Skip to main content
In this tutorial, we will run Snyk scans against the Kosli CLI git repo and attest the results to a Kosli trail. By the end, you will have a Kosli trail with attested Snyk scan results that you can view in the Kosli app.

Prerequisites

To follow the steps in this tutorial, you need to:

Setup

Set the KOSLI_ORG environment variable to your personal org name and KOSLI_API_TOKEN to your token:
Clone the Kosli CLI git repo:

Create a Flow and Trail

We will start by creating a flow in Kosli to contain trails and artifacts for this tutorial:
You should see: flow snyk-demo was created. Then start a trail to bind our Snyk attestations to:
You should see: trail 'test-1' was begun.

Attest Snyk scans

We can now run Snyk scans and attest them to the trail. After each attestation, you can verify the result by navigating to https://app.kosli.com/`your-personal-org-name`/flows/snyk-demo/trails/test-1 in the Kosli app.

Open Source scan

Snyk Open Source finds vulnerabilities in the open-source libraries used by your application:
You should see: snyk attestation 'open-source-scan' is reported to trail: test-1.

Code scan

Snyk Code scans your source code for security issues:
You should see: snyk attestation 'code-scan' is reported to trail: test-1.

Container scan

Snyk Container scans container images for security issues:
You should see: snyk attestation 'container-scan' is reported to trail: test-1.

IaC scan

Snyk IaC scans IaC configuration files (Terraform, Kubernetes, Helm) for security issues:
You should see: snyk attestation 'helm-scan' is reported to trail: test-1.

What you’ve accomplished

You have run four types of Snyk scans and attested each result to a Kosli trail. The trail now holds a tamper-proof record of your scan findings, linked to a specific git commit. From here you can:
Last modified on June 5, 2026