snyk.io updates

Snyk Container Security Data Update to Red Hat Enterprise Linux (RHEL) and Amazon Linux

New

We are changing how we display vulnerabilities for RHEL and Amazon Linux: instead of presenting RHSA and ALAS advisories, we will present issues per CVE. This is part of an ongoing effort to improve our container security data.

Prior to this change, we provided information only through Red Hat Security Advisories (RHSA) and Amazon Linux Security Advisories (ALAS), both of which are collections of fixed CVEs.

The following are some of the key features of this change:

  • Enhanced accuracy by showing CVEs - Instead of presenting a single consolidated advisory, which may cover more than one CVE, we will now show each CVE separately. In addition, for Red Hat Enterprise Linux we will now show both fixed and unfixed CVEs, whereas an RHSA only covers fixed CVEs. For Amazon Linux we will still only show fixed CVEs at this time.
  • Showing individual CVEs allows us to attach enriched vulnerability metadata to each issue, such as Exploit Maturity, Social Trends and more.
  • We will also show the severity of each issue as evaluated by the Red Hat Security Team (Low, Moderate, Important, Critical), as part of the Relative Importance feature.

Important notes: 

  • Once the rollout is over, the old advisory-based data will no longer be available.
  • The number of issues might increase significantly as a result of this change, because an advisory that covers several CVEs now appears as several issues, and for RHEL unfixed CVEs are now included as well. If you use the Reports function you may see a spike in issue counts.
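To see why report counts change when issues are shown per CVE rather than per advisory, here is an added example (not Snyk's code or data) that models the old and new views over constructed sample data. All advisory IDs, CVE IDs (note the placeholder "0000" year), package names and impact ratings are placeholders, not real advisories.

```python
"""Added example (not Snyk's code or data): how the switch from per-advisory
(RHSA/ALAS) to per-CVE issue display changes what a report counts.

All advisory IDs, CVE IDs, package names and impact ratings below are
constructed placeholders (note the '0000' year), not real advisories.
"""
from __future__ import annotations

from dataclasses import dataclass

# Red Hat Security Team impact ratings (used by the Relative Importance
# feature), ordered from least to most severe.
RED_HAT_IMPACT_ORDER = ("Low", "Moderate", "Important", "Critical")


@dataclass(frozen=True)
class Advisory:
    """One fixed-CVE advisory: a single issue in the old (RHSA/ALAS) view."""
    advisory_id: str
    package: str
    cves: tuple[str, ...]


@dataclass(frozen=True)
class CveIssue:
    """One issue in the new view: a CVE against a package."""
    cve: str
    package: str
    fixed: bool
    impact: str


# Constructed sample data (placeholder identifiers).
ADVISORIES = (
    # one advisory that bundles two CVEs for the same package
    Advisory("RHSA-0000:0001", "openssl-libs", ("CVE-0000-0001", "CVE-0000-0002")),
    # the same CVE fixed again by a second advisory for another package
    Advisory("RHSA-0000:0002", "openssl", ("CVE-0000-0002",)),
)
IMPACT = {
    "CVE-0000-0001": "Important",
    "CVE-0000-0002": "Moderate",
    "CVE-0000-0003": "Critical",
}
# A CVE the distribution has acknowledged but not yet fixed; shown only for RHEL.
UNFIXED = (CveIssue("CVE-0000-0003", "glibc", fixed=False, impact="Critical"),)


def count_old_view(advisories: tuple[Advisory, ...]) -> int:
    """Old view: one issue per advisory, however many CVEs it covers."""
    return len(advisories)


def new_view(advisories, unfixed, impact, include_unfixed: bool) -> list[CveIssue]:
    """New view: one issue per (CVE, package). RHEL includes unfixed CVEs
    (include_unfixed=True); Amazon Linux does not (include_unfixed=False)."""
    issues: dict[tuple[str, str], CveIssue] = {}
    for adv in advisories:
        for cve in adv.cves:
            issues.setdefault((cve, adv.package), CveIssue(cve, adv.package, True, impact[cve]))
    if include_unfixed:
        for issue in unfixed:
            issues.setdefault((issue.cve, issue.package), issue)
    # Most severe first, so the list reads like a prioritised report.
    return sorted(issues.values(), key=lambda i: RED_HAT_IMPACT_ORDER.index(i.impact), reverse=True)


def count_change(advisories, unfixed, impact, include_unfixed: bool) -> tuple[int, int]:
    """(issues in the old view, issues in the new view) for the same image."""
    return count_old_view(advisories), len(new_view(advisories, unfixed, impact, include_unfixed))


if __name__ == "__main__":
    print("RHEL-style (fixed + unfixed):", count_change(ADVISORIES, UNFIXED, IMPACT, True))
    print("Amazon Linux-style (fixed only):", count_change(ADVISORIES, UNFIXED, IMPACT, False))
```

Two advisories become four issues in the RHEL-style view (one advisory splits into two CVEs, one CVE recurs for a second package, and an unfixed CVE is added) and three in the Amazon Linux-style view, so a count jump after the rollout is expected rather than a sign that an image got worse.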

Snyk Learn

New


Snyk Learn: Developer-First Security Education

We are excited to announce the release of Snyk Learn - an all-new free high-quality security education solution that puts developers in control of their own security education journey.

With content that is natively integrated into the development workflow, and tailored for developers, Snyk Learn makes security education relevant, actionable and engaging.

Learn something new today at learn.snyk.io


Snyk Apps

New
Open beta


We’re excited to announce the open beta of Snyk Apps - new extensibility points that enable you to expand the Snyk platform to easily integrate into your specific workflows!

Snyk Apps turn integrations into first-class citizens of the Snyk platform and as such, have the following characteristics:

  • Snyk Apps are easy to build and use with a great UX for both authors and end users provisioning them.
  • Snyk Apps are based on the Snyk API. This means integrations are inherently more stable and safer to use than before: a Snyk app will not, for example, break when a user accidentally deletes their personal API key.
  • Snyk Apps are more secure. They implement OAuth 2.0 with granular permissions that you define, so an app only gets access to what it needs.

We’d love to invite our users to build their own app!

More details on Snyk Apps and how to get started can be found in our documentation.

👩‍🔧 Happy building!

Planned downtime on Sunday 3rd October

We are making some small changes to our production databases in preparation for a planned upgrade later this year. This requires taking our databases offline for 15-30 minutes.

On Sunday 3rd October 2021, Snyk production will be unavailable:

  • Beginning 2pm UTC.
  • We expect production to be up and running before 2:30pm UTC.

We apologise for any impact this may cause.

Reachable Vulnerabilities for GitHub Java projects

New


Snyk Open Source now supports reachable vulnerability analysis for Maven and Gradle projects imported from GitHub.

Snyk will display any path found from your code to the vulnerable functions of each issue. You can filter for reachable vulnerabilities in Reports and the Project Issues, and they are also factored into Priority Scores.

This feature is powered by the semantic code analysis capabilities of Snyk Code (no separate subscription required), and requires Snyk to temporarily clone your repository.

You can opt-in by visiting Settings > Languages > Reachable Vulnerabilities.
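To make concrete what "a path from your code to the vulnerable function" means, here is an added example (not Snyk's implementation) of a toy static reachability check: a breadth-first search from the application's entry points over a constructed call graph. All class and method names and issue IDs are illustrative placeholders.

```python
"""Added example (not Snyk's implementation): a toy static reachability check
over a constructed call graph, showing what "a path from your code to the
vulnerable function" means and why an issue can be reported as unreachable.

All class/method names and issue IDs below are illustrative placeholders.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set

# caller -> callees, as a resolver would build it from the application and its
# dependencies (constructed sample graph).
CALL_GRAPH: Dict[str, List[str]] = {
    "com.example.app.Main.main": ["com.example.app.Main.handleUpload"],
    "com.example.app.Main.handleUpload": ["org.placeholder.archive.Unzipper.extract"],
    "org.placeholder.archive.Unzipper.extract": ["org.placeholder.archive.Entry.resolvePath"],
    "org.placeholder.archive.Entry.resolvePath": [],
    # Present in a dependency but never called from application code.
    "org.placeholder.xml.Parser.parseExternal": ["org.placeholder.xml.EntityResolver.resolve"],
    "org.placeholder.xml.EntityResolver.resolve": [],
}

ENTRY_POINTS = ["com.example.app.Main.main"]

# issue id -> the functions the advisory names as vulnerable (placeholders)
ISSUES: Dict[str, Set[str]] = {
    "ISSUE-ARCHIVE-TRAVERSAL": {"org.placeholder.archive.Entry.resolvePath"},
    "ISSUE-XML-XXE": {"org.placeholder.xml.EntityResolver.resolve"},
}


def find_path(graph: Dict[str, List[str]], entry_points: Iterable[str],
              vulnerable: Set[str]) -> Optional[List[str]]:
    """Breadth-first search from the application's entry points. Returns the
    shortest call path that ends in a vulnerable function, or None when the
    static call graph contains no such path."""
    entry_points = list(entry_points)
    queue = deque((ep, [ep]) for ep in entry_points)
    seen = set(entry_points)
    while queue:
        node, path = queue.popleft()
        if node in vulnerable:
            return path
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append((callee, path + [callee]))
    return None


def classify(graph: Dict[str, List[str]], entry_points: Iterable[str],
             issues: Dict[str, Set[str]]) -> Dict[str, Optional[List[str]]]:
    """Map each issue to its call path (reachable) or None (no path found)."""
    entry_points = list(entry_points)
    return {iid: find_path(graph, entry_points, funcs) for iid, funcs in issues.items()}


if __name__ == "__main__":
    for issue_id, path in classify(CALL_GRAPH, ENTRY_POINTS, ISSUES).items():
        status = " -> ".join(path) if path else "no path found (lower priority, not 'safe')"
        print(f"{issue_id}: {status}")
```

The archive issue gets a four-step path from main to the vulnerable function; the XML issue gets none because nothing in application code calls into that parser. Treat "no path found" as a reason to deprioritise, not to dismiss: a static call graph can miss calls made through reflection, dynamic dispatch or framework wiring, so an unreachable result is evidence, not proof.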


New Docs and Support Portals

New


We are happy to announce a new, dedicated Docs Portal for Snyk user documentation, to give you better and clearer access to our user docs, with enhanced navigation, and integration with learning and solutions documentation:


We’ve also revamped our Support Portal, to allow quicker and better access to all Snyk KnowledgeBase articles:


We’ll continue to invest in User Content, including increased functionality and quality improvements, to help you access the knowledge you need to use Snyk.

Smaller and faster CLI!

Improved


We're happy to announce that we've released a new version of Snyk CLI which is much smaller and faster 🏃‍♀️

New CLI releases are now using Webpack to bundle dependencies into a single package. This greatly reduces its overall download size and makes npm installations almost instant.

Our binary releases are now also compressed, dropping download sizes by over 50%. Together with the savings from bundling, our binaries went from a whopping ~90MB to ~40MB.

These changes will greatly improve the speed and reliability of Snyk CLI both on your workstations and in your CI/CD pipelines.

To try out the new version, please update your Snyk CLI installation to use the latest version.

For more information, please visit the CLI repo page on GitHub or visit our user documentation.

Identifying malicious packages

New


Snyk now factors whether a vulnerability originates from a malicious package or not into Snyk’s Priority Score, helping you find, prioritize and fix these issues more efficiently. Snyk will also add a warning on the relevant issue card itself to ensure maximum visibility.

More and more software supply chain attacks are leveraging open source packages to spread malicious code. Continue using open source but stay vigilant!


For more details, please see the Snyk Priority Score docs.

Debian 11 stable and Debian 12 testing support

New


We are pleased to announce that Snyk Container now supports the new Debian 12 (“bookworm”) work-in-progress testing release.

In addition, Snyk has supported the Debian 11 (“bullseye”) testing releases for the past two years; bullseye has now become the new Debian stable release.

See our documentation for more details about supported distributions.

Ignore Snyk IaC issues via the CLI

New


We've just added the ability to ignore Snyk Infrastructure as Code issues via the CLI.

Using the CLI is a common pattern during development of your infrastructure, either running scans locally or as part of your CI/CD pipelines.

You can use the .snyk file to ignore any issues that are not relevant to your deployment, and have these stored as part of your repository to be picked up automatically in any future CLI scans.
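As an added illustration (not taken from Snyk's documentation), this is the shape of a `.snyk` policy file that ignores one Infrastructure as Code issue across the repository. The rule ID is a placeholder; use the issue ID printed by `snyk iac test`. The `reason` and `expires` fields are assumed here as the fields a reviewer would want populated so the ignore is justified and revisited rather than permanent.

```yaml
# .snyk at the repository root (added example, not from Snyk's docs).
# SNYK-CC-PLACEHOLDER-1 is a placeholder; replace it with the issue ID shown
# by `snyk iac test`. '*' applies the ignore to every resource that triggers it.
version: v1.0.0
ignore:
  SNYK-CC-PLACEHOLDER-1:
    - '*':
        reason: Accepted for this environment; reviewed with the platform team
        expires: 2021-12-31T00:00:00.000Z
```

Commit the file alongside the infrastructure code it applies to, so that local runs and CI pipelines apply the same ignores, and set an expiry so the decision is re-evaluated instead of silently suppressing the issue forever.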

See our user documentation to get started.