Integrate Sysdig Risk Spotlight with Snyk

Snyk.io vulnerability management workflow can consume Runtime Insights information to filter and prioritize detected vulnerabilities, following a similar approach as Risk Spotlight Integrations.

To integrate Sysdig Risk Spotlight information with Snyk vulnerability management workflows:

Have an account and working license to use both products: Snyk, Sysdig Secure.
Instrument the target runtime nodes using both products: Snyk, Sysdig Secure.
Contact Sysdig Support to explicitly enable Risk Spotlight in the backend for your Sysdig account.

Both Snyk and Sysdig instrumentation must be in place. Choose the installation path below that corresponds to the components installed on your infrastructure.

Installation Instructions

Snyk Installed, Sysdig Not Installed

Note the namespace you are currently using to run the Snyk instrumentation. Default: snyk-monitor.

Install Sysdig agent bundle sysdig-deploy adding the eveEnabled parameter to the helm chart.

Example:

 helm install --namespace sysdig-agent sysdig-agent \
 ....other parameters...
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
  sysdig/sysdig-deploy

Make sure the Sysdig agent images and RuntimeScanner pods are running and healthy:

kubectl -n sysdig-agent get po

NAME                                             READY   STATUS    RESTARTS   AGE
sysdig-agent-8rmkt                               1/1     Running   0          24s
sysdig-agent-hprw7                               1/1     Running   0          24s
sysdig-agent-jrx2q                               1/1     Running   0          24s
sysdig-agent-node-analyzer-5hltb                 4/4     Running   0          24s
sysdig-agent-node-analyzer-b5ftm                 4/4     Running   0          24s
sysdig-agent-node-analyzer-cd8rc                 4/4     Running   0          24s

Update your Snyk monitor installation with Sysdig Risk Spotlight API Token and endpoint following Snyk instructions.

Sysdig Installed without EVE, Snyk Not Installed

If you already installed the Sysdig agent using the helm chart without enabling eve parameter, do the following:

Install Snyk instrumentation following its documentation.

Upgrade the sysdig-deploy helm chart with the required eve settings:

helm upgrade sysdig-agent \
  --namespace sysdig-agent \
  --reuse-values \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.deploy=true \
  --set nodeAnalyzer.nodeAnalyzer.runtimeScanner.settings.eveEnabled=true \
  sysdig/sysdig-deploy

No Sysdig, No Snyk

Install the Sysdig agent bundle using the official helm chart, and including the steps and parameters from the first installation scenario.
Install Snyk instrumentation following its documentation.

Check Integration in Snyk UI

Check to confirm that runtime vulnerabilities are detected and prioritized in the Snyk UI:

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.