npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

backstage-plugin-snyk

v2.4.0

Published

[![Inactively Maintained](https://img.shields.io/badge/Maintenance%20Level-Inactively%20Maintained-yellowgreen.svg)](https://gist.github.com/cheerfulstoic/d107229326a01ff0f333a1d3476e068d)

Downloads

7,648

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

snyk-tech-servicessnyk-tech-services

Keywords

Readme

Snyk Backstage Plugin

Inactively Maintained

This repository is in maintenance mode, no new features are being developed. Bug & security fixes will continue to be delivered. Open source contributions are welcome for small features & fixes (no breaking changes)

The Snyk plugin displays security details from snyk.io.

Snyk Tab

Getting started

Requirements: Snyk API enabled (Paid plans only)

  1. Install plugin
# packages/app
yarn add --cwd packages/app backstage-plugin-snyk
  1. Add plugin to the app
// packages/app/src/App.tsx
import { EntitySnykContent } from 'backstage-plugin-snyk';

....

<FlatRoutes>
...
<Route path="/snyk" element={<EntitySnykContent />}/>
...
</FlatRoutes>
  1. Add Snyk card and tab to the entity page The plugin is composed of 2 main parts
  • Snyk tile on the entity overview page
  • Security tab in the entity displaying further details

a. Import the elements

// packages/app/src/components/catalog/EntityPage.tsx
import {
  SnykOverview,
  EntitySnykContent,
  isSnykAvailable,
} from "backstage-plugin-snyk";

b. Add the overview card

Overview card

// packages/app/src/components/catalog/EntityPage.tsx
const entityWarningContent = (
  <>
    ...
    <EntitySwitch>
      <EntitySwitch.Case if={isSnykAvailable}>
        <Grid item md={3}>
          <SnykOverview />
        </Grid>
      </EntitySwitch.Case>
    </EntitySwitch>
    ...
  </>
);

c. Add the tab (feel free to rename title to Security, snyk, vulns, whatever you think is best)

const ServiceEntityPage = (
  <EntityLayoutWrapper>
    ...
    <EntityLayout.Route path="/snyk" title="Security">
      <EntitySnykContent />
    </EntityLayout.Route>
    ...
  </EntityLayoutWrapper>
);
  1. Add snyk proxy config to app-config.yaml file at the root directory. If using Snyk self hosted, adjust target to https://YOURHOSTNAME/api. User Agent helps us see how much API traffic comes from backstage setups so we can invest more in the plugin !
proxy:
  endpoints:
    ...
    /snyk:
      # Host of the API to use on the calls.
      # If you use EU or AU Snyk account, change this to https://api.eu.snyk.io/ or https://api.au.snyk.io/
      target: https://api.snyk.io/
      headers:
        User-Agent: tech-services/backstage-plugin/1.0
        Authorization: token ${SNYK_TOKEN}
    ...

You can also add the following optional configuration to your app-config.yaml

snyk:
  # Host of the Web UI to render links. Defaults to "app.snyk.io"
  # If you use EU or AU Snyk account, change this to app.eu.snyk.io or app.au.snyk.io
  appHost: app.snyk.io
  # Uncomment to specify version of the API to use on the calls. Defaults to "2024-02-28".
  # Override with care, not all versions have a target API
  # apiVersion: 2024-02-28
  # uncomment to specify version for issues API specifically. Defaults to 2024-01-23
  # issuesApiVersion: 2024-01-23
  # Mocks the API calls, useful for development and for testing the plugin without a Snyk account. Defaults to "false"
  mocked: false
  # Will show resolved issues in all the graphs. Defaults to "false" to show only non-resolved issues
  showResolvedInGraphs: false
  1. Get your Snyk token (a service account with Viewer permission at your group level is preferred) and provide SNYK_TOKEN env var with the value ""
export SNYK_TOKEN="123-123-123-123"
  1. Add one of the following annotation to your entities.
  • snyk.io/org-id is the ID of the Snyk organization where your project is. You can find the ID in the Organization Settings in the Snyk dashboard.
  • snyk.io/org-ids specify one or more Snyk organization ids, comma separated. This will try to find any of the targets or projects in any of the organizations. snyk.io/org-id is ignored when this annotation is set.
  1. Then add one or more than one of the following annotations to your entities.
  • snyk.io/target-id specify a single target by name or ID. Target ID will avoid an API call and be therefore faster. Use this API endpoint to get the Target IDs.
  • snyk.io/targets specify one or more targets, by name or ID. Target ID will avoid an API call and be therefore faster. Use this API endpoint to get the Target IDs.
  • snyk.io/project-ids are the project ID (see slug in url or ID in project settings) If multiple projects (like multiple package.json or pom files, add them with increasing number), add them comma separated
  • snyk.io/exclude-project-ids to exclude specific projects you might not want. ....

Example:

apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: goof
  description: Goof
  annotations:
    snyk.io/org-id: 361fd3c0-41d4-4ea4-ba77-09bb17890967
    snyk.io/targets: Snyk Demo/java-goof,508d2263-ea8a-4e42-bc9d-844de21f4172
    snyk.io/target-id: aarlaud-snyk/github-stats
    snyk.io/project-ids: 7439e322-f9c1-4c42-8367-002b33b9d946,db066cb9-b373-46da-b918-b49b541e0d63
    snyk.io/exclude-project-ids: 4737fc9c-3894-40ba-9dc5-aa8ae658c9f6,38e02916-0cf7-4927-ba98-06afae9fef36
spec:
  type: service
  lifecycle: production
  owner: guest
  ....

Some more examples can be found in here

Migration steps from plugin version 1.x to 2.x

  • Update the proxy target to not contain /v1

Troubleshooting

"/snyk":
  target: https://api.snyk.io/
  headers:
    User-Agent: tech-services/backstage-plugin/1.0
    Authorization:
      $env: SNYK_TOKEN
  pathRewrite:
    "^/proxy/snyk/": "/"

Limitations

Infrastructure as Code and Snyk Code projects are not supported currently.