Pipeline

To get faster feedback and gating within delivery, teams should add Snyk to their pipelines. If a team practices rapid iterations and deployments, a single scan-and-gate step is sufficient. Otherwise, scans can also be added to branch builds and before each promotion.

Following PE's documentation update link for adding Snyk scans to CircleCI, we will:

  1. Create a Snyk token for your org to connect to CircleCI

  2. Use the PE's app-analysis orb

  3. Add the app-scan job in the appropriate workflows


By default, the orb will scan and gate. On the primary branch, the pipeline additionally runs the CLI's snyk monitor command, which publishes results to Snyk.

Use the following app-analysis orb update link:

    orbs:
      app-analysis: client/client-orb@4 [update link](liatrio-tag)

We recommend adding the scan job before publishing the artifact in dev, and before deploying to each higher environment. Use the following code snippet arguments update link to add the scanning job:

    jobs:
      - app-analysis/app-scan:
          name: Snyk scan
          <<: *circle-ci-context
          executor: java-agent / node-agent / etc
          additional-arguments: ###
          fail-on-sast-issues: true / false
          project-lifecycle: ###
          target-reference: ###
          slack-channel-id: ###

If your team uses short-lived branches instead of committing directly to main, additional parameters may be needed to run scans on branches.

  • monitor-on-build: determines whether to run snyk monitor and publish results to Snyk. This should be false on branch builds but true in the main/dev, QA, and prod workflows.
  • Like any other job with branch logic, use branch filters to control which scan job runs in which workflow.
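The branch-versus-main setup described above, written out as one workflow (an added example, not the orb's or PE's own config). Assumed: the build, publish-artifact and deploy-qa jobs are defined elsewhere in the same config, the circle-ci-context anchor is defined as shown, and the executor and context names are placeholders.

```yaml
version: 2.1

orbs:
  # Orb reference as given on this page; use the current tag for your org.
  app-analysis: client/client-orb@4

# Assumed: a shared YAML anchor carrying the team's CircleCI context,
# merged into each scan job with the merge key used on this page.
defaults: &circle-ci-context
  context: [ example-team-context ]   # placeholder context name

workflows:
  build-scan-promote:
    jobs:
      - build

      # Short-lived branches: scan and gate only, never publish to Snyk.
      - app-analysis/app-scan:
          name: snyk-scan-branch
          <<: *circle-ci-context
          executor: java-agent           # executor name listed on this page
          fail-on-sast-issues: true      # gate the branch build on findings
          monitor-on-build: false        # no snyk monitor on branches
          requires: [ build ]
          filters:
            branches:
              ignore: main

      # Main: scan before the artifact is published, and publish to Snyk.
      - app-analysis/app-scan:
          name: snyk-scan-main
          <<: *circle-ci-context
          executor: java-agent
          fail-on-sast-issues: true
          monitor-on-build: true         # snyk monitor runs, results land in Snyk
          target-reference: main
          requires: [ build ]
          filters:
            branches:
              only: main

      # Artifact is only published, and only promoted, after the main scan gate.
      - publish-artifact:
          requires: [ snyk-scan-main ]
          filters:
            branches:
              only: main
      - deploy-qa:
          requires: [ publish-artifact ]
          filters:
            branches:
              only: main
```

For higher environments, repeat the main-branch scan invocation ahead of each deploy job so every promotion is gated the same way.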

Checkpoint

  • Add Snyk scans to your pipeline with the pe-app-analysis orb
  • Add where appropriate (recommended: branch builds, before publishing artifact, before promoting to higher environments)
  • If present, remove Veracode from the pipeline and open a PE support request update link to offboard