@snyk/backstage-plugin-soundcheck-backend-module-snyk

A backend module for the spotify soundcheck plugin that implements the Snyk fact collector.


Snyk Backend Module for Soundcheck

Integrating Snyk with Soundcheck enhances oversight of your Snyk projects by pulling targeted insights, such as issue counts and product coverage, directly into Backstage.

The purpose of the Snyk integration plugin is to provide Snyk-specific fact collection (such as issue counts).

The Snyk integration plugin supports the extraction of the following facts:

  • issues_count - The number of issues found in the Snyk projects of an entity, broken down by severity (Critical, High, Medium, Low).
  • product_coverage - The Snyk products used by the entity (Snyk Code, Snyk Container, Snyk Open Source, Snyk IaC), derived from the package managers of the projects associated with the entity.

Install

Add the SnykFactCollector to Soundcheck

The Snyk integration for Soundcheck is not installed by default. It must be manually installed and configured for the Snyk Fact Collector to work.

Install the @snyk/backstage-plugin-soundcheck-backend-module-snyk package for Snyk data collection:

Install Snyk Module

yarn workspace backend add @snyk/backstage-plugin-soundcheck-backend-module-snyk

The new backend system has been available in alpha since v1.11.0 (released in February 2023) and has been the default since v1.27.0 (released in May 2024).

The Snyk Soundcheck module supports both the new and the legacy backend system, but we highly encourage you to use the new backend system.

New Backend System

If you are using the New Backend System, you can just add the following:

# packages/backend/src/index.ts

import { createBackend } from '@backstage/backend-defaults';

const backend = createBackend();

backend.add(import('@spotify/backstage-plugin-soundcheck-backend'));
// Added: registers the Snyk fact collector module with Soundcheck
backend.add(import('@snyk/backstage-plugin-soundcheck-backend-module-snyk'));

backend.start();

Legacy Backend

Add the Snyk Fact Collector in packages/backend/src/plugins/soundcheck.ts.

import { SoundcheckBuilder } from '@spotify/backstage-plugin-soundcheck-backend';
import { Router } from 'express';
import { PluginEnvironment } from '../types';
// Added: the Snyk fact collector
import { SnykFactCollector } from '@snyk/backstage-plugin-soundcheck-backend-module-snyk';

export default async function createPlugin(
  env: PluginEnvironment,
): Promise<Router> {
  return SoundcheckBuilder.create({ ...env })
    // Added: register the Snyk fact collector with the plugin's config and logger
    .addFactCollectors(SnykFactCollector.create(env.config, env.logger))
    .build();
}

Configure plugin

If you're unfamiliar with Soundcheck, please visit the official Soundcheck documentation first.

Add collector configuration

Assuming you have the recommended setup from the documentation, add the example fact collector configuration below to the collectors.yaml file in the root of your Backstage repository and fill in your Snyk settings.

# collectors.yaml

snyk:
  # Host of the API to use for the calls.
  # For Snyk Enterprise customers with regional contracts, change this to api.eu.snyk.io (EU)
  # or api.au.snyk.io (AUS); see https://docs.snyk.io/working-with-snyk/regional-hosting-and-data-residency
  host: api.snyk.io
  # A Snyk API token (a service account with Viewer permission at your group level is preferred)
  token: ${SNYK_TOKEN}
  collects:
    - type: issues_count
    - type: product_coverage

Collect Snyk issue counts

Exposing the severity levels (Critical, High, Medium, or Low) reported by Snyk helps you understand the risk associated with your entities within your scorecard.

# checks.yaml

- id: no_critical_snyk_issues
  rule:
    factRef: snyk:default/issues_count
    path: $.critical # critical, high, medium or low
    operator: equal
    value: 0
  passedMessage: No critical vulnerabilities
  failedMessage: Snyk found **{{ fact.data.critical }} critical** vulnerabilities which exceeds the tolerance for this level.

Collect Product coverage facts

Knowing which Snyk products are performing checks on a given entity is valuable information for increasing security coverage.

# checks.yaml

- id: dependencies_are_scanned_by_snyk
  rule:
    factRef: snyk:default/product_coverage
    path: $.products
    operator: contains
    value: 'snyk-open-source' # snyk-code, snyk-container, snyk-iac or snyk-open-source
  failedMessage: Dependencies are not scanned by Snyk. Please enable Snyk Open Source to increase your coverage.
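To make the two checks above concrete, here is an added example (not code from the plugin or from Soundcheck itself) that evaluates both rules against constructed fact data. It assumes the fact shapes that the JSONPath expressions in checks.yaml imply: issues_count exposes { critical, high, medium, low } and product_coverage exposes { products: string[] }. It also treats a fact that was never collected as a failed check, so that an entity that Snyk has not scanned cannot appear clean.

```typescript
// Added example, not the plugin's own code. Assumes the fact shapes implied by
// the checks.yaml paths: issues_count -> { critical, high, medium, low },
// product_coverage -> { products: string[] }.

type FactData = Record<string, unknown>;

interface Rule {
  factRef: string;
  path: string;                   // simple JSONPath such as "$.critical" or "$.products"
  operator: 'equal' | 'contains'; // the two operators used in checks.yaml above
  value: unknown;
}

interface Check {
  id: string;
  rule: Rule;
  passedMessage?: string;
  failedMessage?: string;
}

interface CheckResult {
  id: string;
  passed: boolean;
  message: string;
}

// Resolve a dotted "$.a.b" path against the fact data; filters and wildcards are out of scope here.
function resolvePath(data: FactData, path: string): unknown {
  if (!path.startsWith('$.')) throw new Error(`unsupported path: ${path}`);
  return path.slice(2).split('.').reduce<unknown>((cur, key) => {
    if (cur === null || typeof cur !== 'object') return undefined;
    return (cur as Record<string, unknown>)[key];
  }, data);
}

function evaluateRule(rule: Rule, data: FactData): boolean {
  const actual = resolvePath(data, rule.path);
  switch (rule.operator) {
    case 'equal':
      return actual === rule.value;
    case 'contains':
      // A missing or non-array fact value never satisfies "contains".
      return Array.isArray(actual) && actual.includes(rule.value);
    default:
      throw new Error(`unsupported operator: ${String(rule.operator)}`);
  }
}

// Fill {{ fact.data.<field> }} placeholders, as the failedMessage above uses them.
function render(template: string, data: FactData): string {
  return template.replace(/\{\{\s*fact\.data\.([\w.]+)\s*\}\}/g, (_m, field: string) =>
    String(resolvePath(data, `$.${field}`)),
  );
}

function runCheck(check: Check, facts: Record<string, FactData>): CheckResult {
  const data = facts[check.rule.factRef];
  // An absent fact is a failure, not a pass: "not scanned" must not look like "no findings".
  if (data === undefined) {
    return { id: check.id, passed: false, message: `fact ${check.rule.factRef} not collected` };
  }
  const passed = evaluateRule(check.rule, data);
  const template = (passed ? check.passedMessage : check.failedMessage) ?? '';
  return { id: check.id, passed, message: render(template, data) };
}

// The two checks from checks.yaml above, as objects.
const checks: Check[] = [
  {
    id: 'no_critical_snyk_issues',
    rule: { factRef: 'snyk:default/issues_count', path: '$.critical', operator: 'equal', value: 0 },
    passedMessage: 'No critical vulnerabilities',
    failedMessage: 'Snyk found **{{ fact.data.critical }} critical** vulnerabilities which exceeds the tolerance for this level.',
  },
  {
    id: 'dependencies_are_scanned_by_snyk',
    rule: { factRef: 'snyk:default/product_coverage', path: '$.products', operator: 'contains', value: 'snyk-open-source' },
    failedMessage: 'Dependencies are not scanned by Snyk. Please enable Snyk Open Source to increase your coverage.',
  },
];

// Constructed sample facts for one entity: two critical issues, scanned by Snyk Code only.
const sampleFacts: Record<string, FactData> = {
  'snyk:default/issues_count': { critical: 2, high: 5, medium: 1, low: 0 },
  'snyk:default/product_coverage': { products: ['snyk-code'] },
};

function runAll(facts: Record<string, FactData>): CheckResult[] {
  return checks.map(c => runCheck(c, facts));
}

for (const r of runAll(sampleFacts)) {
  console.log(`${r.id}: ${r.passed ? 'PASS' : 'FAIL'} - ${r.message}`);
}
```

With the sample facts both checks fail: the first renders the critical count into its message, the second reports that Snyk Open Source is not among the products covering the entity.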

If you're using the Snyk Backstage plugin, you can skip the annotation steps below, since you have probably annotated all relevant catalog entities already.

Proper annotations ensure efficient linkage between Backstage entities and Snyk data. They allow the plugin to identify and manage your projects within Snyk effectively.

Critical integration note:

  • At least one organization ID (either snyk.io/org-id or snyk.io/org-ids) is required for the plugin to function correctly.
  • Specify at least one target or project ID (snyk.io/target-id, snyk.io/targets, or snyk.io/project-ids) for the plugin to manage your Snyk resources effectively.

Setting Up Organization IDs

  • snyk.io/org-id (required): This is your Snyk organization's unique identifier. You can find the ID in the Organization Settings in the Snyk dashboard.

  • snyk.io/org-ids: For entities spanning multiple Snyk organizations, list their IDs here, separated by commas. This broadens the search to include targets or projects across the specified organizations.

Specifying Targets and Projects

After setting your organization(s), specify the targets or projects to manage:

  • snyk.io/target-id: Defines a single target by its name or ID. Using the ID is preferred to reduce API calls, making the process faster. Use the targets API endpoint to get the Target IDs.

  • snyk.io/targets: For multiple targets, use this annotation. List targets by name or ID, separated by commas. Like with snyk.io/target-id, using IDs is more efficient.

  • snyk.io/project-ids: Specify one or more project IDs related to your Backstage entity. If your entity is associated with multiple projects, list the IDs separated by commas. You can find the ID in the Project Settings in the Snyk dashboard.

  • snyk.io/exclude-project-ids: Use this to exclude certain projects by ID from the plugin's operations, ensuring they are not managed or analyzed by Snyk through this integration.

Example Configuration

metadata:
  annotations:
    snyk.io/org-id: '689ce7f9-7943-4a71-b704-2ba575f01089' # The Snyk organization ID (UUID)
    snyk.io/targets: '2542e052-f7dc-11ee-a951-0242ac120002,snyk/snyk-goof' # The Snyk target’s IDs (UUID) or display name
    snyk.io/project-ids: '32c99fc2-f7dc-11ee-a951-0242ac120002,38ee92fe-f7dc-11ee-a951-0242ac120002' # The Snyk project’s IDs (UUID)
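The following is an added example (not the plugin's own code) showing how the snyk.io/* annotations described above can be resolved into the organization, target and project scope a collector would query. The annotation keys and the example values are taken from this README; the parsing rules (comma-separated lists, trimming, de-duplication, UUID validation of organization and project IDs, and applying snyk.io/exclude-project-ids to the listed projects) are assumptions about how a collector would read them. It also enforces the two rules from the critical integration note and reports which targets were given by display name, since the text notes those cost extra API calls compared with IDs.

```typescript
// Added example, not the plugin's own code. Keys come from the README;
// the validation and parsing rules below are assumptions.

type Annotations = Record<string, string | undefined>;

interface SnykScope {
  orgIds: string[];
  targets: string[];              // target IDs (UUID) or display names
  targetsNeedingLookup: string[]; // targets given by name: each needs an extra API call to resolve
  projectIds: string[];           // explicit project IDs minus any excluded ones
  excludeProjectIds: string[];
}

// Snyk organization, target and project IDs are UUIDs (assumption, matching the example values).
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Split a comma-separated annotation value, dropping blanks.
function splitList(value: string | undefined): string[] {
  if (!value) return [];
  return value.split(',').map(v => v.trim()).filter(v => v.length > 0);
}

function unique(values: string[]): string[] {
  return Array.from(new Set(values));
}

function parseSnykAnnotations(annotations: Annotations): SnykScope {
  // snyk.io/org-id and snyk.io/org-ids are merged: either one satisfies the requirement.
  const orgIds = unique([
    ...splitList(annotations['snyk.io/org-id']),
    ...splitList(annotations['snyk.io/org-ids']),
  ]);
  const targets = unique([
    ...splitList(annotations['snyk.io/target-id']),
    ...splitList(annotations['snyk.io/targets']),
  ]);
  const excludeProjectIds = unique(splitList(annotations['snyk.io/exclude-project-ids']));
  const projectIds = unique(splitList(annotations['snyk.io/project-ids']))
    .filter(id => !excludeProjectIds.includes(id));

  // The two rules from the critical integration note.
  if (orgIds.length === 0) {
    throw new Error('at least one of snyk.io/org-id or snyk.io/org-ids is required');
  }
  if (targets.length === 0 && projectIds.length === 0) {
    throw new Error('specify snyk.io/target-id, snyk.io/targets or snyk.io/project-ids');
  }
  // Org and project IDs must be UUIDs; a typo here would silently scope the collector to nothing.
  for (const id of [...orgIds, ...projectIds, ...excludeProjectIds]) {
    if (!UUID_RE.test(id)) throw new Error(`expected a UUID, got "${id}"`);
  }

  return {
    orgIds,
    targets,
    targetsNeedingLookup: targets.filter(t => !UUID_RE.test(t)),
    projectIds,
    excludeProjectIds,
  };
}

// The "Example Configuration" annotations from this README, as constructed input.
const exampleAnnotations: Annotations = {
  'snyk.io/org-id': '689ce7f9-7943-4a71-b704-2ba575f01089',
  'snyk.io/targets': '2542e052-f7dc-11ee-a951-0242ac120002,snyk/snyk-goof',
  'snyk.io/project-ids': '32c99fc2-f7dc-11ee-a951-0242ac120002,38ee92fe-f7dc-11ee-a951-0242ac120002',
};

console.log(JSON.stringify(parseSnykAnnotations(exampleAnnotations), null, 2));
```

For the example annotations this yields one organization, two targets (of which snyk/snyk-goof is a display name that needs a lookup) and two project IDs; adding snyk.io/exclude-project-ids removes the matching project from the resolved list.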

License

© 2024 Snyk Limited and its affiliates. All rights reserved. This is proprietary source code of Snyk Limited and its affiliates.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package last updated on 24 Jul 2024
