Ecosystems

Interested in ecosystem-specific posts? We’ve got your back! Read through our posts and learn how security impacts your environment.

Git checkout remote branch: how it works and when to use it

Git is a fantastic tool many developers use for version control on their projects. Although there are many other version control systems—like Subversion (SVN) and Concurrent Versioning System (CVS)—git is by far the most commonly used. A good reason for this is the focus on distributed development and the easy way to use branches. Let’s […]

December 15, 2020

Command line tools for containers—using Snyk with Buildah, Podman, and Skopeo

As the container ecosystem has matured, the one thing we’re not short on is options—both in terms of the software we use, and how we plug it all together. One of these options would be the combination of Buildah, Podman, and Skopeo—three open source command line tools with their origins in the RedHat ecosystem. As […]

December 9, 2020

Improved security testing for git-based Gradle projects using lockfile

Over the past year, we have been working hard to improve our testing for Gradle projects imported from Git repositories by making it more reliable, accurate, and scalable. We understood that parsing a Gradle manifest, instead of a Gradle lock file, would be a never-ending war that we would always lose. Trying to interpret the […]

December 7, 2020

10 Tips for getting that conference CFP accepted

Public speaking is a great privilege and I’m humbled every time I am offered a speaking position. It’s a great way to connect with folks and inspire other humans with your mission and the values you live by. A while back, I created a tiny website to curate a list of public speaking tips. Here’s a […]

December 3, 2020

10 git aliases for a faster and productive git workflow

Using git as a code versioning tool is a day-to-day activity for developers, and some of you may be practicing your git workflow through the command line. Preferably with a dark theme too, right? Although a GUI for git might come in handy for an integrated development environment (IDE) such as IntelliJ, or VS Code, […]

December 2, 2020

How do we secure Infrastructure as Code tools?

As its name indicates, Infrastructure as Code (IaC) is the practice of defining the infrastructure your applications run on as code and configuration files. This allows us to not only automate the provisioning of the resources but also to subject it to the same lifecycle processes that historically have applied only to the application codebase. […]

November 27, 2020

Snyk CLI cheatsheet

The Snyk CLI is an excellent and powerful tool to scan your applications, containers, and infrastructure as code for security vulnerabilities. In this cheatsheet, we will look at the most powerful features our CLI has to offer. You can use the CLI for scanning and monitoring on your local machine, but you can also integrate […]

November 26, 2020

Command injection: how it works, what are the risks, and how to prevent it

How do command injection attacks work? To understand programming flaws related to OS command injection attacks, let’s explore a variety of command injection vulnerabilities that were discovered in Node.js based applications. systeminformation is an Operating System (OS) information library with more than 500,000 downloads a week, regular maintenance (commits), and a community around […]

November 24, 2020

DevSecOps tools for open source projects in JavaScript and Node.js

In this article, I’d like to propose best practices and discuss how maintainers and developers can adopt DevSecOps tools for open source projects to improve their security posture. We are not short on security incidents and horror stories about malicious packages in the JavaScript open source ecosystem. As citizens of the open source ecosystem, […]

November 24, 2020

Kubernetes Operators: automating the release process

Snyk helps our customers to integrate security into their CI/CD pipelines, so we spend a lot of time thinking about automation. When it comes to releasing our own software, we’re always looking to adopt best practices for test and release. In this blog, I’ll talk about the release process for our Kubernetes Operator, and show […]

November 20, 2020

Docker for Java developers: 5 things you need to know not to fail your security

Docker is the most widely used way to containerize your application. With Docker Hub, it is easy to create and pull pre-created images. This is very convenient as you can use these images from Docker Hub to quickly build an image for your Java application. However, the naive way of creating custom Docker images for […]

November 20, 2020