Introducing Snyk Preview: Early access to Snyk features
In 2020, over 30 new major features were released across the Snyk platform — in Snyk Open Source, Snyk Container, Snyk Infrastructure as Code, and Snyk Code. While both our development and product teams deserve credit for Snyk’s rapid pace of development, our users also play an important role by continuously providing us with their feedback and insight.
Our ultimate goal is to help development and security teams be successful in mitigating risk. As such, we aspire to provide the best developer-friendly tool that suits their needs. Collaborating with our users is crucial for ensuring that new functionality, once delivered, actually provides value, and that unintended side effects on existing workflows are kept to a minimum.
This is why we’re excited to announce Snyk Preview — a new way for our users to easily get a first taste of upcoming features before they are generally available within the platform!
Snyk Preview is available within the Snyk UI at Settings > Snyk Preview, for users with Admin permissions across Snyk plans. It already includes a few upcoming features that you can try out for yourselves. Let’s take a closer look.
Prioritize more effectively with Critical severity
Knowing which vulnerability to fix first is one of the biggest challenges facing organizations today. To help you make that decision, Snyk provides a wealth of information for each vulnerability, designed to help you understand the risk it poses. This includes Snyk’s Priority Score and advanced security context regarding a vulnerability’s fixability, exploitability, and reachability.
Of course, Snyk also provides the industry-standard security metadata. Snyk’s CVSS scores for vulnerabilities are based on CVSS v3, whereas severity levels are currently derived from CVSS v2. Starting on June 28, we will introduce CVSS v3-based severity levels: any security vulnerability identified by Snyk Open Source and Snyk Container with a CVSS score higher than 9.0 will be assigned a Critical severity level.
What does this mean for you as an existing Snyk user?
Well, you may notice a sudden reduction in the number of High severity issues across your projects, as some of these issues will now be assigned a Critical severity level. More importantly, this change affects automated CLI/API-based pipelines, so you will need to make some changes to your processes.
This is why we wanted to give users, via Snyk Preview, the option of hopping on board before the due date arrives. We have put together a detailed migration guide that will help you fully understand the change and how it affects the way you are working in Snyk. Of course, if you have any questions, please feel free to let us know.
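To make the pipeline impact concrete, here is an added example (not Snyk's code, and not the format of any Snyk CLI output) of a CI severity gate that derives the level from a CVSS v3 base score and compares levels by rank. It follows the CVSS v3.x qualitative rating scale, in which 9.0 and above is Critical; the finding records and their field names (`id`, `cvssScore`) are constructed sample data and an assumption about what a scan result carries. It also shows why a gate written as `severity == "high"` stops blocking the most severe issues once a Critical level exists above High.

```python
"""Severity gate for a dependency-scan pipeline (added example, not Snyk's code).

Models the change described above: the severity *level* is derived from the
CVSS v3 base score using the CVSS v3.x qualitative rating scale
(Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, None 0.0),
and a CI gate compares levels by rank so that a threshold of "high" also
fails on "critical". Finding records are constructed sample data; the field
names `id` and `cvssScore` are assumptions, not a documented output format.
"""
from __future__ import annotations

# Ordered from least to most severe; the index doubles as the rank.
SEVERITY_ORDER = ("none", "low", "medium", "high", "critical")


def cvss3_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity level."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def meets_threshold(level: str, threshold: str) -> bool:
    """True when `level` is at least as severe as `threshold` (rank comparison, not equality)."""
    return SEVERITY_ORDER.index(level) >= SEVERITY_ORDER.index(threshold)


def gate(findings: list[dict], threshold: str) -> tuple[bool, list[str]]:
    """Return (passed, blocking_ids); the build passes only if no finding meets the threshold."""
    blocking = [
        f["id"] for f in findings
        if meets_threshold(cvss3_severity(f["cvssScore"]), threshold)
    ]
    return (not blocking, blocking)


def legacy_gate_equality(findings: list[dict], level: str) -> tuple[bool, list[str]]:
    """Anti-pattern: testing severity == level silently ignores anything ranked above it."""
    blocking = [f["id"] for f in findings if cvss3_severity(f["cvssScore"]) == level]
    return (not blocking, blocking)


def count_by_level(findings: list[dict], with_critical: bool = True) -> dict[str, int]:
    """Histogram of levels; with_critical=False folds Critical into High (the pre-change view)."""
    counts: dict[str, int] = {}
    for f in findings:
        level = cvss3_severity(f["cvssScore"])
        if not with_critical and level == "critical":
            level = "high"
        counts[level] = counts.get(level, 0) + 1
    return counts


# Constructed sample findings; the ids are placeholders, not real advisories.
SAMPLE_FINDINGS = [
    {"id": "SAMPLE-0001", "cvssScore": 9.8},
    {"id": "SAMPLE-0002", "cvssScore": 9.0},
    {"id": "SAMPLE-0003", "cvssScore": 7.5},
    {"id": "SAMPLE-0004", "cvssScore": 5.3},
    {"id": "SAMPLE-0005", "cvssScore": 3.1},
]

if __name__ == "__main__":
    print("before critical level:", count_by_level(SAMPLE_FINDINGS, with_critical=False))
    print("after critical level: ", count_by_level(SAMPLE_FINDINGS))
    passed, blocking = gate(SAMPLE_FINDINGS, "high")
    print("gate(high) passed:", passed, "blocking:", blocking)
    # The equality-style gate passes a 9.8 finding when asked for "high".
    print("equality gate on a critical-only result:",
          legacy_gate_equality([SAMPLE_FINDINGS[0]], "high"))
```

The `count_by_level` comparison reproduces the effect the post describes: the same findings show three High issues before the change and one High plus two Critical after it. The point for pipeline owners is the comparison operator in `meets_threshold`: a rank comparison keeps a `high` threshold failing the build on Critical issues, whereas an equality check on the literal string `"high"` would start letting the most severe findings through.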
Clear your vulnerability backlog faster
Using Snyk Preview, you can test out some improvements made to Backlog PRs, one of the automated pull requests Snyk triggers to help you keep your projects secure.
Just as a reminder, and for context, Snyk currently supports three types of automated pull requests: Upgrade PRs are opened when Snyk identifies that new versions for your dependencies exist. Fix PRs are opened in two cases—when a new, fixable vulnerability is identified or when a new fix becomes available for an existing vulnerability. And last but not least, Backlog PRs are opened for fixable vulnerabilities already in your backlog and in a prioritized fashion, based on Snyk’s Priority Score.
Backlog PRs currently focus on removing a single vulnerability by recommending a version for the relevant dependency. While this ensures you are introducing the smallest possible change to your dependencies (and therefore the lowest breakage probability), it can also result in a series of iterative PRs if a dependency contains multiple vulnerabilities.
The new behavior we are experimenting with takes a more dependency-first approach, triggering a pull request that removes all of the vulnerabilities affecting a single dependency within your project. This helps you clear more vulnerabilities, faster, and also simplifies the developer’s work, since a single PR returns the dependency to a healthy and secure state. It is also a bit riskier, since it involves bumping the dependency by a number of versions.
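The trade-off between the two Backlog PR strategies can be shown with a small model. The following is an added example, not Snyk's code: each constructed vulnerability record carries a priority (standing in for a Priority Score) and the first version of the dependency that fixes it. The single-vulnerability strategy picks the lowest version that fixes the top-priority open issue and is repeated until the dependency is clean; the dependency-first strategy picks the lowest version that fixes every open issue in one PR. All ids and version numbers are constructed.

```python
"""Single-vulnerability vs dependency-first remediation targets (added example, not Snyk's code).

Each constructed Vuln has a priority (higher = fix first) and the first version
of the dependency that fixes it. `single_vuln_target` models today's Backlog PR
(one vulnerability, smallest bump); `dependency_first_target` models the
experimental behavior (one PR fixing every vulnerability in the dependency).
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a dotted numeric version into a comparable tuple (constructed versions only)."""
    return tuple(int(part) for part in text.split("."))


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(part) for part in version)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    priority: int   # higher = fix first
    fixed_in: str   # first dependency version that fixes it


def open_vulns(current: str, vulns: list[Vuln]) -> list[Vuln]:
    """Vulnerabilities not yet fixed at the current version."""
    cur = parse_version(current)
    return [v for v in vulns if parse_version(v.fixed_in) > cur]


def single_vuln_target(current: str, vulns: list[Vuln]) -> tuple[str, str, list[str]] | None:
    """Pick the top-priority open vuln and the smallest version fixing it.

    Returns (vuln_id, target_version, ids_still_open_after_bump), or None if clean.
    """
    pending = open_vulns(current, vulns)
    if not pending:
        return None
    top = max(pending, key=lambda v: v.priority)
    target = parse_version(top.fixed_in)
    remaining = [v.vuln_id for v in pending if parse_version(v.fixed_in) > target]
    return top.vuln_id, fmt(target), remaining


def dependency_first_target(current: str, vulns: list[Vuln]) -> tuple[str, list[str]] | None:
    """Smallest version that fixes every open vuln, with the ids it clears."""
    pending = open_vulns(current, vulns)
    if not pending:
        return None
    target = max(parse_version(v.fixed_in) for v in pending)
    return fmt(target), [v.vuln_id for v in pending]


def iterative_pr_plan(current: str, vulns: list[Vuln]) -> list[tuple[str, list[str]]]:
    """Simulate repeated single-vuln PRs until clean; each step is (target, ids it fixes)."""
    plan: list[tuple[str, list[str]]] = []
    while (step := single_vuln_target(current, vulns)) is not None:
        _, target, _ = step
        pending = open_vulns(current, vulns)
        fixed = [v.vuln_id for v in pending
                 if parse_version(v.fixed_in) <= parse_version(target)]
        plan.append((target, fixed))
        current = target
    return plan


def bump_kind(current: str, target: str) -> str:
    """Classify the version jump as major / minor / patch by the first differing component."""
    cur, tgt = parse_version(current), parse_version(target)
    for index, (a, b) in enumerate(zip(cur, tgt)):
        if a != b:
            return ("major", "minor")[index] if index < 2 else "patch"
    return "none"


# Constructed sample: one dependency at 1.2.0 with four open vulnerabilities.
CURRENT_VERSION = "1.2.0"
SAMPLE_VULNS = [
    Vuln("V-A", priority=900, fixed_in="1.2.1"),
    Vuln("V-B", priority=600, fixed_in="1.4.0"),
    Vuln("V-C", priority=400, fixed_in="2.0.0"),
    Vuln("V-D", priority=300, fixed_in="1.2.1"),
]

if __name__ == "__main__":
    print("single-vuln first PR:   ", single_vuln_target(CURRENT_VERSION, SAMPLE_VULNS))
    print("iterative plan:         ", iterative_pr_plan(CURRENT_VERSION, SAMPLE_VULNS))
    print("dependency-first PR:    ", dependency_first_target(CURRENT_VERSION, SAMPLE_VULNS))
    print("first single bump kind: ", bump_kind(CURRENT_VERSION, "1.2.1"))
    print("dependency-first bump:  ", bump_kind(CURRENT_VERSION, "2.0.0"))
```

On the sample data the single-vulnerability strategy needs three PRs (a patch bump, then a minor, then a major) to clear the dependency, while the dependency-first strategy clears all four issues in one PR at the cost of jumping straight to the major version. That is the trade-off the section describes: fewer, simpler PRs versus a larger and therefore riskier version jump.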
To find out more information about Snyk Preview, check out the online documentation.