Snyk Buildkite Plugin

A Buildkite plugin that runs Snyk tests in your Buildkite pipelines. The plugin requires a few dependencies install on your agents in order to function:

Snyk CLI snyk-to-html

Refer to the documentation for these tools to ensure they are installed on your agents before running the plugin. If you are using the Buildkite Elastic CI Stack for AWS, you will need to customise the bootstrap script used by the stack.

Options

These are all the options available to configure this plugin’s behaviour.

Required

`scan` (string)

The type of scan that the plugin will perform. Currently supported options are oss, code, container. (default: oss)

Optional

`token-env` (string)

The environment variable the plugin will reference to set SNYK_TOKEN. (default: SNYK_TOKEN)

`org` (string)

Your Snyk Organization slug, sets SNYK_CFG_ORG.

`image` (string)

The image and tag (example: alpine:latest) to pass to the container scan tool.

`annotate` (bool)

Annotate the build according to the scan results. If set to false, no annotation will be created even if vulnerabilities are detected. (default: false)

`block` (bool)

Optionally block the build on vulnerability detection.

Examples

Here are a few examples of using the plugin to scan within your Buildkite pipeline:

steps:
  - label: "🔎 Scanning with Snyk"
    command: "test.sh"
    plugins:
      - snyk#v0.2.0:
          scan: 'oss'
          annotate: true

And with other options as well:

steps:
  - label: "🔎 Scanning code with Snyk"
    command: "test.sh"
    plugins:
      - snyk#v0.2.0:
          scan: 'code'
          annotate: true

Scanning a docker container image by image name and tag:

steps:
  - label: "🔎 Scanning container image with Snyk"
    command: "build.sh"
    plugins:
      - snyk#v0.2.0:
          scan: 'container'
          annotate: true
          image: 'alpine:latest'

Block a build when a vulnerability is detected:

steps:
  - label: "🔎 Blocking snyk scan"
    command: "test.sh"
    plugins:
      - snyk#v0.2.0:
          scan: 'oss'
          annotate: true
          block: true

⚒ Developing

Tests

Run the tests using docker compose run --rm tests

Running the pipeline

You can use the bk cli to run the pipeline locally:

bk local run

📜 License

The package is available as open source under the terms of the MIT License.

Recommended plugins

Trivy

Trivy Security Scanning.

equinixmetal-buildkite

Terraform-OPA

Runs Open Policy Agent against Terraform plans.

echoboomer

sonarscanner

Run sonar-scanner.

wayfair-incubator

Scale-Out Delivery Platform→

Capabilities

Pipelines→

Test Engine→

Package Registries→

Mobile Delivery Cloud→

Bring your own compute

Hosted compute

Replace Jenkins

Workflows for AI/ML

Testing at scale

Monorepo mojo

Bazel orchestration

MCP server

Example pipelines

Webinars

Blog

Public pipelines

Case studies

Events

Follow Buildkite

About

Careers

Follow Buildkite

Snyk Buildkite Plugin

Options

Required

scan (string)

Optional

token-env (string)

org (string)

image (string)

annotate (bool)

block (bool)

Examples

And with other options as well:

⚒ Developing

Tests

Running the pipeline

📜 License

Recommended plugins

Trivy

Terraform-OPA

sonarscanner

Start turning complexity into an advantage

Platform

Hosting options

Resources

Company

Solutions