Snyk Code Upload Results To Dashboard like Monitor


I'm trying to run Snyk on bitbucket pipeline. I'm running the pipes for composer and npm and things are working but I also want to run it for static code analysis. None of the documentation shows how this is possible. I have tried installing snyk with NPM followed by running

snyk auth TOKEN
snyk code test
snyk monitor

but the static code analysis doesn't show up on the Snyk dashboard. Looking for commands or documentation to run static code analysis through the Bitbucket pipeline.

3

There are 3 best solutions below

0

According to their own documentation this is the config:

...
- pipe: snyk/snyk-scan:0.4.6
  variables:
    SNYK_TOKEN: "token"
    LANGUAGE: "composer"
    DONT_BREAK_BUILD: "True"
    DEBUG: "True"

0

Unfortunately, the monitor command which creates a project in your Snyk account to be continuously monitored is not yet available for Snyk Code (SAST).

The good news is it will soon be available, as this is currently in closed beta, with some of our customers chosen as Beta Testers testing its capabilities.

The command will look like this: snyk code test --report, and it will allow you to create a project (meaning sending the report) in your Snyk Organisation.

We will update you as soon as the command is available.

0

Once you have done the auth using

snyk auth $TOKEN

Run the command below to run the Snyk scan and publish the result to your Snyk dashboard. It will create a project if it does not exist already:

snyk code monitor --all-projects --org=$ORG_ID --report

This will create a monitor/snyk scan report on Snyk dashboard for which you can later choose the automated frequency of the snyk scan.

If you just want to run the Snyk scan but don't want to publish on the Snyk dashboard, use the command below:

snyk code test --all-projects --org=$ORG_ID --report

And if you want JSON output of the scan results, just add "--json".

Ref: Snyk CLI Help Doc
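The answers above give the individual CLI commands; wiring them into a Bitbucket step looks like the following. This is an added example, not configuration from the question or any answer, and it assumes SNYK_TOKEN and ORG_ID are defined as secured repository variables and that the node:18 image is acceptable for installing the CLI with npm.

```yaml
# Added example: a Bitbucket Pipelines step that runs Snyk Code (SAST)
# alongside the snyk-scan pipe shown in the first answer, which only
# covers the composer/npm dependency scan.
pipelines:
  default:
    - step:
        name: Snyk Code (SAST)
        image: node:18          # assumed base image; any image with npm works
        script:
          - npm install -g snyk
          # SNYK_TOKEN is an assumed secured repository variable
          - snyk auth "$SNYK_TOKEN"
          # --report publishes the result to the Snyk dashboard (per the answers above);
          # ORG_ID is an assumed repository variable. A non-zero exit (issues found)
          # fails the step, which is the SAST equivalent of DONT_BREAK_BUILD=False.
          - snyk code test --org="$ORG_ID" --report
```

To get a machine-readable copy of the findings as a build artifact, add "--json" and redirect the output to a file listed under the step's "artifacts" key.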