Reputation: 1
I'm trying to run Snyk in a Bitbucket pipeline. I'm running the pipes for Composer and npm and things are working, but I also want to run it for static code analysis. None of the documentation shows how this is possible. I have tried installing Snyk with npm followed by running
snyk auth TOKEN
snyk code test
snyk monitor
but the static code analysis doesn't show up on the Snyk dashboard. Looking for commands or documentation to run static code analysis through the Bitbucket pipeline.
Upvotes: 0
Views: 739
Reputation: 375
Once you have done the auth using
snyk auth $TOKEN
run the command below to run the Snyk scan and publish the result to your Snyk dashboard. It will create a project if it does not exist already:
snyk code monitor --all-projects --org=$ORG_ID --report
This will create a monitor/Snyk scan report on the Snyk dashboard, for which you can later choose the automated frequency of the Snyk scan.
If you just want to run the Snyk scan but don't want to publish on the Snyk dashboard, use the command below:
snyk code test --all-projects --org=$ORG_ID --report
And in case you want JSON output of the scan results, just add "--json".
Ref: Snyk CLI help doc
Upvotes: 1
Reputation: 76
Unfortunately, the monitor command, which creates a project in your Snyk account to be continuously monitored, is not yet available for Snyk Code (SAST).
The good news is it will soon be available, as this is currently in closed beta, with some of our customers chosen as beta testers testing its capabilities.
The command will look like this: snyk code test --report
and will allow you to create a project (meaning sending the report) in your Snyk Organisation.
We will update you as soon as the command is available.
Upvotes: 3
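The pipeline step the question asks for, written out as an added example; it is not from the original thread, from the Snyk pipe, or from Snyk's own documentation. It installs the CLI, runs `snyk code test --report` so the SAST result appears as a project on the dashboard, and keeps the SARIF file as a build artifact. It assumes two secured repository variables, `SNYK_TOKEN` and `SNYK_ORG_ID` (names chosen for this example), and that `--report` is enabled for your account and CLI version, which the answer above says was still in beta at the time. The CLI reads `SNYK_TOKEN` from the environment, so no separate `snyk auth` line is needed in CI.

```yaml
# bitbucket-pipelines.yml (added example; not the thread's or Snyk's own config)
# Assumes SNYK_TOKEN and SNYK_ORG_ID are secured repository variables in Bitbucket.
image: node:18

pipelines:
  default:
    - step:
        name: Snyk Code (SAST)
        caches:
          - node
        script:
          # Install the CLI. SNYK_TOKEN is read from the environment, so no `snyk auth`.
          - npm install -g snyk
          # Run the SAST scan and send the result to the Snyk dashboard (--report),
          # which creates or updates a Snyk Code project for this repository.
          # --sarif-file-output keeps a machine-readable copy for the build.
          # Exit code 1 means "issues found at or above the threshold"; any other
          # non-zero code is a CLI/auth failure. The `|| [ $? -eq 1 ]` tolerates
          # findings but still fails the step on real errors. Remove it once you
          # want findings to break the build (the equivalent of DONT_BREAK_BUILD=False).
          - snyk code test --org="$SNYK_ORG_ID" --report --severity-threshold=high --sarif-file-output=snyk-code.sarif || [ $? -eq 1 ]
        artifacts:
          - snyk-code.sarif
```

Check the step log for an authentication error before trusting a green build: with the tolerant exit-code guard, a missing or wrong `SNYK_TOKEN` would surface as an exit code other than 1 and fail the step, but a scan that simply found nothing and a scan that never uploaded because `--report` is not enabled for the account both exit 0, so confirm the project actually appears under the organisation on the dashboard on the first run.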
Reputation: 3372
According to their own documentation, this is the config:
...
- pipe: snyk/snyk-scan:0.4.6
  variables:
    SNYK_TOKEN: "token"
    LANGUAGE: "composer"
    DONT_BREAK_BUILD: "True"
    DEBUG: "True"
Upvotes: 0