SCM Integration
Snyk has integrations to pull from SCM sources to perform continuous monitoring on frequent basis. By default this would be nightly for app code and weekly for infrastructure code. Snyk is enabled to search for new repos and automatically added to the org for scanning. An Org Admin is also manually add or remove repos.
Which repositories should be included?¶
Anything that has been deployed should be added to minmimize vulnerabilities. Anything that is no longer used should be removed to minimize licensing risks.
Inactive repos should be removed from Snyk. In SCM, repos should add a -deprecated
suffix, or removed / achived.
Snyk and SCM in sync. At this time, SCM repos and Snyk targets are not automatically in sync. Org admins will need to manually remove and add to the Snyk. In the future, sync will be enabled with certain regular expressions to exclude repos (ex:
-deprecated
repos would not be added).
Checkpoint¶
- Check to see which repositories should be added to SCM integration
- Validate the frequency to scan repositories (recommended is daily)
- Are there any current limitations with SCM integration to consider?