Detect misconfigurations in Helm Charts
We're continuing to expand our new infrastructure as code features, with support for detecting security misconfigurations in Helm Charts now available to all. See the blog post for all the details.
Tag your projects using the API
It's now possible to tag your projects via the API! 🎉 Project tags let you label your projects in any way you like, for example by team, by risk status, or by the type of application a project belongs to. You can then use the new API to filter for all the projects that share a given tag.
For more information on how to use project tags, head on over to the documentation.
This feature will be available in the UI soon, but until then, happy tagging!
Snyk Broker Security Fixes
We have introduced several security fixes to our open source Broker. We’d like to thank Wing Chan of The Hut Group, who responsibly disclosed the issues to us via our bug bounty program.
These issues pertained to increased privileges that were available only to specific internal Snyk personnel. All issues were patched for all supported SCMs in version 4.80.0 of the Broker. We have also taken steps to improve the auditability of the Broker code, and have improved both client-side and server-side logging to give customers and Snyk better visibility of activity on the service.
APIs for creating a new Git integration
We're happy to share that we've just released new APIs that allow you to create new Git integrations and to “Brokerize” existing integrations without having to contact Snyk support 🎉
All Git integrations are supported: GitHub, GitHub Enterprise, BitBucket Cloud, BitBucket Server, GitLab and Azure Repos.
With the new set of APIs, you'll be able to:
- Create a new integration (brokered or non-brokered)
- "Brokerize" an existing integration
- "Debrokerize" an existing integration
To find out more about the new endpoints, please take a look at our API docs.
Azure Repos Server Integration (formerly TFS)
We are excited to share that, starting today, Pro and Enterprise customers can test, fix and monitor their Azure Repos Server projects for open source vulnerabilities.
To integrate your Azure Repos Server instance with Snyk, all you need to do is go to the Integrations page and click on Azure Repos.
Once the Azure Repos integration settings page loads, you'll be asked to enter the URL of your on-premise Azure Repos Server instance along with the personal access token you've generated for Snyk.
After filling out these details correctly, you'll get a confirmation message that Snyk has successfully connected to Azure Repos, and you'll be able to start importing projects into Snyk.
Please note that the new integration supports TFS v2018 Update 2 and above.
Detecting application vulnerabilities in container images
Snyk is thrilled to announce new support for scanning application vulnerabilities in container images alongside operating system vulnerabilities, all in a single scan.
If you have Node, Ruby, Python or PHP applications as part of your image, we can now surface vulnerabilities in their dependencies as well during the same scan. To use this feature, you need to enable it in your container registry integration settings.
To learn more, check out our blog post and get started!
Improved license policy management for Pro and Enterprise customers
Snyk is excited to release the first phase of our shared policies functionality that we will be working on throughout 2020. With new and improved license policies, group administrators can now leverage Snyk to more easily manage and scale their license compliance throughout the SDLC.
Support for Private Artifactory npm registries now available
We are pleased to announce that we have added support for private Artifactory npm registries.
Whether your Artifactory npm registry is hosted in the cloud or on your internal network, you can now update your settings to enable Snyk to access your private Node.js packages. This works for both
Enabling this feature means Snyk can now re-lock yarn.lock files and update package-lock.json files more accurately when creating Fix Pull/Merge Requests.
To get started, check out the documentation!
Skipping failing PR checks
We’re pleased to announce we’ve enhanced Snyk’s security and license testing for pull requests to better support secure development workflows!
To ensure development pipelines are not broken needlessly, and to give developers full visibility into the results of Snyk’s security testing, developers can now see the full details of why their pull request failed. They can then request that an administrator skip the test and “force pass” the pull request.
More details in this blog post.
Red Hat OpenShift 4 support for the Snyk Container Kubernetes integration
You can now install the Snyk Container Kubernetes integration via the OperatorHub built-in marketplace, and then import and scan workloads for vulnerabilities.
Import OpenShift workloads into Snyk and start tracking your workloads for vulnerabilities. See our documentation for more information.