Announcing Snyk for .NET, Go and PHP
The holiday season is around the corner, and we thought, why not give a modest gift of our own to Snyk’s growing community?
Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we’re taking another leap forward and launching CLI support for .NET, Go and PHP!
The CLI gives you the flexibility to test your applications manually or at key steps in your CI process. It looks through your dependency tree to identify each dependency in use and its version, before testing them all. Source code management integrations will follow soon.
So, take a few minutes (it won’t take more), and secure your apps.
First, install or upgrade Snyk to the latest version and authenticate:
npm install -g< snyk snyk auth
Snyk looks at the locally installed modules to resolve all dependencies, so you’d need to validate they’re already available.
For .NET, check to make sure that
obj/(.NET Core) folder has been populated via Visual Studio or
For Golang, check to make sure that
vendor/ was populated via
dep ensure or
govendor sync. In addition, the
GOPATH environment variable must be set correctly
For PHP, check to make sure that
composer.lock file has been created by
Then, browse to your project’s folder and test for vulnerabilities:
That would result in displaying all detected vulnerabilities, for example:
$ ✗ snyk test ✗ Medium severity vulnerability found on Microsoft.AspNetCore.All@2.0.0 - desc: Open Redirect - info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCOREALL-600122 - from: firstname.lastname@example.org > Microsoft.AspNetCore.All@2.0.0 ✗ Medium severity vulnerability found on Microsoft.AspNetCore.Server.HttpSys@2.0.0 - desc: Denial of Service (DoS) - info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORESERVERHTTPSYS-600125 - from: email@example.com > Microsoft.AspNetCore.All@2.0.0 > Microsoft.AspNetCore.Server.HttpSys@2.0.0 ✗ High severity vulnerability found on System.Net.Http@4.3.0 - desc: Privilege Escalation - info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047 - from: firstname.lastname@example.org > System.Net.Http@4.3.0
To track a project for newly disclosed vulnerabilities through the Snyk UI, use the
monitor command. You can use both
snyk test and
snyk monitor in your CI environments to bake security into your deployment pipeline.
The Go ecosystem has a surprisingly large number of package managers but is starting to settle around the “official experiment” package manager dep, with an increasing number of projects adopting it. Still, a noticeable percentage of customers who volunteered to participate in our Go alpha requested support also for govendor. So, the Snyk CLI supports both mentioned package managers.
The Snyk CLI will examine all your imports—direct and transient—matching them with the locked versions saved in your
Stay tuned for a few follow-up posts dedicated for Golang, sharing what we learned about the Go packages ecosystem and the various challenges we faced during the development of the Go support in Snyk.
We scan .NET and .NET Core projects, examining NuGet dependencies for known vulnerabilities. We process
packages.config files for .NET projects, and
obj/project.assets.json files for .NET Core projects.
We also support
.sln files to automate your open source security across all projects in a solution.
Interestingly, as we were developing our .NET support, we were surprised to discover the high importance of scanning .NET for open source vulnerabilities, as the default .NET Core v2 application depends on Microsoft.AspNetCore.All/2.0.0 which introduces over 10 vulnerabilities! So check your projects today.
Snyk supports testing and monitoring PHP projects that have their dependencies managed by composer.
We scan PHP projects by examining your
composer.lock file to compare the specific versions of every direct and deep dependency in your project against our Composer vulnerability database.
Try it out!
We’ve been working hard on this launch, gathering feedback from our alpha users and making refinements along the way. We’re thrilled to now open the CLI up to everyone.
As always, Snyk is free for open-source use—no matter how many open-source projects you have. Open-source is a huge boon for development, and we’re happy to play our part in making it as secure as possible.
If you have any feedback, please let us know. We’re always eager to make Snyk even better. Likewise, if there are any languages or package managers that you would like Snyk to support, let us know which ones. Not only does it help us prioritize, but we love being able to give early access to developers eager to test and provide feedback.