DEV Community

Damika-Anupama
Let's Play Snyk 🐶

Hi folks, this time I'm diving into Snyk, a developer security platform that helps protect code, open source dependencies, container images, and infrastructure as code (IaC). Snyk consists of the following products and focuses mainly on security scanning and dependency monitoring:

Snyk Plans

Snyk Code

  • Static application security testing (SAST): helps developers find and fix vulnerabilities in their code as they write it. It offers real-time scanning, fix advice, broad language and platform support, a machine learning engine, risk prioritization, and workflow integration.

How Snyk shows vulnerabilities in code

  • Features: secure code without disrupting the development workflow, save time and money by catching security issues before they delay a release, and give developers enough tooling and knowledge to act as near-security professionals themselves.

Snyk Open Source


  • What is Snyk Open Source? A software composition analysis (SCA) solution that helps developers find and fix security vulnerabilities and license issues in open source dependencies.
  • How does it work 🤔 It integrates with the usual developer tools, scans open source packages and their transitive dependencies for known vulnerabilities and license issues, and provides actionable fix advice plus automated workflows (such as upgrade pull requests) for fixing them.
  • Why use it? It lets developers secure the open source code they depend on using Snyk's security and application intelligence, reducing risk and helping meet regulatory and internal security policies.

Snyk Container

  • What is Snyk Container? Developer-first solution that helps find, prioritize, and fix vulnerabilities in container images and Kubernetes workloads throughout the software development lifecycle.

Snyk Container preview

  • How does Snyk Container work? Snyk Container integrates with developers' daily tools, scans base images, OS and application dependencies, Dockerfile instructions, and Kubernetes manifests for vulnerabilities, and provides remediation advice (including alternative base image recommendations) and priority scoring.
  • Why use Snyk Container? It lets developers secure containers and Kubernetes workloads without disrupting their daily workflow, saving development time, reducing security risk, and helping meet compliance objectives.

Snyk Infrastructure as Code

  • What is Snyk IaC? Snyk IaC is a tool that helps developers secure their infrastructure as code (IaC) configurations from code to cloud. It scans IaC files for vulnerabilities and misconfigurations, provides remediation advice and fixes, and detects drift in running cloud environments.

Snyk IaC preview

Snyk IaC integrates with developer workflows, providing security feedback and suggested fixes as the configuration is written. It enforces consistent security and compliance rules across the SDLC and the cloud using OPA's Rego query language, so custom rules can be written in the same language as the built-in ones. This lets developers fix security issues proactively and unifies visibility and governance across multiple IaC frameworks and cloud providers.

Snyk AppRisk

  • What's Snyk AppRisk: A solution that helps teams build, deploy, and operate securely in the cloud by embedding security in developer workflows from code to cloud.

Snyk AppRisk preview

  • Key Features: Snyk AppRisk provides security feedback and fixes for code, dependencies, container images, and cloud infrastructure as code (IaC) across the software development life cycle (SDLC) and running cloud environments.
  • Benefits: Snyk AppRisk enables developers to proactively fix security issues in their IDE, CLI, and Git workflows, reducing backlogs and time to fix. It also unifies visibility and governance from code to cloud with a single policy engine and ruleset, and speeds up and scales developer-led fixes for cloud misconfigurations with direct links to the source IaC file in Git workflows.
  • Supported Technologies: Terraform, CloudFormation, ARM, Kubernetes, Docker, AWS, Azure, Google Cloud, and more. It also integrates with Sysdig for runtime security and OPA for policy enforcement.

Before we go any further, let me tackle two key questions you might be having 😉

  • What does the name Snyk mean?
  • How do you pronounce it 👀 This Snyk support page provides the answers


Let's use Snyk

There are a couple of ways to use Snyk:

  • Snyk CLI: you can install the Snyk CLI from the terminal, authenticate it with your Snyk account, and scan your project locally


  • IDE plugins: my main IDE is VS Code, but Snyk also ships plugins for JetBrains IDEs, Eclipse and Visual Studio

Snyk VSCode plugin preview

How it looks after installation

  • Git repositories: GitHub, Bitbucket, GitLab and Azure Repos (TFS). Of these, the GitHub and Bitbucket integrations are the most popular. To set one up you have to log in with the relevant account

Login with the Git repository integration

After you add GitHub repositories to Snyk, the vulnerabilities found in each repository appear in the Projects section of the Snyk dashboard.

Snyk dashboard projects

You can inspect each security vulnerability in a project by opening it, and it looks like this:

Security vulnerabilities in a project

Settings lets you adjust the Snyk configuration for each Git repository integration. It offers an impressive set of capabilities: you can enable automated Snyk pull requests for repositories, enable Snyk scans on pull requests you open yourself, activate Snyk Code, and activate Snyk IaC. You can also check your Snyk usage (if you're on the free plan like me, you can see how much of your test allowance you've used). Snyk can also be integrated with your existing notification system, such as Slack.

Here's an automatic pull request opened by snyk-bot on a GitHub repository:


Because of the limited test allowance in the free plan, you can change the Snyk settings so that your repository code and IaC are checked weekly instead of on every change.

Furthermore, you can add the Snyk app to your GitHub account from the Marketplace:

Snyk app

  • Snyk for CI/CD: pipeline integrations for AWS, Azure, Bitbucket and more, so that `snyk test` (and `snyk monitor`, which snapshots the project for ongoing monitoring) can run on every build

Snyk for CI/CD
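Both the CLI route and the CI/CD integrations above come down to the same thing in practice: run `snyk test` in the pipeline and decide whether its report should block the build. The script below is an added example written for this post, not code from the post itself or from Snyk. When run for real it assumes the Snyk CLI is installed and authenticated (`npm install -g snyk`, then `snyk auth`); offline it falls back to a constructed sample report. The JSON keys it reads (`vulnerabilities`, `severity`, `packageName`, `version`, `isUpgradable`, `fixedIn`) follow the Snyk CLI's `--json` report format; the package names and `SNYK-...` ids in the sample are placeholders, not real advisories.

```python
"""CI gate over `snyk test --json` output (added example, not Snyk's code).

Runs the Snyk CLI if it is installed, parses the JSON report and fails the
build when any issue at or above a chosen severity remains. The JSON keys
used here follow the Snyk CLI's JSON report; SAMPLE_REPORT is a constructed
stand-in with placeholder ids, not a real package or advisory.
"""
import json
import shutil
import subprocess
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape of `snyk test --json` (placeholder ids).
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "packageManager": "npm",
    "dependencyCount": 3,
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLEPKG-0000001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "example-pkg", "version": "1.2.0",
         "from": ["my-app@1.0.0", "example-pkg@1.2.0"],
         "isUpgradable": True, "isPatchable": False, "fixedIn": ["1.2.3"]},
        {"id": "SNYK-JS-EXAMPLEPKG-0000002", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "example-pkg", "version": "1.2.0",
         "from": ["my-app@1.0.0", "example-pkg@1.2.0"],
         "isUpgradable": True, "isPatchable": False, "fixedIn": ["1.2.3"]},
        {"id": "SNYK-JS-OTHERLIB-0000003", "title": "Information Exposure",
         "severity": "low", "packageName": "other-lib", "version": "0.9.1",
         "from": ["my-app@1.0.0", "other-lib@0.9.1"],
         "isUpgradable": False, "isPatchable": False, "fixedIn": []},
    ],
})


def run_snyk_test(project_dir="."):
    """Return the raw JSON from `snyk test --json`, or None if the CLI is
    missing. Snyk exits 1 when it finds issues, so do not use check=True."""
    if shutil.which("snyk") is None:
        return None
    proc = subprocess.run(["snyk", "test", "--json"], cwd=project_dir,
                          capture_output=True, text=True)
    return proc.stdout


def parse_report(raw_json):
    """Return all issues. `snyk test --all-projects --json` emits a list of
    per-project reports, so accept either a single object or a list."""
    data = json.loads(raw_json)
    reports = data if isinstance(data, list) else [data]
    return [v for report in reports for v in report.get("vulnerabilities", [])]


def summarize(issues):
    """Count issues per severity, e.g. {'high': 1, 'medium': 1, 'low': 1}."""
    return dict(Counter(v.get("severity", "low") for v in issues))


def blocking_issues(issues, threshold="high"):
    """Issues at or above `threshold`: the same cut the CLI applies with
    --severity-threshold, done after the fact so the full report can be kept."""
    floor = SEVERITY_RANK[threshold]
    return [v for v in issues
            if SEVERITY_RANK.get(v.get("severity", "low"), 0) >= floor]


def dedupe_by_package(issues):
    """Group issues by (package, version): one upgrade usually clears several
    advisories, so that is the unit the fix advice should be given in."""
    by_pkg = {}
    for v in issues:
        key = (v.get("packageName"), v.get("version"))
        entry = by_pkg.setdefault(key, {"ids": [], "fixedIn": set(), "upgradable": False})
        entry["ids"].append(v.get("id"))
        entry["fixedIn"].update(v.get("fixedIn") or [])
        entry["upgradable"] = entry["upgradable"] or bool(v.get("isUpgradable"))
    return by_pkg


def gate(raw_json, threshold="high"):
    """Return (exit_code, report_text): 0 passes, 1 blocks the pipeline."""
    issues = parse_report(raw_json)
    blocking = blocking_issues(issues, threshold)
    lines = [f"Snyk found {len(issues)} issue(s): {summarize(issues)}"]
    for (pkg, ver), info in dedupe_by_package(blocking).items():
        fix = ("upgrade to " + ", ".join(sorted(info["fixedIn"]))
               if info["upgradable"] and info["fixedIn"] else "no upgrade available")
        lines.append(f"  BLOCK {pkg}@{ver}: {len(info['ids'])} issue(s), {fix}")
    return (1 if blocking else 0), "\n".join(lines)


if __name__ == "__main__":
    raw = run_snyk_test()
    if raw is None:  # demo fallback; in a real pipeline a missing CLI should fail the job
        raw = SAMPLE_REPORT
    code, text = gate(raw, threshold="high")
    print(text)
    raise SystemExit(code)
```

Run it as the last step of the pipeline; a non-zero exit fails the job. Grouping by package before printing matters in practice: one `example-pkg` upgrade clears both advisories in the sample, which is also the granularity at which the automated pull requests shown earlier are opened.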

Top comments (4)

Fyodor

Snyk is great, one of the best examples of well-thought-out dev ecosystem

Damika-Anupama

Yes, indeed! ✨

Saral Saxena

Is the integration with the VS Code plugin paid, or, let's say, do we need a paid account to use Snyk?

Damika-Anupama

No, we can use the free tier even for the VS Code plugin.