Integrate Effective Vulnerability Exposure with Snyk
Integration with Snyk Overview
Snyk.io vulnerability management workflow can consume runtime EVE information to filter and prioritize detected vulnerabilities, following a similar approach to the one described in Risk Spotlight Integrations.
To integrate Sysdig EVE information with Snyk vulnerability management workflows:
- Have an account and working license to use both products: Snyk, Sysdig Secure
- Instrument the target runtime nodes using both products: Snyk, Sysdig Secure
- Have your Sysdig commercial contact explicitly enable Sysdig EVE for your Sysdig account. In particular, your account needs the feature flags for:
- Image Profiling
- Scanning v2 EVE
- Scanning v2 EVE integration
Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components already installed on your infrastructure.
Installation Instructions
Snyk Installed, Sysdig Not Installed
Note the namespace you are currently using to run the Snyk instrumentation. Default:
snyk-monitor. You will need it to copy the secret in the last step.Use the sysdig-deploy helm chart to install the Sysdig agent bundle. Provide the mandatory parameters and enable the
eveandeveConnectorparameters.Example:
helm install --namespace sysdig-agent sysdig-agent \ ....other parameters... --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \ --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \ --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \ sysdig/sysdig-deployMake sure the Sysdig agent images, RuntimeScanner, and EveConnector pods are running and healthy:
kubectl -n sysdig-agent get poNAME READY STATUS RESTARTS AGE sysdig-agent-8rmkt 1/1 Running 0 24s sysdig-agent-eveconnector-api-74767bbf54-lw97g 1/1 Running 0 23s sysdig-agent-hprw7 1/1 Running 0 24s sysdig-agent-jrx2q 1/1 Running 0 24s sysdig-agent-node-analyzer-5hltb 4/4 Running 0 24s sysdig-agent-node-analyzer-b5ftm 4/4 Running 0 24s sysdig-agent-node-analyzer-cd8rc 4/4 Running 0 24sCopy the Sysdig Secret into the Snyk namespace.
Data can take up to an hour to initialize and start sending the initial profiles, then you should be able to leverage EVE data using Snyk vulnerability management workflows.
Sysdig Installed without EVE, Snyk Not Installed
If you already installed the Sysdig agent using the helm chart without enabling eve and the eveConnector parameters, do the following:
Install Snyk instrumentation following its documentation.
Upgrade the sysdig-deploy helm chart with the required eve settings:
helm upgrade sysdig-agent \ --namespace sysdig-agent \ --reuse-values \ --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \ --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \ --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \ sysdig/sysdig-deploy
No Sysdig, No Snyk
- Install the Sysdig agent bundle using the official helm chart, and including the steps and parameters from the first installation scenario.
- Install Snyk instrumentation following its documentation.
- Copy the Sysdig Secret into the Snyk namespace.
Copy the Sysdig Secret
Once both Sysdig and Snyk instrumentation are deployed and healthy, you need to copy the secret that was automatically generated in the Sysdig namespace to the Snyk namespace:
Assuming the default namespace names for Sysdig (sysdig-agent) and Snyk (snyk-monitor), replace with your specific values:
kubectl get secret -n sysdig-agent sysdig-eve-secret -o json | jq '{ "apiVersion": .apiVersion, "kind": .kind, "type": .type, "metadata": { "name": .metadata.name }, "data": .data }' | kubectl apply -n snyk-monitor -f -
Check Integration in Snyk UI
Check to confirm that runtime vulnerabilities are detected and prioritized in the Snyk UI:
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.