Snyk

Snyk integration allows your product to connect with Snyk's vulnerability management platform to retrieve project scan results, vulnerability data, issues, and dependency information. This integration is ideal for centralizing vulnerability visibility, tracking remediation, and automating risk analysis across repositories, containers, and cloud configurations scanned by Snyk. It uses the Snyk REST API and supports organization-level API tokens for authentication.

Credentials Needed

To integrate with Snyk's API, you need the following credentials:

Required credentials:

  • Snyk API Token
  • (Optional) Organization ID (to scope results to a specific Snyk org)

The API token is unique to your Snyk account or service user and should be stored securely. Organization-scoped tokens are recommended for team or automation integrations.

Permissions Needed / API Scopes

Snyk uses token-based authentication, not OAuth scopes. The token inherits the permissions of the user or service account it belongs to.

  • Org Read: required to list organizations and projects
  • Project Read: required to fetch project details and vulnerabilities
  • Issue Read: required to fetch issues and vulnerabilities
  • Integration Read/Write (optional): needed for integrations and automation setup

Minimum Required Permissions: Organization and Project read permissions

Creating Users / Access Tokens

Step 1: Generate a Snyk API Token

  1. Log in to your Snyk Account: https://app.snyk.io
  2. Click on your Profile Avatar → Account Settings
  3. Under the API Token section:
    • Click "Generate" or "Regenerate Token" (if one already exists)
  4. Copy the generated API Token
    • Example: 12345678-abcd-1234-efgh-5678ijklmnop
  5. Store it securely in your platform's secret vault

Step 2 (Optional): Get Organization ID

If you belong to multiple organizations in Snyk, fetch the org list using the API to identify the correct one.

curl -X GET "https://api.snyk.io/v1/orgs" \
-H "Authorization: token <SNYK_API_TOKEN>" \
-H "Content-Type: application/json"

Example Response:

{
  "orgs": [
    {
      "id": "f1a2b3c4-d5e6-7890-1234-abcdef123456",
      "name": "Security Team"
    }
  ]
}

Test Connectivity

You can validate your Snyk credentials by listing your organizations or projects.

Example: List Organizations

curl -X GET "https://api.snyk.io/v1/orgs" \
-H "Authorization: token <SNYK_API_TOKEN>" \
-H "Content-Type: application/json"

Example Response:

{
  "orgs": [
    {
      "id": "abc123",
      "name": "Engineering",
      "slug": "engineering"
    }
  ]
}

Example: List Projects in an Organization

curl -X GET "https://api.snyk.io/v1/org/<ORG_ID>/projects" \
-H "Authorization: token <SNYK_API_TOKEN>" \
-H "Content-Type: application/json"

Example Response:

{
  "projects": [
    {
      "id": "p12345",
      "name": "web-api",
      "type": "npm",
      "origin": "github",
      "created": "2025-10-10T08:45:00.000Z"
    }
  ]
}
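As an added example (not code from this page or from Snyk), a small Python client for the two connectivity checks above: it sends the `Authorization: token` header the curl commands use, surfaces HTTP 401/403 as a credential problem, and retries on HTTP 429 and 5xx. The `transport` hook, `find_org_id` helper and the constructed token are assumptions made so the client can be exercised offline.

```python
import json
import time
import urllib.error
import urllib.request

SNYK_API = "https://api.snyk.io/v1"

class SnykClient:
    """Snyk v1 client: token header, auth failures surfaced, retry on 429/5xx.
    transport(url, headers) -> (status, body, headers) is injectable for offline use."""
    def __init__(self, token, transport=None, max_attempts=4, sleep=time.sleep):
        self.token = token
        self.transport = transport or self._urllib_transport
        self.max_attempts = max_attempts
        self.sleep = sleep

    def auth_headers(self):
        # Snyk v1 expects "Authorization: token <API_TOKEN>" (not "Bearer").
        return {"Authorization": f"token {self.token}", "Content-Type": "application/json"}

    @staticmethod
    def _urllib_transport(url, headers):
        req = urllib.request.Request(url, headers=headers, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, resp.read(), resp.headers
        except urllib.error.HTTPError as err:
            return err.code, err.read(), err.headers

    def get(self, path):
        for attempt in range(1, self.max_attempts + 1):
            status, body, hdrs = self.transport(SNYK_API + path, self.auth_headers())
            if status == 200:
                return json.loads(body)
            if status in (401, 403):
                raise PermissionError(f"token rejected for {path} (HTTP {status})")
            if status == 429 or status >= 500:
                # Rate limited (60 req/min default) or server error: honour Retry-After
                # when sent, otherwise back off 1s, 2s, 4s before trying again.
                self.sleep(float(hdrs.get("Retry-After", 2 ** (attempt - 1))))
                continue
            raise RuntimeError(f"unexpected HTTP {status} from {path}")
        raise RuntimeError(f"gave up on {path} after {self.max_attempts} attempts")

    def list_orgs(self):
        return self.get("/orgs")["orgs"]

    def list_projects(self, org_id):
        return self.get(f"/org/{org_id}/projects")["projects"]

def find_org_id(orgs, name):
    """Id of the org whose display name matches (Step 2 above), or None."""
    return next((o["id"] for o in orgs if o["name"] == name), None)
```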

Save the Results in the Platform and Create Connection

  1. In your product's integration setup, securely store:
    • SNYK_API_TOKEN
    • (Optional) SNYK_ORG_ID
  2. Label the connection as Snyk Integration
  3. Test by fetching organizations or projects from the Snyk API
  4. Once validated, enable workflows such as:
    • Importing vulnerability data from Snyk scans
    • Mapping Snyk projects to your internal assets
    • Correlating open vulnerabilities across environments

Best Practices

  • Use organization-level API tokens for team automation
  • Store tokens securely in a secret vault or encrypted database
  • Rotate tokens every 90 days or per security policy
  • Limit tokens to accounts with read-only roles where possible
  • Handle rate limiting (Snyk API default: 60 requests/minute)
  • Cache project and issue data to minimize API calls
  • Sync Snyk issues periodically (e.g., every 6–12 hours)
  • Use project filters (type, origin, isMonitored) to fetch relevant data efficiently
  • Log failed API calls for troubleshooting

Useful Snyk API Endpoints

  • List orgs: GET /v1/orgs (get organizations for the user)
  • List projects: GET /v1/org/{org_id}/projects (get all Snyk projects)
  • Get project issues: GET /v1/org/{org_id}/project/{project_id}/issues (retrieve issues for a specific project)
  • Project details: GET /v1/org/{org_id}/project/{project_id} (get project metadata)
  • Dependencies: GET /v1/org/{org_id}/project/{project_id}/dependencies (get dependency tree)
  • Test dependency file: POST /v1/test (test a local manifest for vulnerabilities)
  • Delete project: DELETE /v1/org/{org_id}/project/{project_id} (remove project from Snyk)

Official Docs: https://apidocs.snyk.io

Example: Retrieve Vulnerabilities

curl -X GET \
"https://api.snyk.io/v1/org/<ORG_ID>/project/<PROJECT_ID>/issues" \
-H "Authorization: token <SNYK_API_TOKEN>" \
-H "Content-Type: application/json"

Example Response:

{
  "issues": {
    "vulnerabilities": [
      {
        "id": "SNYK-JS-LODASH-567746",
        "title": "Prototype Pollution",
        "severity": "high",
        "package": "lodash",
        "version": "4.17.11",
        "from": ["lodash@4.17.11"],
        "exploitMaturity": "mature"
      }
    ]
  }
}

Example JSON: Create a Unified Vulnerability Record in Your Platform

{
  "tool": "snyk",
  "project": "web-api",
  "package": "lodash",
  "severity": "high",
  "title": "Prototype Pollution",
  "fixAvailable": true,
  "exploitMaturity": "mature",
  "identifier": "SNYK-JS-LODASH-567746",
  "sourceLink": "https://app.snyk.io/org/engineering/project/p12345"
}
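As an added example (not code from this page or from Snyk), the normalization step that turns the `/issues` response above into the unified record, orders it for triage, and correlates the same Snyk id across several projects. The sample response is constructed; the `isUpgradable` / `isPatchable` flags used to derive `fixAvailable` are an assumption, since the page's sample response does not show where that field comes from.

```python
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample in the shape shown on this page (not a live Snyk response);
# isUpgradable / isPatchable are assumed flags that the page's sample omits.
SAMPLE_ISSUES = json.loads("""{"issues": {"vulnerabilities": [
  {"id": "SNYK-JS-LODASH-567746", "title": "Prototype Pollution", "severity": "high",
   "package": "lodash", "version": "4.17.11", "from": ["lodash@4.17.11"],
   "exploitMaturity": "mature", "isUpgradable": true},
  {"id": "SNYK-JS-EXAMPLE-000001", "title": "Example Issue", "severity": "low",
   "package": "example-pkg", "version": "1.0.0", "from": ["web-api@1.0.0", "example-pkg@1.0.0"],
   "exploitMaturity": "no-known-exploit", "isUpgradable": false, "isPatchable": false}
]}}""")

def normalize_issue(issue, project_name, org_slug, project_id):
    """Map one Snyk v1 issue onto the unified record shown above."""
    fix = bool(issue.get("isUpgradable") or issue.get("isPatchable"))
    return {
        "tool": "snyk",
        "project": project_name,
        "package": issue["package"],
        "severity": issue["severity"],
        "title": issue["title"],
        "fixAvailable": fix,
        "exploitMaturity": issue.get("exploitMaturity", "unknown"),
        "identifier": issue["id"],
        "introducedThrough": list(issue.get("from", [])),
        "sourceLink": f"https://app.snyk.io/org/{org_slug}/project/{project_id}",
    }

def normalize_response(payload, project_name, org_slug, project_id):
    """Normalize a whole /issues response and order it for triage."""
    vulns = payload.get("issues", {}).get("vulnerabilities", [])
    records = [normalize_issue(v, project_name, org_slug, project_id) for v in vulns]
    # Highest severity first; among equals, issues with mature exploits first.
    records.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 0),
                                r["exploitMaturity"] == "mature"), reverse=True)
    return records

def correlate(records):
    """Collapse one Snyk id seen in several projects into a single finding."""
    merged = {}
    for r in records:
        m = merged.setdefault(r["identifier"], dict(r, projects=[]))
        if r["project"] not in m["projects"]:
            m["projects"].append(r["project"])
        m["fixAvailable"] = m["fixAvailable"] or r["fixAvailable"]
    return list(merged.values())
```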

Webhook / Automation (Optional)

Snyk supports webhooks that notify your system automatically when new issues are found or projects are updated.

Setup Steps

  1. Go to Snyk Organization Settings → Webhooks
  2. Click Add Webhook
  3. Enter your platform's webhook URL, e.g.: https://yourplatform.com/webhooks/snyk
  4. Select event types such as:
    • project_created
    • project_updated
    • test_completed
    • issue_created
    • issue_updated
  5. Save and test the webhook

Your platform will now receive JSON payloads when new vulnerabilities are detected or project scans are updated.

Example Webhook Payload

{
  "event": "issue_created",
  "org_id": "f1a2b3c4",
  "project_id": "p12345",
  "issue": {
    "id": "SNYK-JS-EXPRESS-12345",
    "title": "Regular Expression Denial of Service (ReDoS)",
    "severity": "medium",
    "package": "express",
    "introducedThrough": ["express@4.17.1"],
    "fixAvailable": true
  }
}
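As an added example (not code from this page or from Snyk), a receiver for the payload above that verifies the delivery before trusting it, rejects malformed bodies, acknowledges event types it does not handle, and turns `issue_*` events into the unified record shape. It assumes Snyk's `X-Hub-Signature` header carrying an HMAC-SHA256 of the raw body under a shared webhook secret, which this page does not describe; the payload and secret are constructed.

```python
import hashlib
import hmac
import json

# Constructed payload in the shape shown on this page (not a real Snyk delivery).
SAMPLE_BODY = json.dumps({
    "event": "issue_created", "org_id": "f1a2b3c4", "project_id": "p12345",
    "issue": {"id": "SNYK-JS-EXPRESS-12345",
              "title": "Regular Expression Denial of Service (ReDoS)",
              "severity": "medium", "package": "express",
              "introducedThrough": ["express@4.17.1"], "fixAvailable": True},
}).encode()

HANDLED_EVENTS = {"project_created", "project_updated", "test_completed",
                  "issue_created", "issue_updated"}

def sign(secret, body):
    """HMAC-SHA256 of the raw body in the 'sha256=<hex>' form used by the
    X-Hub-Signature header (assumed scheme; the page does not describe signing)."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def verify_signature(secret, body, header_value):
    """Constant-time check; a missing or malformed header is a failure."""
    if not header_value or not header_value.startswith("sha256="):
        return False
    return hmac.compare_digest(sign(secret, body), header_value)

def handle_webhook(secret, body, header_value):
    """Verify, parse and route one delivery. Returns (http_status, result)."""
    if not verify_signature(secret, body, header_value):
        return 401, None                      # unsigned or tampered: drop it
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, None
    event = payload.get("event")
    if event not in HANDLED_EVENTS:
        return 202, {"ignored": event}        # acknowledged but not processed
    if event.startswith("issue_"):
        issue = payload["issue"]
        return 200, {                         # same shape as the unified record above
            "tool": "snyk",
            "identifier": issue["id"],
            "title": issue["title"],
            "severity": issue["severity"],
            "package": issue["package"],
            "project_id": payload["project_id"],
            "fixAvailable": bool(issue.get("fixAvailable", False)),
        }
    return 200, {"event": event, "project_id": payload.get("project_id")}
```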