Ending Snyk CLI support for Node.js 8.x

Starting from 15.02.2021, the Snyk CLI will no longer support Node.js 8.x.

LTS support for this version ended at the end of 2019, and it no longer receives security updates. We consider it a general security best practice to always use up-to-date runtime environments.

What does this mean? Starting from the stated date above, using the latest version of the Snyk CLI (v. 1.437.4 and above) with Node.js 8.x, either locally or as part of an automated build pipeline, might fail.

What should you do? For optimized Snyk CLI operations, we recommend upgrading Node.js to the current stable version - version 14.x.

The Snyk team is here to help! Feel free to reach out to support in case you encounter any issues or have any questions.

Snyk Infrastructure as Code - CLI Performance

I'm pleased to announce that we have released a significant performance improvement to the Snyk CLI for scanning your Infrastructure as Code files.

Handling large volumes of files is now performant, and benchmarking shows that scanning 500 Terraform files takes < 20 seconds. To benefit from these improvements, ensure you are using a CLI version > 1.438.0 and run $ snyk iac test.

If you have any issues, please reach out to support@snyk.io.

Prioritize fixes more efficiently with Reachable Vulnerabilities for GitHub Java Maven projects

We are happy to announce the availability of Reachable Vulnerabilities for GitHub Java Maven projects. Reachable Vulnerabilities analysis will take a deeper look into how your projects are using their open source dependencies, and how those open source dependencies interact with each other, identifying whether the vulnerable part of a dependency is indeed reached or not.

The reachability analysis will provide your development and security teams with deep application-level context for vulnerabilities identified in GitHub-hosted applications, enabling them to prioritize fixes more efficiently.

This feature is in open beta and we'll be gradually making it available to Snyk users over the upcoming weeks. If you can't wait and want to get access sooner, reach out to support@snyk.io. For more details, please see the main documentation.

Snyk Infrastructure as Code - Reporting

I'm pleased to announce that we have launched reporting capabilities for the Snyk Infrastructure as Code (IaC) product. Any issues that are detected in your Kubernetes, Helm or Terraform files will now be included in the summary graphs and detailed breakdowns in the Snyk UI.

The reporting data can be exported via CSV and is also accessible via the API.

This beta is open to all paying Snyk IaC customers. If you are eligible, you can opt in by navigating to the settings page for your organisation, selecting "Snyk Peek" on the left-hand side and then turning reporting on.

When this functionality is released, it will be automatically available to all paid Snyk IaC customers.

If you have any issues, please reach out to support@snyk.io.

Broker Token Sharing and Rotation APIs

Happy to announce that we've just released a new set of APIs that allow you to share Broker tokens between multiple SCM integrations and to rotate tokens continuously, without downtime.

To learn more about the new APIs, please look at the following endpoints in our API docs website:

The APIs are available for Standard, Pro and Enterprise users.

Import Go Modules projects from Git

We are pleased to announce that we are releasing support for importing Go Modules projects from Git repos!

We have supported Go Modules in the Snyk CLI for some time, but the ability to import directly from a Git repo has been one of our most popular feature requests.

This feature is in open beta and we'll be gradually making it available to Snyk users over the next few weeks. If you can't wait and want to get access sooner, reach out to support@snyk.io.

For more details, please see the main documentation.

Understand Container vulnerabilities with Relative Importance

Container vulnerabilities are tricky things to deal with, requiring an understanding of both Linux security and container image architecture. We’re pleased to announce a new feature that helps take some of the mystery out of prioritising and fixing container vulnerabilities: relative importance.

Snyk now surfaces the different sources that we considered when determining the severity of a Linux container vulnerability.

Read more about relative importance, and our general Linux Container Security story!

Bug fix: Fixable issues in Reporting

Tomorrow at 9 AM EST, we will push a bug fix that may impact the count of fixable issues in the grouped view of the Issues tab within reporting.


This fix corrects an aggregation mistake that marked an entire issue group as not fixable if any issue in that group was not fixable. Such groups will now be marked as fixable when at least one issue within the group is fixable.
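The aggregation error described above, shown as an added example (not Snyk's own reporting code): the same vulnerability ID appears once per dependency path, the grouped view collapses those rows into one group, and the group's "fixable" flag must be an any-of, not an all-of, over its rows. The issue rows are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: one row per vulnerability instance. The same ID shows up
# several times because it is reached via different paths or projects, and only
# some of those paths have an upgrade available.
SAMPLE_ISSUES = [
    {"id": "VULN-A", "path": "proj1 > lib-x@1.0", "fixable": True},
    {"id": "VULN-A", "path": "proj2 > lib-x@1.0", "fixable": False},
    {"id": "VULN-B", "path": "proj1 > lib-y@2.3", "fixable": False},
    {"id": "VULN-B", "path": "proj3 > lib-y@2.3", "fixable": False},
    {"id": "VULN-C", "path": "proj2 > lib-z@0.9", "fixable": True},
]


def group_by_id(issues):
    """Collect the per-path rows under their vulnerability ID (the grouped view)."""
    groups = defaultdict(list)
    for issue in issues:
        groups[issue["id"]].append(issue)
    return groups


def group_fixable_buggy(issues):
    """Pre-fix behaviour: a group counts as fixable only if every row is fixable,
    so a single unfixable path marks the whole group 'not fixable'."""
    return {vid: all(row["fixable"] for row in rows)
            for vid, rows in group_by_id(issues).items()}


def group_fixable_fixed(issues):
    """Post-fix behaviour: a group is fixable if at least one of its rows is."""
    return {vid: any(row["fixable"] for row in rows)
            for vid, rows in group_by_id(issues).items()}


def count_fixable_groups(issues, aggregate=group_fixable_fixed):
    """The 'fixable issues' number in the grouped view: groups that have a fix."""
    return sum(1 for fixable in aggregate(issues).values() if fixable)
```

On this sample the buggy aggregation reports 1 fixable group (VULN-C only) while the corrected one reports 2 (VULN-A and VULN-C), which is the kind of count change the bug fix produces.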

Prioritize your vulnerabilities with our new Security Policies

We're pleased to announce the general availability of Security Policies - enabling security teams to create rules to automatically prioritize or de-prioritize specific vulnerabilities, and ensuring developers can easily understand which vulnerabilities should be tackled first.

This is just the beginning for Security Policies! We will be adding more conditions and actions over time to give you even more control over what your developers see.

More information about how Security Policies can help with prioritization is available on our blog. To learn more about how to use this capability, check out our help center documentation.

Security Policies is available for Pro and Enterprise users.

Dockerfile vulnerabilities detection directly from Git

We're thrilled to announce that Snyk now detects Dockerfiles directly from your source code manager and surfaces base image vulnerabilities.

This allows you to identify issues before building the container image, and to fix them before they land in a registry or in production, based on our base image recommendations.

To get started, import your Git repository (where your Dockerfile lives) and check out the new Dockerfile project that is created. There, you can see all the relevant information to start taking action, including base image vulnerabilities, base image recommendations and the option to link the Dockerfile project to other image projects you have in Snyk.


To learn more about Dockerfile projects, visit our Knowledge Center.