration-files.md index 922fe7b41eba..be7bfc352b8b 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-arm-configuration-files.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-arm-configuration-files.md @@ -1,7 +1,7 @@ # Scan ARM configuration files -Snyk IaC currently supports scanning ARM configurations with the CLI only. +Snyk IaC supports scanning ARM configurations with the CLI only. -For the CLI, users can share their ARM scan results with the platform and present them in the UI by using the [Share CLI results feature](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/share-cli-results-with-the-snyk-web-ui). +For the CLI, you can share your ARM scan results with the platform and present them in the UI by using the [Share CLI results feature](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/share-cli-results-with-the-snyk-web-ui). For more information, see [Test your ARM files with the CLI tool](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/test-your-iac-files/arm-files). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/README.md index aac46cd23802..b25e6b0b7938 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/README.md @@ -1,6 +1,6 @@ # Scan CloudFormation files -The following information is provided to help you scan CloudFormation files: +Use the following information to scan CloudFormation files: * [Configure your integration to find security issues in your CloudFormation files](configure-your-integration-to-find-security-issues-in-your-cloudformation-files-current-iac.md) * [Scan and fix security issues in your CloudFormation files](scan-and-fix-security-issues-in-your-cloudformation-files-current-iac.md) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/configure-your-integration-to-find-security-issues-in-your-cloudformation-files-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/configure-your-integration-to-find-security-issues-in-your-cloudformation-files-current-iac.md index 9cdb5c1a0aa2..5b760002e968 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/configure-your-integration-to-find-security-issues-in-your-cloudformation-files-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/configure-your-integration-to-find-security-issues-in-your-cloudformation-files-current-iac.md @@ -1,6 +1,6 @@ # Configure your integration to find security issues in your CloudFormation files -Snyk tests and monitors CloudFormation files from source code repositories. It gives advice on how to better secure cloud environments by catching misconfigurations before they are pushed to production, along with assistance on how best to fix them. +Snyk tests and monitors CloudFormation files from source code repositories. It gives advice on how to better secure cloud environments by catching misconfigurations before you push them to production, along with assistance on how best to fix them. ## Supported Git repositories and CloudFormation file formats @@ -13,7 +13,7 @@ Scanning CloudFormation provides security feedback on everything that is statica ### Prerequisites for scanning CloudFormation files * You must be an administrator for the Organization you are configuring in Snyk. -* Ensure you have already integrated your Git repository, For details, see [Git repository (SCM) integrations](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations). +* Ensure you have already integrated your Git repository. For details, see [Git repository (SCM) integrations](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations). ### Configure Snyk to scan CloudFormation files diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/scan-and-fix-security-issues-in-your-cloudformation-files-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/scan-and-fix-security-issues-in-your-cloudformation-files-current-iac.md index 2c0fb9332790..a708ce315426 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/scan-and-fix-security-issues-in-your-cloudformation-files-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-cloudformation-files/scan-and-fix-security-issues-in-your-cloudformation-files-current-iac.md @@ -1,6 +1,6 @@ # Scan and fix security issues in your CloudFormation files -Snyk scans CloudFormation code for misconfigurations and security issues. After configuration files are scanned, Snyk reports on any misconfigurations based on the settings that administrators implement and makes recommendations for fixes accordingly. +Snyk scans CloudFormation code for misconfigurations and security issues. After scanning configuration files, Snyk reports on any misconfigurations based on the settings that administrators implement and makes recommendations for fixes accordingly. ## **Prerequisites for scanning and fixing issues in CloudFormation files** @@ -10,13 +10,13 @@ Snyk scans CloudFormation code for misconfigurations and security issues. After ## Scan and fix configuration files * Log in to the account and navigate to the relevant Group and Organization. -* If you imported your repositories for testing before the infrastructure as code feature was enabled by your administrator, from the Add project screen, re-import that repository in order to detect the CloudFormation code: +* If you imported your repositories for testing before your administrator enabled the infrastructure as code feature, from the Add project screen, re-import that repository to detect the CloudFormation code:
Add project screen

Add project screen

Every time a repository is scanned, every CloudFormation file is imported as a separate Project, grouped together per repository, similar to the example shown. -If you re-imported the repository in order to import the CloudFormation files, then Snyk imports and re-tests the already imported application manifest files, displaying the test time as "now". +If you re-imported the repository to import the CloudFormation files, then Snyk imports and re-tests the already imported application manifest files, displaying the test time as "now".
List of CloudFormation Projects

List of CloudFormation Projects

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/configure-integration-to-find-security-issues-in-kubernetes-configuration-files-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/configure-integration-to-find-security-issues-in-kubernetes-configuration-files-current-iac.md index 407322709e60..20e95aa95d02 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/configure-integration-to-find-security-issues-in-kubernetes-configuration-files-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/configure-integration-to-find-security-issues-in-kubernetes-configuration-files-current-iac.md @@ -1,10 +1,10 @@ # Configure integration to find security issues in Kubernetes configuration files -Snyk tests and monitors Kubernetes configurations stored in your source code repositories and provides information, tips, and tricks to better [secure a Kubernetes environment](https://snyk.io/learn/kubernetes-security/). This helps to catch misconfigurations before they are pushed to production, as well as provide fixes for vulnerabilities. +Snyk tests and monitors Kubernetes configurations stored in your source code repositories and provides information, tips, and tricks to better [secure a Kubernetes environment](https://snyk.io/learn/kubernetes-security/). This helps to catch misconfigurations before you push them to production, as well as provide fixes for vulnerabilities. ## Supported Git repositories and Kubernetes file formats -Snyk scans your Kubernetes configuration files in JSON and YAML format when they are imported from your integrated Git repository. +Snyk scans your Kubernetes configuration files in JSON and YAML format when you import them from your integrated Git repository. ## Configure Snyk to scan Kubernetes configuration files diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-helm-charts-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-helm-charts-current-iac.md index aeaa7a6e9272..4d4b44754028 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-helm-charts-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-helm-charts-current-iac.md @@ -1,6 +1,6 @@ # Scan and fix security issues in Helm Charts -In addition to scanning Kubernetes configuration files for misconfigurations and security issues, Snyk has support for templating Helm charts and scanning the resultant manifests. This templating functionality is only available when you import repositories using the Snyk UI. See the following sections for prerequisites and guidance on how to scan templated Helm charts using the Snyk CLI. After Helm charts are scanned, Snyk creates Projects for each template and dependency template, generates reports on any misconfigurations, and makes recommendations for fixing them. +In addition to scanning Kubernetes configuration files for misconfigurations and security issues, Snyk has support for templating Helm charts and scanning the resultant manifests. This templating functionality is only available when you import repositories using the Snyk UI. See the following sections for prerequisites and guidance on how to scan templated Helm charts using the Snyk CLI. After scanning Helm charts, Snyk creates Projects for each template and dependency template, generates reports on any misconfigurations, and makes recommendations for fixing them. ## Prerequisites for scanning and fixing issues in Helm Charts @@ -14,14 +14,14 @@ In addition to scanning Kubernetes configuration files for misconfigurations and ## Scan and fix your Helm Charts * Log in to your account and navigate to the relevant Group and Organization that you want to manage. -* If you imported your repositories for testing before configuration file detection was enabled by your administrator, you must re-import that repository in order to import the Helm chart: +* If you imported your repositories for testing before your administrator enabled configuration file detection, you must re-import that repository to import the Helm chart: Every time a repository is scanned, Snyk creates a Project for each template in your Helm Chart, grouped together by repository. -If you re-imported the repository in order to import the configuration files, then Snyk imports and tests the configuration files and also re-tests the already imported application manifest files, displaying the test time as "now". +If you re-imported the repository to import the configuration files, then Snyk imports and tests the configuration files and also re-tests the already imported application manifest files, displaying the test time as "now". * Click the Project link you are interested in to view the scan results and to correct your configuration files accordingly.\ - Projects that were created from external dependencies will also be scanned, and issues will be shown. + Snyk also scans Projects created from external dependencies and shows their issues.
Helm Charts Project detail

