DEV Community

SnykSec for Snyk

Originally published at snyk.io

Snyk Helps Secure the Golang Bento Project

Snyk is exploring using the open-source Golang project Bento to read data from Kafka streams and materialize intelligence to various outputs. We are pleased to share that we are proactively helping secure the Bento project by contributing dependency fix updates.  

What is Bento?

Bento is an open-source streaming data processing tool designed for ease of use and reliability. It features declarative configuration, enabling connections to diverse data sources and sinks, and handles common data engineering tasks such as transformations, integrations, and multiplexing. Written in Go, Bento is extensible through plugins, making it adaptable to various data processing needs.

The following example Bento configuration file demonstrates pipeline data processing: it reads from a GCP Pub/Sub subscription, reshapes each message with a mapping processor, and writes the result to a Redis stream.

input:
  gcp_pubsub:
    project: foo
    subscription: bar

pipeline:
  processors:
    - mapping: |
        root.message = this
        root.meta.link_count = this.links.length()
        root.user.age = this.user.age.number()

output:
  redis_streams:
    url: tcp://TODO:6379
    stream: baz
    max_in_flight: 20

Snyk secures the Bento project

At Snyk, we like to ‘dogfood’ our products, and we use Snyk in our CI/CD pipelines as one example of leveraging Snyk’s developer-first security products.

During a container security scan of the Bento v1.5.0 binary, we detected a vulnerability in golang.org/x/crypto/ssh.

This vulnerability, tracked as CVE-2025-22869 in Snyk’s vulnerability database, is a denial-of-service issue that affects Go projects depending on the x/crypto/ssh library.

Given that Bento is an open-source project, we contacted the maintainers over Discord and were pleased to find them happy for us to contribute fixes. We created two PRs to address the issue:

  • A pull request to update the project to Go 1.23
  • A follow-up pull request to bump the project’s golang.org/x/crypto dependency to a patched version that no longer carries the vulnerability

Both of our contributions have been merged into the main branch of the Bento project and will be part of future releases.
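The dependency bump described above, as an added example that is not part of the original post or of the Bento project: a small Go check that reads a go.mod and reports whether golang.org/x/crypto is pinned strictly below a given patched version. The go.mod excerpt and the v0.99.0 threshold are constructed placeholders; the real minimum fixed version must be taken from the advisory for CVE-2025-22869.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod excerpt for illustration; not Bento's real go.mod.
const sampleGoMod = "module example.com/stream-app\n\ngo 1.22\n\nrequire (\n\tgithub.com/segmentio/kafka-go v0.4.47\n\tgolang.org/x/crypto v0.31.0\n)\n"

// requiredVersion returns the version go.mod requires for modulePath,
// in either single-line "require mod vX" or block "require ( ... )" form.
func requiredVersion(goMod, modulePath string) (string, bool) {
	for _, raw := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "require "))
		if len(f) >= 2 && f[0] == modulePath {
			return f[1], true
		}
	}
	return "", false
}

// semverParts parses vMAJOR.MINOR.PATCH[-suffix]; pseudo-versions compare as their base tag.
func semverParts(v string) [3]int {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, s := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(s)
	}
	return out
}

// NeedsBump reports whether go.mod pins modulePath strictly below minFixed.
func NeedsBump(goMod, modulePath, minFixed string) bool {
	got, ok := requiredVersion(goMod, modulePath)
	a, b := semverParts(got), semverParts(minFixed)
	for i := 0; ok && i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}
func main() {
	// v0.99.0 is a placeholder threshold; take the first fixed version from the advisory.
	fmt.Println("x/crypto needs bump:", NeedsBump(sampleGoMod, "golang.org/x/crypto", "v0.99.0"))
}
```

A module absent from go.mod is only an indirect dependency and replace directives are not honoured, so confirm the effective version with `go list -m golang.org/x/crypto` and run `govulncheck ./...` before and after the bump.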

Snyk invitation to secure Open Source projects

Earlier this year, we launched Snyk’s Secure Developer Program—a new program that invites open-source maintainers to connect their projects to Snyk and receive the full enterprise-grade, unlimited-scan experience from Snyk. This includes API access, Snyk’s own DeepCode AI Fix, Service Accounts, and many more features to help you address security vulnerabilities and produce secure software.
