Ecosystems

Interested in ecosystem-specific posts? We’ve got your back! Read through our posts and learn how security impacts your environment.

Remove sensitive data in your files and Azure Repos history

If you find sensitive data in your Azure Repos repository, you need to do a number of things to recover. First of all you'll need to invalidate the tokens and passwords that were once public. Once a secret is public on the internet, you should assume it's in the hands of attackers and react accordingly.

May 6, 2019

Tightly control access to your Azure Repos

The following is a best practice guideline from our series of 8 Azure Repos security best practices. 3. Tightly control access to your Azure Repos. Here in the UK, when it gets really, really hot (read: mildly warm) us Brits tend to open all the windows in the house to make […]

May 6, 2019

Add a SECURITY.md file to your Azure Repos

The following is a best practice guideline from our series of 8 Azure Repos security best practices. 4. Add a SECURITY.md file to your Azure Repos. It’s natural for most project owners and maintainers to add a README.md for their repository. In fact, these days it’s expected and it’s quite frowned […]

May 6, 2019

Use Personal Access Tokens with Azure Repos

Two-Factor Authentication (2FA) adds an additional level of security to your account by requiring not just a username and password, but also a unique code from an authenticator application or sent to you by SMS. This ensures that even if your password is compromised, an attacker can't log in to your account without also having your cell phone.

May 6, 2019

Add security testing to pull requests in Azure Repos

By adding Snyk’s native integration with Azure Repos, each pull request will be tested to ensure new vulnerabilities aren’t introduced into the code base. Policies can be defined to configure the severity level of a vulnerability that fails the merge. The following image displays a failed PR due to new vulnerabilities that it would have added:

May 6, 2019

Rotate Azure Repos SSH keys and personal access tokens

Azure Repos access is typically done using SSH keys or personal access tokens (in lieu of a password). But what happens if those tokens are stolen and you didn’t know? Be sure to refresh your keys and tokens periodically, mitigating any damage caused by keys that leaked out.

May 6, 2019

Provide granular permissions and groups for users in Azure Repos

Following the rule of least privilege, ensure that contributors exist in the correct groups and therefore have the necessary permissions to work. Try to restrict administrative actions where possible.

May 6, 2019

190,000 users affected by Docker Hub’s security breach. Now what?

Docker Hub may have reset your account details if it detected that it was part of the breach. What could potentially happen? What should I do to protect my code?

April 29, 2019

Snyk provides a critical security layer for CommunityBridge, a new Linux Foundation platform

We’re delighted to announce a new partnership with the Linux Foundation to support the launch of CommunityBridge, the Foundation’s new funding and innovation platform designed to empower open source developers - and the individuals and organizations who support them - to advance sustainability, security, and diversity in open source technology.

March 12, 2019

Top ten Docker images contain over 8000 vulnerable paths

In this post, we’ll look deeper into Docker images and the container ecosystems that were covered in our State of Open Source Security report, including our finding that the top ten Docker images contain over 8,000 vulnerable paths. We are excited to help our community better understand Docker security. Since the previous State of […]

March 7, 2019

Secure your build workflow on Bitbucket Pipes with Snyk

Snyk now integrates with Bitbucket Pipes, which allows Bitbucket users to secure their continuous integration/continuous delivery (CI/CD) workflow by finding, fixing and monitoring open-source vulnerabilities (vulns) in their application or Docker image dependencies.

March 5, 2019