Helm Charts Project detail

@@ -38,7 +38,7 @@ helm template . --output-dir out snyk iac test out/ ``` -You can pass standard Helm values flags (for example, `--set`, `--value`, or both) to `helm template` in order to test a non-default configuration. +You can pass standard Helm values flags (for example, `--set`, `--value`, or both) to `helm template` to test a non-default configuration. You can script this process and run it in a CLI pipeline or helm-template files into a repository that can be imported into Snyk as Projects. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-kubernetes-configuration-files-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-kubernetes-configuration-files-current-iac.md index 530b68906242..5199f50287bc 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-kubernetes-configuration-files-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-kubernetes-configuration-files/scan-and-fix-security-issues-in-kubernetes-configuration-files-current-iac.md @@ -1,6 +1,6 @@ # Scan and fix security issues in Kubernetes configuration files -Snyk Infrastructure as Code scans your manifest files for security vulnerabilities and scans your Kubernetes configuration files for misconfigurations and security issues as well. After configuration files are scanned, Snyk reports on any misconfigurations based on the settings your administrator has implemented and makes recommendations for fixing accordingly. +Snyk Infrastructure as Code scans your manifest files for security vulnerabilities and scans your Kubernetes configuration files for misconfigurations and security issues as well. After scanning configuration files, Snyk reports on any misconfigurations based on the settings your administrator implemented and makes recommendations for fixing accordingly. ## Prerequisites for scanning and fixing issues in Kubernetes files @@ -15,11 +15,11 @@ Snyk Infrastructure as Code supports: ## Scan and fix your Kubernetes configuration files * Log in to your account and navigate to the relevant Group and Organization that you want to manage. -* If you imported your repositories for testing before cloud configuration file detection was enabled by your administrator, re-import that repository to import the relevant JSON or YAML configuration files. +* If you imported your repositories for testing before your administrator enabled cloud configuration file detection, re-import that repository to import the relevant JSON or YAML configuration files. Every time a repository is scanned, every supported manifest file and every supported configuration file is imported as a separate Project, grouped together per repository. -When you re-import the repository in order to import the cloud configuration files, Snyk imports and tests the configuration files and re-tests the already imported application manifest files, displaying the test time as "now". +When you re-import the repository to import the cloud configuration files, Snyk imports and tests the configuration files and re-tests the already imported application manifest files, displaying the test time as "now". * Click the link for the Project of interest to you to view the scan results and to correct your configuration files accordingly: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-serverless-files.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-serverless-files.md index 1536acd573ce..d58a2b4521e2 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-serverless-files.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-serverless-files.md @@ -2,6 +2,6 @@ Snyk IaC supports the scanning of Serverless configuration files only through the CLI. -Users can share their Serverless scan results with the platform and present them in the UI by using the [Share CLI results feature](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/share-cli-results-with-the-snyk-web-ui). +You can share your Serverless scan results with the platform and present them in the UI by using the [Share CLI results feature](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/share-cli-results-with-the-snyk-web-ui). For more information, see [Test your Serverless files with Snyk CLI](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-cli-for-iac/test-your-iac-files/serverless-files). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/README.md index 075b6965e8aa..ac88eebbe134 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/README.md @@ -1,8 +1,8 @@ # Scan Terraform files -The following information is provided to help you scan Terraform files: +Use the following information to scan Terraform files: * [Configure your integration to find security issues in your Terraform files](configure-your-integration-to-find-security-issues-in-your-terraform-files-current-iac.md) * [Scan and fix security issues in Terraform files](scan-and-fix-security-issues-in-terraform-files-current-iac.md) -* [Terraform variables suport](terraform-variables-support-current-iac.md) +* [Terraform variables support](terraform-variables-support-current-iac.md) * [Terraform AWS Provider support](terraform-aws-provider-support.md) diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/configure-your-integration-to-find-security-issues-in-your-terraform-files-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/configure-your-integration-to-find-security-issues-in-your-terraform-files-current-iac.md index 3d6ba12cad8f..cc9b770c9160 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/configure-your-integration-to-find-security-issues-in-your-terraform-files-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/configure-your-integration-to-find-security-issues-in-your-terraform-files-current-iac.md @@ -1,6 +1,6 @@ # Configure your integration to find security issues in your Terraform files -Snyk tests and monitors your Terraform files from your source code repositories, guiding you with advice on how you can better secure your cloud environment--catching misconfigurations before you push to production and helping you to fix them. +Snyk tests and monitors your Terraform files from your source code repositories, guiding you with advice on how you can better secure your cloud environment — catching misconfigurations before you push to production and helping you to fix them. ## Supported Git repositories and Terraform file formats @@ -8,7 +8,7 @@ Snyk scans Terraform (`.tf`) files when they are imported from an integrated Git Scanning Terraform files gives you security feedback on everything that is statically configured in the module. To benefit from recurring and scheduled testing, follow best practices and import custom modules directly from an SCM. -See the Snyk blog post about the ability to interpolate variables: [Snyk IaC public beta introduces Terraform plan analysis](https://snyk.io/blog/snyk-iac-public-beta-introduces-terraform-plan-analysis/). This allows scanning of the Terraform Plan output with the CLI, enabling scanning of the entire Terraform deployment to include the output of the modules used to create the deployment. +See the Snyk blog post about the ability to interpolate variables: [Snyk IaC public beta introduces Terraform plan analysis](https://snyk.io/blog/snyk-iac-public-beta-introduces-terraform-plan-analysis/). This lets you scan the Terraform Plan output with the CLI, enabling scanning of the entire Terraform deployment to include the output of the modules used to create the deployment. ## Configure Snyk to scan your Terraform configuration files diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/scan-and-fix-security-issues-in-terraform-files-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/scan-and-fix-security-issues-in-terraform-files-current-iac.md index 7ca9fc7ba588..c6a940340455 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/scan-and-fix-security-issues-in-terraform-files-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/scan-and-fix-security-issues-in-terraform-files-current-iac.md @@ -11,13 +11,13 @@ Snyk scans your Terraform code for misconfigurations and security issues as well ## Scan and fix your Terraform configuration files * Log in to your account and navigate to the relevant Group and Organization that you want to manage. -* If you imported your repositories for testing before the infrastructure as code feature was enabled by your administrator, from the **Add project** screen, re-import that repository in order to detect the Terraform code: +* If you imported your repositories for testing before your administrator enabled the infrastructure as code feature, from the **Add project** screen, re-import that repository to detect the Terraform code:
Add project screen

Add project screen

Every time a repository is scanned, every Terraform file is imported as a separate Project, grouped together per repository, similar to the example shown. -If you re-imported the repository in order to import the Terraform files, then Snyk imports and re-tests the already imported application manifest files, displaying the test time as "now". +If you re-imported the repository to import the Terraform files, then Snyk imports and re-tests the already imported application manifest files, displaying the test time as "now".
List of Terraform Projects

