Implementing and maintaining security across all stages of the software development life cycle (SDL) or even staying compliant with standards in the software industry can be a daunting task for any business. This is why companies that have already embraced DevOps must evolve quickly and adopt DevSecOps to secure their entire cloud-native stack.
One of the solutions that can help you achieve this objective is an open-source security scanning tool known as Snyk. Launched in 2015, Snyk tests your code, container images, open-source libraries, or even Infrastructure as Code (IaC) for vulnerabilities.
Table of Contents
- What is Snyk?
- Snyk Pricing
- Snyk Integrations
- Implementing Security in your Development Environment with Snyk
- Languages and Package Managers Supported by Snyk
- Snyk and Container Image Security Scanning
- Snyk and Kubernetes Security Scanning
- Snyk and Infrastructure as Code Security Scanning
What is Snyk?
Snyk Pricing
In terms of cost, Snyk’s pricing model is quite attractive. For instance, Snyk’s free tier offers:
- 200 open-source tests per month
- 100 container tests per month
- 300 IaC tests per month
- 100 Snyk Code tests per month
Essentially, you can configure these scans one by one so that you don’t waste them scanning daily a resource that changes very little over time. If need be, you can even exclude some resources from scanning completely. Check out the pricing information about the other plans Snyk offers here.
Snyk Integrations
Snyk supports several integrations. The categories and specific examples include:
- Source Control: Azure, Bitbucket Cloud, Bitbucket Server, GitHub, GitHub Enterprise, and GitLab.
- Container Registries: ACR, Artifactory, DigitalOcean, Docker Hub, ECR, GCR, GitHub Container Registry, GitLab Container Registry, Google Artifact Registry, Harbor, Nexus, and Quay.
- Cloud Providers: AWS
- Continuous Integration: Azure Pipelines, Bitbucket Pipelines, CircleCI, Jenkins, TeamCity, and Terraform Cloud.
- IDE: Android Studio, Eclipse, JetBrains, and VS Code.
- Platform as a service: Cloud Foundry, Heroku, and Pivotal Web Services.
- Serverless: AWS Lambda and Azure Functions.
- Notifications: Jira and Slack.
It is worth noting that, true to their word, Snyk now supports AWS, which means it can scan your cloud provider much as Bridgecrew does.
Implementing Security in your Development Environment with Snyk
Generally, developers accept the idea that they should take more responsibility for security, as long as the tools they use provide the necessary functionality. In this context, you may be interested in Snyk’s education product, Snyk Learn, which aims to help you write and build secure applications while keeping you entirely in control of your own security education.
Consistent with its developer-first approach to security, Snyk also recently announced Snyk Advisor. It is a useful resource to consult before installing an additional npm or PyPI package (other package managers such as Maven, Go, and NuGet are also supported) or even a Docker image: it shows the known vulnerabilities associated with the package and reduces the risk of selecting a non-reputable one.
Here’s an example of the npm package underscore.
Snyk can also be integrated directly into an IDE, so that misconfigurations and security issues are detected before a commit is pushed to the repository. The IDEs currently supported are those listed under integrations above: Android Studio, Eclipse, JetBrains, and VS Code.
Languages and Package Managers Supported by Snyk
Employing Snyk as your security scanner means you can detect vulnerabilities across the majority of development languages and the package managers associated with them. The languages and package managers Snyk supports include:
- Golang: dep, govendor
- Java: Maven, Gradle
- .NET: nuget, paket
- PHP: composer
- Python: pip, poetry
- Ruby: Bundler
Here is an example project: the repository contains a package.json that defines some npm dependencies. Snyk offers useful features here, such as one that forces package.json and package-lock.json to stay in sync:
From this example, it looks like we have one package that is fixable by upgrading to a newer version. Snyk can open a pull/merge request for this fix: simply click Fix these vulnerabilities on the fixable package or on the whole package.json.
In this case, we chose to fix the entire package.json, so we would select the one vulnerability that can be fixed:
Since the repository was hosted on GitLab, opening the new merge request created by Snyk shows the following:
A convenient feature of Snyk is that, in just a few clicks, this open-source security scanning tool lets you fix security issues in your package manager dependencies.
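The same fix-by-upgrade decision can be automated in CI from the CLI's JSON report. The following is an added example (not code from the article or from Snyk) that parses a constructed `snyk test --json` report, lists the direct dependencies to bump and fails the job above a severity threshold; it assumes the report field names used by the Snyk CLI (`vulnerabilities`, `severity`, `isUpgradable`, `upgradePath`, `packageName`, `version`), and the vulnerability ids in it are placeholders.

```python
"""Gate a CI job on a `snyk test --json` report.

Added example, not from the article or from Snyk. Assumes the Snyk CLI JSON
report field names (vulnerabilities, severity, isUpgradable, upgradePath,
packageName, version); the report below is constructed and its ids are
placeholders, not real Snyk ids.
"""
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed report for a package.json project: one finding fixable by an
# upgrade (what the "Fix these vulnerabilities" button handles), one not.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-PLACEHOLDER-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "example-lib", "version": "1.9.1",
         "isUpgradable": True, "upgradePath": [False, "example-lib@1.13.1"]},
        {"id": "SNYK-PLACEHOLDER-0002", "title": "Regular Expression DoS",
         "severity": "low", "packageName": "other-lib", "version": "2.0.0",
         "isUpgradable": False, "upgradePath": []},
    ],
})

def parse_report(report_json):
    """Return the list of findings in the report (empty when there are none)."""
    return json.loads(report_json).get("vulnerabilities", [])

def upgrade_fixes(vulns):
    """Map 'package@version' to the direct dependency to bump.
    upgradePath starts with the root project (false); the next entry is the
    direct dependency to upgrade, even when the vulnerable package is transitive."""
    fixes = {}
    for v in vulns:
        targets = [p for p in v.get("upgradePath", []) if p]
        if v.get("isUpgradable") and targets:
            fixes[f"{v['packageName']}@{v['version']}"] = targets[0]
    return fixes

def should_fail(vulns, threshold="high"):
    """True if any finding is at or above threshold (like --severity-threshold)."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(v.get("severity"), 0) >= floor for v in vulns)

if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for pkg, target in upgrade_fixes(findings).items():
        print(f"upgrade {pkg} -> {target}")
    raise SystemExit(1 if should_fail(findings) else 0)
```

On a real pipeline, replace `SAMPLE_REPORT` with the file written by `snyk test --json-file-output=<path>` and let the exit status gate the job.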
Snyk and Container Image Security Scanning
Many people don’t fully know what is in their container image, since most of us do not build images from scratch but start from a base image in our Dockerfile. As a side note, you can read more on how to build secure container images here.
For this reason, you need to trust an upstream provider to do the heavy lifting and vulnerability fixing for you, since they have much bigger teams working on it. A good start, though, is scanning your images and Dockerfiles with Snyk, which supports the majority of container registries.
If you’re looking for a container registry, check out our guide that outlines the top 9 container registries, and how to choose the most suitable one for your projects.
Snyk and Kubernetes Security Scanning
Support for Kubernetes is available: Snyk offers a way to scan manifest files that might contain a misconfiguration. You can also deploy the Snyk Kubernetes Monitor to your Kubernetes cluster with a Helm chart; it automatically scans the container images associated with your workloads, such as:
- Pods and Services
Snyk and Infrastructure as Code Security Scanning
After all the features listed so far, it is no surprise that Snyk can test and monitor Terraform modules, AWS CloudFormation, Kubernetes YAML (as mentioned above), JSON, and also Helm charts to detect configuration or security issues. Note that support for Terraform Cloud is a feature Snyk added recently. In this article, we covered in detail how to use a Run task in Terraform Cloud; Snyk integrates with Terraform Cloud in a similar way.
With the new Run task feature, Snyk receives the Terraform plan file; as you can see, we integrated Snyk into our deployment pipeline alongside Infracost to ensure our changes are safe to apply.
You can also see in the screenshot below that the Terraform plan we were running contains 2 security issues, of medium and low severity. Clicking on details takes us straight to the problem, with an explanation of its impact and how we could fix it. Snyk is not yet able to provide a fix through a merge request for IaC, however.
Note that instead of relying on your CI to run these scans, you can always run the Snyk CLI locally first; this is faster and avoids making a new commit just to test a change to your IaC.
Configuration is shifting to code, which makes problems cheaper and faster to fix earlier in the process. You do not necessarily need to be a security expert to maintain your infrastructure and application security. With an open source security scanning tool like Snyk, and given how easily it integrates with the rest of your cloud stack, there are no excuses.
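A pipeline form of the three scan types discussed in this article (open-source dependencies, container image, IaC), as an added example that is neither the article's nor Snyk's own configuration. It is written for GitLab CI, since the repository above was hosted on GitLab, and assumes that `SNYK_TOKEN` is stored as a masked CI/CD variable, that an earlier job has pushed the image named by `IMAGE` to the project registry, and that IaC files live under `infra/`.

```yaml
# Added example (not from the article or from Snyk): GitLab CI jobs running the
# Snyk CLI for dependencies, container image and IaC, failing the job on
# findings at or above the chosen severity. Assumptions: SNYK_TOKEN is a masked
# CI/CD variable, IMAGE is pullable by the runner, IaC lives under infra/.
stages: [test]

.snyk-base:
  stage: test
  image: node:lts
  before_script:
    - npm install -g snyk
    # The CLI also reads SNYK_TOKEN from the environment; auth makes it explicit.
    - snyk auth "$SNYK_TOKEN"

snyk-open-source:
  extends: .snyk-base
  script:
    # Record the snapshot first so the Snyk UI reflects this commit even when
    # the gate below fails and stops the job.
    - snyk monitor
    # package.json / package-lock.json in the repo root; keep the JSON report
    # as an artifact for later triage.
    - snyk test --severity-threshold=high --json-file-output=snyk-oss.json
  artifacts:
    paths: [snyk-oss.json]
    when: always

snyk-container:
  extends: .snyk-base
  variables:
    IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"   # built in an earlier job (assumed)
  script:
    # --file lets Snyk attribute base-image findings to the Dockerfile and
    # suggest a less vulnerable base image.
    - snyk container test "$IMAGE" --file=Dockerfile --severity-threshold=high

snyk-iac:
  extends: .snyk-base
  script:
    # Terraform, CloudFormation, Kubernetes YAML and Helm charts under infra/
    - snyk iac test infra/ --severity-threshold=medium
```

Developers can run the same three commands locally before committing, which is the faster loop the note above recommends.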
If you’re interested in learning more about their latest features, check out the SnykCon they held not too long ago.