Secure coding with Snyk’s new JetBrains IDE plugin

We’re pleased to announce our new plugin for JetBrains IDEs, making it easier for developers to find and fix security issues as they code!

Snyk’s new free JetBrains IDE plugin enables developers using IntelliJ IDEA, WebStorm, and PyCharm to easily find and fix known vulnerabilities in their open source dependencies as well as any security issues and bugs in their own code. Using the new plugin, developers can address security across their entire codebase while developing their applications, without disrupting their workflow, and ultimately helping them ship secure code faster.

While this new combined capability is currently supported in IntelliJ IDEA, WebStorm, and PyCharm only, the plugin can be used in any JetBrains IDE to scan for vulnerabilities in your open source dependencies.

This includes:

• Android Studio

• AppCode

• GoLand

• PhpStorm

• Rider

• RubyMine

Speed + security = not mutually exclusive

Developers are under constant pressure to deliver code faster. At the same time, though, they are also expected to ensure that this code is free of security issues and bugs. These two requirements -- a rapid development pace and secure code --  have often come at the expense of one another. On the one hand, pushing code into production unchecked and without any security testing introduces risk. On the other hand, security checks can slow down development when taking place too late in the development process. Testing during the build process or later means developers will need to go back into their code, identify the issue, apply the fix, integrate, test, and start the build process again.

DevSecOps, and the notion of handing over more responsibility for security to developers, are increasingly being adopted by development and security teams as a way to deliver secure code without sacrificing speed. To enable developers to take more ownership for security, they need to be able to integrate security into their development workflow as early as possible in the software development lifecycle and in the easiest way as possible.

This is exactly what Snyk’s new JetBrains plugin was designed to support. Surfacing the different types of security issues in an application, the new IDE plugin is fast, accurate, and easy to use, enabling developers to integrate security and quality testing from their first lines of code, in their IDE.

Let’s take a closer look, shall we?

One plugin to rule them all!

Using one plugin to identify the vulnerabilities in the open source dependencies being pulled into a project and another to identify security issues and bugs in developers’ own code, means context switching and a waste of development time.

Snyk’s new JetBrains plugin removes this pain, combining software compositionanalysis (SCA) and static analysis (SAST) together, making it much easier for developers using IntelliJ IDEA, WebStorm, and PyCharm to get a consolidated view of all the various security and quality issues in their code.

Fast, accurate & free

Snyk’s new JetBrains plugin was designed to fit into the development workflow with as little friction as possible, enabling developers to analyze their code and see results within seconds.

The plugin is easy to set up, and can be downloaded and installed like any other JetBrains plugin directly from within your IDE or from the JetBrains marketplace.

Once installed, the plugin’s different types of security scans can be easily triggered, displaying results within the IDE. The AI engine powering the IDE plugin ensures both the speed of executed scans as well as the accuracy of results, guaranteeing an extremely fast feedback loop for developers.

The security plugin scans are executed against Snyk’s vulnerability database -- the most comprehensive vulnerability database on the market, and results display a wealth of information to help developers quickly take action.

Oh, and did I mention the plugin is totally free?!Any Snyk user using JetBrains IntelliJ, WebStorm or PyCharm can download the plugin and start scanning his code for issues, including free users.

Getting started with secure coding

So how do you get started? Easy. You can set up the plugin from within your JetBrains IDE in three simple steps - install, connect and scan!

First, go to Preferences > Plugins from within your IDE (currently, only IntelliJ and WebStorm are supported), search for Snyk in the JetBrains marketplace, and click OK to download and install the plugin.

Next, you need to connect the plugin with your Snyk account (if you haven’t created your free Snyk account yet, click here). To do this click the Connect your IDE to Snyk button in the plugin’s view and follow the prompts to authenticate.

That’s it! All you have to do now is run a Snyk test. Hit the Analyze now button to commence Snyk’s security testing. Within a few seconds, the plugin will provide a list of all the different types of issues identified, bucketed into three categories:

• Open Source Security - known vulnerabilities in both the direct and in-direct (transitive) open source dependencies you are pulling into the project

• Code Security - security weaknesses identified in your own code

• Code Quality - code quality issues in your own code

To start fixing issues, click any of these categories to expand the tree-view.

For vulnerabilities in open source dependencies, the plugin will explain how the vulnerability was introduced as well as provide the path to remediation by recommending what version of the dependency to upgrade to. A link to Snyk’s vulnerability database provides additional information about the issue, including CVSS, CVE and CWE.

For security and quality issues in the developer’s own code, the plugin details the dataflow, pointing to the relevant files and lines in the code leading to the issue. Developers can click on the file name to quickly open the file at the exact line introducing the issue. Data flow analysis helps you identify problems and how they flow across the application to make complex issues easy to understand and follow.

But the plugin doesn’t stop at that! In addition to showing what is wrong in the code, the plugin also provides examples of how others have fixed the issue to help developers take faster action.

Worried about being overwhelmed with too many issues in your IDE? Don't be. The Snyk plugin makes it easy to prioritize your fix efforts using built-in filtering options.

First, you can choose to run a specific scan instead of running multiple types of scans. At the top of the plugin’s view, click the Scan For Issue Types filter, select what type of scan you’d like to run, and run the scan again. The plugin will only show results for that particular scan.

Second, when sifting through the issues found in the scan, you can decide to focus your attention on fixing those posing the greatest threat - those with an assigned high severity. To do this, use the Severity filters.

For more information on how to use this plugin, check out our How to fix Java security issues while coding in IntelliJ IDEA blog.

Securing your code, from the very start

When testing code from within an IDE, issues are flagged early on in development and before even committing code into a source code management system. Instead of finding a critical vulnerability later on in the software development process and having to re-engineer code when it becomes more time consuming and technically difficult, testing code from the very moment it is added is more efficient and productive.

Developing fast is a business requirement. But so is not exposing the developer, and the organization they work for, to security risk. Snyk’s new JetBrains IDE plugin helps developers meet both these requirements without necessarily sacrificing any of them.