snyk.io updates

You can now detect cloud infrastructure drift and unmanaged Terraform resources via the Snyk CLI.

New

Using the CLI command you can:

  • Detect drift within a specific feature or cloud environment
  • Discover unmanaged resources in your cloud environments
  • See what percentage of each cloud environment is covered by IaC

This release includes a brand new CLI UI for clearer reporting. For usage and constraints, please see the product documentation, the release blog post or the Snyk CLI help.
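As an added example, not Snyk's code and not from this page: a small POSIX shell gate that reads the JSON the drift scan writes and fails a pipeline when unmanaged resources are present or IaC coverage drops below a threshold. It assumes the `--json` output of `snyk iac describe` carries a `summary` object with `total_resources`, `total_managed` and `total_unmanaged` counts (the constructed sample below has that shape); confirm the field names against the output of your CLI version before relying on it, and use `snyk iac describe --help` for the state-source and cloud-target flags.

```shell
#!/bin/sh
# Added example, not Snyk's own code: fail a pipeline when the drift scan
# finds unmanaged resources or IaC coverage drops below a threshold.
# The JSON field names below are an assumption about the `--json` output.

# summary_field FILE KEY -> prints the integer stored under "summary"."KEY"
summary_field() {
    # The quotes around the key stop "total_managed" matching "total_unmanaged".
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# coverage_percent FILE -> whole-number percent of discovered cloud resources
# that are tracked in Terraform state (total_managed / total_resources).
coverage_percent() {
    managed=$(summary_field "$1" total_managed)
    total=$(summary_field "$1" total_resources)
    if [ -z "$total" ] || [ "$total" -eq 0 ]; then
        echo 0
        return
    fi
    echo $(( ${managed:-0} * 100 / total ))
}

# drift_gate FILE MIN_COVERAGE
#   returns 0 when nothing is unmanaged and coverage >= MIN_COVERAGE,
#   1 when unmanaged resources exist, 2 when coverage is below the minimum.
drift_gate() {
    unmanaged=$(summary_field "$1" total_unmanaged)
    cov=$(coverage_percent "$1")
    if [ "${unmanaged:-0}" -gt 0 ]; then
        echo "FAIL: $unmanaged cloud resource(s) not managed by IaC" >&2
        return 1
    fi
    if [ "$cov" -lt "$2" ]; then
        echo "FAIL: IaC coverage ${cov}% is below the required $2%" >&2
        return 2
    fi
    echo "OK: coverage ${cov}%, no unmanaged resources"
}

# write_sample_describe_json FILE -> constructed sample in the assumed shape
write_sample_describe_json() {
    cat > "$1" <<'EOF'
{"summary":{"total_resources":40,"total_changed":2,"total_unmanaged":6,"total_missing":0,"total_managed":34},"coverage":85}
EOF
}

out=$(mktemp)
if command -v snyk >/dev/null 2>&1 && [ -f terraform.tfstate ]; then
    # Real run: state file and cloud credentials come from the environment;
    # the CLI exits non-zero when drift is found, so do not abort on it here.
    snyk iac describe --json > "$out" || true
else
    write_sample_describe_json "$out"
fi
drift_gate "$out" 90 || echo "gate exit code: $?"
rm -f "$out"
```

Exit code 1 from the gate is the one worth wiring into a required CI check: an unmanaged resource exists in the account but nowhere in code, so no review process sees changes made to it.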

Secure your IaC in Terraform Cloud

New

The Snyk run tasks integration automates security and compliance in Terraform Cloud workflows.

Using the Snyk integration you can:

  • Track security and compliance status of your workspaces
  • Manage security guardrails and policy enforcement across workspaces
  • Resolve security misconfigurations with fix guidance in Snyk

To start, open the Integrations page in Terraform Cloud and connect Snyk to your workspaces.

This feature is available on all Snyk plans.

For usage and context, see the Terraform Cloud integration documentation and our blog post. A HashiCorp + Snyk tutorial is also available.

Support for Terraform Variables in Snyk IaC

New

Scanning for Terraform Variables is now released in the Snyk CLI 🎉.

snyk iac test now resolves variables used in your IaC configurations, so misconfigurations whose values are set through variables are found, giving more complete and more accurate results.

Upgrade the Snyk CLI to v1.868.0 or later and run snyk iac test as usual in the directory containing your Terraform (.tf) files.

For usage and constraints, see our documentation.
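To see why variable resolution changes results, here is an added example (not Snyk's code and not from this page): a shell script that writes a minimal Terraform layout in which main.tf looks clean on its own and the world-open CIDR lives only in terraform.tfvars. It assumes the scanner loads terraform.tfvars alongside the .tf files; the snyk iac test call runs only when the CLI is installed, and the grep pre-check is a crude reviewer aid, not a substitute for the scan.

```shell
#!/bin/sh
# Added example, not from Snyk: a Terraform layout where the misconfiguration
# only exists once the variable is resolved. main.tf looks harmless on its
# own; terraform.tfvars is what opens SSH to the world.

# write_variable_demo DIR -> writes three constructed files into DIR
write_variable_demo() {
    mkdir -p "$1"
    cat > "$1/variables.tf" <<'EOF'
variable "admin_cidr_blocks" {
  description = "CIDR ranges allowed to reach the bastion over SSH"
  type        = list(string)
  # No default: a scanner without variable support sees only var.admin_cidr_blocks
}
EOF
    cat > "$1/main.tf" <<'EOF'
resource "aws_security_group" "bastion" {
  name        = "bastion-ssh"
  description = "SSH access to the bastion host"

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidr_blocks   # the indirection hides the value
  }
}
EOF
    cat > "$1/terraform.tfvars" <<'EOF'
# The real exposure lives here: every IPv4 address may reach port 22.
admin_cidr_blocks = ["0.0.0.0/0"]
EOF
}

# world_open_in_tfvars DIR -> 0 if a tfvars file assigns 0.0.0.0/0 or ::/0.
# Crude pre-check for reviewers only: it cannot see defaults in variables.tf
# or values passed on the command line, which the real scan does resolve.
world_open_in_tfvars() {
    grep -Eqs '(0\.0\.0\.0/0|::/0)' "$1"/terraform.tfvars "$1"/*.auto.tfvars
}

demo_dir=$(mktemp -d)
write_variable_demo "$demo_dir"
if world_open_in_tfvars "$demo_dir"; then
    echo "tfvars assigns a world-open CIDR; main.tf alone would not show it"
fi
if command -v snyk >/dev/null 2>&1; then
    # Snyk CLI 1.868.0+ resolves var.admin_cidr_blocks from terraform.tfvars
    # and reports the SSH rule as open to the world.
    snyk iac test "$demo_dir" || true
fi
rm -rf "$demo_dir"
```

The fix belongs where the value is set: replace the 0.0.0.0/0 in terraform.tfvars with the administrative range, and a scanner that resolves variables will confirm the finding is gone without any change to main.tf.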

Snyk Container - Custom Base Image Recommendations

New

Open beta

We are excited to announce that custom base image recommendations for Snyk Container are now available as an Open Beta 🎉.

Using the custom base image recommendation feature, Snyk can recommend an image upgrade from a pool of the customer’s internal images. This allows teams to be notified of newer and more secure versions of their internal base images.

This feature is available for Business and Enterprise pricing plans.

View the documentation for more details.

Snyk IaC - CLI Share Test Results

Open beta

We are excited to announce that the ability for the Snyk IaC CLI to share test results with the Snyk platform is now available in open beta 🎉.

This feature is available on all plans and is now live.

What can you expect:

  • Share test results from the CLI to the Snyk Platform.
  • Issues ignored locally on the CLI will be ignored on the Snyk Platform.
  • Users can record the branch or other reference their code base was scanned from with the target reference flag (--target-reference).
  • Users can add tags and attributes locally to share with the Snyk Platform.

What does this mean for you?

  • Update to Snyk CLI v1.899.0 or later.

  • Run snyk iac test --report to use the new feature.

View the documentation for more details.
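An added example, not from Snyk and not part of this page: a POSIX shell wrapper for snyk iac test --report that derives --target-reference from the CI branch name (GitHub Actions and GitLab CI variables first, then git) and validates the --tags value before handing it to the CLI. It assumes SNYK_TOKEN or a prior snyk auth is in place; the permitted tag characters are my assumption for the pre-check, not a documented limit.

```shell
#!/bin/sh
# Added example, not from Snyk: a CI wrapper for `snyk iac test --report`
# that records where the scan came from and tags the project consistently.

# detect_target_reference FALLBACK -> prints the branch name to send as
# --target-reference: CI-provided names first (GitHub Actions, GitLab CI),
# then the checked-out git branch, then FALLBACK when nothing else is known.
detect_target_reference() {
    ref=${GITHUB_REF_NAME:-${CI_COMMIT_REF_NAME:-}}
    if [ -z "$ref" ]; then
        ref=$(git rev-parse --abbrev-ref HEAD 2>/dev/null || true)
    fi
    # A detached HEAD reports the literal "HEAD", which is useless as a reference.
    if [ -z "$ref" ] || [ "$ref" = HEAD ]; then
        ref=${1:-unknown}
    fi
    printf '%s\n' "$ref"
}

# validate_tags TAGS -> 0 when TAGS is key=value[,key=value...], the shape the
# CLI expects. Rejecting malformed input here keeps the failure local instead
# of a confusing error from the platform. Character set is an assumption.
validate_tags() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+=[A-Za-z0-9_.-]+(,[A-Za-z0-9_.-]+=[A-Za-z0-9_.-]+)*$'
}

# snyk_iac_report DIR TAGS -> scans DIR and ships the results to the platform.
# Exit status follows the CLI: 0 clean, 1 issues found, 2 usage or error.
snyk_iac_report() {
    dir=${1:-.}
    tags=${2:-}
    ref=$(detect_target_reference local)
    set -- iac test "$dir" --report "--target-reference=$ref"
    if [ -n "$tags" ]; then
        validate_tags "$tags" || { echo "refusing malformed --tags value: $tags" >&2; return 2; }
        set -- "$@" "--tags=$tags"
    fi
    # Ignores declared in the .snyk policy file inside DIR travel with the results.
    echo "+ snyk $*" >&2
    snyk "$@"
}

if command -v snyk >/dev/null 2>&1; then
    snyk_iac_report . "team=platform,owner=infra-sec"
else
    echo "would report results for branch $(detect_target_reference local) (snyk CLI not installed)"
fi
```

Keeping the tag set in the wrapper rather than in each pipeline definition is what makes the platform-side filtering useful: every IaC project reported from CI carries the same team and owner keys.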

Oracle Linux Security Data Improvements - Upcoming Changes

Improved

We would like to inform you about upcoming changes to how we provide security data for the Oracle Linux platforms.

As part of a continual effort to improve our container security data, we are changing how we provide information on Oracle Linux vulnerabilities. Until now, we reported Oracle Linux vulnerabilities only through Oracle Linux errata security advisories (ELSA), each of which bundles a set of fixed CVEs. We are moving away from ELSA and will instead present issues per individual CVE.

The following are some of the key features of this change:

  • Enhanced accuracy: By showing individual CVEs instead of an ELSA, which may cover more than one CVE, you will have more details about each vulnerability Snyk detects.

  • Enriched metadata: Showing individual CVEs allows us to provide enriched vulnerability metadata on these CVEs, like Exploit Maturity, Social Trends and more.

  • Oracle’s security analysis: We will provide the severity of the issues as defined by the Oracle Security team (Low, Moderate, Important, Critical), in addition to the severity determined by NVD, as part of the Relative Importance feature.

Important notes:

  • Old data will no longer be accessible once the new data is available.
  • The current unique public Snyk IDs will be obsolete.
  • The number of issues will increase significantly as a result of this change - you may notice an increase in the Reports graphs.

The rollout starts tomorrow, April 13th. After the change, projects must be rescanned (either a manual test, or the scheduled scan for monitored projects) to pick up the new data.

Improved UI for Snyk IaC

Improved

Snyk IaC has a new look 🎉. Terraform, CloudFormation, and Kubernetes files now have a detailed row view displaying one code snippet per issue, making it easier to identify the issue in code and creating consistency across the UI for Helm chart files and Snyk Code projects.

What has changed?

  • Filter by severity: filter issues by High, Medium or Low severity
  • Work by misconfiguration: the file is broken into individual misconfiguration issues, each with its own code snippet, instead of one code block of the entire file with the issues marked in it.
  • The ‘Ignore’ button now sits underneath each code snippet

New UI view


To temporarily continue using the previous UI view, you can opt out of the update via the feature flag under Snyk Preview. Opting out is temporary: the previous UI will be retired in a month’s time.

Announcing C/C++ for Snyk Open Source

New

We are excited to extend Snyk’s developer-first experience to one of the oldest and largest developer communities. Today, we are announcing the general availability of C/C++ in Snyk Open Source, enabling development and security teams to find and fix known security vulnerabilities in their C/C++ open source library dependencies.

Check out the details

CVE-2022-22965 - “SpringShell” RCE vulnerability in spring-beans before 5.2.20/5.3.18

CVE-2022-22965 has been assigned to a zero-day RCE vulnerability in spring-beans; the Spring team has officially acknowledged the vulnerability and released fixed versions (5.2.20 and 5.3.18) addressing the currently known exploit. Scan your applications with Snyk to find out whether you are affected, and mitigate by upgrading Spring to the latest version.

All Snyk projects are being re-tested, but we recommend re-testing your projects yourself to make sure this has happened. Several partial mitigations have been published online, but we strongly recommend upgrading to a fixed version to protect against this vulnerability.

The Snyk Security team is continuing to investigate, as we expect further exploits and bypasses to appear. Look for updates in our advisory and on the Spring blog.

Credential format changes for Snyk Apps

Improved

Open beta

The credential formats for Snyk Apps have changed, to be recognizable and compatible with third-party secret scanning systems.

Specifically, the format of client secrets and refresh tokens has changed. Both credential types now carry a prefix (snyk_), followed by a type identifier (cs_ for client secrets, rt_ for refresh tokens), the credential body, and a trailing version number (currently _v1).

To illustrate, the credential types adhere to the following general form:

  • For refresh tokens: ^snyk_rt_.+_v1$ (e.g. snyk_rt_8R6aIT88713YlnZ5loA3rO5nFkzap0rs3miIPFb0J78_JOCRYo3olA5cubc5jYxy8R7xhf9m9cP8wwJ3FYy4Kis_v1)
  • For client secrets: ^snyk_cs_.+_v1$ (e.g. snyk_cs_FDals7bwaCdSIW_6sOaV92yQouJ8GlztpuBZLLpyEp80_v1)

Existing credentials will continue to work. To take advantage of the new client secret format, rotate the client secret for your Snyk App using the POST /orgs/{org_id}/apps/{client_id}/secrets API endpoint. New refresh tokens are issued in the new format automatically; you can exchange an existing refresh token for a new one using the POST /oauth2/token API endpoint.
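Because the fixed prefix and suffix make these credentials recognisable, a repository or log check is straightforward. The following is an added example, not code from Snyk or from this page: a POSIX shell scanner that uses the two patterns above, widened from the page's anchored ^...$ forms to a [A-Za-z0-9_-] token alphabet (that alphabet is an assumption) so the credentials can be found inside arbitrary text. It fails when a credential is present and prints only a redacted prefix, so the scanner does not itself leak the secret into CI logs. The sample files it writes are constructed, reusing the two illustrative values from this announcement.

```shell
#!/bin/sh
# Added example, not from Snyk: a grep-based pre-commit / log check for the
# new Snyk App credential formats. The token alphabet [A-Za-z0-9_-] is an
# assumption made so the page's anchored patterns can be found inside text.

SNYK_CRED_RE='snyk_(rt|cs)_[A-Za-z0-9_-]+_v1'

# count_snyk_credentials FILE... -> prints how many credential-shaped tokens appear
count_snyk_credentials() {
    cat "$@" | grep -Eo "$SNYK_CRED_RE" | wc -l | tr -d ' '
}

# scan_for_snyk_credentials FILE... -> one redacted line per hit on stdout;
# returns 1 if anything was found (so it can fail a hook), 0 otherwise.
scan_for_snyk_credentials() {
    rc=0
    for f in "$@"; do
        # -o prints only the matching token, so the scanner never echoes the
        # whole line (which may hold other secrets) into CI output.
        matches=$(grep -nEo "$SNYK_CRED_RE" "$f" 2>/dev/null) || continue
        rc=1
        printf '%s\n' "$matches" | while IFS=: read -r line tok; do
            case "$tok" in
                snyk_rt_*) kind="refresh token" ;;
                *)         kind="client secret" ;;
            esac
            # Show enough of the prefix to identify the kind, never the body.
            printf '%s:%s: Snyk App %s %.11s...%s\n' "$f" "$line" "$kind" "$tok" "${tok##*_}"
        done
    done
    return "$rc"
}

# write_sample_files DIR -> constructed inputs: one leaky env file, one clean.
# The two credential values are the illustrative ones from the announcement.
write_sample_files() {
    mkdir -p "$1"
    cat > "$1/leaky.env" <<'EOF'
SNYK_APP_REFRESH_TOKEN=snyk_rt_8R6aIT88713YlnZ5loA3rO5nFkzap0rs3miIPFb0J78_JOCRYo3olA5cubc5jYxy8R7xhf9m9cP8wwJ3FYy4Kis_v1
SNYK_APP_CLIENT_SECRET="snyk_cs_FDals7bwaCdSIW_6sOaV92yQouJ8GlztpuBZLLpyEp80_v1"
EOF
    cat > "$1/clean.txt" <<'EOF'
snyk_cs_ is just a prefix here, not a credential; no version suffix follows.
EOF
}

sample_dir=$(mktemp -d)
write_sample_files "$sample_dir"
if scan_for_snyk_credentials "$sample_dir"/leaky.env "$sample_dir"/clean.txt; then
    echo "no Snyk App credentials found"
else
    echo "commit blocked: Snyk App credentials present" >&2
fi
rm -rf "$sample_dir"
```

Wired into a pre-commit hook over the staged files, a hit should be followed by rotating the credential through the secrets endpoint above, since a secret that reached a working tree has to be assumed exposed even if the commit was blocked.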

You can learn more about Snyk Apps, currently available as an open beta, here.