List of Terraform Projects

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-aws-provider-support.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-aws-provider-support.md index 822c3309c0f1..d2eadc1a92fb 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-aws-provider-support.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-aws-provider-support.md @@ -14,7 +14,7 @@ From the Terraform documentation: "To help distribute the management of S3 bucke To migrate to Terraform v4.0.0, you must refactor and re-import your S3 service definitions. Depending on how you choose to do this, it may limit your coverage of security findings. -See the [Terraform V4 upgrade guide from Hashicorp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade) for more details +See the [Terraform V4 upgrade guide from Hashicorp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/guides/version-4-upgrade) for more details. ## Example of Terraform AWS Provider support @@ -29,7 +29,7 @@ resource "aws_s3_bucket" "example" { ``` {% endcode %} -The definition of the S3 bucket is in one resource block. If you scanned this file using `snyk iac test s3.tf` you would get a security finding for the permissive ACL settings. +The definition of the S3 bucket is in one resource block. If you scan this file using `snyk iac test s3.tf`, you get a security finding for the permissive ACL settings. With v4.0.0 of the Provider, certain S3 bucket properties are now defined in their own resources. Continuing the previous example, the ACL property has moved to its own resource, so the refactored Terraform looks like this. @@ -46,7 +46,7 @@ resource "aws_s3_bucket_acl" "example" { ``` {% endcode %} -If you scan this file using `snyk iac test s3.tf` you will get the same results as before for the permissive ACL settings. +If you scan this file using `snyk iac test s3.tf`, you get the same results as before for the permissive ACL settings. ## Limitations of support for Terraform AWS Provider @@ -69,7 +69,7 @@ resource "aws_s3_bucket_acl" "example" { ``` {% endcode %} -If you scan these files, you will either not receive a security issue or receive a false positive for the permissive ACL. This is because Snyk cannot currently link the two resources together. +If you scan these files, you either do not receive a security issue or receive a false positive for the permissive ACL. This is because Snyk cannot link the two resources together. Snyk is working on adding support for this additional use case to the product. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-variables-support-current-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-variables-support-current-iac.md index 87b819df9cd7..eece7b7b0274 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-variables-support-current-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/scan-your-iac-source-code/scan-terraform-files/terraform-variables-support-current-iac.md @@ -1,15 +1,15 @@ # Terraform variables support -Support for Terraform (TF) variables is currently available only in the CLI. Snyk supports: +Support for Terraform (TF) variables is available only in the CLI. Snyk supports: * [Input Variables](https://www.terraform.io/language/values/variables) * [Local Values](https://www.terraform.io/language/values/locals) -At this time Snyk does not support [Output Values](https://www.terraform.io/language/values/outputs). +Snyk does not support [Output Values](https://www.terraform.io/language/values/outputs). The CLI scans all directories and handles each directory that includes supported TF files as its own module. Each module that includes variables is dereferenced appropriately. -Supported TF file formats are `.tf`, `.tfvars`, `.auto.tfvars`. Snyk does not support variables that were set and defined using environment variables or the `--var` CLI option. +Supported TF file formats are `.tf`, `.tfvars`, `.auto.tfvars`. Snyk does not support variables that you set and define using environment variables or the `--var` CLI option. The scan handles [variable definition precedence](https://www.terraform.io/language/values/variables#variable-definition-precedence) in the same way that TF handles the precedence. @@ -47,7 +47,7 @@ The following functions are supported: In the example that follows, we see that we configured a new resource, and we are using a variable named `remote_user_addr` to set its `cidr_blocks` value. -The variable is defined inside the `variables.tf` file with a default value, but the value is being overridden inside the `terraform.tfvars` file. +The `variables.tf` file defines the variable with a default value, but the `terraform.tfvars` file overrides the value. At the end, the value is set to `0.0.0.0/0`, and this causes the CLI to raise an issue. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/jira-integration-for-iac.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/jira-integration-for-iac.md index c0bf766f2920..7072f4314e8d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/jira-integration-for-iac.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/jira-integration-for-iac.md @@ -1,8 +1,8 @@ # Jira integration for Snyk IaC -Snyk Infrastructure as Code allows users to raise Jira issues for misconfigurations found in their IaC resources. +Snyk Infrastructure as Code lets you raise Jira issues for misconfigurations found in your IaC resources. -This integration is available via the Snyk Web UI only; API support is not provided. +This integration is available through the Snyk Web UI only. Snyk does not provide API support. To learn more about setting up and using the integration, see [Jira integration](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/jira-and-slack-integrations/jira-integration). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/snyk-iac-with-broker-for-self-hosted-git.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/snyk-iac-with-broker-for-self-hosted-git.md index 42a5ba0e5a06..c8f48dc8d3de 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/snyk-iac-with-broker-for-self-hosted-git.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/snyk-iac-integrations/snyk-iac-with-broker-for-self-hosted-git.md @@ -1,7 +1,7 @@ # Snyk IaC with Broker for self-hosted Git -Snyk Broker enables you to connect your local Git server to Snyk if the Git server is not internet-reachable. +Snyk Broker lets you connect your local Git server to Snyk if the Git server is not internet-reachable. -By default, Snyk Broker allows only information for Snyk Open Source and Docker files to go through. If you also want to analyze Infrastructure as Code files, such as `.tf` or `.yaml`, you must configure the Broker to do so. +By default, Snyk Broker allows only information for Snyk Open Source and Docker files to pass through. If you also want to analyze Infrastructure as Code files, such as `.tf` or `.yaml`, you must configure the Broker to do so. For details, see [Snyk Broker - Infrastructure as Code detection](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/snyk-broker/classic-broker/snyk-broker-infrastructure-as-code-detection). For more information about Snyk Broker, see the [Broker](https://app.gitbook.com/s/IgtgtomLQ2TUgSKOMSAm/snyk-broker/snyk-broker) docs. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/view-snyk-iac-issue-reports.md b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/view-snyk-iac-issue-reports.md index d8478263d70a..d1985edc348d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-iac/view-snyk-iac-issue-reports.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-iac/view-snyk-iac-issue-reports.md @@ -8,4 +8,4 @@ You can also use this filter on the **Issues** page to view your IaC issues acro ## API access to IaC issues -You can set the **product\_name** filter for the [Export](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/export) API to `Snyk IaC` to retrieve a list of IaC issues on your Org or Group. +You can set the **product\_name** filter for the [Export](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/export) API to `Snyk IaC` to retrieve a list of IaC issues on your Organization or Group. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/README.md index ff9d48efa1be..e3e505bd7e44 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/README.md @@ -4,11 +4,11 @@ To start scanning, see [Scan open-source libraries and licenses](scan-open-source-libraries-and-licenses/). {% endhint %} -Snyk Open Source is a developer-first software composition analysis (SCA) solution. Snyk Open Source allows you to find and fix vulnerabilities in the open-source libraries used by your applications. You can also find and address licensing issues in or caused by these open-source libraries. +Snyk Open Source is a developer-first software composition analysis (SCA) solution. Snyk Open Source lets you find and fix vulnerabilities in the open-source libraries used by your applications. You can also find and address licensing issues in or caused by these open-source libraries. Developers worldwide use open-source code because it enables fast development. The vast majority of the code making up modern applications is open source. This growing reliance exposes organizations to security vulnerabilities and license issues. -Sometimes, these issues are rooted deep in the code. Open-source packages often reference other packages, and many vulnerabilities are found in these indirect dependencies. Developers may not realize which packages are being called. By using Snyk Open Source, you can reduce the risks introduced by open-source components. Snyk Open Source can help you find, prioritize, and fix security vulnerabilities and license risks in open-source dependencies throughout the SDLC. +Sometimes, these issues are rooted deep in the code. Open-source packages often reference other packages, and many vulnerabilities are found in these indirect dependencies. Developers may not realize which packages are being called. By using Snyk Open Source, you can reduce the risks that open-source components introduce. Snyk Open Source can help you find, prioritize, and fix security vulnerabilities and license risks in open-source dependencies throughout the SDLC. Snyk Open Source is available in many common languages and platforms. See [Supported languages and package managers](https://app.gitbook.com/s/L7HyJj9FsK1W4pNt8Gzl/supported-languages/supported-languages-package-managers-and-frameworks). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/README.md index 4b8c4b1519a6..aee05615513e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/README.md @@ -4,8 +4,8 @@ The documentation in this section explains how to fix vulnerabilities and licens To apply fixes, you can use different methods, including manual application in the Snyk Web UI and automatic pull requests opened by Snyk. See [Fix your vulnerabilities](fix-your-vulnerabilities.md) for more details. -For information about fixability, see [Vulnerability fix types](vulnerability-fix-types.md). For details, see [Upgrade package versions to fix vulnerabilities](upgrade-package-versions-to-fix-vulnerabilities.md) and [Snyk patches to fix vulnerabilities](snyk-patches-to-fix-vulnerabilities.md) for details. +For information about fixability, see [Vulnerability fix types](vulnerability-fix-types.md). For details, see [Upgrade package versions to fix vulnerabilities](upgrade-package-versions-to-fix-vulnerabilities.md) and [Snyk patches to fix vulnerabilities](snyk-patches-to-fix-vulnerabilities.md). To help you decide which issues to fix, see [Prioritizing and managing issues](../../../manage-risk/prioritize-issues-for-fixing/). -Fixing vulnerabilities relies on the [Snyk Vulnerability Database](snyk-vulnerability-database.md). You may see [differences in Open Source vulnerability counts across environments](differences-in-open-source-vulnerability-counts-across-environments.md). Information about [troubleshooting](troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md) when you are fixing vulnerabilities is provided. +Fixing vulnerabilities relies on the [Snyk Vulnerability Database](snyk-vulnerability-database.md). You may see [differences in Open Source vulnerability counts across environments](differences-in-open-source-vulnerability-counts-across-environments.md). For help when you are fixing vulnerabilities, see [troubleshooting](troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/artifactory-gatekeeper-plugin.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/artifactory-gatekeeper-plugin.md index bb91ee669210..7795ef4cb4c4 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/artifactory-gatekeeper-plugin.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/artifactory-gatekeeper-plugin.md @@ -12,12 +12,12 @@ After the plugin is installed, it runs in the background and can do the followin * Add vulnerability and license issue counts from Snyk as properties in an artifact * Block developers from downloading packages with vulnerability and license issues according to a configured threshold -By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk Artifactory Gatekeeper Plugin enables you to track and identify issues that are risks to your application security more quickly and to avoid using those artifacts in your Projects. +By scanning artifacts as part of your workflow and then displaying those test results directly from the Artifactory UI, the Snyk Artifactory Gatekeeper Plugin lets you track and identify issues that are risks to your application security more quickly and avoid using those artifacts in your Projects. {% hint style="info" %} This page refers to the Artifactory Plugin, an independent piece of software that is installed on the Artifactory machine and serves as a gatekeeper, blocking vulnerable packages from being downloaded from the Artifactory instance. -This plugin is separate from the [Artifactory Registry for Maven](../package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-maven.md), a Snyk integration that allows configuring SCM scans to use custom package registries. +This plugin is separate from the [Artifactory Registry for Maven](../package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-maven.md), a Snyk integration that lets you configure SCM scans to use custom package registries. {% endhint %} ## Package managers supported by the Artifactory Plugin @@ -40,7 +40,7 @@ This plugin is separate from the [Artifactory Registry for Maven](../package-rep Artifactory transmits the package name and version to the test endpoint at the Snyk API instance. In the header, the authorization token is transmitted. -If the Artifactory installation is configured to use a proxy, Snyk will automatically use it too. Potentially, there could be an issue if the proxy is an authenticated or Kerberos proxy, but a standard, unauthenticated, forwarding proxy should work if the Artifactory installation and its underlying JVM are configured correctly with a proxy. +If the Artifactory installation is configured to use a proxy, Snyk uses it too. Potentially, there could be an issue if the proxy is an authenticated or Kerberos proxy, but a standard, unauthenticated, forwarding proxy should work if the Artifactory installation and its underlying JVM are configured correctly with a proxy. Snyk calls [`https://api.snyk.io/v1/test`](https://api.snyk.io/v1/test) for the right packager manager with the right name and version. @@ -80,7 +80,7 @@ To view details about the download status, open the **System Logs**. If a scan finds issues, based on your configuration, the download request can be blocked with an HTTP status code "403 Forbidden". -You can find the results of a scan under the artifact properties, where you can decide to ignore the issues and allow downloads. To find the artifact, use the Artifactory search bar or navigate the **t**ree view. +You can find the results of a scan under the artifact properties, where you can decide to ignore the issues and allow downloads. To find the artifact, use the Artifactory search bar or navigate the tree view.
Results of a scan

