Snyk Code in 2021: Redefining SAST

Starting in early 2021, Snyk Code became available as a freemium offering for Snyk users. Snyk Code helps developers quickly and accurately find, prioritize, and fix security flaws in proprietary code. With detailed remediation guidance at every stage of the software development lifecycle (SDLC), from the developer's environment (IDE) to continuous integration and development (CI/CD) pipelines, Snyk Code revolutionizes static application security testing (SAST).

The Snyk Code user interface shows data flow and the information to fix issues.

Snyk Code includes everything an organization needs to maintain a low total cost of ownership (TCO) while keeping developers productive. Providing real-time scanning and recommended fixes, Snyk Code scans for vulnerable code throughout the SDLC, with coverage for many popular languages and frameworks, and integrations with a large selection of developer tools. Another valuable aspect of Snyk Code is the accuracy of its scans — powered by a steadily growing knowledge base that’s maintained by a team of security experts and continually learning from the global developer community. This breadth of coverage and depth of security expertise is how Snyk Code helps organizations become or stay compliant with industry standards like PCI DSS, HIPAA, and ISO 27001.

A fast start and steady growth

From the start, we saw an enormous uptake and the numbers speak for themselves:

• Snyk Code currently reports tens of millions of suggestions every month.

• Over 120,000 projects are currently covered.

• Thousands of new projects are added every week.

• Millions of scans are run using the IDE plugins.

Based on our 2021 data, Snyk Code finds the most issues in JavaScript/TypeScript code, but PHP — just introduced in August — is a close second, followed by Java and Python. The majority of these vulnerabilities are cross-site scripting, but the scans also root out an abundance of hard coded secrets in JavaScript.

Snyk Code works natively in IDEs (here IntelliJ) via the Snyk plugins and extensions.

The feedback for Snyk Code has been overwhelmingly positive. Users frequently mention the speed and accuracy of the scans because it allows developers to embed SAST in every step of the SDLC. “It gives us meaningful static analysis results that we can take action on immediately,” says Joren McReynolds, Director of Engineering at Panther Labs. Snyk Code enables developers to help themselves and fix issues before they enter the SDLC. This is made possible by Snyk Code’s state of the art engine backed by a human-guided learning process that’s constantly improving.

Snyk Code currently supports JavaScript/TypeScript, Java, PHP, Python, C#, Go, and Ruby. It provides extensions or plugins to IDEs like IntelliJ, WebStorm, GoLang, and other JetBrains IDEs plus Visual Studio Code. Additionally, source code management (SCM) systems like GitHub, BitBucket, GitLab, and Azure Repos integrate seamlessly with Snyk to ensure that code stays organized and secure.

Looking forward to 2022

We’ve achieved all this within the first 12 months — and we’re just getting started. In 2022, Snyk Code is expanding to support: more languages like Apex, Kotlin, C++, and Swift, and IDEs like Visual Studio 2022. In addition to engine features that will redefine the idea of static code analysis, the Snyk Code team has plans to add more enterprise capabilities to make Snyk Code a first-class citizen in large, managed environments.

In summary, after less than one year, Snyk Code redefined the idea of SAST. Security can now be a part of every step in the SDLC. To our users and everyone involved, thank you for your feedback! Keep with us or join in, it will be worth it.