By combining Snyk SAST and Bright DAST, users can more comprehensively validate their Snyk SAST issues. This approach reduces false positives and improves the reliability of vulnerability assessments, providing a more robust and trustworthy experience.

This is how the Snyk integration works:

1. Bright continuously reviews all Snyk SAST issues.
2. The Bright integration identifies a test for each Snyk issue.
3. A list of tests is collected for each project.
4. The Bright app runs selected tests and provides a list of validated issues.
5. Each Bright issue is linked with a corresponding Snyk SAST issue.

📘

Bright supports connecting multiple Snyk instances

You can connect multiple Snyk instances to the same Bright organization.

Prerequisites

• Created a project in Snyk using an Org Admin service account
• Obtained Snyk organization ID and API key (token)

Step-by-step guide

1. Go to the Bright app.

2. In the left pane, select Settings and navigate to the Integrations tab.

   

3. Click next to Snyk, and then select Settings.

   

4. In the Snyk integration config popup, fill in the following:

   1. (Optional): Give the integration a Title representing the name of this Snyk instance.

   2. Enter the Snyk organization ID.

   3. Enter the Snyk organization API key.

   4. (Optional): Choose a minimum default severity which Bright should pull from Snyk.

      

5. Click Connect.

6. The Bright connection to Snyk is enabled.

   

Map Snyk to a Bright project

📘

A dedicated project is required for the Snyk integration

Once a Bright project is linked to Bright, you can only run Snyk validation scans in this project. If you want to run non-Snyk scans, you will need another project.

Pre-requisites

1. Have a Bright project.
2. Run one or more discoveries to have the entrypoints registered to this project.

Step-by-step guide

1. Open the Project settings page of the Bright project you want to link to Snyk, and navigate to the Integrations tab.

   

2. Click on + Add integration.

3. In the dropdown menu, select Snyk and select the Snyk projects/collections you want to associate with this Bright project.

   

4. Click Save.

5. You can customize the minimum severity that Bright will pull from Snyk by clicking on the Choose min severity dropdown.

   1. Minimal severity - select from Critical, High, Medium, Low, None options. For example, when choosing High, you will only get Critical and High severity issues.
   2. Minimal Snyk Score to validate - use this field to filter issues imported to Bright. For example, when selecting 750, you will get only the issues above this score.

   

6. Click Save.

Running a Snyk validation scan

1. Open the Entrypoints page of the relevant Bright project.

2. Select the entrypoints you want to scan and click on Create new scan.

   

3. Fill in the details in the Details tab.

4. Tests will be automatically selected for you based on the Snyk findings.

   

How to review performed tests

To see a list of tests provided by the Snyk project, do the following:

• Open the Scans page → select a scan.

• Click the Configuration tab and scroll down to Tests to run

  

👍

Bright supports integrating projects with specific Snyk branches, expanding beyond just the main project level. Users can view and select all child branches under a project or choose specific branches as needed.

Scan results

After the tests are completed, a scan page will display a list of issues found. To view a brief, point at the i symbol next to the project name:

• SAST vulnerabilities: all vulnerabilities imported from the Snyk SAST project.
• Validated by Bright: number of Snyk vulnerabilities tested by the Bright DAST.
• Bright finding: Snyk vulnerabilities found by the Bright DAST.

To look deeper at the scan results, open the Snyk Vulnerabilities tab. You can filter the results and adjust the table. To open a vulnerability in your Snyk project, click on the title, and a new tab will appear. To open an issue on your Bright project, click on the item in the Bright finding column. Also, note the Repository column, which shows a connected repository on the Snyk side.