# Snyk Slacker 3000

> **Warning**
> This is basically a copy of an internal app that was made in a hurry, but we're opening it up so that others can take inspiration from it. Use at your own discretion! The build logic assumes that the app will be run as a container on nais. Some manual setup in Snyk and Slack is required, but not described in detail here.
Custom Snyk webhook integration to support filtering of alerts on severity.
## How to use for your team's Snyk organization
Follow these steps to receive Slack messages for "high" and "critical" severity Snyk vulnerabilities and license issues for your team:
- Add the Slack App "Snyker" to your desired Slack channel (Member list -> Integrations -> Add apps -> Search for "Snyker")
- Submit a pull request to this repository, updating config.js with an additional entry:

```json
{
  "snykOrg": "…display name of your snyk org…",
  "slackChannelId": "…slack channel ID…",
  "severity": ["critical", "high"],
  "issueType": ["vuln", "license"]
}
```
Note on Snyk org: Use the display name of your org, and not the normalised version used in URLs and from the Snyk CLI. These are normally the same, but they're sometimes slightly different. E.g. team `aura` (display name) has the URL `aura-bkp`, which is also what's used from the CLI (`--org=aura-bkp`). Here, `aura` should be used for `snykOrg`.
Note on Slack ID: To find your Slack channel ID, right-click the channel name and select "Copy link". The last part of the copied URL will be the channel ID.
## How does it work?

The notifier bot works by registering itself as a Snyk webhook receiver for the organizations mapped in `config.json`.

This is done on startup: the bot first checks the existing webhooks for each mapped organization, and then creates new ones for those organizations that do not yet have a webhook with the bot as callback URL.
On startup:

- List all authorized Snyk organizations
- For each organization listed in `config.json`, list all Snyk webhooks
- If no organization webhook is found with the correct callback URL, create a new one
On webhook callback received:

- Verify webhook signature (HMAC). Discard if invalid
- Look up the organization name in `config.json`. Discard if not found
- Filter new issues based on the found config
- If new issues are found matching the filter, notify the configured Slack channel
## Development

Requires `node` version >=16

### Local development

Install and start the bot locally:

```
$ npm install
$ npm start
```
See the table below for required environment variables.
Be aware: If you specify `SNYK_WEBHOOK_CALLBACK_URL`, the bot will register that URL as a callback receiver in Snyk on startup.
## Configuration

Environment variable | Description | Required | Default |
---|---|---|---|
`APP_PORT` | Port of webhook receiver server | No | 3000 |
`SNYK_API_BASE_URL` | Base URL for Snyk API | No | https://snyk.io/api/v1 |
`SNYK_API_KEY` | Organization API token | Yes | |
`SNYK_WEBHOOK_CALLBACK_URL` | URL for Snyk webhooks | No | |
`SNYK_WEBHOOK_SECRET` | Secret used to verify webhook callbacks | Yes | |
`SLACK_BOT_TOKEN` | Slackbot API token | Yes | |
`SLACK_SIGNING_SECRET` | Slackbot signing secret | Yes | |
`SLACK_ALERT_CHANNEL` | Slack channel for important log messages | No | |