# Snyk

> Pull Snyk vulnerability findings for open source dependencies, container images, and code into Pwnbook engagements for unified security tracking.

## Overview

Snyk is a developer security platform covering open source dependencies (SCA), container images, infrastructure as code, and code (SAST). The Pwnbook Snyk integration imports findings from your Snyk organization so you can review and track them alongside other engagement findings.

## Prerequisites

* A Snyk account (Free, Team, or Enterprise)
* A Snyk API token
* Your Snyk organization ID
* Admin or Owner access in Pwnbook to configure the integration

## Credentials required

| Field               | Description                                                                                                 |
| ------------------- | ----------------------------------------------------------------------------------------------------------- |
| **API Token**       | A Snyk personal or service account token. Generate one at **Snyk Account Settings → General → Auth Token**. |
| **Organization ID** | The UUID of your Snyk organization. Found at **Snyk Organization Settings → General**.                      |

## Setup

<Steps>
  <Step title="Generate a Snyk API token">
    1. Log in to [snyk.io](https://snyk.io).
    2. Click your account name → **Account Settings**.
    3. Under **General**, copy your **Auth Token**.

    For team or enterprise environments, create a **service account token** instead:

    1. Go to **Organization Settings → Service Accounts**.
    2. Click **Create a service account**.
    3. Give it a name (e.g., `pwnbook`) and assign the **Viewer** role.
    4. Copy the generated token.

    <Tip>Service account tokens are preferred for integrations because they aren't tied to a personal account and have finer-grained permissions.</Tip>
  </Step>

  <Step title="Find your organization ID">
    1. In Snyk, go to **Organization Settings → General**.
    2. Copy the **Organization ID** (UUID format).

    If you have multiple Snyk orgs, repeat the integration setup for each one.
  </Step>

  <Step title="Configure the integration in Pwnbook">
    1. Go to **Organization Settings → Marketplace → Snyk**.
    2. Click **Configure**.
    3. Enter your **API Token** and **Organization ID**.
    4. Click **Save & Test**.
  </Step>
</Steps>
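Before pasting the token and organization ID into Pwnbook, it helps to confirm locally that the token is accepted by Snyk and can actually see the org you copied. The script below is an added example and is not part of Pwnbook or of Snyk's tooling: it reads both values from environment variables (`SNYK_TOKEN`, `SNYK_ORG_ID`, names chosen here) so they never land in a shell history, rejects an org slug pasted where the UUID belongs, and only then makes two read-only calls. The endpoints `GET /v1/user/me` and `GET /rest/orgs/{org_id}`, the `Authorization: token …` header, the REST `version` string, and the response field names are assumptions based on Snyk's public API documentation; a Viewer service account token is sufficient for both calls.

```python
"""Pre-flight check for the Snyk credentials that Pwnbook asks for.

Added example, not part of the Pwnbook integration. Endpoints, header
format, REST API version and JSON field names are assumptions taken from
Snyk's public API docs; adjust them if Snyk's API changes.
"""
import json
import os
import re
import sys
import urllib.error
import urllib.request

SNYK_API = "https://api.snyk.io"
REST_VERSION = "2024-10-15"  # assumption: a valid Snyk REST API version string

# Snyk organization IDs are UUIDs; the org *slug* (e.g. "acme-corp") is not.
_UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def is_org_id(value: str) -> bool:
    """True if value looks like the UUID Snyk shows under Organization Settings."""
    return bool(_UUID_RE.match(value.strip()))


def auth_headers(token: str) -> dict:
    """Build the headers Snyk expects. Assumption: 'Authorization: token <TOKEN>'."""
    token = token.strip()
    if token.lower().startswith("token "):  # common copy/paste of the docs example
        token = token[6:].strip()
    if not token:
        raise ValueError("empty Snyk API token")
    return {"Authorization": f"token {token}", "Accept": "application/json"}


def _http_get(url: str, headers: dict):
    """Return (status, parsed JSON body); HTTP errors become a status, not a traceback."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as exc:
        return exc.code, {}


def verify_snyk_credentials(token: str, org_id: str, fetch=_http_get) -> dict:
    """Check token validity, then that the token can read the given org.

    Returns a report dict instead of raising so a caller can print one clear
    line. `fetch` is injectable so the logic can be exercised without network.
    """
    org_id = org_id.strip()
    if not is_org_id(org_id):
        return {"ok": False, "reason": "organization ID is not a UUID (did you paste the org slug?)"}
    headers = auth_headers(token)

    status, body = fetch(f"{SNYK_API}/v1/user/me", headers)
    if status == 401:
        return {"ok": False, "reason": "token rejected (401): regenerate it or check for stray whitespace"}
    if status != 200:
        return {"ok": False, "reason": f"unexpected status {status} from /v1/user/me"}
    # Assumption: /v1/user/me returns 'username' and 'email' for the token's identity.
    user = body.get("username") or body.get("email") or "<unknown>"

    status, body = fetch(f"{SNYK_API}/rest/orgs/{org_id}?version={REST_VERSION}", headers)
    if status in (403, 404):
        return {"ok": False, "reason": f"token authenticated as {user} but cannot see org {org_id} ({status})"}
    if status != 200:
        return {"ok": False, "reason": f"unexpected status {status} from /rest/orgs/{org_id}"}
    # Assumption: JSON:API shape, org name under data.attributes.name.
    org_name = body.get("data", {}).get("attributes", {}).get("name", "<unknown>")
    return {"ok": True, "user": user, "org": org_name}


if __name__ == "__main__":
    # Constructed usage: values come from the environment, never from argv or source.
    report = verify_snyk_credentials(
        os.environ.get("SNYK_TOKEN", ""), os.environ.get("SNYK_ORG_ID", "")
    )
    if report["ok"]:
        print(f"OK: token for '{report['user']}' can read org '{report['org']}'")
    else:
        print(f"FAILED: {report['reason']}")
        sys.exit(1)
```

Run it as `SNYK_TOKEN=… SNYK_ORG_ID=… python snyk_precheck.py`; a `401` means the token itself is wrong, while a `403`/`404` on the org call means the token works but belongs to a different org or lacks the Viewer role there, which is the case to fix before Pwnbook's **Save & Test** reports a generic failure.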

## What gets synced

| Data                            | Description                                                            |
| ------------------------------- | ---------------------------------------------------------------------- |
| **Open source vulnerabilities** | CVEs in npm, pip, Maven, Go, and other package managers                |
| **Container vulnerabilities**   | Base image and package vulnerabilities in Docker/OCI images            |
| **IaC misconfigurations**       | Security issues in Terraform, CloudFormation, and Kubernetes manifests |
| **Code issues**                 | SAST findings from Snyk Code                                           |
| **Severity**                    | Critical, high, medium, low                                            |
| **CVE / CWE**                   | Standard identifiers with CVSS scores                                  |
| **Fix availability**            | Whether a fix version exists and what it is                            |
| **Exploit maturity**            | Proof-of-concept or in-the-wild exploit availability                   |

## Viewing findings in Pwnbook

Synced Snyk findings appear in the engagement under **Security Findings → Snyk**. You can:

* Filter by severity, issue type, and project
* View CVSS scores, CVE details, and fix recommendations
* Assign findings to tasks
* Mark findings as resolved or suppressed

## Disconnecting

To remove the Snyk integration:

1. Go to **Organization Settings → Marketplace → Snyk**.
2. Click **Disconnect**.
3. Confirm.

Previously synced findings remain in Pwnbook until manually deleted.
