Snyk

Discover security vulnerabilities, dependencies, and projects from Snyk and add them to your SixDegree knowledge graph.

Automatically syncs Snyk data into your knowledge graph:

  • Organizations: Snyk organizations and their settings
  • Projects: Code projects, container images, IaC configurations
  • Vulnerabilities: Security issues with severity ratings (Critical, High, Medium, Low)
  • Dependencies: Package dependencies and their versions
  • License Issues: Open source license compliance issues
  • Container Images: Docker, Alpine (apk), Debian (deb), RHEL (rpm) container scans
  • IaC Resources: Terraform, Kubernetes, Helm, CloudFormation, ARM templates

AI agents can interact with Snyk using these tools:

Core Tools:

  • snyk_list_organizations - List all organizations
  • snyk_list_projects - List projects in an organization
  • snyk_get_project - Get detailed project information including vulnerability counts
  • snyk_search_vulnerabilities - Search for vulnerabilities by severity or package
  • snyk_test_project - Trigger a new security scan
  • snyk_get_remediation - Get fix recommendations for vulnerabilities

Container Security:

  • snyk_scan_container_image - Scan Docker/container images for vulnerabilities
  • snyk_list_container_projects - List all container image projects

Infrastructure as Code:

  • snyk_scan_iac_file - Scan Terraform, Kubernetes, Helm, CloudFormation, ARM templates
  • snyk_list_iac_projects - List all IaC projects (filter by type)

Prerequisites:

  • Snyk account
  • Snyk API token (how to get one is described below)
  • Your Snyk organization ID (how to find it is described below)

Download the latest release for your platform, or build it from source:

Linux (amd64):

curl -LO https://github.com/sixdegree-ai/molecules/releases/latest/download/snyk-linux-amd64
chmod +x snyk-linux-amd64
mv snyk-linux-amd64 /usr/local/bin/snyk-molecule

macOS (Apple Silicon):

curl -LO https://github.com/sixdegree-ai/molecules/releases/latest/download/snyk-darwin-arm64
chmod +x snyk-darwin-arm64
mv snyk-darwin-arm64 /usr/local/bin/snyk-molecule

Writing to /usr/local/bin may need sudo.

Build from source (from a clone of the molecules repository):

cd molecules/snyk
go build -o snyk

Create a configuration file snyk-config.yaml:

discovery:
  enabled: true
  settings:
    token: "YOUR_SNYK_API_TOKEN"
    organizations:
      - org_id: "YOUR_ORG_ID"
        include_issues: true
        severity_filter: ["critical", "high"]
    sync_interval: "1h"

mcp:
  enabled: true
  settings:
    token: "YOUR_SNYK_API_TOKEN"
    default_org_id: "YOUR_ORG_ID"

namespace: "production"

Getting your API token:

  1. Go to Snyk Account Settings
  2. Scroll down to "API Token"
  3. Click "Show" and copy your token
  4. Or generate a new Service Account token for automation (preferred for an unattended sync; give it only the permissions the molecule needs)

Finding your organization ID:

  1. Go to your Snyk Organizations page
  2. Select your organization
  3. Go to Settings
  4. Copy the Organization ID from the General settings page. It is a UUID; the org slug that appears in the settings URL (app.snyk.io/org/{ORG_SLUG}/manage/settings) is a different identifier (see the slug property below)

Discover all Snyk projects and vulnerabilities:

Run a one-off sync:

degree discovery run snyk@1.0.0 --config snyk-config.yaml

Schedule a recurring sync (here every hour):

degree discovery schedule snyk@1.0.0 --config snyk-config.yaml --interval 1h

Preview what would be discovered without writing to the knowledge graph:

degree discovery run snyk@1.0.0 --config snyk-config.yaml --dry-run

Once configured, AI agents can interact with Snyk:

Example conversations:

You: "What critical vulnerabilities do we have in our production projects?"

AI: [Uses snyk_search_vulnerabilities]
"Found 3 critical vulnerabilities:
- Prototype Pollution in lodash@4.17.15
- SQL Injection in mysql@2.18.1
- RCE in express@4.16.4"

You: "How do I fix the lodash vulnerability?"

AI: [Uses snyk_get_remediation]
"Upgrade lodash to version 4.17.21 or higher.
Run: npm install lodash@^4.17.21"

You: "Scan the auth-service project"

AI: [Uses snyk_test_project]
"✅ Security scan initiated for auth-service"

You: "Check our nginx:latest container for vulnerabilities"

AI: [Uses snyk_scan_container_image]
"nginx:latest is already monitored; it has 2 high and 5 medium severity issues"

You: "Scan our Kubernetes deployments for misconfigurations"

AI: [Uses snyk_list_iac_projects]
"Found 5 Kubernetes configs with 1 critical and 3 high severity issues"

Filter by severity:

organizations:
  - org_id: "prod-org"
    severity_filter: ["critical"]                   # Only critical
  - org_id: "dev-org"
    severity_filter: ["critical", "high", "medium"] # All but low

Filter projects by name:

organizations:
  - org_id: "my-org"
    project_pattern: "^production-.*" # Only projects whose name starts with "production-"

Multiple organizations:

organizations:
  - org_id: "frontend-org"
    project_pattern: "^app-.*"
  - org_id: "backend-org"
    project_pattern: "^api-.*"

The Snyk molecule creates these entity types in your knowledge graph:

Snyk organizations with properties:

  • org_id: Organization ID
  • name: Organization name
  • slug: Organization slug

Projects being monitored:

  • project_id: Project ID
  • name: Project name
  • type: Project type (npm, maven, docker, etc.)
  • origin: Where the project is from (github, gitlab, cli, etc.)
  • created: Creation timestamp
  • test_frequency: How often it's tested

Security vulnerabilities:

  • issue_id: Snyk issue ID (e.g., SNYK-JS-LODASH-1234567)
  • title: Vulnerability title
  • severity: critical | high | medium | low
  • cve: CVE identifier (if applicable)
  • cvss_score: CVSS score
  • package_name: Affected package
  • package_version: Affected version
  • is_upgradeable: Can be fixed by upgrading
  • is_patchable: Can be fixed by patching

Package dependencies:

  • package_name: Package name
  • version: Version string
  • ecosystem: npm, maven, pip, etc.
  • license: Package license

License compliance issues:

  • issue_id: Issue ID
  • severity: Severity level
  • license: License type
  • package_name: Package with the issue

Snyk's API has rate limits:

  • REST API: 2000 requests per minute per token
  • Best practice: Set sync_interval to 1h or more for large organizations

Error: 401 Unauthorized

Solution: Check your Snyk API token:

  • Verify token is correct in config
  • Ensure token has not expired
  • Check token has correct permissions

Error: 404 Organization not found

Solution: Verify your organization ID (the UUID from the General settings page, not the org slug) by listing the organizations the token can see:

degree discovery run snyk@1.0.0 --config config.yaml --tool snyk_list_organizations

Error: 429 Too Many Requests

Solution:

  • Increase sync_interval in config
  • Use fewer organizations
  • Use project_pattern to filter projects
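The advice above reduces request volume, but a sync that walks many projects will still hit the per-token limit occasionally and should recover from a 429 rather than fail the run. The following Go program is an added example, not code from the molecule: it pages through GET /rest/orgs on the Snyk REST API with the `Authorization: token …` header and the required `version` parameter, honours Retry-After on 429 with a capped exponential backoff, and runs against a constructed in-process stand-in for api.snyk.io so it executes offline. The retry cap, the backoff schedule, treating links.next as a path relative to the API host, and all organization data are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"time"
)

// Minimal Snyk REST client: pages through GET /rest/orgs and backs off on 429.
// "Authorization: token <API token>" and the mandatory "version" query parameter
// are Snyk REST API conventions; retry cap, backoff schedule and host-relative
// links.next are assumptions made in this example.
type snykClient struct {
	baseURL, token, version string
	client                  *http.Client
	sleep                   func(time.Duration) // injectable so the demo does not block
}
type org struct{ ID, Name string }

// retryAfter honours a numeric Retry-After header, else backs off 1s, 2s, 4s, ...
func retryAfter(header string, attempt int) time.Duration {
	if secs, err := strconv.Atoi(header); err == nil && secs > 0 {
		return time.Duration(secs) * time.Second
	}
	return time.Second << uint(attempt)
}

// listOrgs returns every organization the token can see, re-requesting a page
// up to maxRetries times when the API answers 429 Too Many Requests.
func (c *snykClient) listOrgs(maxRetries int) ([]org, error) {
	var out []org
	next := "/rest/orgs?version=" + c.version + "&limit=100"
	for attempt := 0; next != ""; {
		req, _ := http.NewRequest(http.MethodGet, c.baseURL+next, nil)
		req.Header.Set("Authorization", "token "+c.token)
		resp, err := c.client.Do(req)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode == http.StatusTooManyRequests {
			resp.Body.Close()
			if attempt >= maxRetries {
				return nil, fmt.Errorf("GET %s: still rate limited after %d retries", next, attempt)
			}
			c.sleep(retryAfter(resp.Header.Get("Retry-After"), attempt))
			attempt++
			continue // retry the same page
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("GET %s: HTTP %d (401 = bad token, 404 = wrong org)", next, resp.StatusCode)
		}
		var page struct { // JSON:API page; links.next is empty on the last page
			Data []struct {
				ID         string                             `json:"id"`
				Attributes struct{ Name string `json:"name"` } `json:"attributes"`
			} `json:"data"`
			Links struct{ Next string `json:"next"` } `json:"links"`
		}
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		for _, d := range page.Data {
			out = append(out, org{ID: d.ID, Name: d.Attributes.Name})
		}
		next, attempt = page.Links.Next, 0
	}
	return out, nil
}

// fakeSnyk is a constructed stand-in for api.snyk.io: it throttles the very
// first request (Retry-After: 2), then serves two pages of made-up organizations.
func fakeSnyk() *httptest.Server {
	pages := map[string]string{ // keyed by the starting_after cursor
		"":      `{"data":[{"id":"org-a","attributes":{"name":"frontend-org"}},{"id":"org-b","attributes":{"name":"backend-org"}}],"links":{"next":"/rest/orgs?version=2024-10-15&limit=100&starting_after=org-b"}}`,
		"org-b": `{"data":[{"id":"org-c","attributes":{"name":"prod-org"}}],"links":{}}`,
	}
	calls := 0 // requests arrive sequentially from the single client below
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if calls++; calls == 1 {
			w.Header().Set("Retry-After", "2")
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		fmt.Fprint(w, pages[r.URL.Query().Get("starting_after")])
	}))
}

// runDemo drives the client against the fake server, recording each backoff
// instead of sleeping, and returns the orgs listed plus the waits taken.
func runDemo() ([]org, []time.Duration, error) {
	srv := fakeSnyk()
	defer srv.Close()
	var waits []time.Duration
	c := &snykClient{baseURL: srv.URL, token: "test-token", version: "2024-10-15",
		client: srv.Client(), sleep: func(d time.Duration) { waits = append(waits, d) }}
	orgs, err := c.listOrgs(3)
	return orgs, waits, err
}

func main() { fmt.Println(runDemo()) }
```

Against the fake server the first request is throttled, the client waits the advertised 2 seconds (recorded rather than slept here), and the two pages are then collected into three organizations. The same loop shape applies to the per-organization project and issue endpoints the molecule syncs, which is where the volume that triggers 429 actually comes from.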

Enable debug logs:

SNYK_LOG_LEVEL=debug degree discovery run snyk@1.0.0 --config config.yaml

Or in config:

discovery:
  settings:
    log_level: "debug"

Security notes:

  • API Token: Store your Snyk token securely (use environment variables or secret management)
  • Permissions: Use Service Account tokens with minimal required permissions
  • Read-only: This molecule only reads data from Snyk; the one exception is snyk_test_project, which triggers a scan
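The configuration shown earlier embeds the token in snyk-config.yaml. One way to follow the first two notes above, as an added example that is not part of the molecule: render the file at deploy time from environment variables, validate the values before they land in YAML, and write it readable by its owner only. The SNYK_TOKEN and SNYK_ORG_IDS variable names, the UUID check on the token, the character check on org IDs and the 0600 mode are choices made here; the YAML keys are the ones this page documents.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strings"
)

// Render snyk-config.yaml from environment variables at deploy time so that no
// token-bearing file is ever committed. The YAML keys match this page; the
// variable names, the value checks and the 0600 file mode are choices made here.
var (
	tokenRe  = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`) // Snyk API tokens are UUIDs
	orgIDRe  = regexp.MustCompile(`^[A-Za-z0-9-]+$`)                                               // keeps quotes and newlines out of the YAML
	validSev = map[string]bool{"critical": true, "high": true, "medium": true, "low": true}
)

type orgFilter struct {
	OrgID    string
	Severity []string // severity_filter
	Pattern  string   // project_pattern (optional regex)
}

// renderConfig builds the discovery and mcp sections documented on this page.
func renderConfig(token string, orgs []orgFilter, interval string) (string, error) {
	if !tokenRe.MatchString(strings.ToLower(token)) {
		return "", fmt.Errorf("SNYK_TOKEN does not look like a Snyk API token (UUID)")
	}
	if len(orgs) == 0 {
		return "", fmt.Errorf("at least one organization is required")
	}
	var b strings.Builder
	fmt.Fprintf(&b, "discovery:\n  enabled: true\n  settings:\n    token: %q\n    organizations:\n", token)
	for _, o := range orgs {
		if !orgIDRe.MatchString(o.OrgID) {
			return "", fmt.Errorf("org_id %q contains characters that are unsafe in the config", o.OrgID)
		}
		sev := make([]string, 0, len(o.Severity))
		for _, s := range o.Severity {
			if !validSev[s] {
				return "", fmt.Errorf("unknown severity %q for org %s", s, o.OrgID)
			}
			sev = append(sev, fmt.Sprintf("%q", s))
		}
		fmt.Fprintf(&b, "      - org_id: %q\n        include_issues: true\n        severity_filter: [%s]\n",
			o.OrgID, strings.Join(sev, ", "))
		if o.Pattern != "" {
			if _, err := regexp.Compile(o.Pattern); err != nil { // reject a bad filter before the sync trips over it
				return "", fmt.Errorf("project_pattern for %s: %w", o.OrgID, err)
			}
			fmt.Fprintf(&b, "        project_pattern: %q\n", o.Pattern)
		}
	}
	fmt.Fprintf(&b, "    sync_interval: %q\n\nmcp:\n  enabled: true\n  settings:\n    token: %q\n    default_org_id: %q\n",
		interval, token, orgs[0].OrgID)
	return b.String(), nil
}

// writeConfig writes the file readable by its owner only. The explicit Chmod
// matters: the mode passed to OpenFile (and to os.WriteFile) only applies when
// the file is created, so an existing world-readable config would keep its mode.
func writeConfig(path, yaml string) error {
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return err
	}
	defer f.Close()
	if err := f.Chmod(0o600); err != nil {
		return err
	}
	_, err = f.WriteString(yaml)
	return err
}

// Usage: SNYK_TOKEN=... SNYK_ORG_IDS=<org id>[,<org id>...] go run . [path]
func main() {
	var orgs []orgFilter
	for _, id := range strings.Split(os.Getenv("SNYK_ORG_IDS"), ",") {
		if id = strings.TrimSpace(id); id != "" {
			orgs = append(orgs, orgFilter{OrgID: id, Severity: []string{"critical", "high"}})
		}
	}
	path := "snyk-config.yaml"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	yaml, err := renderConfig(os.Getenv("SNYK_TOKEN"), orgs, "1h")
	if err == nil {
		err = writeConfig(path, yaml)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
}
```

The generated file still holds the token, so it belongs on the host that runs the sync and nowhere else; the gain is that the secret enters through the environment (or the secret manager that populates it) and the file cannot be read by other local users. Rejecting an invalid project_pattern here surfaces a typo at deploy time instead of as a failed scheduled run.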

See CONTRIBUTING.md for development setup and guidelines.

MIT License - see LICENSE