Results of a scan

@@ -96,7 +96,7 @@ For a full list of properties, [view the properties file on GitHub](https://gith These are the properties set by the plugin on scanned artifacts. Artifact access is allowed or forbidden depending on the values of these properties. -
PropertyDescription
snyk.test.timestampDate and time when the artifact wast last scanned by Snyk.
snyk.issue.urlThis is the URL to the Snyk database and explanation of the vulnerability, including specific details about vulnerable versions, available upgrades, and Snyk patches.
snyk.issue.vulnerabilitiesRegardless of the thresholds configured, this row displays vulnerability summary scan results.
snyk.issue.vulnerabilities.forceDownloadWhen true, allows downloads for this artifact even when there are vulnerabilities.
snyk.issue.vulnerabilities.forceDownload.infoUse this field to provide additional information about why the forceDownload is enabled.
snyk.issue.licensesRegardless of the thresholds configured, this row displays license summary scan results.
snyk.issue.licenses.forceDownloadWhen true, allows downloads for this artifact even when there are license issues.
snyk.issue.licenses.forceDownload.infoUse this field to provide additional information about why the forceDownload is enabled.
+
PropertyDescription
snyk.test.timestampDate and time when Snyk last scanned the artifact.
snyk.issue.urlThis is the URL to the Snyk database and explanation of the vulnerability, including specific details about vulnerable versions, available upgrades, and Snyk patches.
snyk.issue.vulnerabilitiesRegardless of the thresholds configured, this row displays vulnerability summary scan results.
snyk.issue.vulnerabilities.forceDownloadWhen true, allows downloads for this artifact even when there are vulnerabilities.
snyk.issue.vulnerabilities.forceDownload.infoUse this field to provide additional information about why the forceDownload is enabled.
snyk.issue.licensesRegardless of the thresholds configured, this row displays license summary scan results.
snyk.issue.licenses.forceDownloadWhen true, allows downloads for this artifact even when there are license issues.
snyk.issue.licenses.forceDownload.infoUse this field to provide additional information about why the forceDownload is enabled.
## Troubleshooting for the Artifactory Gatekeeper Plugin diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/differences-in-open-source-vulnerability-counts-across-environments.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/differences-in-open-source-vulnerability-counts-across-environments.md index 1d4a89a8f13a..d7edccb63537 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/differences-in-open-source-vulnerability-counts-across-environments.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/differences-in-open-source-vulnerability-counts-across-environments.md @@ -8,7 +8,7 @@ There are also other possible causes of variation in vulnerabilities reported. T ## Scanning a local repository using the CLI -When you scan a local repository using the CLI, `snyk test` builds a dependency graph based on the source files in your build environment. When you run a test with the CLI using `snyk test` or make a snapshot for ongoing testing using `snyk monitor`, Snyk looks at the dependencies as detected by the build tool (for example, Maven, npm, and so on) in order to see exactly what your Project relies on. Private dependencies and the specifics of your build environment are all available to the build tool and so to Snyk as well. +When you scan a local repository using the CLI, `snyk test` builds a dependency graph based on the source files in your build environment. When you run a test with the CLI using `snyk test` or make a snapshot for ongoing testing using `snyk monitor`, Snyk looks at the dependencies as detected by the build tool (for example, Maven, npm, and so on) to see exactly what your Project relies on. Private dependencies and the specifics of your build environment are all available to the build tool and so to Snyk as well. ## Scanning a remote repository using the Web UI @@ -40,7 +40,7 @@ Dependency overrides and mapping using code can sometimes cause the CLI to repor For Go Modules Projects imported using a Git integration, dependencies are resolved at the module level rather than the package level, as Snyk does not have full access to the Project source code. -This means you may see more issues reported for Projects tested in the Git repository because Snyk reports all vulnerabilities for each module rather than for the package(s) referenced in the source code. +This means you may see more issues reported for Projects tested in the Git repository because Snyk reports all vulnerabilities for each module rather than for the packages referenced in the source code. ## Differences when dev dependencies are being ignored @@ -55,7 +55,7 @@ Snyk has more vulnerabilities in its database and may include them sooner than o When comparing results between tools, consider the following: -* Is what is being scanned the same? For example, were the projects built on different machines at different times without a lockfile that ensures similar dependencies? +* Is what is being scanned the same? For example, were the Projects built on different machines at different times without a lockfile that ensures similar dependencies? * Are there "ignore" rules configured in one tool but not in the other? * Does one tool evaluate developer dependencies while the other does not? Snyk does not evaluate developer dependencies by default to reduce noise not seen in production. * Does the vendor "scrape databases" _or_ does it curate and review issues and their severities like Snyk does? @@ -79,8 +79,8 @@ That is, ignores are not showing because you created them in the Project importe If you want the ignores to be effective in the CLI, create the Project from the CLI and apply the ignores in the CLI as follows: -1. Go to the root of your Project and run `snyk monitor`. -2. Go to the Snyk Web UI; there is a new Project that has the name of the Project in the `package.json` file with the CLI icon. +1. Navigate to the root of your Project and run `snyk monitor`. +2. Navigate to the Snyk Web UI. A new Project appears with the name of the Project in the `package.json` file and the CLI icon. 3. Use the `snyk ignore` command to ignore the issue in the new Project. You can also set ignores in the Web UI for a Project created with the CLI. 4. Run `snyk test` and `snyk monitor` and see if this solution ignores the issues you intend to ignore. Wait a minute or two to allow some caches to expire. Then look at the Projects screen to see if what you intended is ignored. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/fix-your-vulnerabilities.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/fix-your-vulnerabilities.md index fc88e8d67a53..3e31b908202c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/fix-your-vulnerabilities.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/fix-your-vulnerabilities.md @@ -1,6 +1,6 @@ # Fix your vulnerabilities -Snyk helps you to fix vulnerabilities by upgrading the direct dependencies to a more secure version or by patching the vulnerability. After Snyk scans your Projects, the scan results allow you to resolve issues in your code with the help of clear suggestions and explanations. +Snyk helps you to fix vulnerabilities by upgrading the direct dependencies to a more secure version or by patching the vulnerability. After Snyk scans your Projects, the scan results let you resolve issues in your code with the help of clear suggestions and explanations. Using Snyk Open Source, you can do the following: @@ -17,7 +17,7 @@ For Snyk Open Source, on the **Issues** tab, the results are displayed as follow * Different versions are listed and can be expanded to show the full list of vulnerabilities remediated in that specific version. * All vulnerabilities contain contextual information to help you prioritize the issues and start fixing them. -

Example of issues diplayed on the Issues tab for a Project

+

Example of issues displayed on the Issues tab for a Project

## View fix advice @@ -25,7 +25,7 @@ The **Fixes** tab also appears on the Project details page. On this page, Snyk o * An upgrade to the original package. * Pinning a package, installing a package as a top-level dependency; that is, a specific version of an indirect dependency. This avoids having a direct dependency pull in a vulnerable version. -* A Snyk precision patch to fix the issue. If an upgrade to fix any of the vulnerabilities in the package is not currently available, Snyk offers patches to fix the issues +* A Snyk precision patch to fix the issue. If no upgrade is available to fix the vulnerabilities in the package, Snyk offers patches to fix the issues. The summary area groups advice by package, and is displayed based on the best available fix. Advice in these summary lists includes these details for each package: @@ -36,8 +36,8 @@ The summary area groups advice by package, and is displayed based on the best av You can also find additional advice and details further down on the Project details page: -* From the **Issues**, tab, a full description per vulnerability -* From the **Dependencies** tab, the entire tree of your Project dependencies, enabling you to clearly visualize affected paths +* From the **Issues** tab, a full description per vulnerability +* From the **Dependencies** tab, the entire tree of your Project dependencies, so you can clearly visualize affected paths ## Fixing vulnerabilities based on scan results using Snyk CLI diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-patches-to-fix-vulnerabilities.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-patches-to-fix-vulnerabilities.md index c79e3c347f95..b998156991a3 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-patches-to-fix-vulnerabilities.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-patches-to-fix-vulnerabilities.md @@ -4,10 +4,10 @@ Sometimes there is no direct upgrade that can address the vulnerability, or an upgrade is not possible due to functional reasons, for example, the upgrade is a major breaking change. -In such cases, Snyk can help you [protect your code with patches](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-protect-package). This option will make minimal modifications to your locally installed`node_modules` files to fix the vulnerability. It will also update the policy to patch this issue when you use [@snyk/protect](https://github.com/snyk/cli/tree/master/packages/snyk-protect). +In such cases, Snyk can help you [protect your code with patches](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/scan-and-maintain-projects-using-the-cli/snyk-protect-package). This option makes minimal modifications to your locally installed`node_modules` files to fix the vulnerability. It also updates the policy to patch this issue when you use [@snyk/protect](https://github.com/snyk/cli/tree/master/packages/snyk-protect). {% hint style="info" %} -Patching is currently supported for Node.js Projects only. +Patching is supported for Node.js Projects only. {% endhint %} Patches are applicable in the following scenarios: @@ -40,7 +40,7 @@ After the patch is created by a Snyk Security Engineer, it is reviewed by two ot All patches are available for download and review by the community, and Snyk welcomes any feedback. -For unmaintained packages, Snyk will create a patch and open a pull request to the Project for the patch to be merged. +For unmaintained packages, Snyk creates a patch and opens a pull request to the Project for the patch to be merged. ## How patches work when you are using the Snyk CLI diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-vulnerability-database.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-vulnerability-database.md index 9a97c039d0b9..4a1b90c44dca 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-vulnerability-database.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/snyk-vulnerability-database.md @@ -73,7 +73,7 @@ The package health score is calculated based on four main categories: Popularity


Overview of package health score

-Each category contributes to the overall score, enabling developers to evaluate various aspects of an open-source package. +Each category contributes to the overall score, so developers can evaluate various aspects of an open-source package. #### Popularity @@ -89,7 +89,7 @@ This category helps you gain insights into the health of an open-source dependen #### Security -This category helps you quickly assess the security posture of an Open Source Project and its past versions. By connecting your Project with Snyk enables you to receive fixed and automations that enable security at scale and speed. +This category helps you quickly assess the security posture of an Open Source Project and its past versions. Connecting your Project with Snyk lets you receive fixes and automations that enable security at scale and speed.

Security category

@@ -101,7 +101,7 @@ This category helps you understand whether the community is thriving around an o ## Incorporating the Vulnerability Database into your systems -Incorporating information into your own systems is useful for customers who already have their own security products. You can benefit from Snyk’s expertise and accumulated knowledge with access to this database. This gives your development teams access to trusted intelligence, allowing them to rapidly secure open source and container code. +Incorporating information into your own systems is useful for customers who already have their own security products. You can benefit from Snyk’s expertise and accumulated knowledge with access to this database. This gives your development teams access to trusted intelligence, so they can rapidly secure open source and container code. The Snyk Vulnerability Database includes two feeds: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md index f93a1396100f..e1028359a67d 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/troubleshoot-fixing-vulnerabilities-with-snyk-open-source.md @@ -4,13 +4,13 @@ When you find a vulnerability, you have the opportunity to report that vulnerabi ## Unable to open a pull request or merge request for issues found by Snyk -When you import a Project, either through integration or by using the CLI, both CLI and SCM projects receive fix advice, while SCM projects additionally offer the option to open a Fix PR. +When you import a Project, either through integration or by using the CLI, both CLI and SCM Projects receive fix advice, while SCM Projects additionally offer the option to open a Fix PR. Snyk does not open PRs for transitive dependencies. For more information, see [Fixing transitive dependencies](vulnerability-fix-types.md#fixing-transitive-dependencies). ## Languages supported for Fix and Backlog Pull Requests or Merge Requests -Snyk can generate Fix Pull Requests (Fix PRs) or Merge Requests (MRs) for dependencies that may have a patch or an upgrade that will fix a vulnerability. +Snyk can generate Fix Pull Requests (Fix PRs) or Merge Requests (MRs) for dependencies that may have a patch or an upgrade that fixes a vulnerability. Snyk supports creating Fix PRs or MRs for the following languages: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/upgrade-package-versions-to-fix-vulnerabilities.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/upgrade-package-versions-to-fix-vulnerabilities.md index 6f5c3baf0154..ea75cc8bed47 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/upgrade-package-versions-to-fix-vulnerabilities.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/upgrade-package-versions-to-fix-vulnerabilities.md @@ -1,8 +1,8 @@ # Upgrade package versions to fix vulnerabilities -Snyk will always recommend the smallest upgrade of a dependency to resolve a vulnerability. +Snyk always recommends the smallest upgrade of a dependency to resolve a vulnerability. -To resolve a vulnerability in a transitive dependency, Snyk will calculate the dependency tree for your Project and determine the minimum upgrade to the direct dependency that will result in a vulnerability-free version of the indirect dependency. +To resolve a vulnerability in a transitive dependency, Snyk calculates the dependency tree for your Project and determines the minimum upgrade to the direct dependency that results in a vulnerability-free version of the indirect dependency. Some fixes may require a major upgrade of a dependency. In this situation, if Snyk suspects a major change that would cause breakage, the Fix PR screen indicates this. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/vulnerability-fix-types.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/vulnerability-fix-types.md index f434eb1d32d2..d37303498c7c 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/vulnerability-fix-types.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/manage-vulnerabilities/vulnerability-fix-types.md @@ -8,8 +8,8 @@ The list of issues does not show any vulnerabilities that have been fixed. These The sidebar on the list of issues has groups of filters. The ones referring to vulnerabilities are: -* The **Computed Fixability** filters allow you to see the vulnerabilities based on their remediation paths. -* The "**Fixed in" Available** filters allow you to see if the found vulnerabilities have a version in which they were fixed. +* The **Computed Fixability** filters let you see the vulnerabilities based on their remediation paths. +* The "**Fixed in" Available** filters let you see if the found vulnerabilities have a version in which they were fixed. ## Computed Fixability filters @@ -20,8 +20,6 @@ The Computed Fixability filters include the following values: * **No supported fix**: The issue has no upgradable paths, or Snyk does not support Fix PRs for this Project type. {% hint style="info" %} -For Projects imported using the CLI, or ecosystems for which Snyk Fix PRs are not supported, issues will - Snyk displays issues with **No Supported Fix** for Projects imported using the CLI or ecosystems that do not support Snyk fix PRs. If a fix is available, you can manually update the dependencies. Depending on the package manager and dependency path, you can pin or override the dependency. @@ -78,7 +76,7 @@ A direct dependency is fixable if a fixed, that is, secure, version of the packa

