Resolving Security Vulnerabilities using Snyk

Hemanthhari2000
8 min read · Nov 2, 2023

Learn how to track, resolve and automatically fix security vulnerabilities in your code, dependencies and containers using the Snyk tool.

Photo by Miłosz Klinowski on Unsplash

Introduction

In the ever-evolving landscape of software development, security has become a paramount concern. With cyber threats becoming increasingly sophisticated and frequent, organisations can no longer afford to treat security as an afterthought. Let me introduce Snyk, a tool that has gained considerable traction in the DevSecOps space. This blog will walk you through what sets Snyk apart when it comes to software security: it lets developers and organisations find and manage security issues in their code from the start of development rather than at the end.

Snyk changes how organisations address security concerns by shifting the focus from reactive measures to proactive prevention. It integrates into the development workflow, so developers can find, fix and prevent security vulnerabilities while they write and ship code, before that code reaches production. This saves time, labour and resources by catching issues when they are cheapest to fix. Snyk aims to balance speed and security at a time when both are essential, letting project teams develop quickly without sacrificing security. In the sections that follow we look at Snyk in more detail: its key features, its advantages and how it changes the way we build and deploy code.

Overview

Let’s look at topics covered in this article.

  • What is Snyk?
  • How to use Snyk?
  • Information present in Snyk
  • Snyk CLI Commands
  • Conclusion

What is Snyk?

Snyk is a platform that lets you scan for, identify and fix security vulnerabilities in your code, container images, open source dependencies and infrastructure-as-code configurations. It is a powerful and versatile tool that plays a pivotal role in improving the security and reliability of software applications. It is a developer-centric platform focused on identifying and fixing vulnerabilities at an early stage of the software development lifecycle. Personally, I’ve used Snyk quite extensively in my projects and it has been a really good experience; it stands out because of its effectiveness in finding and mitigating security issues proactively.

Fundamentally, Snyk gives developers the tools they need to check their code, dependencies and containers for known security flaws. It has an extensive vulnerability database and integrates into the development workflow, making it easy to identify and fix issues from the code editor, the CI/CD process and the build pipeline. What distinguishes Snyk is that, beyond identifying vulnerabilities, it provides useful information on how to address them, together with suggestions for upgrading or patching the libraries and packages that are at risk.

Snyk also supports a wide range of programming languages, such as JavaScript, Java, Python and more, which makes it a flexible option for a variety of development stacks. Because of its continuous monitoring features, developers are alerted to newly disclosed vulnerabilities in dependencies they already ship and can act before those issues are exploited. In my opinion, Snyk has proven to be an invaluable resource for protecting apps and making sure they adhere to strict security guidelines throughout their development.

How to use Snyk?

First, create a Snyk account if you do not already have one. You can log in on the Snyk website and get started for free. Once you are logged in you are redirected to a setup page where you select your integration method, install the Snyk CLI (highly recommended), authenticate your dev machine with snyk auth and run a first scan. You can also skip this step for now.

Setting up Snyk

Once the setup is done, add your projects based on your configuration; for example, if you have integrated with GitHub you can add any repository as a project. It will show up in the Projects tab on the Snyk home page. Once the project is added you will see the vulnerabilities found in it, grouped by severity: critical, high, medium or low. Most of what is needed to resolve a vulnerability is shown alongside it and is largely self-explanatory.

Projects tab of Snyk

Information present in Snyk

Once the code is scanned, Snyk provides a lot of information about each issue. It includes the following:

  1. Priority of the vulnerability :- the severity, which can be critical, high, medium or low. Snyk also shows a priority score that combines severity with factors such as exploit maturity and whether a fix is available, so you can order the work.
  2. Introduced through :- which direct dependency pulled in the vulnerable package. It also shows the full nested dependency path through which the vulnerability is introduced, which is what you need to decide whether to upgrade the direct dependency or replace it.
  3. CVSS :- the Common Vulnerability Scoring System score, a number from 0.0 to 10.0 that expresses the severity of the vulnerability based on characteristics such as attack vector, attack complexity, privileges required and impact on confidentiality, integrity and availability. Snyk shows the score together with its vector string. (Cataloguing publicly disclosed vulnerabilities is the job of CVE identifiers, which Snyk also lists where they exist.)
  4. CWE :- the Common Weakness Enumeration, a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools and a baseline for weakness identification, mitigation and prevention efforts; the CWE entry tells you what kind of flaw the vulnerability is (for example, injection or improper input validation) rather than which package has it.
  5. Snyk vulnerability database :- each issue links to its entry in the Snyk vulnerability database, which gives the description, affected version ranges, fixed versions and references.

By default Snyk retests every imported project against its vulnerability database once a day, so newly disclosed issues appear without any change to your code (the test frequency is configurable per project). Snyk also has a retest option to trigger a scan on demand, typically used right after a fix has been merged.

Snyk auto fix feature

Snyk can open a fix pull request automatically when the issue lies in a dependency: the PR bumps the vulnerable package to the first version that is fixed. The fix still needs review, because updating a package version may require code-level changes if the new version has breaking changes. Check the PR against your local changes, run the test suite, and merge only once the tests pass. The automatic fix PR is generally reliable for patch or minor version bumps; major version bumps need closer inspection.

Ignore a vulnerability

Snyk also gives the option to ignore a vulnerability. Ignoring is not recommended as a general practice, because it is a risk-acceptance decision rather than a fix, but it is acceptable in some edge cases: for instance, when the vulnerable package is pulled in transitively by a core framework that has not yet shipped a fixed version, or when the vulnerable function is never reachable from your code. Otherwise it is always recommended to fix the vulnerability. Whenever you do ignore, record the reason and set an expiry so the decision is revisited.

If you wish to ignore a vulnerability, Snyk asks you to pick one of three reasons:

  • Ignore permanently :- the issue is ignored with no expiry and no longer appears in the dashboard; reserve this for issues that genuinely cannot apply.
  • Ignore temporarily :- the issue is ignored until an expiry date you choose, after which it resurfaces; use this while waiting for an upstream fix.
  • Not vulnerable :- you assert that the issue does not apply to this project (for example, the vulnerable code path is never reached). An expiry can still be set so the assertion is re-checked.

Fixing a vulnerability

As soon as a vulnerability is reported, it is advisable to use the auto fix feature to create a PR, which will usually contain most of the changes that need to be made. If auto fix is not available, update the package locally on your dev machine. Once the package is updated, run the tests; if they pass, merge the change and deploy it. Then retest the project in Snyk. The vulnerability should now be reported as fixed.

The Snyk dashboard is very useful for keeping track of vulnerabilities when working as an organisation. But Snyk also provides a CLI tool that fits into the day-to-day development of the project itself. The following Snyk CLI commands are the ones most likely to improve your productivity.

Snyk CLI Commands

Snyk’s Command Line Interface (CLI) offers a robust set of commands to help developers and security professionals secure their projects. There are many CLI commands, but I’ve curated the most frequently used ones below:

  1. snyk test
  • Description: This is the fundamental Snyk CLI command, used to test your project for known vulnerabilities. It scans your project’s dependencies and reports the vulnerabilities discovered, together with the dependency path and the fixed version where one exists.
  • Usage: Running snyk test in your project's directory analyses your project's package manager files (e.g., package.json and its lockfile for Node.js) and prints a summary of the vulnerabilities found. Useful flags are --severity-threshold=high (report only high and critical), --json (machine-readable output for CI), --all-projects (scan every manifest in a monorepo) and --file=<manifest> to point at a specific manifest. The command exits with code 1 when vulnerabilities are found, so it can fail a pipeline step directly.

2. snyk monitor

  • Description: This command takes a snapshot of the project’s dependency tree and uploads it to the Snyk dashboard, where it appears as a project. It helps multiple team members in an organisation work from the same findings.
  • Usage: Running snyk monitor sets up continuous monitoring for that snapshot: Snyk re-evaluates it against its vulnerability database as new vulnerabilities are disclosed and notifies you when a dependency you already ship becomes vulnerable. Run it after snyk test passes (for example, on the main branch in CI) so the dashboard reflects what is actually deployed; it does not itself fail the build on vulnerabilities.

3. snyk ignore

  • Description: Use this command to ignore a vulnerability for which no fix is available yet, or that does not apply to your project. You can ignore it for a certain period of time with the --expiry flag and record the justification with --reason. The ignore is written to a .snyk policy file in the project, which should be committed so that snyk test and the CI pipeline honour it.
  • Usage: To ignore a vulnerability, run snyk ignore --id=<issue-id> --expiry=<YYYY-MM-DD> --reason="<why>". The issue id is the unique identifier Snyk assigns to the specific vulnerability (the SNYK-… id shown in the test output). Always set an expiry explicitly for temporary ignores rather than relying on the default, and review the .snyk file in code review like any other change.

4. snyk container test <image>:<tag> | snyk container test <image>:<tag> --file=Dockerfile

  • Description: You can also test for vulnerabilities inside Docker images. Provide the image name and tag; Snyk pulls the image (or uses a local one from the Docker daemon) and reports vulnerabilities in the OS packages and application dependencies it contains. If the image is built from your own Dockerfile, add --file=Dockerfile so that Snyk can tell which vulnerabilities come from the base image and recommend a less vulnerable base image to switch to.
  • Usage: Use the first form to get a report of the security vulnerabilities present in an image. Use the second form for images you build yourself, pointing --file at the Dockerfile that produced them; the report then distinguishes base-image issues from those introduced by your own layers. The matching snyk container monitor command uploads the result to the dashboard for ongoing monitoring.

5. snyk iac test /path/to/config.yaml

  • Description: This command scans your infrastructure-as-code files for known security misconfigurations, such as overly permissive network rules or containers running as root. It can be run on your local machine or in your CI environment.
  • Usage: Run snyk iac test <file>, where <file> is the path to the IaC file you want to analyse (e.g., Terraform, CloudFormation or Kubernetes manifests), or pass a directory to scan everything under it. Snyk analyses the files and reports the misconfigurations found, each with its severity and the resource it applies to.
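To show how the pieces above fit together in a pipeline, here is an added example (not Snyk’s code, and not part of the original article) that consumes the JSON written by snyk test --json, applies an ignore policy with the same shape as the .snyk file that snyk ignore maintains, and turns the severity, “introduced through” path and fix information described earlier into a pass/fail decision. The report, the policy, the package names and the SNYK-… issue IDs are constructed placeholders, and matching ignores on the ' > '-joined dependency path is an assumption about the policy file’s path keys.

```python
"""CI gate over `snyk test --json` output. Added example, not Snyk's own code.
Applies an ignore policy shaped like the `.snyk` file that `snyk ignore` maintains, then fails
on unignored findings at or above a severity threshold. All data below is constructed."""
import json
import sys
from datetime import datetime, timezone

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
SCAN_TIME = datetime(2023, 11, 2, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

# Constructed sample of `snyk test --json` output for an npm project (field names as Snyk emits them).
SAMPLE_REPORT = json.dumps({"ok": False, "packageManager": "npm", "vulnerabilities": [
    {"id": "SNYK-JS-EXAMPLEPKG-0000001", "title": "Prototype Pollution", "severity": "high", "cvssScore": 7.3,
     "identifiers": {"CWE": ["CWE-1321"]}, "packageName": "example-pkg", "version": "1.2.0", "isUpgradable": True,
     "isPatchable": False, "fixedIn": ["1.2.5"], "from": ["my-app@1.0.0", "web-framework@4.0.0", "example-pkg@1.2.0"]},
    {"id": "SNYK-JS-TEMPLATELIB-0000002", "title": "Code Injection", "severity": "critical", "cvssScore": 9.8,
     "identifiers": {"CWE": ["CWE-94"]}, "packageName": "template-lib", "version": "3.0.1", "isUpgradable": False,
     "isPatchable": False, "fixedIn": [], "from": ["my-app@1.0.0", "template-lib@3.0.1"]},
    {"id": "SNYK-JS-OLDPARSER-0000003", "title": "Regular Expression Denial of Service", "severity": "high",
     "cvssScore": 7.5, "identifiers": {"CWE": ["CWE-1333"]}, "packageName": "old-parser", "version": "0.9.0",
     "isUpgradable": False, "isPatchable": True, "fixedIn": [], "from": ["my-app@1.0.0", "web-framework@4.0.0", "old-parser@0.9.0"]},
    {"id": "SNYK-JS-LOGGER-0000004", "title": "Information Exposure", "severity": "low", "cvssScore": 3.7,
     "identifiers": {"CWE": ["CWE-200"]}, "packageName": "logger", "version": "2.1.0", "isUpgradable": True,
     "isPatchable": False, "fixedIn": ["2.1.1"], "from": ["my-app@1.0.0", "logger@2.1.0"]},
]})

# Constructed policy mirroring the `.snyk` YAML layout: issue id -> list of
# {dependency path or '*': {reason, expires}}; expiry timestamps are UTC ISO-8601.
SAMPLE_POLICY = {"ignore": {
    "SNYK-JS-TEMPLATELIB-0000002": [{"*": {"reason": "Not vulnerable: the template compile function is never called",
                                          "expires": "2024-02-01T00:00:00.000Z"}}],
    "SNYK-JS-OLDPARSER-0000003": [{"web-framework@4.0.0 > old-parser@0.9.0": {
        "reason": "Ignore temporarily: waiting for an upstream fix", "expires": "2023-10-01T00:00:00.000Z"}}],  # lapsed
}}


def parse_expiry(value):
    """Parse a `.snyk` expiry such as 2024-02-01T00:00:00.000Z into an aware UTC datetime."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def dependency_path(finding):
    """The 'introduced through' chain without the root project, joined with ' > '
    (assumed here to match the path keys that `snyk ignore` writes into `.snyk`)."""
    return " > ".join(finding["from"][1:])


def ignore_status(finding, policy, now):
    """'active' if an unexpired ignore matches, 'expired' if only lapsed ones match, else None."""
    status, path = None, dependency_path(finding)
    for entry in policy.get("ignore", {}).get(finding["id"], []):
        for rule_path, rule in entry.items():
            if rule_path not in ("*", path):
                continue
            expires = rule.get("expires")
            if expires and parse_expiry(expires) <= now:
                status = "expired"
            else:
                return "active"
    return status


def remediation(finding):
    """Turn isUpgradable / isPatchable / fixedIn into the concrete next step for the developer."""
    pkg = f"{finding['packageName']}@{finding['version']}"
    if finding.get("isUpgradable") and finding.get("fixedIn"):
        return f"upgrade {pkg} to {finding['fixedIn'][0]}"
    if finding.get("isPatchable"):
        return f"apply the Snyk patch for {pkg}"
    return f"no fix available for {pkg}; ignore with a reason and expiry, or replace the package"


def gate(report_json, policy, threshold="high", now=None):
    """Bucket every finding and fail when any unignored one is at or above the threshold."""
    now = now or datetime.now(timezone.utc)
    result = {"fail": False, "blocking": [], "ignored": [], "expired_ignores": [], "below_threshold": []}
    for finding in json.loads(report_json).get("vulnerabilities", []):
        status = ignore_status(finding, policy, now)
        if status == "active":
            result["ignored"].append(finding["id"])
            continue
        if status == "expired":  # a temporary ignore that lapsed must not stay silent
            result["expired_ignores"].append(finding["id"])
        bucket = "blocking" if SEVERITY_RANK[finding["severity"]] >= SEVERITY_RANK[threshold] else "below_threshold"
        result[bucket].append(finding["id"])
    result["fail"] = bool(result["blocking"])
    return result


def run_sample(threshold="medium"):
    return gate(SAMPLE_REPORT, SAMPLE_POLICY, threshold, now=SCAN_TIME)


if __name__ == "__main__":
    outcome = run_sample()
    by_id = {f["id"]: f for f in json.loads(SAMPLE_REPORT)["vulnerabilities"]}
    for issue_id in outcome["blocking"]:
        f = by_id[issue_id]
        print(f"[{f['severity']}] {issue_id}: {f['title']} via {' > '.join(f['from'])}; fix: {remediation(f)}")
    for issue_id in outcome["expired_ignores"]:
        print(f"WARNING: the ignore for {issue_id} has expired; renew it with a fresh reason or fix the issue")
    sys.exit(1 if outcome["fail"] else 0)
```

In a real pipeline you would replace SAMPLE_REPORT with the contents of a file produced by snyk test --json and SAMPLE_POLICY with the parsed .snyk file; the exit code then follows the same convention as snyk test (1 when something blocks). The point worth noticing is how an expired ignore is handled: the finding goes back into the blocking list and is called out separately, which is the behaviour you want from the “Ignore temporarily” option, rather than a lapsed ignore quietly continuing to hide the issue.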

Conclusion

In this article we have seen what Snyk is, how to use it, the information presented on the Snyk vulnerability board and how the Snyk CLI commands work, including the most frequently used commands and their usage. We have also seen how to log in to Snyk and set it up with GitHub or another provider, how to fix a security vulnerability from the dashboard, how the auto fix feature works and the steps to take to remediate issues. I hope this article was useful to you all. I will see you in my next article; until then, as always, code learn repeat ……..

Follow for more…
