From 772ecae340941bf627d56ced858d1757d03ad395 Mon Sep 17 00:00:00 2001 From: balaakasam Date: Sun, 12 Apr 2026 16:39:50 -0400 Subject: [PATCH 1/2] [docs] Improve Snyk parser documentation with export instructions and enterprise workflow --- .../supported_tools/parsers/file/snyk.md | 111 +++++++++++++++++- 1 file changed, 107 insertions(+), 4 deletions(-) diff --git a/docs/content/supported_tools/parsers/file/snyk.md b/docs/content/supported_tools/parsers/file/snyk.md index 717cf64323b..b1bed25e229 100644 --- a/docs/content/supported_tools/parsers/file/snyk.md +++ b/docs/content/supported_tools/parsers/file/snyk.md 
@@ -2,16 +2,119 @@ title: "Snyk" toc_hide: true --- -Snyk output file (snyk test \--json \> snyk.json) can be imported in -JSON format. Only SCA (Software Composition Analysis) report is supported (SAST report not supported yet). + +Snyk output file can be imported in JSON format. Snyk is a developer-first +security platform that identifies vulnerabilities in open source dependencies +(SCA) and application code (SAST). DefectDojo currently supports the SCA +report format via the Snyk parser. For SAST findings, use the +[Snyk Code](snyk_code.md) parser instead. ### Sample Scan Data + Sample Snyk scans can be found [here](https://github.com/DefectDojo/django-DefectDojo/tree/master/unittests/scans/snyk). -### Default Deduplication Hashcode Fields -By default, DefectDojo identifies duplicate Findings using these [hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/): +--- + +## Supported Report Types + +| Report Type | Supported | Parser | +|---|---|---| +| Snyk SCA (Open Source) | ✅ Yes | Snyk | +| Snyk SAST (Code) | ✅ Yes | Snyk Code | +| Snyk Issue API | ✅ Yes | Snyk Issue API | + +This page covers the **Snyk SCA (Open Source)** parser only. + +--- + +## How to Export from Snyk + +### Option 1 — Snyk Web UI (Recommended for Enterprise Use) + +1. Log in to your Snyk account at **app.snyk.io** +2. Navigate to your **Organization** and select the **Project** you want + to export +3. Click on the project to open the vulnerability list +4. Click the **Export** button at the top right of the findings list +5. Select **JSON** as the export format +6. 
Save the exported file + +### Option 2 — Snyk CLI + +If you prefer to export via the command line: + +```bash +snyk test --json > snyk.json +``` + +For monorepos or projects with multiple package managers, scan all +projects at once: + +```bash +snyk test --all-projects --json > snyk.json +``` + +For specific package managers: + +```bash +# For npm projects +snyk test --json --file=package.json > snyk.json + +# For Maven projects +snyk test --json --file=pom.xml > snyk.json + +# For Python projects +snyk test --json --file=requirements.txt > snyk.json +``` + +Once you have the JSON file, upload it into DefectDojo under your chosen +Engagement using **Import Scan > Snyk Scan**. + +--- + +## Severity Mapping + +Snyk uses its own severity model which maps to DefectDojo as follows: + +| Snyk Severity | DefectDojo Severity | +|---|---| +| Critical | Critical | +| High | High | +| Medium | Medium | +| Low | Low | + +--- + +## Recommended Workflow for Enterprise Use + +For teams running Snyk across multiple applications and repositories: + +1. **Use Reimport** (not Import) for recurring scans on the same target + to track finding status over time rather than creating duplicate records +2. **Export at the project level** rather than the organization level + to maintain clean engagement boundaries in DefectDojo +3. **Set SLA thresholds** in DefectDojo aligned to Snyk severity levels + so that Critical and High findings trigger appropriate remediation + timelines automatically +4. 
**Use Snyk's CI/CD integration** to export JSON automatically as part + of your pipeline and feed results into DefectDojo via the API for + continuous vulnerability tracking + +--- + +## Default Deduplication Hashcode Fields + +By default, DefectDojo identifies duplicate Findings using these +[hashcode fields](https://docs.defectdojo.com/en/working_with_findings/finding_deduplication/about_deduplication/): - vuln id from tool - file path - component name - component version + +### Note on Deduplication + +Snyk can report the same vulnerability across multiple projects or +package versions. When importing findings from multiple Snyk projects +into the same DefectDojo product, review your deduplication settings +to avoid over-counting the same underlying vulnerability. From dd6fcf8153505894ddbdbe114e89484a8fd08236 Mon Sep 17 00:00:00 2001 From: Paul Osinski Date: Fri, 8 May 2026 10:18:32 -0400 Subject: [PATCH 2/2] docs(snyk): fix broken internal link to Snyk Code parser Hugo's Goldmark renderer doesn't rewrite .md links, so `[Snyk Code](snyk_code.md)` rendered as a literal href that pointed inside the snyk/ output directory and failed lychee's internal-link check. Use a relative URL to the sibling page, matching the convention already used elsewhere (e.g. netsparker -> ../invicti). Co-Authored-By: Claude Opus 4.7 (1M context) --- docs/content/supported_tools/parsers/file/snyk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/supported_tools/parsers/file/snyk.md b/docs/content/supported_tools/parsers/file/snyk.md index b1bed25e229..07e128f3fab 100644 --- a/docs/content/supported_tools/parsers/file/snyk.md +++ b/docs/content/supported_tools/parsers/file/snyk.md 
@@ -7,7 +7,7 @@ Snyk output file can be imported in JSON format. Snyk is a developer-first security platform that identifies vulnerabilities in open source dependencies (SCA) and application code (SAST). DefectDojo currently supports the SCA report format via the Snyk parser. For SAST findings, use the -[Snyk Code](snyk_code.md) parser instead. +[Snyk Code](../snyk_code) parser instead. ### Sample Scan Data
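Review bot: in the PATCH 1/2 hunk, "Option 1 — Snyk Web UI (Recommended for Enterprise Use)" recommends a Web UI export as the primary path, yet the input format the parser is documented for, per the removed lines, is the `snyk test --json` CLI output; nothing in the hunk states that the UI's JSON export produces that same schema. Please verify the UI export against the sample files under unittests/scans/snyk that the page links to before recommending it, or reword the section so the CLI output remains the verified format and the UI export is presented as "may work if it matches". Two smaller points in the same hunk: in the "Supported Report Types" table every row reads "✅ Yes", so the Supported column carries no information and a two-column "Report Type | Parser" table would say the same thing; and the Severity Mapping table should state how the parser treats a severity value outside the four listed, if it handles one at all.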
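Review bot: for the PATCH 2/2 hunk, `../snyk_code` fixes the Hugo rendering problem described in the commit message, but the "Supported Report Types" table introduced in PATCH 1/2 still names the Snyk Code and Snyk Issue API parsers as plain text; linking them with the same `../<page>` convention would keep navigation consistent across the page. Since this commit only repairs a link that the previous commit in the series introduced, consider squashing it into PATCH 1/2 so the series has no intermediate state that fails the lychee internal-link check.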