Example of a transitive dependency

-Under **Detailed paths,** a mention is displayed that no remediation path is available. However, the issue card shows that the vulnerability is **Fixed in** the more recent version. Snyk does not have the ability to reach the level where the vulnerability exists in this specific Project, but the vulnerability does not match the definition of No supported fix. +Under **Detailed paths,** a mention is displayed that no remediation path is available. However, the issue card shows that the vulnerability is **Fixed in** the more recent version. Snyk cannot reach the level where the vulnerability exists in this specific Project, but the vulnerability does not match the definition of No supported fix. ### Fixing transitive dependencies @@ -88,7 +86,7 @@ You cannot automatically fix transitive dependencies or open a Fix PR (see [Fix To fix a transitive dependency like the one in this example, follow the link to the [Snyk Vulnerability Database](snyk-vulnerability-database.md): -
Link to Snyk Vulnerability Database for a transitive dependency

LInk to Snyk Vulnerability Database for a transitive dependency

+
Link to Snyk Vulnerability Database for a transitive dependency

Link to Snyk Vulnerability Database for a transitive dependency

From the Snyk Vulnerability Database, you can see remediation advice for more fix information: diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-maven.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-maven.md index 1449dfe74732..deddb67167af 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-maven.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-maven.md @@ -20,7 +20,7 @@ If authentication is required for access to your custom registry, you must confi After the integration is set up, you can configure Maven settings by navigating to **Settings** > **Languages** > **Java**. -You can choose whether to use Artifactory as a mirror or as an additional repository where your artifacts will reside. These settings will be very similar to what you have in `~/.m2/settings.xml`. +You can choose whether to use Artifactory as a mirror or as an additional repository where your artifacts reside. These settings are very similar to what you have in `~/.m2/settings.xml`. ## Mirrors @@ -40,7 +40,7 @@ For example, if the URL is `http://artifactory.company.io/artifactory/libs-relea ## Additional repositories -Alternatively, you can configure repositories that will be used as additional locations to check for artifacts. +Alternatively, you can configure repositories to use as additional locations to check for artifacts. Repositories are configured in the same way as [Mirrors](artifactory-registry-for-maven.md#mirrors), but do not require **Mirror Of**. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-npm.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-npm.md index c60a646b3555..0eed31333ba8 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-npm.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-registry-for-npm.md @@ -15,7 +15,7 @@ You can add configuration to tell Snyk where your private Artifactory Node.js pa ## JavaScript language settings 1. Navigate to **Settings** > **Languages** > **JavaScript** and either the npm or Yarn settings, depending on your Project type. -2. If you have not previously connected to Artifactory, you will be asked to configure an integration first; see [Artifactory Package Repository connection setup](./). +2. If you have not previously connected to Artifactory, Snyk asks you to configure an integration first; see [Artifactory Package Repository connection setup](./). 3. Select **Add registry configuration**. 1. Select **Artifactory** as the Package source. 2. If you want to configure this registry as the default registry url, leave the scope blank. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-repository-manager-for-nuget.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-repository-manager-for-nuget.md index d4b58e310ffd..467b61f5af01 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-repository-manager-for-nuget.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/artifactory-package-repository-connection-setup/artifactory-repository-manager-for-nuget.md @@ -17,7 +17,7 @@ Configure the URL where your private Artifactory Package Repositories host NuGet To do this: -1. In the Snyk web UI, navigate to **Settings** > **Languages** > **.NET** > **Brokered package registries**. +1. In the Snyk Web UI, navigate to **Settings** > **Languages** > **.NET** > **Brokered package registries**. If you use a brokered connection and have not configured the Universal Broker, follow the Universal Broker instructions to set it up. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-maven.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-maven.md index 4d7ba7f14e26..cb117dbc1844 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-maven.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-maven.md @@ -18,13 +18,13 @@ The following explains how to set up custom Maven package registries If authentication is required to access your Nexus registry, you must first configure the Nexus Repository Manager integration. See [Nexus Repository Manager setup](./). -You can choose to use Nexus as a mirror or as an additional repository where your artifacts will reside. +You can choose to use Nexus as a mirror or as an additional repository where your artifacts reside. These settings are very similar to what you have in `~/.m2/settings.xml`.

Set up for Mirrors

-Choose a value for the Type, either **Direct** or, if you are using using authentication, **Integration**. +Choose a value for the Type, either **Direct** or, if you are using authentication, **Integration**. If you are using **Direct,** you must complete the **URL**, **Repository Name** and what it is a **Mirror Of**. @@ -50,6 +50,6 @@ If the URL is `http://nexus.company.io/nexus/content/repositories/releases`, Rep {% endtab %} {% endtabs %} -Alternatively, you can configure repositories will be used as additional locations to check for artifacts. +Alternatively, you can configure repositories to use as additional locations to check for artifacts. Repositories are configured in the same way as Mirrors, but do not require **Mirror Of**. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm-1.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm-1.md index 1945078402f7..b225701e1777 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm-1.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm-1.md @@ -19,7 +19,7 @@ Configure the URL where your private Nexus Repository Manager hosts NuGet packag To do this: -1. In the Snyk web UI, navigate to **Settings** > **Languages** > **.NET** > **Brokered package registries**. +1. In the Snyk Web UI, navigate to **Settings** > **Languages** > **.NET** > **Brokered package registries**. If you use a brokered connection and have not configured the Universal Broker, follow the Universal Broker instructions to set it up. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm.md index 1bd25fda6e71..daf4759f22ca 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/nexus-repository-manager-connection-setup/nexus-repository-manager-for-npm.md @@ -17,11 +17,11 @@ This is the same information you would normally add in your `.yarnrc` or `.npmrc ## JavaScript language settings -Go to **Settings** > **Languages** > **JavaScript** and either the npm or Yarn settings, depending on your Project type. +Navigate to **Settings** > **Languages** > **JavaScript** and either the npm or Yarn settings, depending on your Project type. -If you have not previously connected to Nexus Repository Manager you will be asked to configure an integration first; see [Nexus Repository Manager connection setup](./). +If you have not previously connected to Nexus Repository Manager, Snyk asks you to configure an integration first; see [Nexus Repository Manager connection setup](./). -Follow the steps on the tabs below, according to your version of Nexus. +Follow the steps on the tab for your version of Nexus.

Configure Nexus registry

diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/npm-teams-and-npm-enterprise-integration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/npm-teams-and-npm-enterprise-integration.md index 8ed8c2f0f27d..cfa72c6349b0 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/npm-teams-and-npm-enterprise-integration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/npm-teams-and-npm-enterprise-integration.md @@ -11,16 +11,16 @@ Snyk can use custom npm Teams and npm Enterprise repositories with npm and Yarn This enables Snyk to resolve all direct and transitive dependencies of packages hosted on the custom registry and calculate a more complete, accurate dependency graph and related vulnerabilities. -After configuration, Snyk will also use this information to access private dependencies when creating Pull/Merge Requests, by allowing npm and yarn to reach those dependencies in order to regenerate the lockfile. +After configuration, Snyk also uses this information to access private dependencies when creating Pull/Merge Requests, by allowing npm and Yarn to reach those dependencies to regenerate the lockfile. -You can add configuration to tell Snyk where your private npm Teams and npm Enterprise Node.js packages are hosted and under what scope.. +You can add configuration to tell Snyk where your private npm Teams and npm Enterprise Node.js packages are hosted and under what scope. This is the same information you would normally add in your `.yarnrc` or `.npmrc` ## JavaScript language settings 1. Navigate to **Settings** > **Languages** > **JavaScript** and either the npm or Yarn settings, depending on your Project type. Yarn is shown in the screenshot. -2. If you have not previously connected to npm Teams or npm Enterprise, you will be asked to configure an integration first. See [npm Teams and npm Enterprise registry settings](npm-teams-and-npm-enterprise-integration.md#npm-teams-and-npm-enterprise-registry-settings). +2. If you have not previously connected to npm Teams or npm Enterprise, Snyk asks you to configure an integration first. See [npm Teams and npm Enterprise registry settings](npm-teams-and-npm-enterprise-integration.md#npm-teams-and-npm-enterprise-registry-settings). 3. After you have set up the integration, select **Add registry configuration.** 1. Select **npm** as the **Package source**. 2. If you want to configure this registry as the default registry url, leave the scope blank. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/private-gem-sources-for-ruby-configuration.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/private-gem-sources-for-ruby-configuration.md index 19433731239b..0ec356e029b7 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/private-gem-sources-for-ruby-configuration.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/package-repository-integrations/private-gem-sources-for-ruby-configuration.md @@ -9,7 +9,7 @@ This guide is relevant for Snyk UI integrations only. The CLI supports Ruby Proj You can add a configuration to tell Snyk where your private gems are hosted. This is the same information you would normally add as a Bundler environment variable. -After you have added this configuration, Snyk uses the information to access private dependencies when creating Pull/Merge Requests, by allowing Bundler to reach those dependencies in order to regenerate the lockfile. +After you have added this configuration, Snyk uses the information to access private dependencies when creating Pull/Merge Requests, by allowing Bundler to reach those dependencies to regenerate the lockfile. ## Configuration of private gem sources for Ruby diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/README.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/README.md index 6b95858ce1ab..7633e0c5328e 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/README.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/README.md @@ -35,6 +35,6 @@ To fix vulnerabilities: 5. Snyk acts on the PR and displays a results screen. 6. Optionally, select the **Files changed** tab to see details of the changes made. -
.Files changed tab in GitHub after triggering Fix PR for an open source project

Files changed tab in GitHub after triggering Fix PR for an open source project

+
Files changed tab in GitHub after triggering Fix PR for an open source project

Files changed tab in GitHub after triggering Fix PR for an open source project

For more details, see [Fix your vulnerabilities](../manage-vulnerabilities/fix-your-vulnerabilities.md). diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/open-source-license-compliance.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/open-source-license-compliance.md index db4e5483a9bd..c934c5402def 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/open-source-license-compliance.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/open-source-license-compliance.md @@ -6,12 +6,12 @@ Every time you test your code in the Snyk web UI, the Snyk CLI, or using PR Chec ### Default license policy -To enable customers to get started with license compliance faster, Snyk created a default license policy. The default policy is a baseline that tries to meet the requirements of multiple types of applications, SaaS, distributed, and so on. It may be used as a starting point to calibrate additional license policies. The default policy does not endorse or criticize any license. +To help customers get started with license compliance faster, Snyk created a default license policy. The default policy is a baseline that tries to meet the requirements of multiple types of applications, SaaS, distributed, and so on. You can use it as a starting point to calibrate additional license policies. The default policy does not endorse or criticize any license. By default, Snyk determines the severity of a license issue in the following way: -* High severity - licenses that definitely present issues for commercial software -* Medium severity - licenses with clauses that may be of concern and should be reviewed. +* High severity - licenses that present issues for commercial software +* Medium severity - licenses with clauses that you should review For more information, visit [License policies](../../../manage-risk/policies/license-policies/) and [Open Source Licenses: Types and Comparison](https://snyk.io/learn/open-source-licenses/). @@ -31,7 +31,7 @@ You can view an inventory of all of your licenses across all your Projects. For Different customers may have different needs and tolerance levels for different license types. Snyk encourages you to ensure you have made the needed changes or created new policies that fit your company's specific requirements. -New licenses added by Snyk default to a severity of **None** and do not inherit the **Unknown** license severity. Unless you explicitly configure a severity for the newly supported license, it will not appear in Snyk test results. +New licenses added by Snyk default to a severity of **None** and do not inherit the **Unknown** license severity. Unless you explicitly configure a severity for the newly supported license, it does not appear in Snyk test results. If you notice a license with the wrong license type assigned to it, contact Snyk support. diff --git a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/snyk-license-compliance-management.md b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/snyk-license-compliance-management.md index 776e61bd62fe..81e8199babf5 100644 --- a/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/snyk-license-compliance-management.md +++ b/scan-fix-and-prevent/scan-with-snyk/snyk-open-source/scan-open-source-libraries-and-licenses/snyk-license-compliance-management.md @@ -31,11 +31,11 @@ You can create and edit multiple license policies for Organizations. For details ## View compliance issues -Snyk’s [Git-based integrations ](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations)support license scanning as part of the regular workflow. During scanning, license issues appear as a filterable list in the **Issues** tab. +The [Git-based integrations ](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/integrations/scm-integrations/organization-level-integrations)in Snyk support license scanning as part of the regular workflow. During scanning, license issues appear as a filterable list in the **Issues** tab.

Issues overview with the "License issues" filter applied

-The example below shows a high-severity issue under the GPL-2.0 license, with accompanying instructions as defined in the license's policies. +The following example shows a high-severity issue under the GPL-2.0 license, with accompanying instructions as defined in the license's policies. You can also view license issues using the Snyk CLI tool after running `snyk test`: @@ -57,8 +57,8 @@ Click the tree icon to view a full dependency tree. This shows the dependency th ## Resolve license issues -You can now take action to resolve the license issues identified during the scan, to help you build and deploy your application without outstanding licensing issues. +You can take action to resolve the license issues identified during the scan, to help you build and deploy your application without outstanding licensing issues. The actions you take depend on the license conditions and on your policies. For example, if a license violation has surfaced, this issue can be mitigated by either approaching your legal team or by replacing the dependency that added the violation. -Alternatively, you may want to ignore the issue. For details, see [ignore issues](../../../manage-risk/prioritize-issues-for-fixing/ignore-issues/). +Alternatively, you can ignore the issue. For details, see [ignore issues](../../../manage-risk/prioritize-issues-for-fixing/ignore-issues/). diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/README.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/README.md index 740d46d78b37..33fd877541db 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/README.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/README.md @@ -1,11 +1,11 @@ # Snyk Projects -Snyk Project information appears in the **Projects** listing, which you can display from the menu on the Snyk dashboard. The filters you can add depend on the **Group by** option you choose from the pulldown on the right. To filter by Origin or source, use an Integrations filter. +Snyk Project information appears in the **Projects** listing, which you can display from the menu on the Snyk dashboard. The filters you can add depend on the **Group by** option you choose from the dropdown. To filter by Origin or source, use an Integrations filter. Progress and error information on the state of your repository and container registry image imports are shown in the [Import Log](import-log.md). {% hint style="info" %} -After filters have been applied to the Project listing page, you can bookmark the URL and share it with other users in the Organization. This allows all users to see the same view of the page. +After filters have been applied to the Project listing page, you can bookmark the URL and share it with other users in the Organization. This lets all users see the same view of the page. {% endhint %} Snyk Projects concepts include the following: @@ -20,7 +20,7 @@ Snyk Projects concepts include the following: Projects are held in a Target. A Target represents an external resource Snyk has scanned: a code repository, a Kubernetes workload, or another scannable resource external to Snyk. -Snyk creates a Target when you request to import a Project or scan using the CLI. If the import fails or finds nothing, the Target will be empty. +Snyk creates a Target when you request to import a Project or scan using the CLI. If the import fails or finds nothing, the Target is empty. When you select **Group by target**, Snyk Targets appear in the **Projects** listing. You can also find Targets using the endpoints [Get targets by org ID](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/targets#orgs-org_id-targets) and [List all Projects for an Org with the given Org ID](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/projects#orgs-org_id-projects). @@ -34,7 +34,7 @@ The grouping option controls whether the filtering attributes are applied at the Snyk provides both pagination to improve the page loading time for Projects page requests and filtering, which is particularly helpful if you have hundreds of thousands of Projects to scan. -Use **Sort by** (pull down on the far right) to sort the **Projects** listing by severity, by how recently the Projects were imported, or in alphabetical order. +Use **Sort by** (the dropdown) to sort the **Projects** listing by severity, by how recently the Projects were imported, or in alphabetical order.
Sorting attributes available when grouping by Target

Sorting attributes available when grouping by Target

@@ -109,7 +109,7 @@ To perform an action at bulk on your Projects, first select the Projects and the Click **Delete** to remove Projects from the **Projects** listing page and the Target-level aggregates. -Click **Deactivate** to remove webhooks and prevent tests from occurring. Deactivating a Project will: +Click **Deactivate** to remove webhooks and prevent tests from occurring. Deactivating a Project does the following: * Stop showing the Project results in reporting. * Keep showing the findings of the last scan in the **Projects** listing page, including the Target-level aggregates on the **Group by Target** view. diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/automatically-created-project-collections.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/automatically-created-project-collections.md index 2f03f67c308b..fb87341100ae 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/automatically-created-project-collections.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/automatically-created-project-collections.md @@ -8,9 +8,9 @@ Automated Collections are in Early Access and available only with Enterprise pla See also [Limitations of Automated Collections](automatically-created-project-collections.md#limitations-of-automated-collections). You can enable Automated Collections in your Organization settings. -Scanning a repository through an SCM integration and rescanning it using the Snyk CLI creates duplicate Targets within the Snyk Web UI with duplicate Projects and issues. These may not be exact duplicates. +Scanning a repository through an SCM integration and rescanning it using the Snyk CLI creates duplicate Targets in the Snyk Web UI with duplicate Projects and issues. These may not be exact duplicates. -With the option to create Project collections automatically, Projects from these duplicate Targets will be detected and grouped automatically into a new collection. This helps identify duplicates and allows filtering and reporting on the issues of your preferred code-scanning method. +With the option to create Project collections automatically, Snyk detects Projects from these duplicate Targets and groups them automatically into a new collection. This helps identify duplicates and lets you filter and report on the issues of your preferred code-scanning method. {% hint style="info" %} Automated Collections takes up to an hour to create or delete a collection. @@ -26,24 +26,24 @@ Automated Collections can be turned on under the **Organization settings** by us
Managing Automated Collections under Organization Settings

