snyk.io updates

GitHub Code Scanning Support for Snyk Open Source

We are happy to announce that Snyk's GitHub Actions now support showing open source vulnerabilities within the GitHub Security tab, leveraging GitHub's new Code Scanning interface! This addition lets you automatically scan your open source dependencies for security vulnerabilities and license issues, and view the results directly within GitHub's Security tab.

For more details and usage instructions, see this section in the Snyk Actions repository.


Snyk supports Ubuntu 21.04

We are happy to share that Snyk now supports the newest Ubuntu release, 21.04.

For more details, see the product documentation.

Snyk for Elixir

We are very happy to announce that the Snyk CLI now supports testing Elixir projects 🎉

You can now test and monitor your Mix/Hex projects for vulnerabilities, with full support for umbrella projects and for both Elixir and Erlang dependencies.

CLI support for Elixir is available from version 1.561.0; see the documentation for more details.

A JetBrains plugin for Snyk Code and Snyk Open Source

We’re pleased to announce our new plugin for JetBrains IDEs, making it easier for developers to find and fix security issues as they code! Within seconds, the plugin provides a list of all the different types of issues identified, in three categories:

  • Open source security - known vulnerabilities in both the direct and indirect (transitive) open source dependencies you are pulling into the project.
  • Code Security - security weaknesses identified in your own code.
  • Code Quality - code quality issues in your own code.


The plugin installs like any other JetBrains plugin, directly from within your IDE or from the JetBrains marketplace. Beneath the surface, the Snyk AI engine ensures both the speed of scans and the accuracy of results, giving developers a very fast feedback loop.

Oh, and did we mention the plugin is totally free?! Any Snyk user using JetBrains IntelliJ and WebStorm can download the plugin and start scanning the code for issues, including free users. 🚀

  • You can install the plugin from the marketplace or click here.
  • For further details, please have a look at the product documentation.
  • If you have any issues please reach out to support@snyk.io.

More granular policies with Project attributes

We are pleased to announce the general availability of project attribute policies, enabling security teams to create granular policies that align with the context of their applications. This gives more power and flexibility to our policies engine, allowing you even greater prioritization of issues.

You can create project attribute policies for License policies and Security policies. Project attribute policies are available for Pro and Enterprise users.

For more details, see the product documentation.


Maven Plugin V2.0 (CLI Based)

We're happy to share that we just released a new Maven plugin version which is now based on the CLI! 🎉

Because the new plugin is based on the CLI, all of the CLI options (args) are available out of the box from within the plugin and can be consumed as part of the Maven build process.

This means you can now customize the test and monitor runs: set a custom severity threshold, fail only when there are vulnerabilities that can be fixed, generate JSON output, and more.

For more details and usage instructions, see the Snyk Maven Plugin repository.

Snyk Infrastructure as Code - Terraform Plan support in the CLI

I'm pleased to announce that we have released a public beta of new functionality in the Snyk IaC CLI, in version 1.511.0.

You can now scan your Terraform Plan output, which will include any variables & modules that you use, enabling us to detect a broader range of security misconfigurations.

Additionally, any configuration files that you scan (Terraform or Kubernetes) are processed locally within the CLI and are not sent to Snyk for processing.

This functionality is available in beta now and can be used by appending --experimental to any Snyk IaC CLI command. For example: $ snyk iac test --experimental. To test a Terraform Plan, name your file tf-plan.json and run $ snyk iac test tf-plan.json --experimental.
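The reason plan output catches more than the raw HCL is that `terraform show -json` resolves variables and module inputs to concrete values before the file is scanned. The script below is an added illustration of that idea, not Snyk's engine and not code from this page: it walks the `resource_changes` array of a plan JSON file (the constructed sample embedded here stands in for a real tf-plan.json) and flags two common misconfigurations whose values, in source HCL, would have been hidden behind variables. The check names (`check_plan`, `load_plan`) and the sample resources are assumptions made for the example.

```python
"""Tiny Terraform plan-JSON misconfiguration check (illustrative, not Snyk's logic)."""
import json
import sys
from typing import Any, Dict, List

# Constructed plan excerpt in the shape of `terraform show -json <planfile>`.
# In HCL these values would read `acl = var.bucket_acl` and
# `cidr_blocks = var.ssh_cidrs`; in plan output they are already resolved.
CONSTRUCTED_PLAN: Dict[str, Any] = {
    "format_version": "0.1",
    "resource_changes": [
        {
            "address": "module.storage.aws_s3_bucket.logs",  # module-resolved
            "type": "aws_s3_bucket",
            "change": {"actions": ["create"], "before": None,
                       "after": {"bucket": "example-logs", "acl": "public-read"}},
        },
        {
            "address": "aws_security_group.bastion",
            "type": "aws_security_group",
            "change": {"actions": ["create"], "before": None,
                       "after": {"name": "bastion", "ingress": [
                           {"from_port": 22, "to_port": 22, "protocol": "tcp",
                            "cidr_blocks": ["0.0.0.0/0"]}]}},
        },
        {
            "address": "aws_s3_bucket.private",
            "type": "aws_s3_bucket",
            "change": {"actions": ["no-op"],
                       "before": {"bucket": "private", "acl": "private"},
                       "after": {"bucket": "private", "acl": "private"}},
        },
        {
            # Being destroyed: nothing exists after apply, so it is skipped.
            "address": "aws_s3_bucket.old_public",
            "type": "aws_s3_bucket",
            "change": {"actions": ["delete"],
                       "before": {"bucket": "old", "acl": "public-read"},
                       "after": None},
        },
    ],
}

PUBLIC_ACLS = ("public-read", "public-read-write")


def check_plan(plan: Dict[str, Any]) -> List[Dict[str, str]]:
    """Return findings for resources that will exist after the plan is applied."""
    findings: List[Dict[str, str]] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if change.get("actions") == ["delete"]:
            continue
        # Values still unknown at plan time are absent from `after`
        # (they appear in `after_unknown`), so missing keys are not flagged.
        after = change.get("after") or {}
        rtype = rc.get("type")
        if rtype == "aws_s3_bucket" and after.get("acl") in PUBLIC_ACLS:
            findings.append({"address": rc["address"], "severity": "high",
                             "issue": "S3 bucket ACL is %s" % after["acl"]})
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = rule.get("cidr_blocks") or []
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
                if "0.0.0.0/0" in cidrs and lo <= 22 <= hi:
                    findings.append({"address": rc["address"], "severity": "high",
                                     "issue": "SSH (22/tcp) open to 0.0.0.0/0"})
    return findings


def load_plan(path: str) -> Dict[str, Any]:
    """Read a plan JSON file produced by `terraform show -json`."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    plan = load_plan(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_PLAN
    for f in check_plan(plan):
        print("%s  %s  %s" % (f["severity"].upper(), f["address"], f["issue"]))
```

Run it with no arguments to check the embedded sample, or pass the path of a real plan JSON file. The point to notice is the first finding: its address starts with `module.storage`, and its ACL is a literal string, which is exactly the information a scan of the module's source files alone would not have had.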

For more details, see the product documentation.

If you have any issues, please reach out to support@snyk.io.

Quay container registry integration

We're happy to share that Quay container registry is now supported as part of our container integrations offering. Starting today, all Snyk users will be able to scan and fix vulnerabilities in their container images stored in Quay.

To get started, configure Quay from our integrations page. If you're using a self-hosted Quay, contact us for a brokered setup. Otherwise, you can start setting it up yourself and import images.


Once integrated, you can start adding images from Quay and test them for vulnerabilities.


To learn more about Snyk integration with Quay, see our documentation.

Automatic fix pull requests for Dockerfiles

We're thrilled to share that Snyk can now raise fix pull requests against your Dockerfiles!

For every scanned Dockerfile that contains a base image for which we provide recommendations, we will raise an automatic fix PR when a better base image is available. The PR is opened with the minor upgrade available.

After it is opened, the fix PR can be found in your Git repository, showing the FROM line changed in your Dockerfile, updated with the new and improved base image version.


We also provide the option to manually open a fix PR and upgrade to any of the base image recommendations we provide (rather than just the minor version). This option is available via a button next to each base image in the recommendations table.


You can enable or disable the feature using the setting at the integration level.


You can learn more about our automatic Dockerfile fix PR capability in our blog post.

For more details about opening PRs in your Dockerfile, see our product documentation.

Harbor container registry integration

We're happy to announce that Harbor container registry is now supported as part of our container integrations offering.

Starting today, Pro and Enterprise customers can test, fix and monitor vulnerabilities in their container images stored in Harbor.

To get started, you can find Harbor in our integrations page. If you're using self-hosted Harbor, contact us for a brokered setup. Otherwise, you can start setting it up yourself and import images.


Once integrated, you can start adding images from Harbor and test them for vulnerabilities.


To learn more about Snyk integration with Harbor, see our documentation.