Snyk - Configure the Snyk integration to ingest SAST and SCA vulnerability findings into Cortex Cloud, unifying your software package assets and security code.

Cortex XSIAM 3.x Documentation

Product
Cortex XSIAM
Creation date
2025-07-15
Last date published
2026-06-04
Category
Administrator Guide
Abstract

Configure the Snyk integration to ingest SAST and SCA vulnerability findings into Cortex Cloud, unifying your software package assets and security code.

The Snyk integration connects Cortex Cloud to your Snyk organization, enabling automatic ingestion of security findings from Snyk-scanned repositories. The integration supports two scan types that can be enabled independently or together:

  • SCA (Software Composition Analysis): Ingests open-source dependency vulnerabilities, producing software package assets and CVE-based vulnerability findings

  • SAST (Static Application Security Testing): Ingests code-level security vulnerabilities, producing findings with precise source code locations, CWE classifications, and commit attribution

Important

Snyk Free tier is not supported. A paid Snyk plan (Team, Business, or Enterprise) is required to ingest findings from Snyk.

Key benefits

  • Unified visibility: Snyk findings appear alongside native scan results in the Asset inventory, Issues, and Findings views, which streamlines remediation and provides a clear, comprehensive view of your application security posture

  • Dual scan coverage: Enable SCA, SAST, or both scan types per integration to match your Snyk deployment configuration

  • Normalized Data: Snyk findings are normalized into the Cortex Cloud data model, enabling cross-tool comparison, unified filtering, and consistent prioritization

  • Automated ingestion: After initial setup, findings are ingested automatically whenever a scan of a mapped external project is triggered in Snyk

Pillar Alignment: ASPM (posture and orchestration) - Third-Party Integration: Ingesting external security tool findings into the unified posture management platform.

Functional responsibilities

  • AppSec managers (Governance): Consolidate Snyk findings alongside native Cortex Cloud scan results for unified risk visibility, policy enforcement, and compliance reporting across the application portfolio

  • AppSec Practitioners (Operations): Review Snyk SCA and SAST findings in the Cortex Cloud Findings view, prioritize remediation using CVSS scores and CWE Top 25 classifications, and track fix version availability for vulnerable dependencies

Prerequisites

  • Version control: Ensure that you have a connected version control system (VCS) and repositories in Cortex Cloud, because Snyk projects are ingested only once they are mapped to a repository

  • Snyk permissions and requirements:

      • Permissions: The Snyk API token must have direct organization-level access, that is, explicit access to the specific Snyk organization being integrated. Group-level permissions alone are not sufficient, because Snyk’s REST API requires explicit authorization at the individual organization level to access organization-scoped endpoints

      • Organization-level role (mandatory): Assign the Org Collaborator role to the token's account in the specific organization

      • Recommended account type: Generate and save the API token from a Snyk Service Account. Service accounts are decoupled from individual users, so the integration remains uninterrupted if an employee leaves the organization or changes roles

      • Access control: This role authorizes Cortex XSIAM to list applications and retrieve findings without granting excessive administrative privileges

Supported Snyk API endpoints:

Region          API Hostname
US (default)    api.snyk.io
US (legacy)     api.us.snyk.io
EU              api.eu.snyk.io
AU              api.au.snyk.io
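The following Python script is an added example; it is not part of this guide and not Cortex or Snyk code. It performs, before you open the wizard, the checks that the Test Connection step depends on: that the hostname is one of the supported regional endpoints listed above, that the token sees the target organization directly through the REST API (the organization-level access required under Prerequisites), and that the organization holds the project kinds each issue type needs (Snyk Open Source or Container projects for SCA, Snyk Code projects for SAST). The Authorization: token header and the JSON:API response shape are as Snyk documents them; the API version string, the "sast" project type used to identify Snyk Code projects, and treating links.next as a path relative to /rest are assumptions to confirm against Snyk's current API documentation. The sample responses at the bottom are constructed so the script also runs offline; with SNYK_TOKEN and SNYK_ORG_ID set it runs against the live API.

```python
"""Pre-onboarding check for a Snyk API token (added example, not Cortex or Snyk code).

Exercises what the wizard's Test Connection step depends on: the API hostname is a
supported regional endpoint, the token sees the target org directly in /rest/orgs,
and the org holds the project kinds each issue type needs (SCA: Open Source or
Container projects; SAST: Snyk Code projects).
Assumptions: the REST API version string, Snyk Code projects reporting type "sast",
and JSON:API links.next being a path relative to /rest.
"""
import json
import os
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

SUPPORTED_HOSTS = {"US (default)": "api.snyk.io", "US (legacy)": "api.us.snyk.io",
                   "EU": "api.eu.snyk.io", "AU": "api.au.snyk.io"}
API_VERSION = "2024-10-15"     # assumption: use a version Snyk currently supports
SAST_PROJECT_TYPES = {"sast"}  # assumption: Snyk Code projects report type "sast"


def http_get(url, token):
    """Live client; the Snyk REST API authenticates with 'Authorization: token <API token>'."""
    req = urllib.request.Request(url, headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def paginate(fetch, host, url, token):
    """Yield data[] items across pages by following JSON:API links.next."""
    while url:
        body = fetch(url, token)
        yield from body.get("data", [])
        nxt = body.get("links", {}).get("next")
        # assumption: next is a path relative to /rest (sometimes already including it)
        url = nxt and f"https://{host}" + ("" if nxt.startswith("/rest/") else "/rest") + nxt


def check_token(host, token, org_id, want_sca=True, want_sast=True, fetch=http_get):
    """Return {check_name: bool}, stopping at the first failed precondition."""
    result = {"supported_host": host in SUPPORTED_HOSTS.values()}
    if not result["supported_host"]:
        return result
    q = urlencode({"version": API_VERSION})
    orgs = paginate(fetch, host, f"https://{host}/rest/orgs?{q}", token)
    result["org_visible"] = any(o.get("id") == org_id for o in orgs)
    if not result["org_visible"]:
        return result
    projects = paginate(fetch, host, f"https://{host}/rest/orgs/{org_id}/projects?{q}", token)
    types = {p.get("attributes", {}).get("type") for p in projects}
    if want_sca:
        result["sca_projects_present"] = bool(types - SAST_PROJECT_TYPES)
    if want_sast:
        result["sast_projects_present"] = bool(types & SAST_PROJECT_TYPES)
    return result


# Constructed sample responses (not real Snyk data) so the check also runs offline.
SAMPLE_ORG = "11111111-aaaa-4bbb-8ccc-000000000002"   # has Open Source and Snyk Code projects
OTHER_ORG = "11111111-aaaa-4bbb-8ccc-000000000001"    # Open Source only, so the SAST check fails
SAMPLE_RESPONSES = {
    ("/rest/orgs", None): {"data": [{"id": OTHER_ORG, "attributes": {"name": "payments"}}],
                           "links": {"next": f"/orgs?version={API_VERSION}&starting_after=p2"}},
    ("/rest/orgs", "p2"): {"data": [{"id": SAMPLE_ORG, "attributes": {"name": "platform"}}],
                           "links": {}},
    (f"/rest/orgs/{SAMPLE_ORG}/projects", None): {"data": [
        {"id": "p1", "attributes": {"name": "api/package.json", "type": "npm"}},
        {"id": "p2", "attributes": {"name": "api", "type": "sast"}}], "links": {}},
    (f"/rest/orgs/{OTHER_ORG}/projects", None): {"data": [
        {"id": "p3", "attributes": {"name": "web/requirements.txt", "type": "pip"}}], "links": {}},
}


def sample_fetch(url, token):
    """Offline stand-in for http_get, keyed on URL path and the starting_after cursor."""
    u = urlparse(url)
    return SAMPLE_RESPONSES[(u.path, parse_qs(u.query).get("starting_after", [None])[0])]


if __name__ == "__main__":
    # Live: SNYK_TOKEN=... SNYK_ORG_ID=... [SNYK_API_HOST=api.eu.snyk.io] python snyk_precheck.py
    token, org = os.environ.get("SNYK_TOKEN"), os.environ.get("SNYK_ORG_ID")
    host = os.environ.get("SNYK_API_HOST", SUPPORTED_HOSTS["US (default)"])
    checks = (check_token(host, token, org) if token and org
              else check_token("api.eu.snyk.io", "dummy", SAMPLE_ORG, fetch=sample_fetch))
    for name, ok in checks.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    raise SystemExit(0 if all(checks.values()) else 1)
```

Run it with the same token, organization ID, and regional hostname you will enter in the wizard. An HTTP 401 or 403 from the live calls, or a FAIL on org_visible, indicates that the token lacks the direct organization-level access described under Prerequisites; a FAIL on sca_projects_present or sast_projects_present means the organization has no projects of the kind that issue type needs, and that type will produce no findings after onboarding.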

Onboarding steps
  1. In Settings > Data Sources & Integrations, search for Snyk, hover over the entry, and click Add (or Add Another Instance if an instance is already onboarded).

  2. On the Configure Integration step of the integration wizard:

    1. Configure the Snyk parameters:

      • Select your Snyk API URL from the API URL menu (for example, SNYK-US-02 (https://api.us.snyk.io/rest)). The region must match the regional hostname where your Snyk organization is hosted

      • Enter your Snyk API token

    2. Click Authorize.

  3. On the Select Organization step of the wizard, enter your Snyk Organization ID and click Next.

    Note

    Select Test Connection to verify that Cortex Cloud can connect to your Snyk organization.

  4. On the Select Issue Types step of the wizard, select the type of findings to be ingested (SAST, SCA, or both) and click Next.

    Note

    • SCA requires Snyk Open Source or Snyk Container projects configured in the organization

    • SAST requires Snyk Code enabled and projects configured in the organization

  5. Select ingestion targets: On the Map to Repositories step of the wizard, review the detected Snyk projects and confirm or manage their repository mappings

      • Select Automatically map future Snyk applications to automatically map current and future Snyk projects to Cortex XSIAM repositories. This is recommended to ensure maximum security coverage

      • Configure unmapped or mismatched applications: Manually configure the mapping if Cortex XSIAM cannot match an application to a repository, or if an existing mapping needs to be updated: select the application in the list of detected applications, then choose the correct repository from the Repository dropdown menu

    1. Click Save.

    Note

    • Mapping establishes relationships between Snyk applications and Cortex XSIAM code repositories, simplifying access management and enabling risk analysis at the repository level, including displaying findings on the tenant

    • Only mapped applications are ingested

    After saving, Cortex Cloud triggers the initial scan ingestion for the selected targets.

  6. Verify the integration and confirm that your Snyk instance has a status of Connected.

    1. Navigate to Settings > Data Sources & Integrations and filter for Snyk.

    2. Hover over and select the resulting entry.

    3. Locate and verify that the status of your instance is Connected and that the mapped applications are displayed and connected.

What gets cleaned up upon deletion

When a Snyk integration is deleted, findings and issues from previous Snyk scans are not closed/resolved. The deletion only removes:

  • The integration configuration itself

  • The external project mappings (Snyk organizations/projects)

  • The scan configuration records

  • The CI/CD graph entities for the integration, which are removed through a lifecycle event

The findings and issues that were ingested from Snyk scans remain active in the system after the integration is deleted. This is a behavioral difference from VCS integrations where findings are closed and issues are resolved upon deletion.

Next step: View and manage ingested findings

After the third-party scanner integration is configured, Cortex Cloud automatically ingests and normalizes the scan results. Operational management of these findings is consolidated based on the detection type: