Integrate Sysdig Risk Spotlight with Snyk

Snyk.io vulnerability management workflow can consume Runtime Insights information to filter and prioritize detected vulnerabilities, following a similar approach as Risk Spotlight Integrations.

To integrate Sysdig Risk Spotlight information with Snyk vulnerability management workflows:

  • Have an account and working license to use both products: Snyk, Sysdig Secure.
  • Instrument the target runtime nodes using both products: Snyk, Sysdig Secure.
  • Contact Sysdig Support to explicitly enable Risk Spotlight in the backend for your Sysdig account.

Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components installed on your infrastructure.

Installation Instructions

Snyk Installed, Sysdig Not Installed

  1. Note the namespace you are currently using to run the Snyk instrumentation. Default: snyk-monitor. You will need it to copy the secret in the last step.

  2. Use the sysdig-deploy helm chart to install the Sysdig agent bundle. Provide the mandatory parameters and enable the eve and eveConnector parameters.

    Example:

     helm install --namespace sysdig-agent sysdig-agent \
 ....other parameters...
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
  sysdig/sysdig-deploy

  3. Make sure the Sysdig agent images, RuntimeScanner, and EveConnector pods are running and healthy:

    kubectl -n sysdig-agent get po

    NAME                                             READY   STATUS    RESTARTS   AGE
sysdig-agent-8rmkt                               1/1     Running   0          24s
sysdig-agent-eveconnector-api-74767bbf54-lw97g   1/1     Running   0          23s
sysdig-agent-hprw7                               1/1     Running   0          24s
sysdig-agent-jrx2q                               1/1     Running   0          24s
sysdig-agent-node-analyzer-5hltb                 4/4     Running   0          24s
sysdig-agent-node-analyzer-b5ftm                 4/4     Running   0          24s
sysdig-agent-node-analyzer-cd8rc                 4/4     Running   0          24s

  4. Copy the Sysdig Secret into the Snyk namespace.

    Data can take up to an hour to initialize and start sending the initial profiles, then you should be able to leverage EVE data using Snyk vulnerability management workflows.

Sysdig Installed without EVE, Snyk Not Installed

If you already installed the Sysdig agent using the helm chart without enabling eve and the eveConnector parameters, do the following:

  1. Install Snyk instrumentation following its documentation.

  2. Upgrade the sysdig-deploy helm chart with the required eve settings:

    helm upgrade sysdig-agent \
  --namespace sysdig-agent \
  --reuse-values \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.eveConnector.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
  sysdig/sysdig-deploy

No Sysdig, No Snyk

  1. Install the Sysdig agent bundle using the official helm chart, and including the steps and parameters from the first installation scenario.
  2. Install Snyk instrumentation following its documentation.
  3. Copy the Sysdig Secret into the Snyk namespace.

Copy the Sysdig Secret

After both Sysdig and Snyk instrumentation are deployed and healthy, you need to copy the secret that was automatically generated in the Sysdig namespace to the Snyk namespace:

Assuming the default namespace names for Sysdig (sysdig-agent) and Snyk (snyk-monitor), replace with your specific values:

kubectl get secret -n sysdig-agent sysdig-eve-secret -o json | jq '{ "apiVersion": .apiVersion, "kind": .kind, "type": .type, "metadata": { "name": .metadata.name }, "data": .data }' | kubectl apply -n snyk-monitor -f -

Check Integration in Snyk UI

Check to confirm that runtime vulnerabilities are detected and prioritized in the Snyk UI: