Snyk Code

Summary

Integrate Snyk Code (SAST) findings into Chariot via the Snyk REST API. Snyk Code uses the DeepCode AI engine for semantic code analysis (data flow, taint tracking, control flow, type inference) across 15+ languages.

Background

Snyk Code is an AI-powered SAST tool. The integration is polling-based (webhooks do NOT support Snyk Code events). The Chariot backend already has 20+ integrations (Qualys, Wiz, GitHub, BurpSuite Enterprise) built on the BaseCapability + init() + Send() pattern, which maps cleanly onto Snyk's data model.

Technical Details

API

  • Base URL: https://api.snyk.io/rest (4 regional variants)
  • Versioning: Date-based (recommended: 2024-10-15)
  • Format: JSON:API compliant (Content-Type: application/vnd.api+json)
  • Rate Limit: 1,620 req/min per API key (HTTP 429 on exceed)
  • Auth: Service Account token recommended (Authorization: token {TOKEN}). Enterprise plan required.

Key Endpoints

| Method | Path | Purpose |
| -- | -- | -- |
| GET | /orgs/{org_id}/issues?type=code | List Snyk Code findings with source locations |
| GET | /orgs/{org_id}/issues/{issue_id} | Get specific issue detail |
| GET | /orgs/{org_id}/projects | List projects (find Code Analysis projects) |
| GET | /orgs/{org_id}/settings/sast | Check Snyk Code enablement |
| GET | /orgs | List accessible organizations |

Issue Response Fields

  • effective_severity_level: "high", "medium", "low" (no Critical)
  • type: "code" for Snyk Code findings
  • severities: Array with type, source, level, score, vector
  • scan_item: Relationship to project/target
  • ignored: Boolean

Severity Mapping

| Snyk Code | Chariot Risk Status |
| -- | -- |
| High | H |
| Medium | M |
| Low | L |

Snyk Code uses only 3 severity levels (no Critical). The Priority Score (0-1000) is stored as a Risk attribute for supplemental ranking.

Data Mapping

| Snyk Code Field | Chariot Entity | Chariot Field/Method |
| -- | -- | -- |
| Issue ID | Risk | Key (dedup identifier) |
| Severity (H/M/L) | Risk | Status severity character |
| CWE ID | Risk Attribute | risk.Attribute("cwe", cweId) |
| Priority Score | Risk Attribute | risk.Attribute("priority_score", score) |
| File Path | Risk Attribute | risk.Attribute("file_path", path) |
| Line Number | Risk Attribute | risk.Attribute("line_number", line) |
| Description | Risk Definition | Definition file |
| Data Flow | Risk Proof | Proof file with source-to-sink flow |
| Fix Analysis | Risk Definition | Recommendation section |
| Repository | Asset | Code repository as Asset |
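An added example, not Chariot's or Snyk's own code, of the Severity Mapping and Data Mapping tables applied to one constructed JSON:API page of GET /orgs/{org_id}/issues?type=code. It maps effective_severity_level to the H/M/L status character, rejects anything else (Snyk Code has no Critical), skips issues that are ignored in Snyk or not of type "code", and fills the cwe, priority_score, file_path and line_number attributes. The Risk type, the severityMap helper and the nested classes / coordinates / risk.score field paths are assumptions: the page documents only effective_severity_level, type, severities, scan_item and ignored, so the remaining paths are exactly what the live-account validation in Key Considerations should confirm.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Risk is a minimal stand-in for Chariot's Risk entity (assumed shape, not the
// tabularium model): Status is the severity character, Attributes the extras.
type Risk struct {
	Key        string
	Status     string
	Attributes map[string]string
}

// issuesPage models one JSON:API page of GET /orgs/{org_id}/issues?type=code.
// effective_severity_level, type and ignored are documented above; the nested
// classes / coordinates / risk.score paths are assumptions to confirm against a
// live account. encoding/json matches names case-insensitively, so only the
// snake_case field needs a tag.
type issuesPage struct {
	Data []struct {
		ID         string
		Attributes struct {
			Type                   string
			Ignored                bool
			EffectiveSeverityLevel string `json:"effective_severity_level"`
			Classes                []struct{ Source, ID string }
			Coordinates            []struct {
				Representations []struct {
					SourceLocation struct {
						File   string
						Region struct{ Start struct{ Line int } }
					}
				}
			}
			Risk struct{ Score struct{ Value int } }
		}
	}
	Links struct{ Next string }
}

var severityMap = map[string]string{"high": "H", "medium": "M", "low": "L"}

// MapSeverity applies the severity table. Snyk Code has no critical level, so
// an unexpected value is an error rather than a silent downgrade.
func MapSeverity(level string) (string, error) {
	if s, ok := severityMap[level]; ok {
		return s, nil
	}
	return "", fmt.Errorf("unknown Snyk Code severity %q", level)
}

// ParseIssuesPage turns one page into Risks and returns links.next ("" on the
// last page). Issues that are not type "code" or are ignored in Snyk are skipped.
func ParseIssuesPage(body []byte) ([]Risk, string, error) {
	var page issuesPage
	if err := json.Unmarshal(body, &page); err != nil {
		return nil, "", err
	}
	var risks []Risk
	for _, item := range page.Data {
		a := item.Attributes
		if a.Type != "code" || a.Ignored {
			continue
		}
		sev, err := MapSeverity(a.EffectiveSeverityLevel)
		if err != nil {
			return nil, "", fmt.Errorf("issue %s: %w", item.ID, err)
		}
		r := Risk{Key: item.ID, Status: sev, Attributes: map[string]string{
			"priority_score": strconv.Itoa(a.Risk.Score.Value),
		}}
		for _, c := range a.Classes {
			if c.Source == "CWE" {
				r.Attributes["cwe"] = c.ID
			}
		}
		// The first source location becomes file_path/line_number; the full
		// coordinate list (the source-to-sink flow) would feed the Proof file.
		if len(a.Coordinates) > 0 && len(a.Coordinates[0].Representations) > 0 {
			loc := a.Coordinates[0].Representations[0].SourceLocation
			r.Attributes["file_path"] = loc.File
			r.Attributes["line_number"] = strconv.Itoa(loc.Region.Start.Line)
		}
		risks = append(risks, r)
	}
	return risks, page.Links.Next, nil
}

// SampleIssuesPage is a constructed response, not captured from Snyk.
const SampleIssuesPage = `{"data":[
 {"id":"issue-1","attributes":{"type":"code","ignored":false,"effective_severity_level":"high",
  "classes":[{"source":"CWE","id":"CWE-79"}],
  "coordinates":[{"representations":[{"sourceLocation":{"file":"src/app.js","region":{"start":{"line":42}}}}]}],
  "risk":{"score":{"value":712}}}},
 {"id":"issue-2","attributes":{"type":"code","ignored":true,"effective_severity_level":"low"}}
],"links":{"next":"/orgs/org-1/issues?type=code&version=2024-10-15&starting_after=cur1"}}`
```

Running ParseIssuesPage over SampleIssuesPage yields a single Risk (issue-1, status H, CWE-79 at src/app.js:42, priority score 712) plus the next-page link, while the ignored issue-2 is dropped. Failing hard on an unknown severity is deliberate: if Snyk ever adds a level, the integration should surface it rather than quietly file findings under the wrong status.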

Implementation Plan

  1. Add SnykCredential to tabularium - New credential type in /modules/tabularium/pkg/model/model/credential.go storing: API token, org ID, and regional base URL
  2. Create integration handler at /modules/chariot/backend/pkg/tasks/integrations/snyk/ using BaseCapability pattern
  3. Implement polling via GET /orgs/{org_id}/issues?type=code with cursor-based pagination
  4. Map findings to Chariot Risks with severity, CWE, file path, and line number attributes
  5. Store data flow as Proof files - Snyk's source-to-sink taint flow attached to Risk entities
  6. Implement exponential backoff for rate limits (1,620 req/min) with errgroup Medium concurrency (30)
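An added example, not the project's own handler, of steps 3 and 6 together with the API conventions listed under Technical Details: a small Go client that sends the Authorization: token header and the date-based version query parameter, walks every page of GET /orgs/{org_id}/issues?type=code by following links.next, and backs off exponentially on HTTP 429. The names Client, pageEnvelope, get and FetchCodeIssues are chosen here; it assumes that links.next is a path relative to the regional base URL and that a Retry-After header, when present, is in seconds. The errgroup concurrency from step 6 is left out, since one org's page walk is sequential by construction.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"time"
)

const apiVersion = "2024-10-15"

// Client carries what the proposed SnykCredential holds (token, org ID and
// regional base URL). Sleep is injectable so backoff can be observed in tests;
// nil falls back to time.Sleep.
type Client struct {
	BaseURL string
	Token   string
	OrgID   string
	HTTP    *http.Client
	Sleep   func(time.Duration)
}

// pageEnvelope reads just enough of the JSON:API body to collect issues and
// follow pagination; links.next is absent on the final page.
type pageEnvelope struct {
	Data  []json.RawMessage `json:"data"`
	Links struct{ Next string `json:"next"` } `json:"links"`
}

// get performs one authenticated request. On HTTP 429 it waits (Retry-After if
// the server sent one, else a doubling delay starting at 1s) and retries up to
// maxRetries times; any other non-200 status is returned as an error.
func (c *Client) get(ctx context.Context, url string) ([]byte, error) {
	const maxRetries = 5
	sleep := c.Sleep
	if sleep == nil {
		sleep = time.Sleep
	}
	delay := time.Second
	for attempt := 0; ; attempt++ {
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "token "+c.Token)
		req.Header.Set("Content-Type", "application/vnd.api+json")
		resp, err := c.HTTP.Do(req)
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		if resp.StatusCode == http.StatusTooManyRequests {
			if attempt == maxRetries {
				return nil, fmt.Errorf("still rate limited after %d retries", attempt)
			}
			wait := delay
			if ra, err := strconv.Atoi(resp.Header.Get("Retry-After")); err == nil {
				wait = time.Duration(ra) * time.Second
			}
			sleep(wait)
			delay *= 2
			continue
		}
		if resp.StatusCode != http.StatusOK {
			return nil, fmt.Errorf("snyk api %s: %s", url, resp.Status)
		}
		return body, nil
	}
}

// FetchCodeIssues walks every page of GET /orgs/{org_id}/issues?type=code and
// returns the raw issue objects. links.next is assumed to be a path relative to
// the regional REST base URL.
func (c *Client) FetchCodeIssues(ctx context.Context) ([]json.RawMessage, error) {
	next := fmt.Sprintf("/orgs/%s/issues?type=code&version=%s", c.OrgID, apiVersion)
	var all []json.RawMessage
	for next != "" {
		body, err := c.get(ctx, c.BaseURL+next)
		if err != nil {
			return nil, err
		}
		var page pageEnvelope
		if err := json.Unmarshal(body, &page); err != nil {
			return nil, err
		}
		all = append(all, page.Data...)
		next = page.Links.Next
	}
	return all, nil
}
```

Pointing Client at an in-process httptest server that answers the first call with 429 and Retry-After: 2, then serves two pages, shows the expected behaviour: one 2-second sleep, three upstream calls, three issues collected, and a wrong token surfacing as an error instead of an empty result. In production Sleep is left nil, and the raw issue objects are handed to the mapping step.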

Reference Integrations

  • Qualys (qualys.go): XML API, pagination, full vulnerability mapping with CVSS/CVE attributes
  • Wiz (wiz.go): Cloud security with CheckAffiliation
  • BurpSuite Enterprise (burp-enterprise.go): Web app scanning pattern

Permissions Required

| Permission | Purpose |
| -- | -- |
| Org Collaborator (minimum) | Read issues, projects, settings |
| Org Admin | Full CRUD, manage integrations |

Key Considerations

  • Snyk Code must be enabled at the organization level before API access works
  • Webhooks do NOT support Snyk Code events - polling is required
  • SARIF format available but REST API JSON is more direct for Chariot mapping
  • Enterprise plan required for full API/Service Account access
  • Validate with live Snyk account before implementation to confirm response schema

Research

Full research available at .claude/.output/research/2026-03-06-111722-snyk-code-integration/

Status: Completed
Board: Feature
Date: About 1 month ago
