snyk.io updates
snyk.io updates app.snyk.io/projects

Snyk Open Source in Visual Studio Code

 

New

  

We’re pleased to announce our new extension for Visual Studio Code, making it easier for developers to find and fix security issues as they code! Within seconds, the extension provides a list of all the different types of issues identified, in categories:

  • Open source security - known vulnerabilities in both the direct and in-direct (transitive) open source dependencies you are pulling into the project.
  • Code Security - security weaknesses identified in your own code.
  • Code Quality - code quality issues in your own code.

vscode-os.png

The extension is easy to install just like any other Visual Studio Code extension, directly from within your IDE or from the Visual Studio Code marketplace. Beneath the surface the powerful Snyk AI engine ensures both the speed of executed scans as well as the accuracy of results, guaranteeing an extremely fast feedback loop for developers.

For further details, please have a look at the product documentation.

If you have any issues, don't hesitate to reach out to support@snyk.io.

G Georgi

Snyk IaC - Custom Rules

 

New

  

We're excited to announce the ability for users to write and execute their own security rules through the Snyk IaC product.

This gives security and platform teams the power to enforce checks that are custom to your needs, such as tagging standards or using infrastructure in approved ways.

Developers will receive combined feedback on their IaC configuration status, powered by both the Snyk provided and custom rules added by you.

For more information and how to get started check out the blog post here https://snyk.io/blog/developing-custom-iac-rules-with-snyk-iac/

B Ben

Automated fixes for vulnerabilities in .NET dependencies

 

New

 

Improved

  

We’re pleased to announce improved support for .NET applications in Snyk Open Source, allowing developers to fix vulnerabilities in dependencies with the help of actionable advice and automated pull requests 🎉

Snyk Open Source will now display actionable fix advice, trigger fix pull requests, and automatically test new pull requests in your repository.

For more information, check out the official announcement and Snyk for .NET.

Happy fixing!

Stephanie, Product Manager

Snyk's SCM contributors count tool

 

Improved

  

Now improved and released, this tool can scan your Snyk account and/or your SCM’s repos to get a unique committers count for the last 90 days with a breakdown of the repos and committers' details.

For existing Snyk customers, use this tool to validate your license usage or to evaluate new usage for expanding your Snyk monitored repos.

For onboarding customers, use this tool to get an estimate of the needed Snyk licenses or just to get a sense of what’s going on in your SCMs.

For more details, see our user docs.

Download the tool here.

I Ilan

Maven accuracy improvements

 

Improved

  

We are about to roll out a new version of our Maven dependency resolution mechanism 🎉

You can expect to see more accurate packages and versions in Maven projects imported from Git, for example when using frameworks such as Spring Boot and Jackson that use dependencyManagement.

Note that when the upgrade is applied you may find that more vulnerabilities are reported for your projects. This is because the new dependency graph contains more accurate versions, which can be older and more vulnerable than the previous results.

This upgrade will be applied gradually to all Snyk organizations over the next few weeks.

No action is required from yourself, the updated results will appear when your project's daily recurring tests are run.

Stephen, Senior Product Manager

Multiple branch / version support in the CLI

 

New

 

Open beta

  

Sometimes your project might have multiple states which you want to monitor separately. These could be branches, releases, deployments and so on. We are happy to announce that you can now use --target-reference to separate projects into these specific groupings, being able to monitor multiple instances of your project.

To start using this feature, you’d need to update the CLI to the latest version and run the snyk monitor command with the --target-reference option.

For more information, please visit our user documentation.

image.png

Or, Product Manager

Snyk Container Security Data Update to Red Hat Enterprise Linux (RHEL) and Amazon Linux

 

New

  

We are changing the way we display vulnerabilities, from RHSA and ALAS to present issues based on the CVEs as part of an ongoing effort to improve our container security data.

Prior to these changes, we have provided information only through Red Hat Security Advisory (RHSA) and Amazon Linux Security Advisories (ALAS), both of which are collections of fixed CVEs.

The following are some of the key features of this change:

  • Enhanced accuracy by showing CVEs - Instead of presenting a consolidated single advisory, which may cover more than one CVE, we will now show each CVE separately. In addition, for Red Hat Enterprise Linux we will now show both fixed and unfixed CVEs, whereas the RHSA only shows fixed CVEs. For Amazon Linux, we will still only support fixed CVEs at this time. 
  • Showing individual CVEs allows us to provide enriched vulnerability metadata on these CVEs, like Exploit Maturity, Social Trends and more.
  • In addition, we will also provide the severity of the issues as evaluated by the Red Hat Security Team (Low, Moderate, Important, Critical), as part of the Relative Importance feature.

Important notes: 

  • Once the rollout is over, the old data will not be available.
  • The number of issues might increase significantly as a result of the change. If you use the Reports function you may see a spike in issues.
T Tal

Snyk Learn

 

New

  

Snyk Learn: Developer-First Security Education

We are excited to announce the release of Snyk Learn - an all-new free high-quality security education solution that puts developers in control of their own security education journey.

With content that is natively integrated into the development workflow, and tailored for developers, Snyk Learn makes security education relevant, actionable and engaging.

Learn something new today at learn.snyk.io

image.png

Ben W, VP Product, Developer Journeys

Snyk Apps

 

New

 

Open beta

  

We’re excited to announce the open beta of Snyk Apps - new extensibility points that enable you to expand the Snyk platform to easily integrate into your specific workflows!

Snyk Apps turn integrations into first-class citizens of the Snyk platform and as such, have the following characteristics:

  • Snyk Apps are easy to build and use with a great UX for both authors and end users provisioning them.
  • Snyk Apps are based on the Snyk API. This means that integrations are inherently more stable and safer to use than before. A Snyk app will not, for example, break when a user accidentally deletes their personal API key!
  • Snyk Apps are more secure. Implementing OAuth 2.0, they have granular permissions that you define so they only get access to what they need.

We’d love to invite our users to build their own app!

More details on Snyk Apps and how to get started can be found in our documentation.

👩‍🔧 Happy building!

Creager, Platform Extensibility

Planned downtime on Sunday 3rd October

We are making some small changes to our production databases in preparation for a planned upgrade of them later this year. This requires bringing our databases off line for 15-30 minutes.

On Sunday 3rd October 2021, Snyk production will be unavailable:

  • Beginning 2pm UTC.
  • We expect production to be up and running before 2:30pm UTC.

We apologise for any impact this may cause.

N Nickie