snyk.io updates app.snyk.io/projects

We’re pleased to announce our new plugin for JetBrains IDEs, making it easier for developers to find and fix security issues as they code! Within seconds, the plugin provides a list of all the different types of issues identified, in three categories:

• Open source security - known vulnerabilities in both the direct and in-direct (transitive) open source dependencies you are pulling into the project.
• Code Security - security weaknesses identified in your own code.
• Code Quality - code quality issues in your own code.

The plugin is easy to install just like any other JetBrains plugin, directly from within your IDE or from the JetBrains marketplace. Beneath the surface the powerful Snyk AI engine ensures both the speed of executed scans as well as the accuracy of results, guaranteeing an extremely fast feedback loop for developers.

Oh, and did we mention the plugin is totally free?! Any Snyk user using JetBrains IntelliJ and WebStorm can download the plugin and start scanning the code for issues, including free users. 🚀

• You can install the plugin from the marketplace or click here.
• For further details, please have a look at the product documentation.
• If you have any issues please reach out to support@snyk.io.

We are pleased to announce the general availability of project attribute policies, enabling security teams to create granular policies that align with the context of their applications. This gives more power and flexibility to our policies engine, allowing you even greater prioritization of issues.

You can create project attribute policies for License policies and Security policies. Project attribute policies are available for Pro and Enterprise users.

For more details, see the product documentation.

We're happy to share that we just released a new Maven plugin version which is now based on the CLI! 🎉

As the new plugin is based on the CLI, all of the CLI options (args) are now available out-of-the-box from within the plugin and can be easily consumed as part of the Maven build process.

This means that you can now customize the test and monitor runs by setting a custom severity threshold, failing only when there were vulnerabilities that can be fixed, generating json output and more.

For more details and usage instructions, see the Snyk Maven Plugin repository.

I'm pleased to announce we have released a public beta of new functionality in the Snyk IaC CLI in version 1.511.0

You can now scan your Terraform Plan output, which will include any variables & modules that you use, enabling us to detect a broader range of security misconfigurations.

Additionally any configuration files that you scan (Terraform or Kubernetes) will be processed locally within the CLI and not sent to Snyk for processing.

This functionality is available in beta now and can be used by appending --experimental to any Snyk IaC CLI command. For example $ snyk iac test --experimental or to test a Terraform Plan file name your file tf-plan.json and run $ snyk iac test tf-plan.json --experimental

For more details, see the product documentation

If you have any issues please reach out to support@snyk.io

We're happy to share that Quay container registry is now supported as part of our container integrations offering. Starting today, all Snyk users will be able to scan and fix vulnerabilities in their container images stored in Quay.

To get started, configure Quay from our integrations page. If you're using a self-hosted Quay, contact us for a brokered setup. Otherwise, you can start setting it up yourself and import images.

Once integrated, you can start adding images from Quay and test them for vulnerabilities.

To learn more about Snyk integration with Quay, see our documentation.

We're thrilled to share that Snyk can now raise fix pull requests against your Dockerfiles!

For every scanned Dockerfile that contains a base image for which we provide recommendations, we will raise an automatic fix PR in case there is a better base image that can be used. The PR will be opened with the minor upgrade available.

After it is opened, the fix PR can be found in your Git repository, showing the FROM line changed in your Dockerfile, updated with the new and improved base image version.

We also provide the option to manually open a fix PR and upgrade to any of the base image recommendations we provide (rather than just the minor version). This option is available using a button next to each one of the base images in the recommendations table.

You can enable/disable the feature using the setting that can be found in the integration level.

You can learn more about our automatic Dockerfile fix PR capability in our blog post.

For more details about opening PRs in your Dockerfile, see our product documentation.

We're happy to announce that Harbor container registry is now supported as part of our container integrations offering.

Starting today, Pro and Enterprise customers can test, fix and monitor vulnerabilities in their container images stored in Harbor.

To get started, you can find Harbor in our integrations page. If you're using self-hosted Harbor, contact us for a brokered setup. Otherwise, you can start setting it up yourself and import images.

Once integrated, you can start adding images from Harbor and test them for vulnerabilities.

To learn more about Snyk integration with Harbor, see our documentation.

We’ve redesigned the issue card on the project page, to help developers understand what they need to fix something much quicker. This involves streamlining the header of the card to only contain key information required to fix issues. The other contextual information is still available in the card, but tucked away slightly so you can really focus on the critical information.

We’ve also added an extra filter, and the ability to sort issues so that you can focus on the issues which are the most important to tackle.

To see how we’ve made the issue card more concise and valuable, open any Snyk projects you have. For more information on the specific features within the issue card, see the product user documentation.

Custom webhooks are in beta 🎉

Subscribe to push events from Snyk! This new API functionality can be used to receive Snyk payloads in third-party systems (collaboration tools or incident management platforms) when a Snyk event is triggered, such as when a new vulnerability is identified.

The first event you can subscribe to is project_snapshot, which is triggered every time a project is scanned for vulnerabilities. New issues are included in the payload your webhook receives, along with the project, org, and group for context.

To learn more about the new webhooks feature, see our API documentation.

As a feature of the API, webhooks are available in all paid plans.

We have released a bug fix to align the way license severities are resolved and displayed for dependencies using dual/multiple licenses.

Previously, for these dependencies, the resolved license severity was not always displayed within the Snyk UI and exported CSV reports. Also, the API (Licenses, Licenses by organization, and List all licenses) response did not show when a certain dependency uses more than one license.

This fix aligns Snyk’s license reporting, to show accurate license details across the UI, exported CSVs, and the API.