
feat: Add Snyk integration with On New Issue Detected trigger and Ign…#3021

Open · nebojsaj1726 wants to merge 7 commits into superplanehq:main from nebojsaj1726:feat/snyk-integration

Conversation

@nebojsaj1726 (Author)

Summary

This PR introduces the Snyk security integration to SuperPlane. It establishes the base connection using an API Token and Organization ID, and adds the onNewIssueDetected webhook trigger and the ignoreIssue action component.

Implements #2627

Features

  • Base Integration: Connects to Snyk via API Token with Organization ID configuration.
  • On New Issue Detected Trigger:
    • Webhook-based trigger that fires when Snyk detects new security vulnerabilities.
    • Optional Project ID filter to scope to a specific project.
    • Optional Severity filter (low, medium, high, critical) to only trigger on matching severity or higher.
  • Ignore Issue Action:
    • Ignores a specific Snyk security issue via the Snyk API.
    • Configurable Organization ID, Project ID, Issue ID, and Reason.
    • Optional expiration date for the ignore rule.
  • UI/UX: Added Snyk integration icon, frontend mappers for canvas rendering, and component documentation.

Implementation Details

  • Backend: Implemented package snyk with HTTP client for Snyk API (https://api.snyk.io).
  • Structure: Followed standard integration patterns (webhook trigger, action component, client).
  • Testing: Unit tests for trigger Setup/HandleWebhook, component Setup/Execute, CompareWebhookConfig, and severity filtering.
  • Frontend: Registered integration in sidebar and icon maps, added trigger and component mappers with event sections and state handling.

Testing Notes

The Snyk free plan does not support API access for webhooks, so webhook registration returns 403:

"The org ... is not entitled for api access. Please upgrade your plan to access this capability"

Workaround for testing: The webhook was manually marked as ready in the local database to bypass the provisioning failure. This allowed local testing by curling the webhook endpoint /api/v1/webhooks/{webhook-uuid} with the example payload to simulate incoming Snyk events.

The integration code itself is correct and will work on Snyk Business/Enterprise plans that support webhook API access. The full pipeline (trigger → action) was verified to work correctly — the trigger emits events when receiving webhooks, and the action component executes and calls the Snyk API as expected (403 response due to free plan limitation, but the integration logic is sound).

Test Plan

  • All existing tests pass
  • Unit tests pass (make test PKG_TEST_PACKAGES=./pkg/integrations/snyk/...)
  • Code compiles without errors (make lint && make check.build.app)
  • UI builds successfully (make check.build.ui)
  • Verified trigger fires via webhook curl
  • Verified Ignore Issue executes (403 due to free plan, but pipeline works correctly)
  • Verified canvas rendering: trigger shows purple "triggered" badge, action shows red "error" state

Checklist

  • Signed-off commits
  • Unit tests
  • Example data/output JSON
  • Documentation

…ore Issue action

Signed-off-by: Nebojsa Jacovic <nebojsa.jacovic@gmail.com>
@AleksandarCole added the pr:stage-2/3 (Needs to pass functional review) label on Feb 10, 2026
@AleksandarCole self-assigned this on Feb 10, 2026
…cy in Snyk integration

Signed-off-by: Nebojsa Jacovic <nebojsa.jacovic@gmail.com>
@AleksandarCole (Collaborator)

@nebojsaj1726 thanks for submitting this one!

I tried to get it to work, but I'm a bit stuck. The integration shows as connected:
[screenshot]

However, even though I have some issues:
[screenshot]

and the component is configured:
[screenshot]

I am not receiving any events.

A few general notes on UX:

  • Things like Severity should be multiSelect instead of select
  • Projects - can we have a Select like what we have for repos for GitHub components or projects for Semaphore components? Also having project names instead of IDs would make more sense.
  • OrganizationID - I don't think we should set these at component level, since we're configuring it as a part of setting up integration.
  • It would be good if instructions for configuring integration were more descriptive, eg. if user needs to configure PAT we can have a button/link that takes them to that page (https://app.snyk.io/account/personal-access-tokens) as it's a fixed link same for everyone.

@AleksandarCole (Collaborator)

@nebojsaj1726 I also came across https://docs.snyk.io/snyk-api/using-specific-snyk-apis/snyk-apps-apis/create-a-snyk-app-using-the-snyk-api
and I'm wondering if that is something that would be useful to utilize with this integration.

@nebojsaj1726 (Author)

@AleksandarCole Thanks for the feedback.

Re: Not receiving events - Are you using a Snyk Business or Enterprise plan?
When I created a free account for testing, I got the errors mentioned above: "The org {name} is not entitled for api access. Please upgrade your plan to access this capability".
All API calls return 403, so I didn't receive any events either.

I verified the integration logic works by manually setting the webhook to 'ready' status in the database and sending test payloads via curl with proper HMAC signatures - events fired correctly.

Re: UX improvements - All good points, can implement:

  1. Change Severity from single select to multiSelect
  2. Add Project dropdown with names (requires API call to list projects)
  3. Move OrganizationID to integration-level config - question: should users still be able to override it at component level for multi-org scenarios, or always use integration-level setting?
  4. Add direct links in instructions to Snyk token page and org settings

Re: Snyk Apps API - Interesting suggestion. The current implementation uses simple API token auth (similar to most integrations). Snyk Apps would provide OAuth-based auth with better token management and refresh, but adds complexity:

  • Requires app registration in Snyk
  • OAuth authorization flow
  • Token refresh handling
  • More setup steps for users

We could explore this as a follow-up enhancement once the basic integration is working.
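Added example, not code from this PR or from SuperPlane: a Go sketch of the two checks the trigger described in the PR relies on, and of the signing step the curl-based local test needs. It verifies the webhook HMAC before trusting a payload (constant-time compare, fail closed on a missing or malformed header), then applies the "matching severity or higher" and optional project filters. It assumes the Snyk convention of an X-Hub-Signature header carrying "sha256=" plus the hex HMAC-SHA256 of the raw body under the webhook secret, and a project_snapshot-style body with project.id and newIssues[].issueData.severity; the header format, the field names, the Filter type and the sample body are all assumptions made for this example, not taken from the PR.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// severityRank orders Snyk's severities so "this severity or higher" is an integer comparison.
var severityRank = map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}

// SignPayload builds the X-Hub-Signature value for body under the webhook secret.
// Assumed convention: "sha256=" + lowercase hex of HMAC-SHA256 over the raw body.
func SignPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// VerifySignature recomputes the MAC and compares in constant time; it fails closed on a missing
// header, wrong prefix or undecodable hex so a forged event is never accepted.
func VerifySignature(secret, body []byte, header string) bool {
	const prefix = "sha256="
	if !strings.HasPrefix(header, prefix) {
		return false
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, prefix))
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(got, mac.Sum(nil)) // never == on MACs: that leaks timing
}

// Issue and Payload hold only the fields this example reads; the names follow a
// project_snapshot-style event and are an assumption, not taken from the PR.
type Issue struct {
	ID        string                            `json:"id"`
	IssueData struct{ Severity string `json:"severity"` } `json:"issueData"`
}
type Payload struct {
	Project   struct{ ID string `json:"id"` } `json:"project"`
	NewIssues []Issue                          `json:"newIssues"`
}

// Filter is the trigger configuration; an empty field means "match anything".
type Filter struct {
	ProjectID   string
	MinSeverity string
}

// MatchingIssues returns the IDs of new issues at MinSeverity or above for the configured
// project. An unknown MinSeverity is an error rather than a filter that silently never fires.
func MatchingIssues(body []byte, f Filter) ([]string, error) {
	var p Payload
	if err := json.Unmarshal(body, &p); err != nil {
		return nil, err
	}
	minRank, ok := 0, true
	if f.MinSeverity != "" {
		minRank, ok = severityRank[strings.ToLower(f.MinSeverity)]
	}
	if !ok {
		return nil, errors.New("unknown severity filter: " + f.MinSeverity)
	}
	if f.ProjectID != "" && p.Project.ID != f.ProjectID {
		return nil, nil
	}
	var ids []string
	for _, is := range p.NewIssues {
		if severityRank[strings.ToLower(is.IssueData.Severity)] >= minRank {
			ids = append(ids, is.ID)
		}
	}
	return ids, nil
}

// HandleWebhook authenticates first and parses second: an unsigned body is never decoded.
func HandleWebhook(secret, body []byte, sigHeader string, f Filter) ([]string, error) {
	if !VerifySignature(secret, body, sigHeader) {
		return nil, errors.New("invalid X-Hub-Signature")
	}
	return MatchingIssues(body, f)
}

// SamplePayload is a constructed event body for local testing, not a captured Snyk event.
const SamplePayload = `{"project":{"id":"proj-1"},"newIssues":[` +
	`{"id":"SNYK-A","issueData":{"severity":"low"}},` +
	`{"id":"SNYK-B","issueData":{"severity":"high"}},` +
	`{"id":"SNYK-C","issueData":{"severity":"critical"}}]}`

func main() {
	secret := []byte("local-test-secret") // constructed; use the secret stored for the webhook
	body := []byte(SamplePayload)
	ids, err := HandleWebhook(secret, body, SignPayload(secret, body), Filter{MinSeverity: "high"})
	fmt.Println(ids, err) // [SNYK-B SNYK-C] <nil>
}
```

When the provisioning call is forced to "ready" in the database, as the PR's testing notes describe, the only thing a curl against /api/v1/webhooks/{webhook-uuid} can prove is this path: that a body signed with the stored secret is accepted, that the same body with a missing or altered signature is rejected, and that the severity filter picks the expected issues. The sample body pairs with SignPayload to produce a valid header; flipping one byte of the body with the same header must be rejected, which is the check worth keeping in the unit tests alongside the severity cases.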

@AleksandarCole (Collaborator)

@nebojsaj1726 I understand now, I guess they let you configure a PAT but you can't really use it. The fact that only Enterprise users could use this is very limiting.
I would really like for users on free or pro plans to be able to use this too. Would Apps/OAuth even enable us to do that?

Let me know if there's some way to achieve this for non-enterprise, if not I guess we have to flag this not as Snyk but Snyk Enterprise

@nebojsaj1726 (Author)

@AleksandarCole I looked into this and, as I saw here https://docs.snyk.io/snyk-api and here https://docs.snyk.io/snyk-api/authentication-for-api, the entire Snyk API is restricted to Enterprise customers. Free/Team plan tokens only work for CLI and IDE authentication, not API calls.

Given this limitation, if you want to keep this integration and add appropriate warnings/notifications about the Enterprise requirement, please let me know and I can push the UI improvements.

@AleksandarCole (Collaborator)

Thanks again @nebojsaj1726, I will have to figure out the best way to test this first. Feel free to push the UI changes. After that I will have to find a bit of time for a more detailed review and to do a deeper dive into this before we merge.

Signed-off-by: Nebojsa Jacovic <nebojsa.jacovic@gmail.com>

@cursor (bot) left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


    type Organization struct {
        ID   string `json:"id"`
        Name string `json:"name"`
    }

Unused Organization struct and Organizations metadata field

Low Severity

The Organization struct and the Organizations field in Metadata are defined but never populated anywhere. The Sync method only sets the User field when calling SetMetadata, leaving Organizations always nil. Other integrations in the codebase keep their Metadata structs tight with only fields that are actually populated during sync. This dead code adds unnecessary noise and could mislead future developers into thinking organization data is being tracked.



Labels

pr:stage-2/3 (Needs to pass functional review), wfh
