
Snyk is Now Integrated with Chrome’s Lighthouse

Tim Kadlec, April 3, 2018

Today we have another exciting announcement: Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome’s Lighthouse, the auditing tool built by the Google Chrome team that checks how performant, accessible and secure your site is.

Snyk and Lighthouse

Lighthouse is an open-source automated tool from Google Chrome that tests websites against a suite of best practices and metrics, providing a detailed report so developers can see exactly how they stack up, and how to improve. Lighthouse can be used as a browser extension or a Node module, and now even powers the auditing functionality in the developer tools built directly into Google Chrome.

Lighthouse is a fantastic way for developers to spot problem areas that are all too easy to miss: things like accessibility and performance, which are critical, but also invisible. Security was already represented with tests for HTTPS support, but the Lighthouse team wanted to help developers be even more secure.

Earlier this year, there was a study that said that 37% of sites had at least one client-side JavaScript library containing a known security vulnerability. Our subsequent digging found that the reality was even worse: 77% of the top 5,000 URLs used a JavaScript library with a known security issue.

Recognizing the importance of the issue, the Lighthouse team asked us to help out with a vulnerable JavaScript libraries audit. We’re huge fans of Lighthouse, so of course, we were more than happy to oblige. As of version 2.5.0, Lighthouse now has a “Best Practices” audit that detects any front-end JavaScript libraries in use with a known security vulnerability by testing against Snyk’s vulnerability database.

When you audit your site, Lighthouse looks for which libraries you’re using, and their versions. Then it checks against Snyk’s database to see if there are known security issues. If there are, your site’s audit score will be docked, and you’ll be presented with information about the vulnerabilities, with a link to Snyk so that you can learn more and get the issues resolved.
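The matching step described above (detected library and version checked against advisory version ranges) can be sketched as follows. This is an added example, not Lighthouse's or Snyk's code: the library names, advisory ids, ranges and function names are all constructed for illustration. It also reports libraries whose version could not be determined, since those cannot be matched and should not pass silently.

```javascript
// Added example. Library names, advisory ids and ranges are constructed.
const ADVISORIES = new Map([
  ['example-carousel', [{ id: 'EXAMPLE-ADV-001', severity: 'medium', range: '>=1.2.0 <1.12.2' }]],
  ['example-templates', [{ id: 'EXAMPLE-ADV-002', severity: 'high', range: '<3.0.0' },
                         { id: 'EXAMPLE-ADV-003', severity: 'low', range: '=3.4.1' }]],
]);

// "v1.12" -> [1, 12, 0]; pre-release/build suffixes are ignored; null if unparseable.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?$/.exec(String(v ?? '').trim());
  return m ? [m[1], m[2] || 0, m[3] || 0].map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// A range is a space-separated AND of comparators, e.g. ">=1.2.0 <1.12.2".
function inRange(version, range) {
  return range.trim().split(/\s+/).every((term) => {
    const m = /^(>=|<=|>|<|=)(.+)$/.exec(term);
    const bound = m && parseVersion(m[2]);
    if (!bound) throw new Error(`unsupported range term: ${term}`);
    const c = compareVersions(version, bound);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1]];
  });
}

// detected: [{ name, version }] as a page scan would report them.
function auditLibraries(detected, advisories = ADVISORIES) {
  const findings = [];
  const unversioned = [];
  for (const lib of detected) {
    const version = parseVersion(lib.version);
    if (!version) { unversioned.push(lib.name); continue; } // cannot be matched: surface it
    for (const adv of advisories.get(lib.name) || []) {
      if (inRange(version, adv.range)) findings.push({ library: lib.name, version: lib.version, ...adv });
    }
  }
  return { passed: findings.length === 0, findings, unversioned };
}

const report = auditLibraries([
  { name: 'example-carousel', version: '1.12.1' },   // inside the vulnerable range
  { name: 'example-templates', version: '3.4.0' },   // outside both ranges
  { name: 'example-widgets', version: null },        // detected, version unknown
]);
console.log(JSON.stringify(report, null, 2));
```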

You can try it out today in Google Chrome Canary: no extra install required, it’s baked in by default. It’ll be making its way to Google Chrome itself soon.

Increasing Awareness of Known Vulnerabilities

Lighthouse is a tool your front-end teams will likely be using already (or if they’re not, should be). And with the new Snyk integration, they’ll get critical information about potential security issues alongside the rest of their audit results, making it easier to take action.

While Lighthouse checks what was delivered (looking at the page itself), the best place to spot vulnerable libraries is before they ever make it to production. The earlier you find vulnerable libraries, the easier it is to address through fixing and upgrades.

For all you developers out there, make sure you’re testing for these vulnerable libraries (and fixing them) as part of your development process. Applying this protection continuously is the best way to protect your site and your users. Snyk is built to do exactly that and is free for open-source projects, so try it out. Then use Lighthouse to provide another layer of visibility to see if you’re deploying user-facing JavaScript with known security holes.

Having tools like Lighthouse (and Sonar) decide to make detecting these issues in client-side JavaScript a priority is a huge step towards improving the overall security of the web. We’re excited—and proud—to be working with them to help make the web more secure by default.
