Snyk is Now Integrated with Chrome's Lighthouse

Tim Kadlec

Today we have another exciting announcement: Snyk is now powering the brand-new vulnerable JavaScript audit in Google Chrome's Lighthouse, the auditing tool built by the Google Chrome team that checks how performant, accessible and secure your site is.

Snyk and Lighthouse

Lighthouse is an open-source automated tool from Google Chrome that tests websites against a suite of best practices and metrics, producing a detailed report so developers can see exactly how they stack up and how to improve. Lighthouse can be run as a browser extension or as a Node module, and it now also powers the auditing functionality in the developer tools built directly into Google Chrome.

Lighthouse is a fantastic way for developers to spot problem areas that are all too easy to miss: things like accessibility and performance, which are critical but also invisible. Security was already represented by a check for HTTPS support, but the Lighthouse team wanted to help developers be even more secure.

Earlier this year, a study found that 37% of sites had at least one client-side JavaScript library containing a known security vulnerability. Our subsequent digging found that the reality was even worse: 77% of the top 5,000 URLs used a JavaScript library with a known security issue.

Recognizing the importance of the issue, the Lighthouse team asked us to help out with a vulnerable JavaScript libraries audit. We're huge fans of Lighthouse, so of course we were more than happy to oblige. As of version 2.5.0, Lighthouse has a "Best Practices" audit that detects front-end JavaScript libraries in use that have known security vulnerabilities, by checking them against Snyk's vulnerability database.

A screenshot of the Lighthouse audits in Google Chrome Dev Tools highlighting vulnerable JS results powered by Snyk

When you audit your site, Lighthouse first works out which libraries the page is using and which versions of them are loaded. It then checks each library and version against Snyk's database to see whether there are known security issues in that version range. If there are, your site's audit score is docked, and you are presented with information about the vulnerabilities, with a link to Snyk so that you can learn more and get the issues resolved.
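The detect-then-lookup flow described above, as an added example in JavaScript that is not Lighthouse's or Snyk's own code. It fingerprints libraries from the globals a page exposes, reads their versions, and matches each one against a vulnerability snapshot whose entries carry semver ranges of affected versions. The global names the detectors read (`window.jQuery.fn.jquery`, `angular.version.full`, `_.VERSION`) are the ones those libraries really export; the snapshot, its IDs, its severities and its ranges are constructed placeholders for illustration, not real Snyk advisories, and the `fakeWindow` object is a constructed stand-in for a page's globals.

```javascript
// Added example, not Lighthouse's or Snyk's code. Two stages:
//   1. detectLibraries: fingerprint libraries from the page's globals and read versions
//   2. auditPage: match (library, version) against a snapshot of semver ranges
// The snapshot and its IDs are constructed placeholders, not real advisories.

// Each detector reads a version string from the global object, or returns null.
const DETECTORS = {
  jQuery: (g) => (g.jQuery && g.jQuery.fn && g.jQuery.fn.jquery) || null,
  AngularJS: (g) => (g.angular && g.angular.version && g.angular.version.full) || null,
  Lodash: (g) => (g._ && g._.VERSION) || null,
};

// Parse "major.minor.patch" (optional leading "v"; pre-release/build suffix is
// ignored, a simplification: "3.0.0-rc1" is treated as 3.0.0 here).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Range grammar: comparator sets joined by "||" (OR); inside a set, whitespace-
// separated comparators must all hold (AND). Comparators: <, <=, >, >=, =
// (a bare version means =); "*" matches every parseable version.
// Unparseable versions and empty sets never match, so a bad input cannot
// silently mark a library as clean or vulnerable by accident.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (!v) return false;
  return range.split('||').some((set) => {
    const comparators = set.trim().split(/\s+/).filter(Boolean);
    if (comparators.length === 0) return false;
    if (comparators.length === 1 && comparators[0] === '*') return true;
    return comparators.every((c) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(c);
      const op = m[1] || '=';
      const bound = parseVersion(m[2]);
      if (!bound) return false;
      const cmp = compareVersions(v, bound);
      if (op === '<') return cmp < 0;
      if (op === '<=') return cmp <= 0;
      if (op === '>') return cmp > 0;
      if (op === '>=') return cmp >= 0;
      return cmp === 0;
    });
  });
}

// Run every detector against the page's global object; a detector that throws
// (e.g. a global shadowed by something unexpected) is treated as "not found".
function detectLibraries(globalObject) {
  const found = [];
  for (const [name, read] of Object.entries(DETECTORS)) {
    let version = null;
    try { version = read(globalObject); } catch (e) { version = null; }
    if (version) found.push({ name, version: String(version) });
  }
  return found;
}

// Constructed snapshot: placeholder entries for illustration only.
const SNAPSHOT = {
  jQuery: [{ id: 'EXAMPLE-JQUERY-1', severity: 'medium', vulnerableVersions: '<3.0.0' }],
  AngularJS: [{ id: 'EXAMPLE-ANGULAR-1', severity: 'high', vulnerableVersions: '>=1.0.0 <1.6.0' }],
  Lodash: [{ id: 'EXAMPLE-LODASH-1', severity: 'low', vulnerableVersions: '<4.17.5 || >=5.0.0 <5.0.2' }],
};

// Returns one finding per (detected library, matching snapshot entry).
function auditPage(globalObject, snapshot = SNAPSHOT) {
  const findings = [];
  for (const lib of detectLibraries(globalObject)) {
    for (const vuln of snapshot[lib.name] || []) {
      if (satisfies(lib.version, vuln.vulnerableVersions)) {
        findings.push({ library: lib.name, version: lib.version, id: vuln.id, severity: vuln.severity });
      }
    }
  }
  return findings;
}

// Constructed stand-in for a page's window: jQuery 2.2.4 and Lodash 4.17.4 fall
// inside the placeholder ranges; AngularJS 1.6.4 does not.
const fakeWindow = {
  jQuery: { fn: { jquery: '2.2.4' } },
  angular: { version: { full: '1.6.4' } },
  _: { VERSION: '4.17.4' },
};

console.log(JSON.stringify(auditPage(fakeWindow), null, 2));
```

In a real page you would pass `window` instead of `fakeWindow`. Note the limit of this approach: it only sees libraries that expose a recognisable global, so a library bundled and minified without a global export can be missed, which is one reason the audit complements rather than replaces scanning your dependency manifest at build time.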

You can try it out today in Google Chrome Canary. No extra install is required; it is baked in by default. It will be making its way to the stable Google Chrome release soon.

Increasing Awareness of Known Vulnerabilities

Lighthouse is a tool your front-end teams are likely using already (or, if they're not, should be). With the new Snyk integration, they get critical information about potential security issues built into the rest of their auditing, making it easier to take action.

While Lighthouse checks what was actually delivered (it looks at the page itself), the best place to spot vulnerable libraries is before they ever make it to production. The earlier you find a vulnerable library, the easier it is to fix or upgrade.

For all you developers out there, make sure you're testing for these vulnerable libraries, and fixing them, as part of your development process. Applying this protection continuously is the best way to protect your site and your users. Snyk is built to do exactly that and is free for open-source projects, so try it out. Then use Lighthouse as another layer of visibility, to check whether you're deploying user-facing JavaScript with known security holes.

Having tools like Lighthouse (and Sonar) decide to make detecting these issues in client-side JavaScript a priority is a huge step towards improving the overall security of the web. We’re excited—and proud—to be working with them to help make the web more secure by default.
