How to do Snyk code test in Jenkins pipeline?


I am helping our DevOps team integrate Snyk into the Jenkins pipelines for SAST. By default, it seems like this Snyk plugin is doing snyk test (which does open-source dependency scans) and appends the additional arguments provided with it. I identified this behavior by checking the console log where the actual command ran was displayed. We actually want it to do the source code scan snyk code.

The command I observed in the console log is this: <jenkins tools installation path>/snyk-linux test --json --severity-threshold=high --file=<path>/package.json; The snyk-linux test part seems to be predefined.

Can someone please help me regarding this?

2

There are 2 answers

0
upperlimit

Running Snyk CLI directly is indeed the only way at the moment.

However, if any code vulnerabilities are detected, the CLI command seems to be failing the build, with a non-zero exit code most certainly.

The Snyk vendor should support this in a future version of the Snyk Jenkins Plugin.

Another alternative is the Snyk Maven Plugin, but only for Maven projects, and IMHO it is not as elegant as the Jenkins Plugin.

1
Valentin Despa

As you have correctly observed, the Snyk Security Jenkins plugin only offers access to the Snyk CLI snyk test command and nothing else.

Currently, the only way to do this is to talk with the Snyk CLI directly.

pipeline {
    agent any
    
    environment {
        // Path of the Snyk CLI installation configured as a Jenkins global tool named 'Snyk'
        SNYK_HOME = tool name: 'Snyk'
    }

    stages {
        
        stage('Snyk Code') {
            steps {
                // Call the CLI directly; the plugin only wraps "snyk test"
                sh "${SNYK_HOME}/snyk-linux code test"
            }
        }
    }
}

Of course, you also need to expose the token in an environment variable.
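An added example (not code from either answer) that ties the two answers together: the token is injected from a Jenkins credential instead of a plain environment variable, and the CLI exit code is interpreted explicitly so that findings fail the build deliberately while a scanner error is reported as a separate failure. The tool name 'Snyk' and the credential id 'snyk-api-token' are assumptions; the exit-code meanings follow the Snyk CLI convention (0 clean, 1 issues found, other values errors).

```groovy
pipeline {
    agent any

    environment {
        // Assumed name of the Snyk CLI global tool installation in Jenkins
        SNYK_HOME = tool name: 'Snyk'
    }

    stages {
        stage('Snyk Code') {
            steps {
                // Assumed "Secret text" credential id holding the Snyk API token;
                // SNYK_TOKEN is masked in the console log and scoped to this block
                withCredentials([string(credentialsId: 'snyk-api-token', variable: 'SNYK_TOKEN')]) {
                    script {
                        // returnStatus keeps the sh step from aborting the pipeline on a
                        // non-zero exit, so the exit code can be handled explicitly below
                        def rc = sh(
                            returnStatus: true,
                            script: "${SNYK_HOME}/snyk-linux code test --severity-threshold=high --json > snyk-code.json"
                        )
                        // Keep the JSON report even when the scan fails the build
                        archiveArtifacts artifacts: 'snyk-code.json', allowEmptyArchive: true
                        if (rc == 1) {
                            error "Snyk Code found issues at or above the high severity threshold"
                        } else if (rc != 0) {
                            error "Snyk Code scan did not complete (exit code ${rc})"
                        }
                    }
                }
            }
        }
    }
}
```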