Part2: Scanning Java Dependencies with Snyk (SCA)

🧪 Why Dependencies Can Be Dangerous

You might write a thousand lines of clean Java code — but you’re still importing tens of thousands of lines of someone else’s code via pom.xml.

If even one of those libraries has a vulnerability, your app could be at risk before it ever gets deployed.

That’s why we use Snyk, a Software Composition Analysis (SCA) tool that scans your dependencies and flags known issues — even the transitive ones.


🔍 What Is SCA?

SCA stands for Software Composition Analysis. It scans your:

  • pom.xml (Java)
  • package.json (Node.js)
  • requirements.txt (Python)
  • And more…

…and reports:

  • Known vulnerabilities, identified by their CVE (Common Vulnerabilities and Exposures) IDs
  • License issues
  • Fix recommendations (the versions in which each issue was fixed)

🛠 How to Use Snyk Locally

If you want to test it before putting it in the pipeline, install the CLI, authenticate, and run a test against your pom.xml:

npm install -g snyk
snyk auth
snyk test --file=pom.xml

This will scan your dependencies (direct and transitive) and print a full report.


🧰 Integrating Snyk into Azure DevOps Pipeline

Let’s now plug this into our Azure DevOps pipeline.


Step 1: Add your Snyk Token

Go to snyk.io, get your token from the account settings, and add it to Azure DevOps as a secret variable named:

SNYK_TOKEN


Step 2: Add Snyk Scan Stage to azure-pipelines.yml

- stage: SCA
  displayName: 'SCA with Snyk'
  dependsOn: Setup
  jobs:
    - job: snykScan
      displayName: 'Scan Java Dependencies'
      pool:
        vmImage: 'ubuntu-latest'
      steps:
        - checkout: self
        - script: |
            npm install -g snyk
            snyk auth $(SNYK_TOKEN)
            # Exits non-zero (failing the step) on any issue of high or critical severity
            snyk test --file=pom.xml --severity-threshold=high
          env:
            # Secret variables are not exposed to scripts automatically; map it explicitly
            SNYK_TOKEN: $(SNYK_TOKEN)
          displayName: 'Run Snyk Scan'

🧠 What This Does

  • Installs the Snyk CLI
  • Authenticates with your token
  • Scans the direct and transitive dependencies declared in pom.xml
  • Fails the pipeline (snyk test exits non-zero) if any issue of high or critical severity is found

Want it stricter? Change --severity-threshold=high to critical. The threshold means "at or above", so high also catches critical issues, while critical ignores high ones.
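As an added example (not from the original post or from Snyk), here is a small gate script you can run as a follow-up step after `snyk test --file=pom.xml --json > snyk.json`. It applies the same "at or above threshold" rule as --severity-threshold, and additionally marks which findings come in through a transitive dependency and whether a fixed version exists. The embedded sample report is constructed, and its field names (`vulnerabilities`, `severity`, `from`, `fixedIn`) are assumptions about the shape of the JSON output.

```python
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample shaped like `snyk test --json` output; the field names are assumptions.
SAMPLE_REPORT_JSON = json.dumps({"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-1", "title": "Deserialization of Untrusted Data", "severity": "high",
     "packageName": "org.example:lib-a", "version": "1.0.0", "fixedIn": ["1.0.1"],
     "from": ["demo-app@1.0", "org.example:framework@2.3", "org.example:lib-a@1.0.0"]},
    {"id": "SNYK-EXAMPLE-2", "title": "Regular Expression Denial of Service", "severity": "medium",
     "packageName": "org.example:lib-b", "version": "3.1.0", "fixedIn": [],
     "from": ["demo-app@1.0", "org.example:lib-b@3.1.0"]},
]})

def parse_report(text: str) -> dict:
    """Parse the JSON written by `snyk test --json`."""
    return json.loads(text)

def summarize(report: dict) -> dict:
    """Count findings per severity and mark which ones arrive via a transitive dependency."""
    counts = {s: 0 for s in SEVERITY_RANK}
    findings = []
    for v in report.get("vulnerabilities", []):
        sev = v.get("severity", "low")
        counts[sev] = counts.get(sev, 0) + 1
        path = v.get("from", [])  # from[0] is the project itself, from[1] the direct dependency
        findings.append({"id": v["id"], "severity": sev, "transitive": len(path) > 2,
                         "package": f'{v["packageName"]}@{v["version"]}',
                         "fixed_in": v.get("fixedIn") or []})
    return {"counts": counts, "findings": findings}

def should_fail(report: dict, threshold: str = "high") -> bool:
    """Same rule as --severity-threshold: any finding at or above the threshold fails the build."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(v.get("severity"), 0) >= limit
               for v in report.get("vulnerabilities", []))

if __name__ == "__main__":
    # Usage: python snyk_gate.py snyk.json [threshold]; without arguments the sample report is used
    report = parse_report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_JSON)
    for f in summarize(report)["findings"]:
        kind = "transitive" if f["transitive"] else "direct"
        fix = f"fix in {f['fixed_in'][0]}" if f["fixed_in"] else "no fixed version yet"
        print(f'{f["severity"]:>8}  {f["package"]}  ({kind}, {fix})  {f["id"]}')
    sys.exit(1 if should_fail(report, sys.argv[2] if len(sys.argv) > 2 else "high") else 0)
```

Because the script reads the JSON file rather than re-running the scan, you can keep snyk test itself non-blocking (for example with `|| true`) and let this step decide the build result.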


💡 Tips

  • Use snyk monitor to send results to the Snyk dashboard, so you are notified when a new vulnerability is published for a dependency you already ship
  • Install the Snyk plugin in your IDE (VS Code, IntelliJ) to catch issues as you code
  • You can also scan Dockerfiles, container images and Kubernetes configs later

✅ What Should Happen?

If no issues at or above the threshold are found:

✅ The build continues.

If there are known issues at or above the threshold:

❌ The build fails, and you get a detailed report in the logs, including the dependency path each issue comes from and links to fixed versions.


⏭️ What’s Next?

Now that we’ve scanned your libraries, let’s scan your code.

In the next part, we’ll plug SonarQube into the pipeline to run a full SAST (Static Analysis) scan on your Java codebase.

⏭️ Continue to Part 3 - SAST Scanning with SonarQube →