将 snyk 与我的 azure 管道安全问题集成

Question

I am integrating Snyk with my Azure pipeline, but my concerns are:

1- is Snyk take a copy of my source code and save it on their servers, as I am connecting and giving authentication with an API key to my Azure pipeline?

2- what other options to connect Snyk to my Azure pipeline than CI/CD?

3- When I integrate Snyk to the Azure pipeline, and I scan the source code what is going on in the background, does Snyk have access to my source code? do they have a copy of the source code?

Can anyone help with these questions?

Thanks

Answer 1

It depends on what snyk components you are using. with snyk code, yes the code is uploaded to snyk so they can analyze it. This is required for SAST analysis and they detail how long (up to 24 hrs) and how they store your code: https://docs.snyk.io/more-info/how-snyk-handles-your-data

They claim in that they do not use your code for anything else.

So from a purely techincal perspective, by providing your access key, they do have access to your 1st party code in your Azure pipelines. So the question is how much do you trust their terms of service, specifically that they will not use your code beyond SAST. There is no other option that doesn't upload your code, at this time.

However, with snyk oss no code is uploaded to snyk infrastructure, instead a list of vulnerable libraries is downloaded and compared to what you are refrencing so they can do a SCA.