Snyk SAST Integration

[botbuckle]

We kindly urge the inclusion or enhancement of a feature within DefectDojo to facilitate the direct import of Snyk SAST data, complementing the existing support for Snyk SCA data. This addition would enable organizations to seamlessly consolidate both Snyk SAST and SCA findings, providing a comprehensive view of application security. By expanding the integration's capabilities, we can enhance vulnerability management and empower teams to address security issues more comprehensively. Your consideration of this enhancement is greatly appreciated by the security community.

[upatel2227]

Yes, I am looking for the same. Snyk SCA data digests easily into Dojo, but SAST (snykcode) isn't readable by DefectDojo.

[mtesauro]

One of the ways this happens is someone who currently has access to that tool provides a sample file - without an example of the tools output, it's not possible to write a parser.

As it seems that @botbuckle and @upatel2227 have access to the output from synkcode, could one of you provide a sample file of a scan of some open source repo?

[sarim04]

snyk_results.json
Please find the output for Snyk Code, I ran it on JuiceShop

[manuel-sommer]

This json is not a valid json when you download it.

[sarim04]

Hey Sorry, I think I messed up somewhere, here, I validated this too
Uploading vuln.json…

[manuel-sommer]

Could you upload the file to #9270 ?

[sarim04]

Done, thank you

[botbuckle]

Hello @mtesauro

Thanks for the reply, I will try to upload some sample docs shortly after I get it.

[manuel-sommer]

Hi @botbuckle, the following issue tracks the progress to advance this parser: #9270
A sample report was already uploaded. I will make a PR. You can mark my comment as the answer.

[manuel-sommer]

@mtesauro could you close this discussion and mark my comment as the answer?