Snyk Scan results within SonarCloud

As a Cloud Security Architect, I would like the ability to pull Snyk code scans into SonarCloud so that software engineers only have to log into one platform to review security findings.

Details:

  • ALM: Gitlab

  • CI system: Gitlab

  • Scanner command used when applicable (private details masked): Nothing today

  • Languages of the repository: TypeScript, Python, CDK, Terraform

  • Only if the SonarCloud project is public: All projects are private

  • Error observed: No Error, yet.

  • Steps to reproduce:

      • Kick off a Sonar scan within a pipeline

      • Kick off a Snyk scan within a pipeline

      • Log into SonarCloud and review scan results

      • Log into Snyk and review scan results

  • Potential workaround:
    At the beginning of a build pipeline, first kick off a Snyk scan; the results are then either passed to SonarCloud, or alternatively the ID of the Snyk scan is shared with SonarCloud, where results from Snyk are pulled during a managed service based on a defined time.

  • Side Note:
    There is a similar process for Checkmarx and Sonar today.

Hi,

Welcome to the community!

It looks like you’re interested in the Generic Issue Data format.

HTH,
Ann

Hi,

It’s just been pointed out to me that Snyk raises issues on files that SonarCloud doesn’t know about. So Generic Issue import won’t work after all, and it doesn’t look like there’s a solution for you (unless you want to alter your Snyk reports to point to files SonarCloud analyzes, but I recognize that might be counter-productive).

Ann
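To make the file problem from Ann's reply concrete, here is an added example that is not part of this thread and not code from Snyk or SonarSource: a small Python converter that turns a scanner's SARIF output (Snyk Code can write SARIF) into Sonar's Generic Issue Data and drops findings on files the Sonar analysis never indexed, such as a lockfile. The SARIF sample is constructed, and the list of analyzed files is assumed to come from your own pipeline.

```python
from pathlib import PurePosixPath

# Constructed SARIF 2.1.0 sample in the shape a code scanner such as Snyk Code
# writes with `--sarif`; the rule ids, files and messages are made up here.
SAMPLE_SARIF = {"runs": [{"results": [
    {"ruleId": "javascript/Sqli", "level": "error",
     "message": {"text": "Unsanitized input flows into a SQL query."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.ts"},
        "region": {"startLine": 42, "startColumn": 5, "endLine": 42, "endColumn": 30}}}]},
    {"ruleId": "python/HardcodedSecret", "level": "warning",
     "message": {"text": "Hardcoded credential."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/deploy.py"},
        "region": {"startLine": 7}}}]},
    {"ruleId": "dependency-finding", "level": "error",
     "message": {"text": "Vulnerable transitive dependency (constructed)."},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "package-lock.json"},
        "region": {"startLine": 1}}}]},
]}]}

# SARIF result levels mapped onto Sonar generic-issue severities.
SEVERITY = {"error": "CRITICAL", "warning": "MAJOR", "note": "MINOR", "none": "INFO"}


def sarif_to_generic_issues(sarif, analyzed_files, engine_id="snyk"):
    """Convert SARIF results into Sonar Generic Issue Data ({"issues": [...]}).
    Findings on files outside `analyzed_files` (the paths the Sonar analysis
    indexed) are dropped and returned separately, since Sonar cannot attach an
    issue to a file it never saw, e.g. a lockfile. Returns (report, skipped)."""
    analyzed = {PurePosixPath(p).as_posix() for p in analyzed_files}
    issues, skipped = [], []
    for res in (r for run in sarif.get("runs", []) for r in run.get("results", [])):
        loc = res["locations"][0]["physicalLocation"]
        path = PurePosixPath(loc["artifactLocation"]["uri"]).as_posix()
        if path not in analyzed:
            skipped.append(path)
            continue
        region = loc.get("region", {})
        text_range = {"startLine": region.get("startLine", 1)}
        if "endLine" in region:
            text_range["endLine"] = region["endLine"]
        for key in ("startColumn", "endColumn"):  # SARIF columns are 1-based,
            if key in region:                      # Sonar's are 0-based offsets
                text_range[key] = region[key] - 1
        issues.append({"engineId": engine_id, "ruleId": res["ruleId"],
                       "severity": SEVERITY.get(res.get("level"), "MAJOR"),
                       "type": "VULNERABILITY",
                       "primaryLocation": {"message": res["message"]["text"],
                                           "filePath": path, "textRange": text_range}})
    return {"issues": issues}, skipped
```

Write the returned report to a JSON file and reference it with `sonar.externalIssuesReportPaths`; the skipped list tells you which Snyk findings still live only in Snyk.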

Correct. Do you know if there is anything on Sonar’s roadmap?

Sorry, I’m not aware of anything.

🙁
Ann