Snyk Code (SAST)
The Snyk SAST Connector bridges application security scanning and enterprise risk management by importing static code analysis findings from Snyk into Qualys ETM. This integration solves the fragmentation problem where security teams must manually correlate code vulnerabilities across separate platforms, enabling centralized risk visibility, impact assessment, and remediation prioritization.
By consolidating SAST results for both code repositories and generic applications into a unified platform, security practitioners gain comprehensive visibility into application-layer risks and can prioritize remediation efforts based on business impact rather than managing multiple disconnected tools.
Connector Details
High-level details for the Snyk SAST connector.
| Field | Value |
|---|---|
| Vendor | Snyk |
| Product Name | Snyk SAST |
| Category | Assets (Code Repo) |
| Findings Supported | Yes |
| Assets Supported | Code Repository, Generic Application |
| Version | 1.0.0 |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Snyk to Qualys) |
| Delta Support | Supported |
Connection Settings
Before configuring the connector, ensure that the required Snyk permissions and API credentials are available.
User Roles and Permissions
The Snyk API token used by the connector belongs to a user or service account, and that account must hold the following role in every Snyk organization whose data is to be imported. The connector only reads from Snyk, so no role beyond this is needed:
| Entity Type | Required Permission |
|---|---|
| Code Repository | Organization Collaborator |
| Generic Application | Organization Collaborator |
Authentication Details
Provide the following credentials on the connector configuration screen:
| Name | Key | Type | Description |
|---|---|---|---|
| API URL | api_id | String | API URL for the Snyk user profile |
| API Token | api_key | Encrypted String | API token for authenticating with the Snyk platform |
Connector Configuration
Basic Details
- Log in to Qualys Enterprise TruRisk Management (ETM).
- Navigate to Connectors > Integration.
- Locate the Snyk SAST Connector and click Manage.
- Provide a Name and Description for the connector.
- Enter the API URL and API Token.
Profiles
Profiles control what data the connector imports and when it runs.
- Click + to create a new profile.
- Provide a Name and Description.
- Select the Asset Type: Code Repository or Generic Application.
- Set the profile Status to Active or Inactive.
- Configure a Schedule: Single Occurrence or Recurring with start and end date/time.
- Click Next to continue.
Review and Confirm
Review the connector configuration and click Create to finalize the setup.
How Does the Connection Work?
On the configured schedule, or when run on demand, the Snyk SAST connector fetches SAST assets (projects) and their issues from the Snyk platform and imports them into ETM as assets and findings.
Each execution performs a full data pull. When the run completes, the connector is shown in the Processed state on the Connectors screen; findings ingestion may still continue after the assets themselves have been processed.
Connector States
- Registered – Connector is created and registered.
- Scheduled – Connector is scheduled to run.
- Processing – Data is being fetched from Snyk.
- Processed – Assets are imported; findings may still be processing.
The complete import process may take up to 2 hours, depending on data volume.
Viewing Assets and Findings in ETM
After successful execution, imported data is available in ETM:
- Assets: Enterprise TruRisk Management > Inventory
Transformation Map Details
Here is the Snyk SAST to Qualys Transformation map.
Code Repo - Transformation map:
| Source Field | Target Field |
|---|---|
| relationships.target.data.attributes.url | asset.assetHeader.externalAssetId |
| FUNCTION_PICKER (attributes.status) | asset.assetHeader.status |
| relationships.target.data.meta.integration_data.owner | asset.assetDetail.repositoryAssetClass.owner |
| id | asset.assetHeader.vendorAssetId |
| attributes.name | asset.assetDetail.name |
| attributes.created | asset.assetDetail.sourceCreatedAt |
| attributes.created | asset.assetDetail.sourceUpdatedAt |
| FUNCTION_PICKER (attributes.origin) | asset.assetDetail.repositoryAssetClass.type |
| relationships.target.data.attributes.url | asset.assetDetail.repositoryAssetClass.repoUrl |
| attributes.business_criticality.0 | asset.assetDetail.businessInfo.businessCriticality |
| attributes.settings.recurring_tests.frequency | asset.assetDetail.typedAttributes.& |
| relationships.organization.data.id | asset.assetDetail.typedAttributes.& |
| issues[].attributes.title | findingGroup.findings[].name |
| issues[].attributes.description | findingGroup.findings[].description |
| issues[].attributes.risk.score.value | findingGroup.findings[].riskScore |
| issues[].attributes.classes.0.source | findingGroup.findings[].subCategory |
| issues[].id | findingGroup.findings[].externalFindingId |
| issues[].attributes.effective_severity_level | findingGroup.findings[].severity |
| FUNCTION_PICKER (issues[].attributes.status) | findingGroup.findings[].findingStatus |
| issues[].attributes.created_at | findingGroup.findings[].firstFoundOn |
| issues[].attributes.updated_at | findingGroup.findings[].lastFoundOn |
| issues[].attributes.ignored | findingGroup.findings[].exceptionDetail.isFindingToBeIgnored |
| issues[].attributes.classes.0.id | findingGroup.findings[].findingType.vulnerability.cweId |
| issues[].attributes.ignored | findingGroup.findings[].riskAcceptance.ignored |
| attributes.target_reference | findingGroup.findings[].typedAttributes.& |
Generic Application - Transformation map:
| Source Field | Target Field |
|---|---|
| attributes.name | asset.assetDetail.genericApplicationAssetClass.name |
| id | asset.assetHeader.externalAssetId |
| FUNCTION_PICKER (attributes.status) | asset.assetHeader.status |
| id | asset.assetHeader.vendorAssetId |
| attributes.name | asset.assetDetail.name |
| attributes.created | asset.assetDetail.sourceCreatedAt |
| attributes.created | asset.assetDetail.sourceUpdatedAt |
| attributes.business_criticality.0 | asset.assetDetail.businessInfo.businessCriticality |
| attributes.settings.recurring_tests.frequency | asset.assetDetail.typedAttributes.& |
| relationships.organization.data.id | asset.assetDetail.typedAttributes.& |
| issues[].attributes.title | findingGroup.findings[].name |
| issues[].attributes.description | findingGroup.findings[].description |
| issues[].attributes.risk.score.value | findingGroup.findings[].riskScore |
| issues[].attributes.classes.0.source | findingGroup.findings[].subCategory |
| issues[].id | findingGroup.findings[].externalFindingId |
| issues[].attributes.effective_severity_level | findingGroup.findings[].severity |
| FUNCTION_PICKER (issues[].attributes.status) | findingGroup.findings[].findingStatus |
| issues[].attributes.created_at | findingGroup.findings[].firstFoundOn |
| issues[].attributes.updated_at | findingGroup.findings[].lastFoundOn |
| issues[].attributes.ignored | findingGroup.findings[].exceptionDetail.isFindingToBeIgnored |
| issues[].attributes.classes.0.id | findingGroup.findings[].findingType.vulnerability.cweId |
| issues[].attributes.ignored | findingGroup.findings[].riskAcceptance.ignored |
| attributes.target_reference | findingGroup.findings[].typedAttributes.& |
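The two tables above are declarative, so it is worth seeing what they do to an actual record. The following is an added example, not Qualys or Snyk code: it transcribes both maps (the shared rows once, the Code Repository and Generic Application rows separately) and applies them to a constructed Snyk project with two issues, one of which is resolved, ignored and carries no CWE class, so you can see how a sparse record maps. Everything the page leaves undefined is an assumption here and is marked as such: the value tables behind FUNCTION_PICKER (asset status, finding status, repository type), and the key names under typedAttributes, which the page shows elided as `&` and which this code keys by the source path. The input shape follows the source-path column of the map (Snyk REST API project and issue resources); the sample values are invented.

```python
# Added example (not Qualys or Snyk code): applies the page's Snyk SAST -> ETM map.
# Assumed, since the page does not define them: FUNCTION_PICKER tables, typedAttributes keys.
ASSET_STATUS = {"active": "ACTIVE", "inactive": "INACTIVE"}
FINDING_STATUS = {"open": "OPEN", "resolved": "FIXED", "ignored": "IGNORED"}
REPO_TYPE = {"github": "GITHUB", "gitlab": "GITLAB", "bitbucket-cloud": "BITBUCKET"}
TYPED = "asset.assetDetail.typedAttributes"  # key elided as "&" on the page

# (source path, target path) pairs transcribed from the page's tables.
COMMON_ASSET_MAP = [
    ("id", "asset.assetHeader.vendorAssetId"),
    ("attributes.name", "asset.assetDetail.name"),
    ("attributes.created", "asset.assetDetail.sourceCreatedAt"),
    ("attributes.created", "asset.assetDetail.sourceUpdatedAt"),  # as mapped on the page
    ("attributes.business_criticality.0", "asset.assetDetail.businessInfo.businessCriticality"),
    ("attributes.settings.recurring_tests.frequency", TYPED),
    ("relationships.organization.data.id", TYPED),
]
REPO_ASSET_MAP = COMMON_ASSET_MAP + [
    ("relationships.target.data.attributes.url", "asset.assetHeader.externalAssetId"),
    ("relationships.target.data.attributes.url", "asset.assetDetail.repositoryAssetClass.repoUrl"),
    ("relationships.target.data.meta.integration_data.owner", "asset.assetDetail.repositoryAssetClass.owner"),
]
GENERIC_ASSET_MAP = COMMON_ASSET_MAP + [
    ("id", "asset.assetHeader.externalAssetId"),
    ("attributes.name", "asset.assetDetail.genericApplicationAssetClass.name"),
]
FINDING_MAP = [
    ("id", "externalFindingId"), ("attributes.title", "name"),
    ("attributes.description", "description"), ("attributes.risk.score.value", "riskScore"),
    ("attributes.effective_severity_level", "severity"), ("attributes.classes.0.source", "subCategory"),
    ("attributes.created_at", "firstFoundOn"), ("attributes.updated_at", "lastFoundOn"),
    ("attributes.classes.0.id", "findingType.vulnerability.cweId"),
    ("attributes.ignored", "exceptionDetail.isFindingToBeIgnored"), ("attributes.ignored", "riskAcceptance.ignored"),
]

def get_path(obj, path):
    """Resolve a dotted source path; digit segments index lists ('classes.0').
    A missing key or index yields None so one sparse record never aborts the import."""
    for seg in path.split("."):
        if isinstance(obj, list) and seg.isdigit() and int(seg) < len(obj):
            obj = obj[int(seg)]
        elif isinstance(obj, dict):
            obj = obj.get(seg)
        else:
            return None
    return obj

def set_path(target, segments, value):
    # Create nested dicts along the target path and assign the leaf.
    for seg in segments[:-1]:
        target = target.setdefault(seg, {})
    target[segments[-1]] = value

def apply_map(record, mapping):
    out = {}
    for src, dst in mapping:
        value = get_path(record, src)
        if value is not None:  # absent source field: leave the target unset
            set_path(out, dst.split(".") + ([src] if dst == TYPED else []), value)
    return out

def transform_asset(project, asset_type):
    # ETM asset document for a "Code Repository" or "Generic Application" profile.
    is_repo = asset_type == "Code Repository"
    out = apply_map(project, REPO_ASSET_MAP if is_repo else GENERIC_ASSET_MAP)
    status = str(get_path(project, "attributes.status")).lower()
    set_path(out, ["asset", "assetHeader", "status"], ASSET_STATUS.get(status, "UNKNOWN"))
    if is_repo:
        origin = str(get_path(project, "attributes.origin")).lower()
        set_path(out, ["asset", "assetDetail", "repositoryAssetClass", "type"],
                 REPO_TYPE.get(origin, "OTHER"))
    return out

def transform_findings(project):
    # ETM findingGroup from the project's issues[]; target_reference is a project-level field.
    findings, ref = [], get_path(project, "attributes.target_reference")
    for issue in project.get("issues", []):
        f = apply_map(issue, FINDING_MAP)
        f["findingStatus"] = FINDING_STATUS.get(str(get_path(issue, "attributes.status")).lower(), "UNKNOWN")
        if ref is not None:
            set_path(f, ["typedAttributes", "attributes.target_reference"], ref)
        findings.append(f)
    return {"findingGroup": {"findings": findings}}

# Constructed sample (not real Snyk data): one project with two SAST issues; the
# second is resolved, ignored and has no CWE class, to exercise the sparse path.
SAMPLE_PROJECT = {
    "id": "proj-1111",
    "attributes": {"name": "acme/payments-api", "status": "active", "origin": "github",
                   "created": "2024-03-01T10:00:00Z", "business_criticality": ["high"],
                   "target_reference": "main", "settings": {"recurring_tests": {"frequency": "daily"}}},
    "relationships": {"organization": {"data": {"id": "org-2222"}}, "target": {"data": {
        "attributes": {"url": "https://github.com/acme/payments-api"},
        "meta": {"integration_data": {"owner": "acme"}}}}},
    "issues": [
        {"id": "issue-aaaa", "attributes": {
            "title": "SQL Injection", "description": "Unsanitized input reaches a SQL query.",
            "status": "open", "ignored": False, "effective_severity_level": "high",
            "created_at": "2024-03-02T11:00:00Z", "updated_at": "2024-03-10T09:00:00Z",
            "risk": {"score": {"value": 812}}, "classes": [{"id": "CWE-89", "source": "CWE"}]}},
        {"id": "issue-bbbb", "attributes": {
            "title": "Hardcoded Secret", "status": "resolved", "ignored": True, "effective_severity_level": "medium",
            "created_at": "2024-02-20T08:00:00Z", "updated_at": "2024-03-05T12:00:00Z"}},
    ],
}
```

Two things the run makes visible that the tables do not: the same Snyk project produces a different externalAssetId depending on the profile's asset type (the target URL for Code Repository, the Snyk project id for Generic Application), which matters when both profile types import overlapping projects, because ETM will see them as distinct assets; and a resolved issue with no CWE class yields a finding with no findingType at all rather than a placeholder, so any downstream rule that keys on cweId has to tolerate its absence.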