6 changes: 3 additions & 3 deletions scan-fix-and-prevent/README.md
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# Overview

You can use Snyk to scan and secure your codebase and cloud infrastructure configurations, taking advantage of the Snyk capabilities in Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) analysis.
You can use Snyk to scan and secure your codebase and cloud infrastructure configurations, using the Snyk capabilities in Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), Software Composition Analysis (SCA), and Infrastructure as Code (IaC) analysis.

## Select scanning methods

Snyk supports scanning methods that correspond to Snyk products. Choose the right scanning method for the job you want to do, to find and fix issues not only early in the Software Development Life Cycle, but also after your web application or API is live.
Snyk supports scanning methods that correspond to Snyk products. Choose the right scanning method for the job you want to do, to find and fix issues not only early in the software development lifecycle, but also after your web application or API is live.

* [Snyk Open Source](scan-with-snyk/snyk-open-source/): scan your open-source libraries for vulnerabilities and license issues.\
For more information, see [Open Source Security Explained](https://snyk.io/series/open-source-security/).
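Review bot: the lowercased "software development lifecycle" on the second changed line of this hunk is fine, but assets-inventory-layouts.md in this same PR uses the bare abbreviation "an application's SDLC" without defining it; consider introducing the abbreviation here on first use, "software development lifecycle (SDLC)", so the later mention is defined.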
Expand All @@ -28,7 +28,7 @@ Scans may be limited on your account, depending on your[ Pricing Plan](https://a

## The scanning process

Snyk takes a developer-first approach to secure your development work by integrating directly into your IDEs, workflows, and automation pipelines to add security expertise to your toolkit. This approach allows you to:
Snyk takes a developer-first approach to secure your development work by integrating directly into your IDEs, workflows, and automation pipelines to add security expertise to your toolkit. With this approach, you can:

* Use Snyk to focus on early enablement, not later enforcement.
* Run scans while working on a Project, before you commit any code. This minimizes rework by finding issues that require changes early on.
70 changes: 34 additions & 36 deletions scan-fix-and-prevent/manage-assets/assets-inventory-components.md

10 changes: 5 additions & 5 deletions scan-fix-and-prevent/manage-assets/assets-inventory-filters.md
Expand Up @@ -11,7 +11,7 @@ Quick filters are predefined filters that you can apply to assets. Available qui
* **Assets with Repository freshness** **`ACTIVE` and `COVERAGE GAP`**: displays only the assets from active repositories and with a coverage gap for the selected Snyk products.
* **Assets with Asset Class `A` and `COVERAGE GAP`**: displays only Class A assets that have a coverage gap for the selected Snyk products.

You can change or add additional filters by clicking **Advanced Filters**.
To change or add filters, click **Advanced Filters**.

## Advanced filters

Expand All @@ -23,7 +23,7 @@ When you select advanced filters, you can specify one or more sets of criteria:
* **Condition:** depends on the asset selected (such as `contains` or `does not contain` for `asset name`).
* **Value:** depends on the **Property** and **Condition**.

You can add as many filters as needed by clicking **Add Filter**.
To add as many filters as needed, click **Add Filter**.

{% hint style="info" %}
If you are using Snyk Essentials for the first time, Snyk recommends starting with the **Coverage** filter to determine where Snyk is already implemented.
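Review bot: "To add as many filters as needed, click **Add Filter**." reads as if a single click adds all the filters; suggest "Click **Add Filter** for each additional filter you need." which keeps the active voice the PR is aiming for and is unambiguous about repetition.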
Expand Down Expand Up @@ -86,7 +86,7 @@ You can filter unenriched repositories directly from the banner by selecting the

#### Unenriched assets with Group SCM integration

If you use a Group-level integration, the banner shows assets not discovered through that integration. Although the integration is in place, some assets are not being pulled in. Possible reasons for unrenriched assets:
If you use a Group-level integration, the banner shows assets not discovered through that integration. Although the integration is in place, some assets are not being pulled in. Possible reasons for unenriched assets:

* Organization-level integration has broader permissions than the Group-level integration.
* A repository previously tested by Snyk was deleted in the SCM before the Group-level integration was set up.
Expand All @@ -96,7 +96,7 @@ If you use a Group-level integration, the banner shows assets not discovered thr

## Troubleshooting

### The assets are not discovered by Group or Organization-level integrations.
### The assets are not discovered by Group or Organization-level integrations

The assets are not discovered by Group or Organization-level integrations, but are discovered only through Snyk targets (for example, CLI Projects or old deleted repositories).

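Review bot: the first body sentence repeats the new heading word for word ("The assets are not discovered by Group or Organization-level integrations"); open the paragraph with the distinguishing detail instead, for example "These assets are discovered only through Snyk targets (for example, CLI Projects or old deleted repositories)." so the heading and the paragraph are not redundant.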
Expand Down Expand Up @@ -128,4 +128,4 @@ If your profile includes the Organization, check the token permissions and ensur

For GitLab and BitBucket, ensure that the Group-level tokens have access and the right permissions for the Organization.

If the source of the asset is another vendor, ensure the repository URLs match in order to avoid creating duplicate assets.
If the source of the asset is another vendor, ensure the repository URLs match to avoid creating duplicate assets.
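Review bot: "ensure the repository URLs match" on the changed line does not say what must match what; name both sides (for example the URL the other vendor reports and the Git remote URL of the existing repository asset), otherwise the reader cannot act on the instruction. Minor: "BitBucket" on the GitLab line above is spelled "Bitbucket" by the vendor.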
28 changes: 14 additions & 14 deletions scan-fix-and-prevent/manage-assets/assets-inventory-layouts.md
Expand Up @@ -2,7 +2,7 @@

Snyk defines an asset as a meaningful, real-world component in an application’s SDLC, where meaningful means either carries a risk or aggregates risk of other components (for example, repositories that contain packages), and real-world means that the concept exists outside of Snyk, for example, repository (which is a generally applicable term). In most cases, assets carry a risk or aggregate risk of other components, such as repositories that contain packages.

Snyk Essentials inventory tabs are organizing your repository assets in meaningful ways, enabling you to:
Snyk Essentials inventory tabs organize your repository assets in meaningful ways, letting you:

* Gain full repository asset visibility from your SCM tools, including details about configured teams and repository code committers.
* Track controls coverage for Snyk products.
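Review bot: the unchanged definition sentence just above the edited line is hard to parse (a parenthetical nested in a run-on) and its final sentence restates its first clause ("carry a risk or aggregate risk of other components"); since this hunk already reworks the paragraph, split it into one sentence for "meaningful" (carries risk or aggregates the risk of other components) and one for "real-world" (exists outside Snyk, such as a repository), and drop the duplicated "In most cases ..." sentence.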
Expand All @@ -15,7 +15,7 @@ Each line in the inventory represents an asset.

## Inventory tabs <a href="#inventory-layouts" id="inventory-layouts"></a>

To get better context and clarity over your asset inventory, Snyk Essentials allows flexible structuring with inventory tabs. Snyk Essentials includes five inventory tabs and groups assets by different contexts. You can find all inventory tabs under the Inventory menu option at the Group level:
To get better context and clarity over your asset inventory, Snyk Essentials lets you structure assets flexibly with inventory tabs. Snyk Essentials includes five inventory tabs and groups assets by different contexts. You can find all inventory tabs under the Inventory menu option at the Group level:

* **Overview:** Provides quick insights into discovered repositories, enabling AppSec teams to effectively operationalize their program using Snyk.
* **All Assets:** All the discovered assets are grouped by their type.
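Review bot: "Snyk Essentials includes five inventory tabs and groups assets by different contexts" on the changed line still reads as two unrelated facts; "includes five inventory tabs, each grouping assets by a different context" says what the list below actually shows.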
Expand All @@ -31,7 +31,7 @@ You can filter the information for all the inventory tabs and use any of the ava

The Overview tab in Snyk Inventory provides insights into the discovered repositories, highlighting key features and characteristics such as the total number of discovered repositories and the distribution of tested and not tested repositories, the number of dormant repositories or coverage details based on the asset policies.

Provides quick insights into discovered repositories, enabling AppSec teams to effectively operationalize their program using Snyk. This helps reduce coverage gaps, organize and leverage asset context, and ensure compliance with coverage policies.
Provides quick insights into discovered repositories, enabling AppSec teams to effectively operationalize their program using Snyk. This helps reduce coverage gaps, organize and use asset context, and ensure compliance with coverage policies.

#### Repositories tested

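Review bot: the edited paragraph ("Provides quick insights into discovered repositories, enabling AppSec teams ...") has no subject and duplicates the Overview bullet earlier in this file word for word; either give it a subject ("The Overview tab provides ...") or merge it into the preceding paragraph, keeping only the new second sentence about coverage gaps, asset context, and coverage policies.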
Expand All @@ -43,7 +43,7 @@ Use this widget to get a clear overview of all discovered repositories and see h

Follow the next steps to remediate the coverage gaps:

1. Click "Coverage gap" to see all affected repositories.
1. Click **Coverage gap** to see all affected repositories.
2. Determine the reasons for the policy non-compliance.
3. Remediate and bring repositories into compliance.
4. Set up an asset policy.
Expand All @@ -54,17 +54,17 @@ Use this widget to see all dormant repositories with critical and high-risk issu

#### Languages with most issues

Use this widget to identify the programming languages that often present issues within your codebase. If you hover over any of the listed languages, you can see and access the Snyk Learn training focused on setting up, integrating, and customizing the selected language.
Use this widget to identify the programming languages that often present issues in your codebase. If you hover over any of the listed languages, you can see and access the Snyk Learn training focused on setting up, integrating, and customizing the selected language.

#### Class A repositories with most high and critical issues

Use this widget to see a maximum of top ten high-risk Class A repositories with the biggest impact on the business (class A). This tool helps your development team identify and prioritize remediation efforts with asset context. By addressing high-risk areas promptly, you improve the stability and security of your Project, ultimately enhancing software quality.
Use this widget to see a maximum of the top 10 high-risk Class A repositories with the biggest impact on the business. This tool helps your development team identify and prioritize remediation efforts with asset context. By addressing high-risk areas promptly, you improve the stability and security of your Project, ultimately enhancing software quality.

### All Assets

The **All Assets** tab under the Inventory menu provides a central view of all your assets, offering a comprehensive overview of your security posture. You can access a list of your assets and customize the view to meet your needs. Select the columns that you want to be visible, use filters to refine the information, and export the details to share them with others.

This unified view allows you to efficiently monitor assets and prioritize remediation for stronger application security.
This unified view lets you efficiently monitor assets and prioritize remediation for stronger application security.

### Asset Hierarchy

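Review bot: "a maximum of the top 10" on the changed Class A line is redundant; "up to 10 Class A repositories with the most high and critical issues" is tighter and matches the widget heading. "with the biggest impact on the business" also restates what Class A already means according to the **Class** column definition later in this file, so it can be dropped.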
Expand All @@ -73,17 +73,17 @@ Assets are sorted by issue counts, and where applicable, package assets are list

The **Asset Hierarchy** is visible only when no filters are applied, allowing you to see a clear, unfiltered view of your assets and their relationships.

This layout helps in understanding the relationship between different assets and their associated issues, providing a comprehensive view of the asset landscape within your Organization.
This layout helps in understanding the relationship between different assets and their associated issues, providing a comprehensive view of the asset landscape in your Organization.

### Teams

The **Teams** tab in Snyk **Inventory** organizes assets from SCM repositories by team. Assets are grouped here according to the teams assigned to them within the SCM organizations.
The **Teams** tab in Snyk **Inventory** organizes assets from SCM repositories by team. Assets are grouped here according to the teams assigned to them in the SCM organizations.

Only SCM organizations that have teams and repositories assigned to a team will appear in this layout. This helps in visualizing and managing repository assets according to team structures, making it easier to track and prioritize security efforts based on team responsibilities.
Only SCM organizations that have teams and repositories assigned to a team appear in this layout. This helps in visualizing and managing repository assets according to team structures, making it easier to track and prioritize security efforts based on team responsibilities.

### Technology

The **Technology** tab in Snyk **Inventory** groups SCM repository assets by the technology they use, such as programming languages and frameworks. This categorization is detected and tagged by Snyk Essentials, allowing you to easily identify and manage assets based on the used technologies.
The **Technology** tab in Snyk **Inventory** groups SCM repository assets by the technology they use, such as programming languages and frameworks. Snyk Essentials detects and tags this categorization, letting you identify and manage assets based on the used technologies.

This feature helps in understanding the technological landscape of your repositories and can be useful for prioritizing security efforts and managing risks associated with different technologies.

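Review bot: "Snyk Essentials detects and tags this categorization" on the changed Technology line is off: what is detected is the technology, and the asset is what gets tagged. Suggest "Snyk Essentials detects these technologies and tags each asset with them, letting you identify and manage assets by the technologies they use", which also replaces "the used technologies" with the more natural "the technologies used" (the same phrase recurs in the unchanged sentence below).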
Expand All @@ -96,7 +96,7 @@ Assets in the inventory are presented with key attributes in the following colum
* **Asset** - The name of the repository asset, scanned artifact, and the Git remote URL, if available. Scanned artifacts are missing Git remote URLs.
* **Issue** - The number of issue counts on open assets aggregated across all relevant tools of the same severity of the asset itself and its child assets or packages. The severity level is classified into **C** (critical), **H** (high), **M** (medium), and **L** (low).
* **Controls** - A report detailing all products detected by the Snyk Essentials on a specific repository asset and all products that should be but are not covered by Snyk Essentials.
* **Tags** - You will be able to add a unique key-value tag to provide a more powerful and granular context for your assets. This attribute lets you attach specific, unique metadata to your assets, which enables precise filtering, robust policy creation, and alignment with your internal systems.
* **Tags** - Add a unique key-value tag to provide a more powerful and granular context for your assets. This attribute lets you attach specific, unique metadata to your assets, which enables precise filtering, robust policy creation, and alignment with your internal systems.
* **Labels** - Snyk Essentials automatically labels repository assets with information about the used technologies (Python, Terraform, and so on) in the repository, and repository latest updates. You can also use policies to label repository assets.
* **Developers** - Includes the SCM profile details for code committers to the repository asset.
* **Class** - Reflects the business criticality of the asset from A (most critical) to D (least critical), as defined by the user in the Policies view. You can manually change the class or automatically change it by applying a policy. You can lock the value you have manually set for a Class to prevent policies from overriding it.
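Review bot: two leftovers in the unchanged lines of this hunk are worth fixing while the list is being edited: "The number of issue counts" in the **Issue** entry is a double count ("The number of open issues ..." reads better), and "detected by the Snyk Essentials" in the **Controls** entry has a stray article ("detected by Snyk Essentials").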
Expand All @@ -109,7 +109,7 @@ Assets in the inventory are presented with key attributes in the following colum
* **Actions** - Provides a workflow to set up an SCM integration, enriching the asset context with information such as labels, developers, and repository freshness. This use case is available when a Group-level integration is not configured.

{% hint style="info" %}
The Clusters column is hidden by default. To enable it, click Columns, select Clusters from the dropdown list, then click Apply to save the changes.
The Clusters column is hidden by default. To enable it, click **Columns**, select **Clusters** from the dropdown list, then click **Apply** to save the changes.
{% endhint %}

### **Asset Sources, Types, and Scanned Artifacts**
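Review bot: the heading "### **Asset Sources, Types, and Scanned Artifacts**" in the trailing context carries bold markup inside a heading, which is inconsistent with the other `###` headings in this file (for example "### Technology"); drop the asterisks.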
Expand Down Expand Up @@ -138,4 +138,4 @@ You can see the scanned artifacts in the Inventory Type view. The scanned artifa

Packages are defined as software or libraries that are managed by package management systems.

Package assets are created when you scan the dependencies of a Project through package management systems or by using the Snyk CLI. This enables Snyk Essentials to identify and analyze the security vulnerabilities of the packages used within a Project, offering insights into possible risk exposures and providing recommendations for mitigation.
Snyk creates package assets when you scan the dependencies of a Project through package management systems or by using the Snyk CLI. This lets Snyk Essentials identify and analyze the security vulnerabilities of the packages used in a Project, offering insights into possible risk exposures and providing recommendations for mitigation.
Expand Up @@ -19,7 +19,7 @@ Repository monitoring configuration provides the following capabilities:
* Centralized asset monitoring: view monitoring status for all products, identify health status, and see required actions (such as enabling Snyk Code or resolving SCM integration issues) in one view.
* Bulk import: import repositories directly from the Group **Inventory** page into specific Snyk Organizations.
* On-demand retesting: trigger a retest for specific repositories directly from **Inventory**.
* Actionable error resolution: clear guidance ia available when testing fails due to integration issues or entitlements. After the underlying issue is resolved, testing resumes automatically.
* Actionable error resolution: clear guidance is available when testing fails due to integration issues or entitlements. After you resolve the underlying issue, testing resumes automatically.

## Configure settings for repository monitoring

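Review bot: "when testing fails due to integration issues or entitlements" on the changed line reads as if having entitlements causes failures; "missing entitlements" (or "entitlement limits") is what is meant, and it matches the following sentence about resolving the underlying issue before testing resumes.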
Expand Down Expand Up @@ -58,7 +58,7 @@ It is not possible to manage these settings at Organization level for assets tra
* **Testing exclusions (optional)**: manage file exclusions for Snyk Open Source and Snyk Container Projects. Exclusions apply at the asset level. You cannot exclude specific files for the same repository in different Snyk Organizations.

{% hint style="info" %}
For Snyk Code, you can manage exclusions using the `.snyk` files, in order to maintain developer-first workflows.
For Snyk Code, you can manage exclusions using the `.snyk` files to maintain developer-first workflows.
{% endhint %}

Click **Continue**.
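Review bot: "the `.snyk` files" on the changed hint line refers to something the page has not introduced; "a `.snyk` policy file in the repository" is clearer, and since this is the only mention of the file on the page, a link to the `.snyk` file documentation would help the reader who has not met it before.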
2 changes: 1 addition & 1 deletion scan-fix-and-prevent/manage-assets/manage-assets.md
Expand Up @@ -46,6 +46,6 @@ Through this interconnected framework, Snyk ensures robust asset protection and

### Assets Enrichments by SCM Integration <a href="#assets-enrichments-by-scm-integration" id="assets-enrichments-by-scm-integration"></a>

The table below outlines the asset enrichments provided by each SCM Integration. It highlights which capabilities are available today that are not available due to the SCM provider.
The following table outlines the asset enrichments provided by each SCM Integration. It highlights which capabilities are available today that are not available due to the SCM provider.

<table data-full-width="false"><thead><tr><th width="144.1553955078125">Capability</th><th width="103.8853759765625">GitHub</th><th width="96.415771484375">GitLab</th><th width="110.57470703125">BitBucket Cloud</th><th width="112.80908203125">BitBucket Server</th><th width="99.44970703125">Azure DevOps</th></tr></thead><tbody><tr><td>Org/Workspace</td><td>✅​</td><td>✅​</td><td>✅​</td><td>✅​</td><td>✅​</td></tr><tr><td>SCM Projects</td><td>❌</td><td>❌</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td>Contributors</td><td>✅</td><td>❌</td><td>❌</td><td>✅</td><td>✅</td></tr><tr><td>Teams</td><td>✅</td><td>✅</td><td>❌</td><td>✅</td><td>✅</td></tr><tr><td>Languages (tags)</td><td>✅</td><td>✅</td><td>✅ When manually set up</td><td>❌</td><td>✅</td></tr><tr><td>Tags</td><td>✅ GitHub topics / GitHub custom properties</td><td>✅ GitLab topics</td><td>❌</td><td>❌</td><td>❌</td></tr><tr><td>Visibility</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr><tr><td>Archive Repos</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td><td>✅</td></tr></tbody></table>
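Review bot: the second sentence of the edited paragraph is ungrammatical: "which capabilities are available today that are not available due to the SCM provider" fuses two clauses. Suggest "It shows which capabilities are available for each SCM today and which are not, where the limitation comes from the SCM provider." In the table, the BitBucket Cloud cell "✅ When manually set up" under Languages (tags) is the only conditional entry; a short footnote saying what the manual setup is would make the row actionable.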