Snyk Code (SAST)

The Snyk SAST Connector bridges application security scanning and enterprise risk management by importing static code analysis findings from Snyk into Qualys ETM. This integration solves the fragmentation problem where security teams must manually correlate code vulnerabilities across separate platforms, enabling centralized risk visibility, impact assessment, and remediation prioritization.

By consolidating SAST results for both code repositories and generic applications into a unified platform, security practitioners gain comprehensive visibility into application-layer risks and can prioritize remediation efforts based on business impact rather than managing multiple disconnected tools.

Connector Details

High-level details for the Snyk SAST connector.

Vendor | Snyk
Product Name | Snyk SAST
Category | Application Security
Findings Supported | Yes
Assets Supported | Code Repository
Version | 1.0.0
Integration Type | API Integration (REST)
Direction | Unidirectional (Snyk to Qualys)
Delta Support | Supported

Connection Settings

Before configuring the connector, ensure that the required Snyk permissions and API credentials are available.

User Roles and Permissions

The API token used for the Snyk SAST connector must have the following permissions:

Entity Type | Required Permission
Code Repository | Organization Collaborator
Generic Application | Organization Collaborator

Authentication Details

Provide the following credentials on the connector configuration screen:

Name | Key | Type | Description
API URL | api_id | String | API URL for the Snyk user profile
API Token | api_key | Encrypted String | API token for authenticating with the Snyk platform

Connector Configuration

Basic Details

  1. Log in to Qualys Enterprise TruRisk Management (ETM).
  2. Navigate to Connectors > Integration.
  3. Locate the Snyk SAST Connector and click Manage.
  4. Provide a Name and Description for the connector.
  5. Enter the API URL and API Token.

Profiles

Profiles control what data the connector imports and when it runs.

  1. Click + to create a new profile.
  2. Provide a Name and Description.
  3. Select the Asset Type: Code Repository or Generic Application.
  4. Set the profile Status to Active or Inactive.
  5. Configure a Schedule: Single Occurrence or Recurring with start and end date/time.
  6. Click Next to continue.

Review and Confirm

Review the connector configuration and click Create to finalize the setup.

How Does the Connection Work?

On the configured schedule or when triggered on demand, the Snyk SAST connector fetches SAST assets and findings from the Snyk platform and imports them into ETM.

The connection execution performs a full data pull. Once execution completes, the connector is displayed in the Processed state in the Connectors screen. Findings ingestion may continue after assets are processed.

Connector States

  • Registered – Connector is created and registered.
  • Scheduled – Connector is scheduled to run.
  • Processing – Data is being fetched from Snyk.
  • Processed – Assets are imported; findings may still be processing.

The complete import process may take up to 2 hours, depending on data volume.

Viewing Assets and Findings in ETM

After successful execution, imported data is available in ETM:

  • Assets: Enterprise TruRisk Management > Inventory

Transformation Map Details

Here is the Snyk SAST to Qualys Transformation map.

Code Repo - Transformation Map:

Source Field Target Field
SCRIPT_BASE_FUNCTION asset.assetHeader.externalAssetId
FUNCTION_PICKER asset.assetHeader.status
relationships.target.data.meta.integration_data.owner asset.assetDetail.repositoryAssetClass.owner
id asset.assetHeader.vendorAssetId
attributes.name asset.assetDetail.name
attributes.created asset.assetDetail.sourceCreatedAt
attributes.created asset.assetDetail.sourceUpdatedAt
FUNCTION_PICKER asset.assetDetail.repositoryAssetClass.type
relationships.target.data.attributes.url asset.assetDetail.repositoryAssetClass.repoUrl
attributes.business_criticality.0 asset.assetDetail.businessInfo.businessCriticality
attributes.settings.recurring_tests.frequency asset.assetDetail.typedAttributes.snykSASTSettingsRecurringFrequency
issues[].attributes.title findingGroup.findings[].name
issues[].attributes.description findingGroup.findings[].description
issues[].id findingGroup.findings[].externalFindingId
FUNCTION_PICKER findingGroup.findings[].severity
FUNCTION_PICKER findingGroup.findings[].findingStatus
issues[].attributes.created_at findingGroup.findings[].firstFoundOn
issues[].attributes.updated_at findingGroup.findings[].lastFoundOn
issues[].attributes.classes.0.id findingGroup.findings[].findingType.vulnerability.cweId
issues[].attributes.ignored findingGroup.findings[].riskAcceptance.ignored
attributes.target_reference asset.assetDetail.typedAttributes.snykSASTTargetReference
org.id asset.assetDetail.typedAttributes.snykSASTOrganizationId
org.attributes.name asset.assetDetail.typedAttributes.snykSASTOrganizationName
org.attributes.group_id asset.assetDetail.typedAttributes.snykSASTGroupId
org.attributes.updated_at asset.assetDetail.typedAttributes.snykSASTOrgUpdatedAt
org.attributes.created_at asset.assetDetail.typedAttributes.snykSASTOrgCreatedAt
attributes.target_file asset.assetDetail.typedAttributes.snykSASTTargetFile
attributes.type asset.assetDetail.typedAttributes.snykSASTType
issues[].findingDetectionUrl findingGroup.findings[].findingDetectionURL
issues[].findingUrl findingGroup.findings[].findingURL

Generic Application - Transformation Map:

Source Field Target Field
attributes.name asset.assetDetail.genericApplicationAssetClass.name
id asset.assetHeader.externalAssetId
FUNCTION_PICKER asset.assetHeader.status
id asset.assetHeader.vendorAssetId
attributes.name asset.assetDetail.name
attributes.created asset.assetDetail.sourceCreatedAt
attributes.created asset.assetDetail.sourceUpdatedAt
attributes.business_criticality.0 asset.assetDetail.businessInfo.businessCriticality
attributes.settings.recurring_tests.frequency asset.assetDetail.typedAttributes.snykSASTSettingsRecurringFrequency
issues[].attributes.title findingGroup.findings[].name
issues[].attributes.description findingGroup.findings[].description
issues[].id findingGroup.findings[].externalFindingId
FUNCTION_PICKER findingGroup.findings[].findingStatus
FUNCTION_PICKER findingGroup.findings[].severity
issues[].attributes.created_at findingGroup.findings[].firstFoundOn
issues[].attributes.updated_at findingGroup.findings[].lastFoundOn
issues[].attributes.classes.0.id findingGroup.findings[].findingType.vulnerability.cweId
issues[].attributes.ignored findingGroup.findings[].riskAcceptance.ignored
attributes.target_reference asset.assetDetail.typedAttributes.snykSASTTargetReference
org.id asset.assetDetail.typedAttributes.snykSASTOrganizationId
org.attributes.name asset.assetDetail.typedAttributes.snykSASTOrganizationName
org.attributes.group_id asset.assetDetail.typedAttributes.snykSASTGroupId
org.attributes.updated_at asset.assetDetail.typedAttributes.snykSASTOrgUpdatedAt
org.attributes.created_at asset.assetDetail.typedAttributes.snykSASTOrgCreatedAt
attributes.target_file asset.assetDetail.typedAttributes.snykSASTTargetFile
attributes.type asset.assetDetail.typedAttributes.snykSASTType
issues[].findingDetectionUrl findingGroup.findings[].findingDetectionURL
issues[].findingUrl findingGroup.findings[].findingURL
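
How the map rows read when applied to a record, as an added example that is not Qualys or Snyk code: it copies six rows common to both maps onto a constructed record. The path semantics (`.` descends, a numeric segment indexes a list, `[]` iterates) are an assumed reading of the table, and the FUNCTION_PICKER and SCRIPT_BASE_FUNCTION rows are left out because the page does not define them.

```python
# Added example. Assumed path semantics: "." descends, "0" indexes a list,
# "issues[]." rows are applied once per issue to build one finding each.
SRC_ITEM, DST_ITEM = "issues[].", "findingGroup.findings[]."
COMMON_MAP = [  # (source, target) rows present in both transformation maps
    ("id", "asset.assetHeader.vendorAssetId"),
    ("attributes.name", "asset.assetDetail.name"),
    ("attributes.business_criticality.0", "asset.assetDetail.businessInfo.businessCriticality"),
    ("issues[].id", "findingGroup.findings[].externalFindingId"),
    ("issues[].attributes.classes.0.id", "findingGroup.findings[].findingType.vulnerability.cweId"),
    ("issues[].attributes.ignored", "findingGroup.findings[].riskAcceptance.ignored"),
]

def get_path(obj, path):
    for seg in path.split("."):
        if isinstance(obj, list) and seg.isdigit():
            obj = obj[int(seg)] if int(seg) < len(obj) else None
        else:
            obj = obj.get(seg) if isinstance(obj, dict) else None
        if obj is None:          # missing key or empty list: no value
            return None
    return obj                   # note: False is a real value and is kept

def copy_field(src_obj, dst_obj, src, dst):
    val = get_path(src_obj, src)
    if val is None:
        return                   # absent in source: leave target unset
    *parents, leaf = dst.split(".")
    for seg in parents:
        dst_obj = dst_obj.setdefault(seg, {})
    dst_obj[leaf] = val

def transform(record, mapping=COMMON_MAP):
    out, findings = {}, [{} for _ in record.get("issues", [])]
    for src, dst in mapping:
        if src.startswith(SRC_ITEM):
            for issue, finding in zip(record["issues"], findings):
                copy_field(issue, finding, src[len(SRC_ITEM):], dst[len(DST_ITEM):])
        else:
            copy_field(record, out, src, dst)
    out.setdefault("findingGroup", {})["findings"] = findings
    return out

SAMPLE = {  # constructed record for illustration, not real Snyk output
    "id": "proj-0001",
    "attributes": {"name": "example/repo", "business_criticality": ["high"]},
    "issues": [
        {"id": "issue-0001", "attributes": {"classes": [{"id": "CWE-89"}], "ignored": False}},
        {"id": "issue-0002", "attributes": {"classes": [], "ignored": True}},
    ],
}
```

The second constructed issue has an empty `classes` list, so its finding carries no `cweId`, while `ignored: False` on the first issue is still copied through to `riskAcceptance.ignored`.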

API Endpoints

The connector uses the following Snyk SAST REST API endpoints to retrieve data:

Name | Endpoint
List Orgs API | https://api.us.snyk.io/rest/orgs?version=2025-11-10
Get Project Per Org API | https://api.us.snyk.io/rest/orgs/<id>/projects?version=2025-11-10
Get Issues Per Project API | https://api.us.snyk.io/rest/orgs/<id>/issues?version=2025-11-18&type=package_vulnerability&scan_item.type=project&scan_item.id=<id>