How to integrate GitLab to test and watch your projects
You can add your Node.js, Ruby, Python, Scala and Java GitLab projects and quickly test them, or decide which ones you’d like to continuously watch with Snyk.
This integration only works with GitLab instances that are publicly reachable (not on a private network). For private instances, you will need to set up via Snyk’s Broker first.
- Generate a Personal Access Token in your GitLab. You’ll find this option in your user account settings area, in the “Access Tokens” section.
- Go to Snyk’s integrations page and click “Connect to GitLab”.
- Add your account credentials and the token you just generated to the GitLab integration settings area in Snyk.
Watch a Node.js, Ruby, Python, Scala or Java GitLab project to add it as a project to Snyk. This will allow you to:
- see Snyk tests in your merge requests that check for vulnerabilities.
- get email alerts and a Snyk merge request with fixes when new vulnerabilities that affect your project are disclosed.
- get email alerts and a Snyk merge request if a new upgrade or patch is available for a vulnerability that affects you.
- trigger a Snyk merge request with fixes yourself from the test report page or the project page for your project on dev.snyk.io.
Fix vulnerabilities with Snyk merge requests
Currently for Node.js and Ruby only
When viewing a Snyk test report for a project that you own, or when looking at a project that you are watching with Snyk, you’ll see two options for fixing a vulnerability:
1) ‘Open a fix Merge Request’ link: generate a Snyk merge request with the minimal changes needed to fix the vulnerabilities affecting the project.
2) ‘Fix this vulnerability’ link: generate a Snyk merge request that fixes only this vulnerability.
You can review the vulnerabilities that will be fixed, change your selection, and choose to ignore any vulnerabilities that can’t be fixed right now before opening the merge request on the ‘Open a fix Merge Request’ page.
Note that patching is only supported for Node.js projects; Ruby vulnerabilities can be fixed with upgrades only.
Snyk fixes your Ruby projects by updating vulnerable dependencies in your Gemfile.lock file. When a fix requires a change to your Gemfile, our fix merge requests will propose these changes.
When you open a merge request via dev.snyk.io, we will give you a heads-up when this is the case.
Here’s an example for the merge request:
Get a Snyk merge request when newly disclosed vulnerabilities affect you
Whenever a vulnerability is disclosed that affects a project you’re watching, Snyk will not only email you about it, but also generate a Snyk merge request that addresses the vulnerabilities. You’ll receive a merge request similar to the example above.
Get a Snyk merge request when new upgrades or patches are available
When no upgrade is available, you can ignore or patch the vulnerability (patching is only available for Node.js projects). When a better remediation option has become available, for example an upgrade for a vulnerability you previously ignored, Snyk notifies you about this via email, and also generates a merge request with the new fix.
Disabling the GitLab integration
If you don’t want to watch a GitLab project anymore, you can stop watching this project via the project settings. The project will be set to inactive, and you’ll no longer get alerts, merge requests, or Snyk test on your merge requests. The webhook that enables the GitLab integration for this project will be removed.
You can restart watching at any time.