Integrate Effective Vulnerability Exposure with Snyk

Integration with Snyk Overview

Snyk.io vulnerability management workflow can consume runtime EVE information to filter and prioritize detected vulnerabilities, following a similar approach to the one described above.

To integrate Sysdig EVE information with Snyk vulnerability management workflows:

  • Have an account and working license to use both products: Snyk, Sysdig Secure
  • Instrument the target runtime nodes using both products: Snyk, Sysdig Secure
  • Have your Sysdig commercial contact explicitly enable Sysdig EVE for your Sysdig account. In particular, your account needs the feature flags for:
    • Image Profiling
    • Scanning v2 EVE
    • Scanning v2 EVE integration

Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components already installed on your infrastructure.

Installation Instructions

Snyk Installed, Sysdig Not Installed

  1. Note the namespace you are currently using to run the Snyk instrumentation. Default: snyk-monitor. You will need it to copy the secret in the last step.

  2. Use the sysdig-deploy helm chart to install the Sysdig agent bundle. Provide the mandatory parameters and enable the eve and eveConnector parameters.

    Example:

     helm install --namespace sysdig-agent sysdig-agent \
     ....other parameters...
      --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
      --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
      --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
      sysdig/sysdig-deploy
    
  3. Make sure the Sysdig agent images, RuntimeScanner, and EveConnector pods are running and healthy:

    kubectl -n sysdig-agent get po

    NAME                                             READY   STATUS    RESTARTS   AGE
    sysdig-agent-8rmkt                               1/1     Running   0          24s
    sysdig-agent-eveconnector-api-74767bbf54-lw97g   1/1     Running   0          23s
    sysdig-agent-hprw7                               1/1     Running   0          24s
    sysdig-agent-jrx2q                               1/1     Running   0          24s
    sysdig-agent-node-analyzer-5hltb                 4/4     Running   0          24s
    sysdig-agent-node-analyzer-b5ftm                 4/4     Running   0          24s
    sysdig-agent-node-analyzer-cd8rc                 4/4     Running   0          24s
    
  4. Copy the Sysdig Secret into the Snyk namespace.

    Data can take up to an hour to initialize and start sending the initial profiles, then you should be able to leverage EVE data using Snyk vulnerability management workflows.

Sysdig Installed without EVE, Snyk Not Installed

If you already installed the Sysdig agent using the helm chart without enabling eve and the eveConnector parameters, do the following:

  1. Install Snyk instrumentation following its documentation.

  2. Upgrade the sysdig-deploy helm chart with the required eve settings:

    helm upgrade sysdig-agent \
      --namespace sysdig-agent \
      --reuse-values \
      --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
      --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
      --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
      sysdig/sysdig-deploy
    

No Sysdig, No Snyk

  1. Install the Sysdig agent bundle using the official helm chart, and including the steps and parameters from the first installation scenario.
  2. Install Snyk instrumentation following its documentation.
  3. Copy the Sysdig Secret into the Snyk namespace.

Copy the Sysdig Secret

Once both Sysdig and Snyk instrumentation are deployed and healthy, you need to copy the secret that was automatically generated in the Sysdig namespace to the Snyk namespace:

Assuming the default namespace names for Sysdig (sysdig-agent) and Snyk (snyk-monitor), replace with your specific values:

kubectl get secret -n sysdig-agent sysdig-eve-secret -o json | jq '{ "apiVersion": .apiVersion, "kind": .kind, "type": .type, "metadata": { "name": .metadata.name }, "data": .data }' | kubectl apply -n snyk-monitor -f -

Check Integration in Snyk UI

Check to confirm that runtime vulnerabilities are detected and prioritized in the Snyk UI: