I'm looking for insights on using the Snyk integration with Bitbucket. Our company is aiming for SOC 2 compliance, and one of the requirements involves scanning our code for CVEs during our CI/CD process. While other CI/CD tools offer free options like Dependabot, we're stuck with Bitbucket and considering Snyk for this purpose. However, Snyk's full features seem to require a paid plan for our needs. Has anyone had experience with this integration, or do you have any alternatives in mind? We're likely sticking with Bitbucket since we use a lot of Atlassian tools.
5 Answers
I’ve used Snyk with Bitbucket, and the free version lets you add it to multiple repositories to check for issues on merges. You'll get a weekly report of vulnerabilities. If you're using AWS, consider leveraging AWS Inspector as another route for SOC 2 compliance.
You can integrate the Snyk CLI directly into your CI/CD process to scan for vulnerabilities. There’s a useful IntelliJ plugin too, which allows devs to scan their local builds automatically.
Don't overlook Grype! It's another option for scanning, and you can check it out [here](https://github.com/anchore/grype).
Snyk is primarily CLI-based, so there's no need to rely solely on the integration. You can use the Snyk CLI in your CI/CD pipeline, but keep in mind it does come with a cost.
You can set up the Snyk CLI in a container to scan the repository. The output might be detailed, but it definitely gets the job done.
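As an added example (not code from any of the posters above), this is one way to wire the Snyk CLI into Bitbucket Pipelines as the answers describe: scan every pull request, fail the build on high or critical findings, and keep the JSON report as evidence that the scan ran. It assumes a Node.js project, the `snyk/snyk:node` image, and a secured repository variable `SNYK_TOKEN`; the flags used are the documented `snyk test` / `snyk monitor` options.

```yaml
# Added example of a bitbucket-pipelines.yml running the Snyk CLI.
# Assumptions: Node.js project, snyk/snyk:node image (has node, npm and the
# snyk binary), and a secured repository variable SNYK_TOKEN, which the
# Snyk CLI reads from the environment so no `snyk auth` step is needed.
image: snyk/snyk:node

definitions:
  steps:
    - step: &snyk-scan
        name: Snyk dependency scan
        script:
          # Install from the lockfile so the resolved dependency tree is scanned.
          - npm ci
          # Exit code is non-zero when findings at or above the threshold exist,
          # which fails the step and blocks the merge. The JSON file is written
          # regardless, so it can be archived as SOC 2 evidence of the scan.
          - snyk test --all-projects --severity-threshold=high --json-file-output=snyk-report.json
        artifacts:
          - snyk-report.json

pipelines:
  # Scan every pull request so new CVEs are caught before merge.
  pull-requests:
    '**':
      - step: *snyk-scan
  # On the main branch, also snapshot the project in Snyk so the weekly
  # reports mentioned in the first answer reflect what is actually deployed.
  branches:
    main:
      - step: *snyk-scan
      - step:
          name: Snyk monitor
          script:
            - npm ci
            - snyk monitor --all-projects
```

Lower the threshold to `medium` or `low` once the backlog of existing findings is triaged; starting at `high` keeps the gate from failing every build on day one.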