
Integrate Effective Vulnerability Exposure with Snyk

    Integration with Snyk Overview

    The Snyk.io vulnerability management workflow can consume runtime EVE information to filter and prioritize detected vulnerabilities, following an approach similar to the one described in Risk Spotlight Integrations.

    To integrate Sysdig EVE information with Snyk vulnerability management workflows:

    • Have an account and working license to use both products: Snyk, Sysdig Secure
    • Instrument the target runtime nodes using both products: Snyk, Sysdig Secure
    • Have your Sysdig commercial contact explicitly enable Sysdig EVE for your Sysdig account. In particular, your account needs the feature flags for:
      • Image Profiling
      • Scanning v2 EVE
      • Scanning v2 EVE integration

    Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components already installed on your infrastructure.

    Installation Instructions

    Snyk Installed, Sysdig Not Installed

    1. Note the namespace you are currently using to run the Snyk instrumentation. Default: snyk-monitor. You will need it to copy the secret in the last step.

    2. Use the sysdig-deploy helm chart to install the Sysdig agent bundle. Provide the mandatory parameters and enable the eve and eveConnector parameters.

      Example:

       helm install --namespace sysdig-agent sysdig-agent \
         ....other parameters... \
         --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
         --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
         --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
         sysdig/sysdig-deploy
      
    3. Make sure the Sysdig agent images, RuntimeScanner, and EveConnector pods are running and healthy:

      kubectl -n sysdig-agent get po

      NAME                                             READY   STATUS    RESTARTS   AGE
      sysdig-agent-8rmkt                               1/1     Running   0          24s
      sysdig-agent-eveconnector-api-74767bbf54-lw97g   1/1     Running   0          23s
      sysdig-agent-hprw7                               1/1     Running   0          24s
      sysdig-agent-jrx2q                               1/1     Running   0          24s
      sysdig-agent-node-analyzer-5hltb                 4/4     Running   0          24s
      sysdig-agent-node-analyzer-b5ftm                 4/4     Running   0          24s
      sysdig-agent-node-analyzer-cd8rc                 4/4     Running   0          24s
      
    4. Copy the Sysdig Secret into the Snyk namespace.

      Data can take up to an hour to initialize and start sending the initial profiles; after that, EVE data is available in Snyk vulnerability management workflows.

    Sysdig Installed without EVE, Snyk Not Installed

    If you already installed the Sysdig agent using the helm chart without enabling the eve and eveConnector parameters, do the following:

    1. Install Snyk instrumentation following its documentation.

    2. Upgrade the sysdig-deploy helm chart with the required eve settings:

      helm upgrade sysdig-agent \
        --namespace sysdig-agent \
        --reuse-values \
        --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
        --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
        --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
        sysdig/sysdig-deploy
      

    No Sysdig, No Snyk

    1. Install the Sysdig agent bundle using the official helm chart, including the steps and parameters from the first installation scenario.
    2. Install Snyk instrumentation following its documentation.
    3. Copy the Sysdig Secret into the Snyk namespace.

    Copy the Sysdig Secret

    Once both Sysdig and Snyk instrumentation are deployed and healthy, you need to copy the secret that was automatically generated in the Sysdig namespace to the Snyk namespace:

    The command below assumes the default namespace names for Sysdig (sysdig-agent) and Snyk (snyk-monitor); replace them with your own values:

    kubectl get secret -n sysdig-agent sysdig-eve-secret -o json \
      | jq '{ "apiVersion": .apiVersion, "kind": .kind, "type": .type, "metadata": { "name": .metadata.name }, "data": .data }' \
      | kubectl apply -n snyk-monitor -f -
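    The jq filter above matters because a Secret read back with `-o json` carries namespace-bound metadata (namespace, uid, resourceVersion, ownerReferences, managedFields) that must not travel with the copy. The helper below is an added example, not Sysdig's or Snyk's code: it performs the same field selection on the JSON, and also parses the `kubectl get po` listing from step 3 so you can gate the copy on every pod being Running and fully ready. The pod listing and secret contents are constructed sample data.

    ```python
    import base64


    def portable_secret(secret: dict) -> dict:
        """Keep only what the page's jq filter keeps, so the object can be
        applied in another namespace without dragging along uid, namespace,
        resourceVersion or ownerReferences from the source namespace."""
        if secret.get("kind") != "Secret":
            raise ValueError("expected a Secret, got %r" % secret.get("kind"))
        return {
            "apiVersion": secret["apiVersion"],
            "kind": secret["kind"],
            "type": secret["type"],
            "metadata": {"name": secret["metadata"]["name"]},
            "data": secret["data"],
        }


    def unready_pods(kubectl_get_po: str) -> list:
        """Names of pods that are not Running with all containers ready,
        parsed from the plain-text output of `kubectl get po`."""
        bad = []
        for line in kubectl_get_po.strip().splitlines()[1:]:  # skip header row
            name, ready, status = line.split()[:3]
            up, total = ready.split("/")
            if status != "Running" or up != total:
                bad.append(name)
        return bad


    # Constructed sample secret: the token value is a placeholder, not a real credential.
    SAMPLE_SECRET = {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {
            "name": "sysdig-eve-secret",
            "namespace": "sysdig-agent",
            "uid": "00000000-0000-0000-0000-000000000000",  # placeholder
            "resourceVersion": "12345",
            "ownerReferences": [{"kind": "Deployment", "name": "sysdig-agent-eveconnector-api"}],
        },
        "data": {"token": base64.b64encode(b"PLACEHOLDER").decode()},
    }

    # Constructed pod listing: one eveconnector pod still starting up.
    SAMPLE_PODS = """NAME                                             READY   STATUS              RESTARTS   AGE
    sysdig-agent-8rmkt                               1/1     Running             0          24s
    sysdig-agent-eveconnector-api-74767bbf54-lw97g   0/1     ContainerCreating   0          5s
    sysdig-agent-node-analyzer-5hltb                 4/4     Running             0          24s
    """
    ```
    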
    

    Check Integration in Snyk UI

    Check to confirm that runtime vulnerabilities are detected and prioritized in the Snyk UI: