Using the CLI command you can:
This release includes a brand new CLI UI for clearer reporting. For usage and constraints, please see the product documentation, the release blog post or the Snyk CLI help.
The Snyk run tasks integration automates security and compliance in Terraform Cloud workflows.
Using the Snyk integration you can:
To start, navigate to your Integrations page in Terraform cloud and connect Snyk to your workspaces.
This feature is available on all Snyk plans.
For usage and context, see the Terraform Cloud integration documentation and our blog post. Also available is a great Hashicorp + Snyk tutorial.
Scanning for Terraform Variables is now released in the Snyk CLI 🎉.
snyk iac test will now process IaC configurations defined using variables, enabling greater security findings and more accurate results.
Upgrade Snyk CLI to v1.868.0 or above and run snyk iac test as usual in your directory with TF files.
For usage and constraints, see our documentation.
We are excited to announce that custom base image recommendations for Snyk Container are now available as an Open Beta 🎉.
Using the custom base image recommendation feature, Snyk can recommend an image upgrade from a pool of the customer’s internal images. This allows teams to be notified of newer and more secure versions of their internal base images.
This feature is available for Business and Enterprise pricing plans.
View the documentation for more details.
We are excited to announce that the ability for the Snyk IaC CLI to share test results with the Snyk platform is now available in open beta 🎉.
This feature is available on all plans and is now live.
What can you expect:
What does this mean for you?
Update to the latest version of the Snyk CLI (v1.899.0).
Run command snyk iac test --report to use the new feature.
View the documentation for more details.
We would like to inform you about upcoming changes to how we provide security data for the Oracle Linux platforms.
As part of a continual effort to improve our container security data, we are changing how we provide information for Oracle Linux vulnerabilities. Prior to these changes, we provided information on Oracle Linux vulnerabilities only through Erreta Linux Security Advisories (ELSA), which are collections of fixed CVEs. We are moving from ELSA, and instead will present issues based on the individual CVEs.
The following are some of the key features of this change:
Enhanced accuracy: By showing individual CVEs instead of an ELSA, which may cover more than one CVE, you will have more details about each vulnerability Snyk detects.
Enriched metadata: Showing individual CVEs allows us to provide enriched vulnerability metadata on these CVEs, like Exploit Maturity, Social Trends and more.
Oracle’s security analysis: We will provide the severity of the issues as defined by the Oracle Security team (Low, Moderate, Important, Critical), in addition to the severity determined by NVD, as part of the Relative Importance feature.
Important notes:
The rollout will start tomorrow, on April 13th. After the change, rescanning of the project is required (either a manual test or scheduled scanning for monitored projects).
Snyk IaC has a new look 🎉. Terraform, CloudFormation, and Kubernetes files now have a detailed row view displaying one code snippet per issue, making it easier to identify the issue in code and creating consistency across the UI for Helm chart files and Snyk Code projects.
What has changed?
New UI view
To temporarily continue using the previous UI view, you can opt-out of the update via our feature flag under Snyk Preview. Opting out is a temporary action as the previous UI will be deprecated in a month’s time.
We are excited to extend Snyk’s developer-first experience to one of the oldest and largest developer communities. Today, we are announcing the general availability of C/C++ in Snyk Open Source, enabling development and security teams to find and fix known security vulnerabilities in their C/C++ open source library dependencies.
CVE-2022-22965 was reserved for a 0-day RCE vulnerability in spring-beans as Spring team officially acknowledged the vulnerability and issued a fixed version for the currently known exploit. Scan your applications with Snyk to find out if you are vulnerable and mitigate by upgrading Spring to the latest version.
All Snyk projects are being re-tested, but we recommend to re-test your projects actively to make sure the process is done. While there are several partial mitigations published online currently, we highly recommend upgrading to a fixed version to protect against this vulnerability.
The Snyk Security team is continuously investigating the issue, as we expect further exploits and bypasses to show up. Please look for updates in our advisory and on spring blog.
The credential formats for Snyk Apps have changed, to be recognizable and compatible with third-party secret scanning systems.
Specifically, the format of client secrets and refresh tokens have changed. Both credential types now include a prefix (snyk_) followed by an identifier (cs_ for client secrets, rt_ for refresh tokens) and a trailing version number (currently _v1).
To illustrate, the credential types adhere to the following general form:
^snyk_rt_.+_v1$ (e.g. snyk_rt_8R6aIT88713YlnZ5loA3rO5nFkzap0rs3miIPFb0J78_JOCRYo3olA5cubc5jYxy8R7xhf9m9cP8wwJ3FYy4Kis_v1)^snyk_cs_.+_v1$ (e.g. snyk_cs_FDals7bwaCdSIW_6sOaV92yQouJ8GlztpuBZLLpyEp80_v1)Existing credentials will continue to work. To take advantage of the new client secret format, you will need to rotate the client secret for your Snyk App using the POST /orgs/{org_id}/apps/{client_id}/secrets API endpoint, new refresh tokens will reflect the latest format automatically, you may exchange an existing refresh token for a new one using the POST /oauth2/token API endpoint.
You can learn more about Snyk Apps, currently available as an open beta, here.
