# Snyk
Connecting Snyk gives SureCloud read access to your Snyk organisation's projects, open vulnerability issues, and licence compliance findings. SureCloud collects open issues by severity across all monitored projects, tracks which projects have active monitoring enabled, surfaces critical and high severity findings that have exceeded defined SLA thresholds without remediation, and reviews ignored issues to verify that suppressions are documented with a rationale. This provides continuous evidence that your application security scanning programme is active and that material vulnerabilities in your dependencies, containers, and code are being tracked to resolution.
{% hint style="info" %}
SureCloud connects to Snyk using a Personal Access Token (API token) generated from a dedicated service account in your Snyk organisation. Snyk supports OAuth 2.0 for some integrations but the API token method is the supported path for system-level CCM integrations.
{% endhint %}
## Authentication and setup
{% stepper %}
{% step %}
#### Create a dedicated service account in Snyk
In the Snyk web app, navigate to **Organisation Settings → Service Accounts → Create a service account**.
* **Name**: `SureCloud CCM`
* **Role**: **Viewer** — provides read-only access to all projects and issues within the organisation
Click **Create**. Snyk displays the API token — copy it immediately, as it is only shown once.
{% hint style="info" %}
Service account tokens in Snyk do not expire automatically. Rotate the token every 90 days as a security best practice by generating a new token in **Organisation Settings → Service Accounts → \[SureCloud CCM] → Manage → Reset token**, then updating it in **SureCloud → Integrations → Snyk → Edit Connection**.
{% endhint %}
{% endstep %}
{% step %}
#### Identify your Snyk organisation ID
In the Snyk web app, navigate to **Organisation Settings → General**. Copy the **Organisation ID** (a UUID in the format `xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`). SureCloud uses this to scope API calls to the correct organisation.
{% endstep %}
{% step %}
#### Enter credentials in SureCloud
In SureCloud, navigate to **Integrations → Snyk → Connect** and provide:
* **API Token**
* **Organisation ID**
Click **Test Connection**, then **Save**.
{% endstep %}
{% endstepper %}
## Endpoints
| API Call | Use Case |
| ------------------------------------------------------ | ----------------------------------------------------------------------------------------- |
| `GET /rest/orgs/{org_id}/projects` | Enumerate all projects in the organisation with their type, status, and last test date |
| `GET /rest/orgs/{org_id}/issues` | Retrieve all open issues across the organisation filtered by severity |
| `GET /rest/orgs/{org_id}/issues/{issue_id}` | Read full issue detail including CVE, CVSS score, fix availability, and SLA breach status |
| `GET /v1/org/{org_id}/projects/{project_id}/issues` | Read issues per project with ignored status and ignore rationale |
| `GET /v1/org/{org_id}/projects/{project_id}/dep-graph` | Read dependency graph for a project (used for licence risk analysis) |
| `GET /rest/orgs/{org_id}/packages/{purl}/issues` | Look up known vulnerabilities for a specific package version |
| `GET /v1/user/me` | Verify service account identity and organisation membership |
{% hint style="info" %}
Snyk provides both a v1 API and a REST API (versioned). SureCloud uses the REST API for project and issue enumeration where available, and falls back to the v1 API for endpoints not yet available in REST. Both APIs are authenticated with the same API token.
{% endhint %}
## Pagination
The Snyk REST API uses cursor-based pagination via a `next` link in the response `links` object. SureCloud follows the `next` URL until no `next` link is present.
```json
{
"data": [
{
"id": "issue-abc123",
"type": "issue",
"attributes": {
"title": "Remote Code Execution",
"severity": "critical",
"status": "open",
"ignored": false
}
}
],
"links": {
"next": "https://api.snyk.io/rest/orgs/org-uuid/issues?starting_after=issue-abc123&version=2024-06-10"
},
"meta": {
"total_results": 1482
}
}
```
The Snyk v1 API uses page-based pagination via `page` and `perPage` query parameters. SureCloud increments `page` until the response returns fewer results than `perPage`.
## Required permissions
The Snyk **Viewer** service account role is sufficient for all SureCloud data collection. Viewer provides read access to all projects, issues, and organisation settings. It does not permit creating or modifying projects, running tests, or changing ignore rules.
For Snyk Group-level deployments with multiple organisations, a separate SureCloud connection is required per organisation, or a Group-level service account with Viewer access across all organisations can be used. Contact SureCloud support for multi-organisation configuration guidance.
## Polling frequency
| Data type | Collection interval |
| ---------------------------------------- | ------------------- |
| Project inventory and monitoring status | 24 hours |
| Open vulnerability issues | 24 hours |
| Ignored issues and suppression rationale | 24 hours |
| Licence compliance findings | 24 hours |
## Troubleshooting
Projects are appearing but issue counts are showing as zero
Issue data is available only for projects that have been tested at least once. A project in a `pending` or `inactive` state has not been tested and will return no issues.
In the Snyk web app, navigate to **Projects** and confirm the affected projects show a last-tested timestamp. If projects show as inactive, re-enable monitoring in **Project Settings → Status → Activate**.
Ignored issues are not showing their ignore rationale
Ignore rationale data is returned in the v1 API project issues endpoint. If rationale is missing, the ignore may have been applied without a reason (Snyk does not require a reason when ignoring via the UI). SureCloud records the rationale where it is present and flags ignores with no rationale as requiring review.
Issues from some projects are not appearing despite the service account having Viewer access
Snyk projects inherit access from the organisation they belong to. If a project was imported into a different Snyk organisation than the one configured in SureCloud, it will not appear in the scoped API responses.
Confirm the **Organisation ID** in SureCloud matches the organisation containing the expected projects. If your Snyk account has multiple organisations, each requires a separate SureCloud connection.
Container image projects are not appearing
Container image projects are returned alongside open source and code projects in the `/rest/orgs/{org_id}/projects` endpoint with a `type` of `deb`, `rpm`, or `apk` depending on the base image. If container projects are missing, confirm the Snyk Container add-on is enabled for your Snyk plan and that at least one container image project has been imported into the organisation.
Snyk REST API reference Snyk v1 API reference
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/snyk.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.