Resources
Blog

Integrate Snyk Scan Results with OpsLevel's Service Catalog

Integrate Snyk Scan Results with OpsLevel's Service Catalog
John Laban
|
October 21, 2021
Integrate Snyk Scan Results with OpsLevel's Service Catalog

Snyk is rapidly becoming the de facto standard for businesses that want to build security into their continuous software development processes. And with their developer-first tooling and best-in-class security intelligence, it’s no surprise.

From open source and containers to your application code and infrastructure-as-code, Snyk has solutions for finding (and often fixing) security vulnerabilities across your stack. In any context, the insights surfaced by Snyk are valuable, whether critical vulnerabilities are found or not (we think the peace of mind resulting from no vulnerabilities detected is fantastic).

Microservice Complexity

But a reoccurring challenge in a microservices context is connecting the dots so that the correct service owners can quickly review (and act on) Snyk scan results. Shipping quality, secure services is always the goal, but amidst so many operational concerns, vulnerabilities can fall through the cracks.

Plus, platform, security, or SRE teams that are focused on security posture and best practices often struggle to assess the overall state of their architecture. With thousands of scans and hundreds of services, how can they easily identify which services and teams are out of compliance and falling behind?

Using Snyk scan results and OpsLevel checks together overcomes these challenges.

Snyk + OpsLevel

Combining these two solutions unlocks many benefits:

  • It’s clear if a service isn’t being scanned as expected
  • Check writers (e.g. platform or SRE teams) have fine-grained controls for evaluating scan results
  • Automatic reporting on which services and teams are out of compliance
  • Service owners never lose sight of their scan results (and know how urgently they need to address any open vulnerabilities)

And, for all users, reviewing scan results becomes easier and more meaningful thanks to the complete context provided by OpsLevel’s service catalog.

Mapping Vulns to Services

In order to integrate Snyk with OpsLevel, follow our documentation here. It uses OpsLevel’s extensible Custom Event Check framework to receive JSON payloads. To send the scan result JSON payloads, we recommend using Snyk’s CLI tool. An example script can be found in our docs.

Scan results are mapped to services by setting up a check. OpsLevel provides Snyk-specific templates (e.g. No Critical Vulns or Less than 5 Low Vulns) that you can use as a starting point.

You can also write your own with jq–for payload parsing and pass/fail logic–and Markdown plus Liquid–for formatting and templating of result messages.

Education and Prioritization

All checks in OpsLevel come with a natural place for check writers to explicitly educate service owners on what steps to take in order to pass a check, as well as explain why a particular check matters in the first place.

Incorporating Snyk scan results into OpsLevel’s Service Maturity model also makes prioritization clear for service owners. In addition to using the result message and notes sections of a check to give complete context, check writers can use the filters and levels in OpsLevel’s rubric to create a targeted, graduated approach to shipping more secure and mature services.

A service owner's view of their scan results, with more than 3 medium vulnerabilities
A service owner's view of their scan results, with more than 3 medium vulnerabilities


For example, the presence of high vulnerabilities in scan results may be a show-stopper for any customer-facing services, but much less concerning for internal-only services. Distinctions like this are quickly encoded in OpsLevel and then easily reviewed by service owners, so their time is always spent on the right operational or security tasks.

Automated Reporting

Individual check results guide service owners to the appropriate next steps for improving and securing their services. In aggregate, they can inform key stakeholders–platform teams or engineering management–on their organization’s current security posture.

Answering questions like which part of my application is most at risk? or what team is falling behind? is straightforward with OpsLevel’s check reports.

A top down view of all the relevant services' status for this check
A top down view of all the relevant services' status for this check: 1 passing, 1 failing, and 1 with no scan results.

Try OpsLevel + Snyk

If you’re already using Snyk, you’re on the right track towards shipping more secure services. If you haven’t tried Snyk, you can start using it for free. Then accelerate your security journey by embedding your scan results into a comprehensive service catalog. Request your OpsLevel demo today.

SICK OF THE SAME OLD SHEET

More resources

The Pain of Backstage Upgrades
Blog
The Pain of Backstage Upgrades

Internal Developer Portals (IDPs) have become essential for engineering teams striving to deliver high-quality software quickly and efficiently. While Backstage, the open-source framework to build an IDP, from Spotify, is a popular choice for organizations building their own developer portals, it often comes with hidden costs and challenges that aren’t immediately apparent. At OpsLevel, we’ve experienced these pain points firsthand—and we’ve built a solution that lets teams focus on value instead of maintenance.

Read more
OpsLevel CEO John Laban Discusses Platform Complexity and the Future of DevOps on theCUBE
Blog
OpsLevel CEO John Laban Discusses Platform Complexity and the Future of DevOps on theCUBE

TheCUBE recently hosted John Laban, CEO and Co-Founder of OpsLevel, in their latest Media Day event at the New York Stock Exchange. Sitting down with theCUBE’s John Furrier, Laban offered insights into OpsLevel’s mission to simplify the increasing complexity within modern software architecture, shared his journey from Amazon and PagerDuty to founding OpsLevel, and explored the challenges faced by today’s software engineers and platform teams.

Read more
How To Maximize Engineering Efficiency with an Internal Developer Portal
Blog
How To Maximize Engineering Efficiency with an Internal Developer Portal

When it comes to a competitive edge, speed and efficiency are everything. The quicker engineering teams can ship reliable, high-quality features, the more value they bring to the business. An internal developer portal (IDP) is a critical enabler in making this possible. By centralizing tools, resources, and processes, an IDP enhances workflows, streamlines collaboration, and empowers developers to be more autonomous.

Read more
Product
Software catalogMaturityIntegrationsSelf-serviceExtensibilityBook a meeting
Company
About usCareersContact usCustomersPartnersSecurity
Resources
DocsEventsBlogPricingDemoGuide to Internal Developer PortalsGuide to Production Readiness
Subscribe
Join our newsletter to stay up to date on features and releases.
By subscribing you agree to with our Privacy Policy and provide consent to receive updates from our company.
SOC 2AICPA SOC
© 2024 J/K Labs Inc. All rights reserved.
Terms of Use
Privacy Policy
Responsible Disclosure
By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Data Processing Agreement for more information.
Okay!