# ASH Snyk Code Plugin

This plugin integrates the Snyk Code CLI tool with the Automated Security Helper (ASH) to provide comprehensive static application security testing (SAST) for source-code vulnerabilities.
## Overview

The Snyk Code plugin enables ASH to leverage Snyk's static analysis capabilities for:

- **Static Application Security Testing (SAST):** Identifies security vulnerabilities in source code
- **Real-time Analysis:** Fast scanning with minimal false positives
- **Multi-language Support:** Supports JavaScript, TypeScript, Python, Java, C#, PHP, Go, Ruby, Scala, Swift, and more. See a full list here
- **Developer-friendly Results:** Provides actionable remediation guidance with code examples
## Prerequisites

### Install Snyk CLI

The plugin requires the Snyk CLI to be installed and available on your system PATH.

**npm (Recommended):**

**Homebrew (macOS):**

**Manual Installation:**

```bash
# Download and install the latest release
curl -Lo snyk https://github.com/snyk/cli/releases/latest/download/snyk-linux
chmod +x snyk
sudo mv snyk /usr/local/bin/
```

**Other platforms:** See the Snyk CLI Installation Guide.
### Authentication

Snyk Code requires authentication to access the scanning service:

**Option 1: Environment Variable**

**Option 2: CLI Authentication**

**Option 3: Configuration File**

The plugin will automatically check for credentials at `~/.config/configstore/snyk.json`.

### Verify Installation
## Quick Start

### Basic Configuration

The Snyk Code plugin is not included by default with ASH, since it requires authentication. Include the Snyk plugin module in your `.ash/.ash.yaml` configuration file. Add to your `.ash/.ash.yaml`:
### Run Snyk Code Scan

```bash
# Scan current directory
uv run ash --scanners snyk-code
# Scan specific directory
uv run ash --scanners snyk-code /path/to/project
```
### Run Snyk Code Scan without an ASH configuration file

If you want to run a Snyk Code scan without saving an ASH configuration file, use the following commands to enable the plugin through a configuration override:

```bash
# Scan current directory only with snyk-code
uv run ash --scanners snyk-code --config-overrides "ash_plugin_modules+=[\"automated_security_helper.plugin_modules.ash_snyk_plugins\"]"
# Scan current directory with all available scanners (including snyk-code)
uv run ash --config-overrides "ash_plugin_modules+=[\"automated_security_helper.plugin_modules.ash_snyk_plugins\"]"
```
## Configuration Options

### Severity Filtering

Configure the minimum severity level for reported vulnerabilities:

```yaml
scanners:
  snyk-code:
    enabled: true
    severity_threshold: "HIGH"  # Options: LOW, MEDIUM, HIGH, CRITICAL
```

### Advanced Options

```yaml
scanners:
  snyk-code:
    enabled: true
    severity_threshold: "MEDIUM"
    options:
      # Additional scanner-specific options can be added here
```
## Usage Examples

### High Severity Issues Only

### All Severity Levels

### Combined with Other Scanners

### CI/CD Integration
## Output Integration

Snyk Code results are integrated into ASH's unified reporting system:
- SARIF Format: Machine-readable results for CI/CD integration
- HTML Reports: Visual security dashboard with remediation guidance
- JSON/CSV: Structured data for analysis and tracking
- Markdown: Human-readable summaries for pull requests
## Performance Considerations

- First Run: May require initial authentication and setup
- Network Dependency: Requires internet connection for cloud-based analysis
- Large Codebases: Scanning time scales with codebase size
- Rate Limits: Snyk may apply rate limits based on your subscription tier
## Troubleshooting

### Common Issues

**Snyk CLI not found:**

**Authentication errors:**

```bash
# Check authentication status
snyk auth
# Set token via environment variable
export SNYK_TOKEN=your-token-here
```

**Network connectivity issues:**

**Empty directory warnings:** The plugin skips scanning if the target directory is empty or doesn't exist, logging an appropriate warning message.

### Debug Mode

Enable verbose logging to troubleshoot issues:

### Offline Mode

**Note:** Snyk Code requires internet connectivity and will be automatically disabled in offline mode:
## Integration Examples

### Pre-commit Hook

```yaml
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: ash-snyk-code
        name: ASH Snyk Code Security Scan
        entry: uv run ash --scanners snyk-code --mode precommit
        language: system
        pass_filenames: false
```
### GitHub Actions

```yaml
# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Snyk CLI
        run: npm install -g snyk
      - name: Run ASH with Snyk Code
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          uv run ash --scanners snyk-code --output-format sarif
      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: .ash/ash_output/reports/ash.sarif
```
### GitLab CI

```yaml
# .gitlab-ci.yml
snyk-security-scan:
  stage: test
  image: node:18
  before_script:
    - npm install -g snyk
  script:
    - uv run ash --scanners snyk-code
  variables:
    SNYK_TOKEN: $SNYK_TOKEN
  artifacts:
    reports:
      sast: .ash/ash_output/reports/ash.sarif
```
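As an added example (not part of the ASH Snyk plugin or its documentation), here is a small Python gate that reads the SARIF report ASH writes at the path used in the CI jobs above and fails the job when Snyk Code findings reach one of the `severity_threshold` values from the Severity Filtering section. It assumes ASH emits standard SARIF 2.1.0 with one run per scanner whose driver is named after the scanner; the mapping from SARIF levels to ASH severities is an assumption, and the sample report is constructed.

```python
import json
from pathlib import Path

# ASH severity_threshold values, ranked (higher = more severe).
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Assumed mapping of SARIF levels onto ASH severities (SARIF has no CRITICAL).
LEVEL_TO_SEVERITY = {"note": "LOW", "warning": "MEDIUM", "error": "HIGH"}

# Constructed sample in the assumed shape of ash.sarif: one SARIF run per scanner.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {"tool": {"driver": {"name": "snyk-code"}},
         "results": [
             {"ruleId": "example/sql-injection", "level": "error",
              "message": {"text": "User input flows into a SQL query"}},
             {"ruleId": "example/hardcoded-secret", "level": "warning",
              "message": {"text": "Credential embedded in source"}}]},
        {"tool": {"driver": {"name": "bandit"}},
         "results": [{"ruleId": "B101", "level": "error",
                      "message": {"text": "Use of assert detected"}}]},
    ],
}

def snyk_findings_at_or_above(sarif: dict, threshold: str) -> list:
    """Return Snyk Code results whose severity meets the ASH threshold."""
    floor = SEVERITY_RANK[threshold.upper()]
    hits = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {}).get("name", "")
        if "snyk" not in driver.lower():  # ignore the other scanners' runs
            continue
        for res in run.get("results", []):
            sev = LEVEL_TO_SEVERITY.get(res.get("level", "warning"), "MEDIUM")
            if SEVERITY_RANK[sev] >= floor:
                hits.append({"rule": res.get("ruleId"), "severity": sev,
                             "message": res.get("message", {}).get("text", "")})
    return hits

def gate_exit_code(sarif: dict, threshold: str = "HIGH") -> int:
    """CI exit status: 1 if any Snyk Code finding meets the threshold, else 0."""
    hits = snyk_findings_at_or_above(sarif, threshold)
    for h in hits:
        print(f"{h['severity']:<8} {h['rule']}: {h['message']}")
    return 1 if hits else 0

def gate_file(path=".ash/ash_output/reports/ash.sarif", threshold="HIGH"):
    """Gate on the report ASH writes; the path is the one used in the CI examples."""
    return gate_exit_code(json.loads(Path(path).read_text()), threshold)
```

In the GitHub Actions job above this would run as a step between the ASH scan and the SARIF upload, calling `gate_file()` on the real report.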
## Supported Languages

Snyk Code supports static analysis for:
- JavaScript/TypeScript: Node.js, React, Angular, Vue.js
- Python: Django, Flask, FastAPI
- Java: Spring, Maven, Gradle projects
- C#/.NET: .NET Framework, .NET Core
- PHP: Laravel, Symfony, WordPress
- Go: Standard library and popular frameworks
- Ruby: Rails, Sinatra
- Scala: Play Framework, Akka
- Swift: iOS/macOS applications
The full list of supported languages is available on the Snyk website.
## Documentation

For comprehensive documentation and advanced configuration options, see:

- ASH Community Plugins Documentation
- Snyk CLI Documentation
- Snyk Code Documentation

## Support
- ASH Issues: GitHub Issues
- Snyk Issues: Snyk Support
- Community: ASH Discussions