Monday, 24 November 2025

How to Install Snyk and Integrate It Into Jenkins CI for Secure Build Pipelines

DevSecOps Jenkins Snyk CI/CD

Modern CI/CD pipelines require security at every stage. Integrating Snyk into Jenkins CI helps detect vulnerabilities early and enforce DevSecOps practices efficiently.

In this guide, you’ll learn how to:

  • Install Snyk on Jenkins
  • Authenticate Snyk using Jenkins credentials
  • Scan your source code and dependencies automatically
  • Fail builds based on severity thresholds

1. Install Snyk CLI on Jenkins Server

Your Jenkins controller or agent must have the Snyk CLI installed to run scans.


# Download the Snyk CLI for Linux
curl -L -o snyk-linux https://static.snyk.io/cli/latest/snyk-linux

# Download the snyk-to-html Linux binary from the official GitHub releases
curl -L -o snyk-to-html-linux https://github.com/snyk/snyk-to-html/releases/latest/download/snyk-to-html-linux

chmod +x snyk-linux snyk-to-html-linux
sudo mkdir -p /opt/snyk
sudo mv snyk-linux snyk-to-html-linux /opt/snyk/

# Put both tools on the PATH under the short names the pipeline steps call (snyk, snyk-to-html)
sudo ln -sf /opt/snyk/snyk-linux /usr/local/bin/snyk
sudo ln -sf /opt/snyk/snyk-to-html-linux /usr/local/bin/snyk-to-html

Verify:


/opt/snyk/snyk-linux --version
/opt/snyk/snyk-to-html-linux --help
snyk --version   # confirms the symlink resolves on the PATH Jenkins will use

2. Get Your Snyk API Token

  1. Log in at https://snyk.io
  2. Go to Account Settings
  3. Copy your personal Snyk API token

3. Add Snyk Token to Jenkins Credentials

  1. Go to Manage Jenkins → Credentials
  2. Choose Global credentials
  3. Click Add Credentials
  4. Choose: Secret text
  5. Paste your Snyk API token
  6. Set ID to: snyk-token

4. Integrate Snyk Into Freestyle Jobs

Install Plugin

  1. Manage Jenkins → Manage Plugins → Available
  2. Search: Snyk Security
  3. Install
Add Scan Step

  • Edit your Freestyle job
  • Add build step → Invoke Snyk Security
  • Select:
    • Snyk installation → snyk (the name of the Snyk installation you configured under Manage Jenkins → Global Tool Configuration)
    • Token credential → snyk-token (the Secret text credential created in step 3)

Optional flags:


--severity-threshold=medium
--all-projects

5. Jenkins Pipeline (Jenkinsfile) Integration

Here is a ready-to-use Jenkinsfile:


pipeline {
    agent any

    environment {
        // Binds the 'snyk-token' Secret text credential to SNYK_TOKEN (masked in the console log)
        SNYK_TOKEN = credentials('snyk-token')
    }

    stages {
        stage('Checkout') {
            steps {
                checkout scm
            }
        }

        stage('Authenticate Snyk') {
            steps {
                // Single quotes: the shell expands $SNYK_TOKEN, so Groovy never interpolates the secret into the script
                sh 'snyk auth $SNYK_TOKEN'
            }
        }

        stage('Snyk Dependency Scan') {
            steps {
                // Non-zero exit (and therefore a failed build) on any medium or higher dependency issue
                sh 'snyk test --severity-threshold=medium'
            }
        }

        stage('Snyk Code Scan') {
            steps {
                // '|| true' makes the code (SAST) scan report-only; remove it to let findings fail the build
                sh 'snyk code test --severity-threshold=medium || true'
            }
        }

        stage('Build App') {
            steps {
                sh './mvnw clean package || mvn clean package'
            }
        }
    }
}

6. Fail Builds on Vulnerabilities

Fail on high severity:


snyk code test --severity-threshold=high

Fail on critical dependency issues:


snyk test --severity-threshold=critical

Run your build and you will see the report of all vulnerabilities; the build should succeed if there are no vulnerabilities at or above the configured threshold.
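As an added example that is not part of the original post, the gate below reads the JSON that `snyk test --json` emits and applies the same low < medium < high < critical ordering as `--severity-threshold`, so you can see exactly which findings from the pom.xml used in this post would fail the build at each level. The sample report, its ids and its severities are constructed for illustration; the field names follow Snyk's JSON report format.

```python
import json

# Severity ranking used by `snyk test --severity-threshold=<level>`:
# any finding at or above the chosen level fails the scan.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json` output for the pom.xml
# in this post. Field names follow Snyk's JSON report; the ids and severities
# here are illustrative, not Snyk's actual ratings for these issues.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "severity": "critical", "packageName": "log4j:log4j",
         "version": "1.2.17", "identifiers": {"CVE": ["CVE-2019-17571"]}},
        {"id": "SNYK-EXAMPLE-2", "severity": "critical",
         "packageName": "org.springframework:spring-core", "version": "4.3.0.RELEASE",
         "identifiers": {"CVE": ["CVE-2016-1000027"]}},
        {"id": "SNYK-EXAMPLE-3", "severity": "high",
         "packageName": "com.fasterxml.jackson.core:jackson-databind", "version": "2.8.4",
         "identifiers": {"CVE": ["CVE-2017-17485", "CVE-2019-12384"]}},
    ],
})


def count_by_severity(report_json):
    """Return {severity: count} for every vulnerability in a Snyk JSON report."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        sev = vuln.get("severity", "low")
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report_json, threshold):
    """Mimic --severity-threshold: True (pass) only if nothing is at or above it."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity threshold: {threshold}")
    counts = count_by_severity(report_json)
    blocking = sum(n for level, n in counts.items()
                   if SEVERITY_ORDER.get(level, 0) >= SEVERITY_ORDER[threshold])
    return blocking == 0


def blocking_findings(report_json, threshold):
    """List 'package@version: CVEs' for the findings that would fail the build."""
    return [f"{v['packageName']}@{v['version']}: "
            f"{','.join(v.get('identifiers', {}).get('CVE', []))}"
            for v in json.loads(report_json).get("vulnerabilities", [])
            if SEVERITY_ORDER.get(v.get("severity", "low"), 0) >= SEVERITY_ORDER[threshold]]
```

In a pipeline you would run `snyk test --json > snyk.json || true` and then call `gate()` on the file so the decision to fail, and the list of blocking findings, is made explicitly in one place rather than by Snyk's exit code alone.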

Below is a vulnerable pom.xml.

This version includes critical known vulnerabilities:

  • Log4j 1.x (CVE-2019-17571)
  • Spring Framework 4.x RCE (CVE-2016-1000027)
  • Jackson Databind insecure version (CVE-2017-17485, CVE-2019-12384)

Every one of these is easily detected by Snyk. Update the pom.xml in your project with the one below.


<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

    <modelVersion>4.0.0</modelVersion>
    <groupId>com.mkyong</groupId>
    <artifactId>Facebook</artifactId>
    <packaging>war</packaging>
    <version>1.2.${v}-SNAPSHOT</version>
    <name>MyWebApp Maven Webapp</name>

    <dependencies>

        <!-- ❌ Critical vulnerability: CVE-2019-17571 (untrusted deserialization in Log4j 1.x) -->
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>

        <!-- ❌ Known RCE in older Spring Framework (CVE-2016-1000027) -->
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-core</artifactId>
            <version>4.3.0.RELEASE</version>
        </dependency>

        <!-- ❌ Jackson Databind insecure version (CVE-2017-17485, CVE-2019-12384) -->
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>2.8.4</version>
        </dependency>

        <!-- Old JUnit already present — keep it -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>3.8.1</version>
            <scope>test</scope>
        </dependency>

    </dependencies>

    <build>
        <finalName>MyWebApp</finalName>
    </build>

</project>


Conclusion

Integrating Snyk into Jenkins CI provides automated security scanning, early vulnerability detection, and real DevSecOps pipeline enforcement. The free tier also makes it excellent for DevOps coaching and hands-on labs.
