Snyk
Snyk output file can be imported in JSON format. Snyk is a developer-first security platform that identifies vulnerabilities in open source dependencies (SCA) and application code (SAST). DefectDojo currently supports the SCA report format via the Snyk parser. For SAST findings, use the Snyk Code parser instead.
Sample Scan Data
Sample Snyk scans can be found here.
Supported Report Types
| Report Type | Supported | Parser |
|---|---|---|
| Snyk SCA (Open Source) | ✅ Yes | Snyk |
| Snyk SAST (Code) | ✅ Yes | Snyk Code |
| Snyk Issue API | ✅ Yes | Snyk Issue API |
This page covers the Snyk SCA (Open Source) parser only.
How to Export from Snyk
Option 1 — Snyk Web UI (Recommended for Enterprise Use)
- Log in to your Snyk account at app.snyk.io
- Navigate to your Organization and select the Project you want to export
- Click on the project to open the vulnerability list
- Click the Export button at the top right of the findings list
- Select JSON as the export format
- Save the exported file
Option 2 — Snyk CLI
If you prefer to export via the command line:
snyk test --json > snyk.jsonFor monorepos or projects with multiple package managers, scan all projects at once:
snyk test --all-projects --json > snyk.jsonFor specific package managers:
# For npm projects
snyk test --json --file=package.json > snyk.json
# For Maven projects
snyk test --json --file=pom.xml > snyk.json
# For Python projects
snyk test --json --file=requirements.txt > snyk.jsonOnce you have the JSON file, upload it into DefectDojo under your chosen Engagement using Import Scan > Snyk Scan.
Severity Mapping
Snyk uses its own severity model which maps to DefectDojo as follows:
| Snyk Severity | DefectDojo Severity |
|---|---|
| Critical | Critical |
| High | High |
| Medium | Medium |
| Low | Low |
Recommended Workflow for Enterprise Use
For teams running Snyk across multiple applications and repositories:
- Use Reimport (not Import) for recurring scans on the same target to track finding status over time rather than creating duplicate records
- Export at the project level rather than the organization level to maintain clean engagement boundaries in DefectDojo
- Set SLA thresholds in DefectDojo aligned to Snyk severity levels so that Critical and High findings trigger appropriate remediation timelines automatically
- Use Snyk’s CI/CD integration to export JSON automatically as part of your pipeline and feed results into DefectDojo via the API for continuous vulnerability tracking
Default Deduplication Hashcode Fields
By default, DefectDojo identifies duplicate Findings using these hashcode fields:
- vuln id from tool
- file path
- component name
- component version
Note on Deduplication
Snyk can report the same vulnerability across multiple projects or package versions. When importing findings from multiple Snyk projects into the same DefectDojo product, review your deduplication settings to avoid over-counting the same underlying vulnerability.