Managing Automated Collections under Organization Settings

-After Automated Collections are enabled, all the Organization's Projects will be analyzed, and Projects with the same repository URL will be grouped automatically into a collection. All subsequent Project imports will also update the list of automatically created collections; there is no need to refresh the list manually. +After you enable Automated Collections, Snyk analyzes all the Organization's Projects and groups Projects with the same repository URL automatically into a collection. All subsequent Project imports also update the list of automatically created collections. There is no need to refresh the list manually. ## Turn off Automated Collections -Turning off Automated Collections will remove all the automatically created collections without impacting any of the grouped Projects. Only the automated collections are deleted, not their contents. +Turning off Automated Collections removes all the automatically created collections without impacting any of the grouped Projects. Only the automated collections are deleted, not their contents. ## Automatically versus manually created Project collections An automatically created collection has the same filtering and reporting options as a manually created collection: -* You can filter an automatically created collection to see only the result of your preferred scanning method, thus hiding duplicates. +* You can filter an automatically created collection to see only the result of your preferred scanning method, hiding duplicates. * You can create reports from an automatically created collection and track issues from just one of the scanning methods and ignore the rest. Automatically created collections have no management options available: -* You cannot rename an automated collection; its name will reflect the repository URL of the matched Projects. +* You cannot rename an automated collection. Its name reflects the repository URL of the matched Projects. * You cannot add new Projects to an automated collection. Its content updates itself when new Projects with the same repo URL are imported. -* You cannot delete an automatically created collection. You can turn off the Automated Collections feature, which will remove all automatically created collections. +* You cannot delete an automatically created collection. You can turn off the Automated Collections feature, which removes all automatically created collections. ## Limitations of Automated Collections diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/import-log.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/import-log.md index 0080915f7654..60c677ce7528 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/import-log.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/import-log.md @@ -1,6 +1,6 @@ # Import log -The Import log feature provides a history of all the Git repositories and container registry images imported into an Organization through an Integration, allowing all manual and automated changes to be reviewed and any errors troubleshooted. This log makes it easier to see if any errors have occurred and how to resolve them. +The Import log feature provides a history of all the Git repositories and container registry images imported into an Organization through an Integration, letting you review all manual and automated changes and troubleshoot any errors. This log makes it easier to see if any errors have occurred and how to resolve them. ## View import log @@ -13,7 +13,7 @@ You must have the View Organization and View Project [permissions](https://app.g ## Import log timeline -The Import Log timeline will go back as far as the **most recent** applicable condition of: +The Import Log timeline goes back as far as the **most recent** applicable condition of: * January 25th 2023. * The date the Organization was created. @@ -24,13 +24,13 @@ For example, if the Organization was created before January 25th, 2023, Snyk can The Import Log shows all imported targets listed in reverse chronological order, with the most recent import at the top of the page. Each import can be expanded using the dropdown, listing all the imported Projects created in Snyk at the time of import. -Targets that are in the process of being imported will have a loading icon stating **Importing target**. +Targets that are in the process of being imported have a loading icon stating **Importing target**. -Selecting **View Project** will take you to the Issues tab for that specific Project. +Selecting **View Project** takes you to the Issues tab for that specific Project. ## Import log error messages -If an error occurs on import, a warning icon will display on the repository name. Expanding this will show the Project the error is related to, with the error detail under the **Status** column. +If an error occurs on import, a warning icon displays on the repository name. Expanding this shows the Project the error is related to, with the error detail under the **Status** column. The error messages that can be displayed are: diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/issue-card-information.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/issue-card-information.md index 2563e2554e1f..78c4b36a2968 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/issue-card-information.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/issue-card-information.md @@ -21,7 +21,7 @@ The dependency card provides a [Header section](issue-card-information.md#header * [Severity level](../../manage-risk/prioritize-issues-for-fixing/severity-levels.md): for example, **High**. For dependencies with multiple severity levels, the severity shown in the header is the maximum of all listed issues under that dependency. * Dependency name: for example, **jsonwebtoken** or **libxmljs2**. -* **Score**: [Risk Score](../../manage-risk/prioritize-issues-for-fixing/risk-score.md) or [Priority score](../../manage-risk/prioritize-issues-for-fixing/priority-score.md): 0 to 1,000. For dependencies with multiple scores, the score shown in the header is the maximum of all listed issues under that dependency. This will show as Priority score unless you are opted-in to the Early Access for Risk score. +* **Score**: [Risk Score](../../manage-risk/prioritize-issues-for-fixing/risk-score.md) or [Priority score](../../manage-risk/prioritize-issues-for-fixing/priority-score.md): 0 to 1,000. For dependencies with multiple scores, the score shown in the header is the maximum of all listed issues under that dependency. This shows as Priority score unless you are opted in to the Early Access for Risk score. * Tabs separating out the fixable issues, issues with no supported fix, and vulnerable dependencies. ### Expanded vulnerability section @@ -32,7 +32,7 @@ The dependency card provides a [Header section](issue-card-information.md#header * Type: **VULNERABILITY** or LICENSE ISSUE * Links to [CWE](https://cwe.mitre.org/index.html) (Common Weakness Enumeration), [CVSS](https://www.first.org/cvss/calculator/3.1) (Common Vulnerability Scoring System), and [Snyk Vulnerability Database](https://snyk.io/vuln) information for the issue. You can use these links to view more information about the CWE, CVE, and CVSS scores or navigate to the Snyk Vulnerability Database information for a specific vulnerability from its issue card. * [**Exploit maturity**](../../manage-risk/prioritize-issues-for-fixing/view-exploits.md): for example, **Mature** or **Proof Of Concept**, which indicates how well known the implementation of this exploit is. -* The exploit's **reachability**, for example, **Reachable**. This indicates whether a path from your first party code to the vulnerable code element exists, For information and an example, see [Reachable vulnerabilities](../../manage-risk/prioritize-issues-for-fixing/reachability-analysis.md). +* The exploit's **reachability**, for example, **Reachable**. This indicates whether a path from your first-party code to the vulnerable code element exists. For information and an example, see [Reachable vulnerabilities](../../manage-risk/prioritize-issues-for-fixing/reachability-analysis.md). * **Fixed in:** The file the vulnerability is fixed in * **Social Trends**: Snyk occasionally shows a [Trending](../../manage-risk/prioritize-issues-for-fixing/vulnerabilities-with-social-trends.md) banner for issues that are being actively discussed on X (formerly known as Twitter). diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/maximum-number-of-projects-in-an-organization.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/maximum-number-of-projects-in-an-organization.md index 2b4e203b1fed..2908de15412c 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/maximum-number-of-projects-in-an-organization.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/maximum-number-of-projects-in-an-organization.md @@ -12,7 +12,7 @@ When you reach the limit for your pricing plan, Snyk stops importing Projects in ## **Notification of reaching the limit** -You will know you have reached the limit when you see the following warnings. +You know you have reached the limit when you see the following warnings. In the Snyk Web UI, this warning banner appears: diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-attributes.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-attributes.md index 987c93e97fd9..d841b298a3c4 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-attributes.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-attributes.md @@ -1,6 +1,6 @@ # Project attributes -Project attributes are static and non-configurable fields that allow you to apply attribute values to a Project by selecting from a predefined list of values. After you have applied attributes, you can remove them from a Project as needed. +Project attributes are static and non-configurable fields that let you apply attribute values to a Project by selecting from a predefined list of values. After you have applied attributes, you can remove them from a Project as needed. Use attributes to group, prioritize, and filter Projects. Use attributes such as lifecycle stage, business criticality, and environment to prioritize issues at a granular level. After you apply attributes to Snyk [policies](../../manage-risk/policies/), you can assign policies to Projects that have those attributes applied. @@ -14,7 +14,7 @@ The available Project attributes are summarized in the following table. | Attribute | Attribute options | | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | -|

Business criticality
Note that When Risk Score is enabled, the Business Criticality attribute automatically affects the score according to the highest attribute level. Learn more in the Risk Score docs.

|
  • Critical
  • High
  • Medium
  • Low
| +|

Business criticality
Note that when Risk Score is enabled, the Business Criticality attribute automatically affects the score according to the highest attribute level. Learn more in the Risk Score docs.

|
  • Critical
  • High
  • Medium
  • Low
| | Environment |
  • Frontend
  • Backend
  • Internal
  • External
  • Mobile
  • SaaS
  • On-Prem
  • Hosted
  • Distributed
| | Lifecycle stage |
  • Production
  • Development
  • Sandbox
| diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/README.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/README.md index 61e54fd9aefd..b71f9e5f300c 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/README.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/README.md @@ -2,7 +2,7 @@ {% hint style="info" %} **Feature availability**\ -This feature is available only with Enterprise Plans. For more information, see [plans and pricing](https://snyk.io/plans/). +This feature is available only with Enterprise plans. For more information, see [plans and pricing](https://snyk.io/plans/). {% endhint %} There are two ways to group your Projects: **Project views** and **Project collections**. diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-collections.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-collections.md index ade19cc62589..c680603cebd2 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-collections.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-collections.md @@ -1,6 +1,6 @@ # Project collections -On this page you will find information about how to create and use Project collections: +This page describes how to create and use Project collections: * [Select all filtered Projects that are visible to create a Project collection](project-collections.md#select-all-filtered-projects-that-are-visible-to-create-a-project-collection) * [Add Projects to an existing Project collection using filters](project-collections.md#add-projects-to-an-existing-project-collection-using-filters) @@ -10,7 +10,7 @@ On this page you will find information about how to create and use Project colle * [View your Project collections on the collection listing page](project-collections.md#view-your-project-collections-on-the-collection-listing-page) {% hint style="info" %} -If you move a Project between Organizations, the Project will also be removed from any Project collections it is part of. +If you move a Project between Organizations, Snyk also removes the Project from any Project collections it is part of. {% endhint %} ## Select all filtered Projects that are visible to create a Project collection @@ -58,7 +58,7 @@ If you move a Project between Organizations, the Project will also be removed fr 2. You can perform the following actions: 1. Activate selected Projects. 2. Deactivate selected Projects. - 3. Add the selected Projects to a collection. In this case, the action will add the selected Projects to another collection that you have created. + 3. Add the selected Projects to a collection. In this case, the action adds the selected Projects to another collection that you have created. 4. Remove selected Projects from a collection. 5. Delete selected Projects. diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-views.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-views.md index 0f25372a41c4..0948ea195d4a 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-views.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-collections-groupings/project-views.md @@ -1,6 +1,6 @@ # Project views -On this page you will find information about how to create and use Project views: +This page describes how to create and use Project views: * [Create and configure a Project view](project-views.md#create-and-configure-a-project-view) * [View reports on your Projects](project-views.md#view-reports-on-your-projects) @@ -11,8 +11,8 @@ A Project view is visible to all users in the same Organization they were create ## Create and configure a Project view -1. On the right side of the Project listing page, beneath the **View import log** button, select **Group by none** from the drop-down list. -2. Click the drop-down next to the FILTERS drop-down, and click **Create new view**. If you already have filters selected, click **Save changes** next to the drop-down and follow the next step. +1. On the right side of the Project listing page, beneath the **View import log** button, select **Group by none** from the dropdown list. +2. Click the dropdown next to the FILTERS dropdown, and click **Create new view**. If you already have filters selected, click **Save changes** next to the dropdown and follow the next step.
Create a Project view

