Hi folks, I'm diving into Snyk this time. Snyk is a developer security platform that helps protect code, open source dependencies, containers, and infrastructure as code. It focuses mainly on security and dependency monitoring and includes the following products:
Snyk Code
- Static application security testing (SAST) that helps developers find and fix vulnerabilities in their code as they write it. It offers real-time scanning, fix advice, broad language and platform support, a machine-learning engine, risk prioritization, and workflow integration.
- Features: secure code without disrupting the development workflow, save time and money by preventing code delays and security issues, and let developers act as quasi-security professionals with comprehensive security tooling and knowledge.
Snyk Open Source
- What is Snyk Open Source? A software composition analysis (SCA) solution that helps developers find and fix security vulnerabilities and license issues in open source dependencies.
- How does it work? 🤔 It integrates with various developer tools and scans open source packages and dependencies for vulnerabilities and license issues, providing actionable advice and automated workflows for fixing them.
- Why use it? It enables developers to secure open source code using industry-leading security and application intelligence, reducing risk and ensuring compliance with regulatory and internal security policies.
Snyk Container
- What is Snyk Container? A developer-first solution that helps find, prioritize, and fix vulnerabilities in container images and Kubernetes workloads throughout the software development lifecycle.
- How does Snyk Container work? Snyk Container integrates with developers' daily tools, scans base images, dependencies, Dockerfile commands, and Kubernetes manifests for vulnerabilities, and provides remediation advice, recommendations, and priority scoring.
- Why use Snyk Container? Snyk Container allows developers to secure containers and Kubernetes workloads without disrupting daily workflows, thereby saving development time, reducing security risks, and achieving compliance objectives.
Snyk Infrastructure as Code
- What is Snyk IaC? Snyk IaC is a tool that helps developers secure their infrastructure as code (IaC) configurations from code to cloud. It scans IaC files for vulnerabilities and misconfigurations, provides remediation advice and fixes, and detects drift in running cloud environments.
Snyk IaC integrates with developer workflows, providing security feedback and suggested fixes. It enforces consistent security and compliance rules across the SDLC and the cloud using OPA's Rego query language. It enables proactive fixing of security issues and unifies visibility and governance across multiple IaC frameworks and cloud providers.
Snyk AppRisk
- What's Snyk AppRisk? A solution that helps teams build, deploy, and operate securely in the cloud by embedding security in developer workflows from code to cloud.
- Key Features: Snyk AppRisk provides security feedback and fixes for code, dependencies, container images, and cloud infrastructure as code (IaC) across the software development life cycle (SDLC) and running cloud environments.
- Benefits: Snyk AppRisk enables developers to proactively fix security issues in their IDE, CLI, and Git workflows, reducing backlogs and time to fix. It also unifies visibility and governance from code to cloud with a single policy engine and ruleset, and speeds up and scales developer-led fixes for cloud misconfigurations with direct links to the source IaC file in Git workflows.
- Supported Technologies: Terraform, CloudFormation, ARM, Kubernetes, Docker, AWS, Azure, Google Cloud, and more. It also integrates with Sysdig for runtime security and OPA for policy enforcement.
Before we go any further, let me tackle two key questions you may be having 😉
- What does "Snyk" mean?
- How do you pronounce this word? 👀 The Snyk support page provides the answers.
Let's use Snyk
There are a couple of ways we can use Snyk:
- Snyk CLI - you can install the Snyk CLI from the terminal and scan your project with it.
- IDE plugins - my main IDE is VS Code, but you can also use Snyk in JetBrains IDEs, Eclipse, and Visual Studio.
- Git repositories - GitHub, Bitbucket, GitLab, and Azure (TFS). Of these, the GitHub and Bitbucket integrations are the most popular. For this you have to log in with the relevant account.
After you add GitHub repositories to Snyk, you can see the vulnerabilities in each repository in the Projects section of the Snyk dashboard.
You can check each security vulnerability in each project by going into it, and it will show like this:
Settings lets you adjust Snyk's configuration for a Git repository. It has an impressive collection of capabilities: you can set up Snyk automated pull requests for repositories, enable Snyk scans for manual pull requests, and turn on Snyk Code and Snyk IaC scanning. You can also check your Snyk usage (if you're on the Snyk free plan like me, you can see how much of your allowance you've used), and Snyk can be integrated with your existing notification system, such as Slack.
Here's a Snyk bot's automatic pull request on a GitHub repository:
Given the limited resources in your plan, you can change the Snyk configuration to check your repository code and IaC weekly.
Furthermore, you can add the Snyk app to your GitHub account from the marketplace:
- Snyk for CI/CD - Pipelines and integrations in AWS, Azure, Bitbucket and more
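As an added example (not code from the post or from Snyk), here is a small gate you could drop into one of those pipelines: it reads the JSON that `snyk test --json` writes and fails the build only for findings at or above a chosen severity, optionally only for findings that an upgrade can fix. The report below is a constructed sample; the field names (`vulnerabilities`, `severity`, `isUpgradable`, `upgradePath`) are assumed from the shape of Snyk's JSON report, so check them against your own output, and the advisory ids and package names are placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of `snyk test --json` output. Field names are
# assumed from Snyk's report format (verify against a real run); the ids and
# package names are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"vulnerabilities": [
    {"id": "SNYK-EXAMPLE-0001", "title": "Prototype Pollution", "severity": "high",
     "packageName": "example-merge", "version": "1.0.0",
     "isUpgradable": True, "upgradePath": [False, "example-merge@1.0.1"]},
    {"id": "SNYK-EXAMPLE-0002", "title": "Regular Expression DoS", "severity": "medium",
     "packageName": "example-parse", "version": "2.3.0",
     "isUpgradable": False, "upgradePath": []},
    {"id": "SNYK-EXAMPLE-0003", "title": "Information Exposure", "severity": "low",
     "packageName": "example-log", "version": "0.9.0",
     "isUpgradable": True, "upgradePath": [False, "example-log@0.9.1"]},
]})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}  # as --severity-threshold


def summarize(report_json: str) -> Counter:
    """Count findings per severity so the pipeline log shows the whole picture."""
    report = json.loads(report_json)
    return Counter(v["severity"] for v in report.get("vulnerabilities", []))


def blocking_findings(report_json: str, threshold: str = "high",
                      upgradable_only: bool = False) -> list:
    """Findings that should fail the build: at or above `threshold`, and, when
    `upgradable_only` is set, only those Snyk can fix by a version upgrade
    (the same idea as the CLI's --fail-on=upgradable), so unfixable findings do
    not stall every weekly run on a limited plan."""
    floor = SEVERITY_RANK[threshold]
    return [v for v in json.loads(report_json).get("vulnerabilities", [])
            if SEVERITY_RANK.get(v["severity"], -1) >= floor
            and (v.get("isUpgradable") or not upgradable_only)]


def gate(report_json: str, threshold: str = "high", upgradable_only: bool = False) -> int:
    """CI exit code: 0 passes, 1 fails, printing one line per blocking finding."""
    blockers = blocking_findings(report_json, threshold, upgradable_only)
    for v in blockers:
        fix = v["upgradePath"][-1] if v.get("upgradePath") else "no upgrade available"
        print(f"BLOCK {v['severity']:<8} {v['packageName']}@{v['version']} "
              f"{v['id']} {v['title']} -> {fix}")
    return 1 if blockers else 0


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_REPORT)))
    raise SystemExit(gate(SAMPLE_REPORT, threshold="medium", upgradable_only=True))
```

In a real pipeline you would pipe `snyk test --json` into this script instead of the embedded sample and let its exit code decide whether the job passes.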
Top comments (4)
Snyk is great, one of the best examples of a well-thought-out dev ecosystem.
Yes, indeed! ✨
Is the integration with the VS Code plugin paid, or, let's say, do we need a paid account to use Snyk?
No, we can use the free tier even for the VS Code plugin.