Product Vulnerabilities

Snyk is Now Integrated with Chrome’s Lighthouse

Tim Kadlec
Tim Kadlec April 3, 2018

Today we have another exciting announcement: Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome’s Lighthouse, the auditing tool built by the Google Chrome team that checks for how performance, accessible and secure your site is.

Snyk and Lighthouse

Lighthouse is an open-source automated tool from Google Chrome that tests websites against a suite of best-practices and metrics, providing a detailed report so developers can see exactly how they stack up, and how to improve. Lighthouse can be used as a browser extension, node module and now even powers the auditing functionality in the developer tools built directly into Google Chrome.

Lighthouse is a fantastic way for developers to spot problem areas that are all too easy to miss: things like accessibility and performance, which are critical, but also invisible. Security was already represented with tests for HTTPS support, but the Lighthouse team wanted to help developers be even more secure.

Earlier this year, there was a study that said that 37% of sites had at least one client-side JavaScript library containing a known security vulnerability. Our subsequent digging found that the reality was even worse: 77% of the top 5,000 URL’s used a JavaScript library with a known security issue.

Recognizing the importance of the issue, the Lighthouse team asked us to help out with a vulnerable JavaScript libraries audit. We’re huge fans of Lighthouse, so of course, we were more than happy to oblige. As of version 2.5.0, Lighthouse now has a “Best Practices” audit that detects any front-end JavaScript libraries in use with a known security vulnerability by testing against Snyk’s vulnerability database.

lh-audit2

When you audit your site, Lighthouse looks for what libraries you’re using, and their versions. Then it checks against Snyk’s database to see if there are known security issues. If there are, your sites audit score will be docked, and you’ll be presented with information about the vulnerabilities, with a link to Snyk so that you can learn more and get the issues resolved.

You can try it out today in Google Chrome Canary—no extra install required, it’s baked in by default. It’ll be making it’s way to Google Chrome itself soon.

Increasing Awareness of Known Vulnerabilities

Lighthouse is a tool your front-end teams will likely be using already (or if they’re not, should be). And with the new Snyk integration, they’ll get critical information about potential security issues built into the rest of their auditing making it easier to take action.

While Lighthouse checks what was delivered (looking at the page itself), the best place to spot vulnerable libraries is before they ever make it to production. The earlier you find vulnerable libraries, the easier it is to address through fixing and upgrades.

For all you developers out there, make sure you’re testing for these vulnerable libraries—and fixing them—as part of your development process. Applying this protection continuously is the best way to protect your site and your users. Snyk is built to do exactly that and is free to for open-source projects, so try it out. Then use Lighthouse to provide another layer of visibility to see if you’re deploying user-facing JavaScript with known security holes.

Having tools like Lighthouse (and Sonar) decide to make detecting these issues in client-side JavaScript a priority is a huge step towards improving the overall security of the web. We’re excited—and proud—to be working with them to help make the web more secure by default.