This article was originally posted on my personal blog.
It's important to keep your JavaScript projects secure, especially given all the NPM packages you might be using and their own dependencies, which so many developers never look into.
Often a dependency (or a dependency of a dependency) has a security issue in a certain version. Often it gets fixed in the next version, but if you don't update your dependencies accordingly, your project could be exposed to an attack of some kind (depending on the security issue).
It gets harder with the dependencies of your dependencies. You might not even know that a package is part of your project, and the version you have of it could be insecure because of a known vulnerability. Keeping up with your dependencies, and sometimes knowing how to fix them, can be a hassle.
One option is to use NPM's `npm audit` command. However, you might find some issues hard to resolve, or you might not hear about a vulnerability in the versions you currently have and forget to check your project. This is where services like Snyk come in.
What is Snyk
Snyk is a platform that, broadly, looks after your projects' security. It offers a number of services, and one of them is Snyk Open Source, which provides security management for open source projects. This service is free to use.
Through Snyk Open Source, you can track any repository you have, be informed of any exploits and vulnerabilities, and learn how to resolve them.
Usage
First, you need to create an account. You can create an account with GitHub, BitBucket, Google or other platforms as well. If you have repositories on GitHub or BitBucket and you want to track their security, then I suggest creating an account with one of them as you will give them immediate access to your repositories on account creation.
Once you create an account, if you gave access to your repositories, you get to choose which of them you want Snyk to manage the security of. The entire list is shown to you, so you can easily choose among them.
After you are done setting up your account, you will see your dashboard, where you will see the pending tasks regarding exploits and security issues in your projects that need to be resolved.
If you open a project, you can see all the issues in it. Every issue has one of three severity levels: High, Medium and Low.
For each issue, you can see its severity, the type of vulnerability, which package is causing it, which version introduces it and whether there is a version that fixes it, and the path the vulnerable package was reached through. This last one is very helpful when the vulnerable package is a dependency of other dependencies.
If you also click "More about this issue" at the bottom of the issue, you can see more information about the security issue, what an attack could cause, and how to resolve it. If the issue can be resolved easily, you also get the option to create a PR right from the interface, which makes it even easier. Much other information about the vulnerability is shown there as well.
This way you can either use their "PR Fix" if it's available, or learn how to resolve it yourself by looking at the "Remediation" section and the path of the vulnerable package.
Once you have fixed the issue, you can click "Retest now" on the project's page to check whether the issue is now resolved.
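To show how the same triage can be done with the `npm audit` command mentioned earlier, here is an added example (not code from the post, from Snyk or from npm) that reads the JSON `npm audit --json` emits on npm 7 and later (the `auditReportVersion: 2` shape with a `vulnerabilities` map, `isDirect`, `via`, `effects` and `fixAvailable`) and produces the fields the post describes reading on a Snyk issue: severity, the package at fault, whether a fix exists, and the path from the direct dependency down to the vulnerable transitive one. The package names and advisory text in `SAMPLE_REPORT` are constructed for the example and are not real advisories; the severity threshold and the exit code are this example's own convention for a CI gate.

```javascript
// Added example: triage `npm audit --json` output (npm 7+ report shape, assumed).
// Not code from the post, Snyk or npm.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` upward from a vulnerable package until a direct dependency
// is reached. Returns chains ordered vulnerable -> ... -> direct. A visited set
// guards against cycles in the dependency graph.
function rootPaths(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  if (entry.isDirect || !entry.effects || entry.effects.length === 0) return [[name]];
  const paths = [];
  for (const parent of entry.effects) {
    for (const p of rootPaths(vulns, parent, new Set(seen))) paths.push([name, ...p]);
  }
  return paths.length ? paths : [[name]];
}

// `fixAvailable` is true, false, or an object naming the top-level package
// that must move (possibly across a semver-major boundary).
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix';
  if (fixAvailable && typeof fixAvailable === 'object') {
    const major = fixAvailable.isSemVerMajor ? ' (semver-major, review breaking changes)' : '';
    return `upgrade ${fixAvailable.name} to ${fixAvailable.version}${major}`;
  }
  return 'no fix available: pin, replace, or accept the risk with an expiry date';
}

// Returns root-cause findings sorted by severity plus an exit code for CI:
// 1 when any finding is at or above `minSeverity`, else 0.
function triageAudit(report, minSeverity = 'high') {
  const vulns = report.vulnerabilities || {};
  const threshold = SEVERITY_RANK[minSeverity];
  const findings = [];
  for (const [name, v] of Object.entries(vulns)) {
    // Entries whose `via` holds advisory objects are the root causes; entries
    // whose `via` is only package names are vulnerable by inheritance and are
    // already covered by the path of the root cause below them.
    const advisories = (v.via || []).filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    findings.push({
      name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      range: v.range,
      // Present paths the way a Snyk issue does: direct dependency first.
      paths: rootPaths(vulns, name).map((p) => p.reverse().join(' > ')),
      fix: describeFix(v.fixAvailable),
      actionable: SEVERITY_RANK[v.severity] >= threshold,
    });
  }
  findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
  return { findings, exitCode: findings.some((f) => f.actionable) ? 1 : 0 };
}

// Constructed sample in the npm 7+ report shape. Package names and advisory
// titles are made up for this example; they are not real advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': {
      name: 'example-parser', severity: 'high', isDirect: false,
      via: [{ name: 'example-parser', title: 'constructed advisory', severity: 'high', range: '<2.0.0' }],
      effects: ['example-cli'], range: '<2.0.0', nodes: ['node_modules/example-parser'],
      fixAvailable: { name: 'example-cli', version: '5.0.0', isSemVerMajor: true },
    },
    'example-cli': {
      name: 'example-cli', severity: 'high', isDirect: true,
      via: ['example-parser'], effects: [], range: '<=4.2.0', nodes: ['node_modules/example-cli'],
      fixAvailable: { name: 'example-cli', version: '5.0.0', isSemVerMajor: true },
    },
    'example-logger': {
      name: 'example-logger', severity: 'low', isDirect: true,
      via: [{ name: 'example-logger', title: 'constructed advisory', severity: 'low', range: '<1.1.0' }],
      effects: [], range: '<1.1.0', nodes: ['node_modules/example-logger'],
      fixAvailable: true,
    },
  },
};

// One line per finding, e.g. "high example-parser via example-cli > example-parser: upgrade ..."
function formatFindings(result) {
  return result.findings.map(
    (f) => `${f.severity} ${f.name}${f.isDirect ? '' : ' via ' + f.paths.join(', ')}: ${f.fix}`
  );
}

formatFindings(triageAudit(SAMPLE_REPORT, 'high')).forEach((line) => console.log(line));
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json` and use the returned `exitCode` as the process exit status in CI. The `effects` walk is what gives you the "path" the post praises in the Snyk UI: it tells you which direct dependency to bump when the vulnerable package is several levels down and not something you can upgrade by hand.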
Email Notifications
Another great feature is that once Snyk finds a vulnerability in your project, it sends you an email about it. That way you always stay up to date on vulnerabilities and can learn how to resolve them as soon as possible.
Conclusion
There are a lot of services out there, not just Snyk, that help you keep your projects secure. It's very important to use one of them to make sure your projects never use dependencies that could get your project exploited.
Top comments (4)
For GitHub there's Dependabot, which is now acquired by GitHub and hence absolutely free for GitHub users and doesn't need an external dashboard. Dependabot submits PRs when a new version of a package is available and raises alarms if there's a security issue.
I tried Snyk and it seemed annoying because some issues it found weren't exactly issues, had no fix and no way to ignore them (maybe there is and I just couldn't find). Anyway, dependabot is much quieter in this sense:-)
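As an added illustration of the Dependabot setup the comment above refers to (this is not the commenter's own configuration), a minimal `.github/dependabot.yml` that asks Dependabot to check a repository's npm dependencies weekly and open version-update PRs; the limit on open PRs is a value chosen for the example:

```yaml
# Added example: .github/dependabot.yml for an npm project (not from the post or the comment)
version: 2
updates:
  - package-ecosystem: "npm"   # scan package.json / package-lock.json
    directory: "/"             # location of the manifest in the repository
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10   # example value; caps the number of open update PRs
```

Security alerts for vulnerable dependencies are a separate GitHub feature that does not depend on this file, which is what the comment means by Dependabot raising alarms; this file only controls the routine version-update PRs.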
I’ve used dependabot but I don’t think it’s enough. Yes it submits PRs but if the fix is not something in your dependencies directly, then it doesn’t help much. Plus, there are some issues that dependabot doesn’t catch for some reason.
very informative
Good write-up Shahed, thanks for sharing!