Create a Project view

@@ -22,17 +22,17 @@ A Project view is visible to all users in the same Organization they were create Your new view is created and automatically selected. Click the icon next to your Project view to duplicate, rename, or delete it. -4. In the filters drop-down, select the criteria to organize your view. +4. In the filters dropdown, select the criteria to organize your view.
Apply filters

Apply filters

-5. After applying all the filters you want, click **Save changes** next to the drop-down. Your Project view will be updated. +5. After applying all the filters you want, click **Save changes** next to the dropdown. Snyk updates your Project view. 6. If you want to configure a Project view, select different filters and click **Save changes** again. You can also discard any changes to a Project view before you save them to return it to its most recent saved state. ## View reports on your Projects -1. From the Project view drop-down, select the Project view for which you would like to view the report. -2. Next to the FILTERS drop-down, click **See report for these projects**. +1. From the Project view dropdown, select the Project view for which you would like to view the report. +2. Next to the FILTERS dropdown, click **See report for these projects**.
View report on your Project view

View report on your Project view

@@ -41,5 +41,5 @@ The Reports page loads and displays a report of the Projects in your Project vie
Automatically scoped report for your Project view

Automatically scoped report for your Project view

{% hint style="info" %} -The scan results you see on the Project listing page will be reflected in the reporting page roughly one (1) hour after the scan is complete. +The scan results you see on the Project listing page appear on the reporting page roughly one hour after the scan is complete. {% endhint %} diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-tags.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-tags.md index 0abedbd01076..a714c01d904c 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-tags.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/project-tags.md @@ -13,7 +13,7 @@ Project tags are available only with Enterprise plans. For more information, see Group and Organization admins can perform the actions explained on this page. Collaborators can perform the actions if they are in an Organization that is part of the Group. {% endhint %} -The Project tags feature allows you to add custom metadata to Snyk Projects. You can create and delete tags, apply tags to and remove tags from Projects, and filter Projects using tags. +The Project tags feature lets you add custom metadata to Snyk Projects. You can create and delete tags, apply tags to and remove tags from Projects, and filter Projects using tags. You can perform these actions in the Snyk Web UI, as shown on this page. @@ -22,7 +22,7 @@ You can also perform these actions using the API endpoints [Add a tag to a Proje You can set values for a tag applied to a Project and clear the Project tags using the Snyk CLI option `--project-tags`. See the [CLI commands and options summary](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-cli/snyk-cli/cli-commands-and-options-summary) for the commands that support this option. {% hint style="info" %} -If a Project tag is no longer assigned to a Project, the tag will no longer exist. +If a Project tag is no longer assigned to a Project, the tag no longer exists. {% endhint %} ### Tag conditions @@ -45,7 +45,7 @@ To create a new tag for a Snyk Project: 2. Add the new key and click **Enter**. 3. Add a new value and click **Enter**. -You have created a new tag. When a new tag is created, it is automatically applied to the Project it was created in. The tag can also be used for any other Project in the Group. +You have created a new tag. Snyk automatically applies a new tag to the Project it was created in. The tag can also be used for any other Project in the Group. You can apply multiple Project tag values to the same Project tag key. @@ -55,12 +55,12 @@ After you create a tag, it can be applied to other Projects in the Snyk Group. To delete a Project tag from the Group, use the API endpoint [Delete a tag from a Group](https://app.gitbook.com/s/IEEjSXQQu36y0vmFV8zf/snyk-api/reference/groups-v1#group-groupid-tags). -This endpoint has the option in the Body to specify `"force": false` or `"force": true`_._ If you specify `"force": true`, the tag will be removed from any Projects to which it is applied, and it will then be deleted. If you specify `"force": false` and the tag is still applied to any Projects, error 403 “the tag has entities” occurs. Otherwise, tag deletion should succeed. +This endpoint has the option in the Body to specify `"force": false` or `"force": true`_._ If you specify `"force": true`, Snyk removes the tag from any Projects to which it is applied and then deletes it. If you specify `"force": false` and the tag is still applied to any Projects, error 403 “the tag has entities” occurs. Otherwise, tag deletion succeeds. {% hint style="info" %} A tag will only exist if it has been created and applied to one or more Projects. If a tag is -removed from all Projects, it will no longer exist. +removed from all Projects, it no longer exists. {% endhint %} ## **How to apply and remove tags** @@ -72,7 +72,7 @@ If a tag exists in your Group, you can apply it to any Snyk Project. 3. You can either select a value from the list of recently used values or type out the key value you want to apply to the Project. 4. After you select the value, the tag is applied to your Project. 5. To remove a tag from a Project, click the **x** for the tag.\ - If you remove a tag and it has not been assigned to any other Project, the tag will no longer exist. + If you remove a tag and it has not been assigned to any other Project, the tag no longer exists. ## How to filter the Projects listing by tags diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-and-edit-project-settings.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-and-edit-project-settings.md index 19d48e68b41b..b444130e0c4f 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-and-edit-project-settings.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-and-edit-project-settings.md @@ -17,8 +17,8 @@ To deactivate a Project, select **Deactivate project** on the Project settings p * Remove the webhook from the SCM repository. * Disable pull request tests for new vulnerabilities. * Disable a Fix pull request from being opened for newly disclosed vulnerabilities. -* Disable recurring tests; email alerts about newly disclosed vulnerabilities will be turned off. -* Remove any vulnerabilities in the Project from reporting and dashboard views +* Disable recurring tests and turn off email alerts about newly disclosed vulnerabilities. +* Remove any vulnerabilities in the Project from reporting and dashboard views. To delete a Project, select **Delete project** on the Project settings page. By deleting a Project, you do the following: diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-history.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-history.md index f0630fdd4d94..96335f5a4d32 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-history.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-history.md @@ -1,7 +1,7 @@ # View Project history -Select the **History** tab on the Project details page to view the Project history, which shows results of previous scans. Under normal circumstances, Snyk retains at least two snapshots: a historic snapshot and a current snapshot of the latest scan. More entries may be shown when the found issues between scans have not changed, but the entries in the list point to the same snapshot. If numerous scans are executed within 24 hours, all of the scans are displayed, distinct issues or not, after which they are purged from the list. +Select the **History** tab on the Project details page to view the Project history, which shows results of previous scans. Under normal circumstances, Snyk retains at least two snapshots: a historic snapshot and a current snapshot of the latest scan. Snyk may show more entries when the found issues between scans have not changed, but the entries in the list point to the same snapshot. If numerous scans run in 24 hours, Snyk displays all of the scans, distinct issues or not, then purges them from the list.
Project details page History tab

Project details page History tab

-Click on an entry to view a snapshot of the Project details page for that period. +Click an entry to view a snapshot of the Project details page for that period. diff --git a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-issues-fixes-and-dependencies.md b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-issues-fixes-and-dependencies.md index 0cae3ecf221b..71138b8e56b2 100644 --- a/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-issues-fixes-and-dependencies.md +++ b/scan-fix-and-prevent/snyk-platform-administration/snyk-projects/view-project-issues-fixes-and-dependencies.md @@ -12,7 +12,7 @@ The Project details page displays Issue cards on the **Issues** tab. The informa
Project details Issues tab and filters

Project details Issues tab and filters in environments with Fix advice available

-Use the filters in the panel to the left to narrow the search for issues. Select the checkboxes to filter issues by **Issue type**, **Severity**, **Fixability**, **Exploit Maturity**, and **Status**. You can also edit the **Priority Score** slider to change the range displayed; the default is 0 to 1000. +Use the filters in the **Filters** panel to narrow the search for issues. Select the checkboxes to filter issues by **Issue type**, **Severity**, **Fixability**, **Exploit Maturity**, and **Status**. You can also edit the **Priority Score** slider to change the range displayed. The default is 0 to 1,000. Issue details are shown on issue cards in the main area, sorted by priority score. See [Issue card information](issue-card-information.md) for more details. @@ -26,7 +26,7 @@ Scroll to a dependency and the listed issues to view details, including the max The Severity icon in front of the dependency title shows the maximum severity associated with the dependency. In this example, there are listed issues with medium or high severity, so the maximum severity for the dependency is high. -The score associated with the dependency title is the maximum of all listed issues under that dependency. This will show as either [Risk Score](../../manage-risk/prioritize-issues-for-fixing/risk-score.md) if you are opted-in to the Early Access feature, or [Priority Score](../../manage-risk/prioritize-issues-for-fixing/priority-score.md). +The score associated with the dependency title is the maximum of all listed issues under that dependency. This shows as either [Risk Score](../../manage-risk/prioritize-issues-for-fixing/risk-score.md) if you are opted in to the Early Access feature, or [Priority Score](../../manage-risk/prioritize-issues-for-fixing/priority-score.md).
View issue details

View dependency details