Snyk Plugin

The Snyk plugin allows engineers to surface application security issues directly within their Backstage entities. It pulls vulnerability data from Snyk and displays it contextually in two key locations on the entity page, allowing teams to stay informed and take action faster.

note

This plugin is available for Snyk Enterprise users only, as it requires access to organization-level API capabilities. Please contact Snyk to confirm whether your organization plan includes the required API access.

Basic functionality

The Snyk plugin allows you to:

  • View detailed vulnerabilities in the Snyk tab on the entity page, helping teams assess security risks linked to their services.
  • Get a quick snapshot of security issues using the Snyk overview widget, which displays a compact count of vulnerabilities directly on the entity overview page.
  • Connect one or more Snyk organisations to Backstage and link relevant projects or targets to entities using those references.
  • Monitor the health and security of services directly in Backstage, without switching tools.

Notable fields

To connect Snyk to Venue.sh via the plugin settings, the following fields must be configured:

| Field | Required | Description |
| --- | --- | --- |
| API URL | | Use the correct base URL for your region (see below) |
| Auth Token | | Generated from your Snyk account (Account Settings > API Token). The auth token must be re-entered if the plugin settings are changed. |
| Org ID | | At least one Snyk organisation must be specified using snyk.io/org-id or snyk.io/org-ids |
| Target or Project Reference | | You must provide one of the following to identify the data Snyk should pull for each entity: snyk.io/target-id (a single target by name or ID; faster with ID), snyk.io/targets (one or more targets by name or ID, comma-separated), or snyk.io/project-ids (one or more project IDs, comma-separated; see slug in project URL or ID in settings) |
| Exclude Project IDs | | Optionally exclude specific projects using snyk.io/exclude-project-ids (comma-separated) |

Snyk references (Entity YAML)

Add the following references to your entity YAML to connect Backstage entities to the correct Snyk data:

| Reference | Description |
| --- | --- |
| snyk.io/org-id | The ID of the Snyk organization (found in Org Settings). |
| snyk.io/org-ids | Comma-separated list of org IDs. If used, this overrides org-id. |
| snyk.io/target-id | A single target by name or ID. Using the ID avoids an API call. |
| snyk.io/targets | Comma-separated list of targets by name or ID. |
| snyk.io/project-ids | Comma-separated list of project IDs (from project slug in the URL or from Project Settings). |
| snyk.io/exclude-project-ids | Comma-separated list of project IDs to be excluded from display. |

tip

Here are some tips for finding the Snyk information detailed in the table above:

  • Org ID - Go to Snyk Dashboard > Organization Settings, and copy the orgId listed.

  • Target IDs - Use Snyk’s API endpoint: GET /org/{org_id}/targets

    This returns a list of available target IDs linked to your organization.

  • Project IDs - Navigate to a specific project in the Snyk dashboard. The ID is visible in the project URL (slug) or in Project Settings.
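
As an added example (not code from Venue.sh or Snyk), the following pre-merge check applies the rules from the reference table above to one entity. It assumes the references are stored under metadata.annotations, as in a standard Backstage entity, and that Snyk org and project IDs are UUIDs; the function names and the sample entity are constructed for illustration.

```python
import re

# Annotation keys from the reference table on this page.
ORG_IDS, ORG_ID = "snyk.io/org-ids", "snyk.io/org-id"
SELECTORS = ("snyk.io/target-id", "snyk.io/targets", "snyk.io/project-ids")
EXCLUDE = "snyk.io/exclude-project-ids"
# Assumption: Snyk org and project IDs are UUIDs; other values are names or typos.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def split_csv(value):
    """Split a comma-separated reference value, dropping blanks."""
    return [v.strip() for v in str(value or "").split(",") if v.strip()]


def check_snyk_refs(entity):
    """Resolve one entity's Snyk references; return (resolved, problems)."""
    # Assumption: references sit under metadata.annotations (Backstage convention).
    ann = (entity.get("metadata") or {}).get("annotations") or {}
    refs = {k: split_csv(ann.get(k)) for k in (ORG_IDS, ORG_ID, EXCLUDE, *SELECTORS)}
    problems = []
    orgs = refs[ORG_IDS] or refs[ORG_ID]  # org-ids overrides org-id
    if not orgs:
        problems.append("no org: set snyk.io/org-id or snyk.io/org-ids")
    if refs[ORG_IDS] and refs[ORG_ID]:
        problems.append("snyk.io/org-id is ignored because snyk.io/org-ids is set")
    selected = {k: refs[k] for k in SELECTORS if refs[k]}
    if not selected:
        problems.append("no target or project reference set")
    if len(refs["snyk.io/target-id"]) > 1:
        problems.append("snyk.io/target-id takes one target; use snyk.io/targets")
    id_only = {"org": orgs, SELECTORS[2]: refs[SELECTORS[2]], EXCLUDE: refs[EXCLUDE]}
    for key, values in id_only.items():
        problems += [f"{key}: {v!r} is not a UUID" for v in values if not UUID_RE.match(v)]
    # Targets given by name are valid, but the page notes an ID avoids an API call.
    by_name = [t for k in SELECTORS[:2] for t in refs[k] if not UUID_RE.match(t)]
    resolved = {"orgs": orgs, "selected": selected, "excluded": refs[EXCLUDE]}
    return {**resolved, "targets_by_name": by_name}, problems


SAMPLE = {"metadata": {"name": "payments-api", "annotations": {  # constructed sample
    "snyk.io/org-id": "11111111-1111-4111-8111-111111111111",
    "snyk.io/org-ids": "22222222-2222-4222-8222-222222222222, 33333333-3333-4333-8333-333333333333",
    "snyk.io/targets": "example-org/payments-api, 44444444-4444-4444-8444-444444444444",
    "snyk.io/exclude-project-ids": "not-a-uuid",
}}}

if __name__ == "__main__":
    print(*check_snyk_refs(SAMPLE), sep="\n")
```
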

Configuring the Snyk Plugin in Venue.sh

  1. In the Venue.sh app, click Plugins in the left-side navigation.

  2. Find Snyk, then click Enable Plugin.

  3. Enter the value for API URL.

    Use the correct API base URL based on where your Snyk account is hosted:

    | Region | API URL |
    | --- | --- |
    | SNYK-US-01 | https://api.snyk.io |
    | SNYK-US-02 | https://api.us.snyk.io |
    | SNYK-EU-01 | https://api.eu.snyk.io |
    | SNYK-AU-01 | https://api.au.snyk.io |

    tip

    You can find your region in your organization’s Snyk dashboard or by contacting your Snyk account manager.

  4. Enter the value for Auth Token.

    This value is generated from your Snyk account (Account Settings > API Token).

    note

    The auth token must be re-entered if plugin settings are changed.

  5. Click Validate & Enable.