Launching Snyk

Guy Podjarny

I’m excited to announce Snyk is now live!
Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.

Snyk’s goal is to make it even easier for you to fix them first. Note that Snyk focuses on fixing security issues; finding them is just a necessary step along the way.

We soft-launched Snyk at the Velocity conference a month ago. Here’s our keynote video showing the problem, a demo of Snyk (recorded before we added the wizard) and a live exploit!

To secure a project, install snyk using npm and run Snyk’s wizard. The wizard will help secure your project in several steps:

  • Use Snyk’s API to match your dependencies against our open source vulnerability database.
  • Help you understand and fix each security issue found.
  • Suggest the best direct dependency upgrades that will close the security holes.
  • When an upgrade isn’t available, determine if one of our security team’s patches can fix the issue.
  • If neither an upgrade nor a patch is available, remember the current state. We’ll notify you when a new remediation path is made available.

$ snyk wizard

? High severity vulnerability found in bassmaster@1.5.1
  - info: https://snyk.io/vuln/npm:bassmaster:20140927
  - from: myapp@0.0.0 > bassmaster@1.5.1 Upgrade

? Low severity vulnerability found in hapi@10.5.0
  - info: https://snyk.io/vuln/npm:hapi:20151020
  - from: myapp@0.0.0 > hapi@10.5.0 Ignore
? [audit] Reason for ignoring vulnerability? Not Exploitable

? Low severity vulnerability found in ms@0.1.0
  - info: https://snyk.io/vuln/npm:ms:20151024
  - from: myapp@0.0.0 > mongoose@4.1.12 > ms@0.1.0
  Upgrade to mongoose@4.2.4
❯ Patch (modifies files locally, updates policy)
  Set to ignore for 30 days
  Skip

Once you’re vulnerability-free, you can use snyk test in your CI/CD systems to avoid shipping with vulnerabilities, and snyk protect to apply the patches you chose. Running snyk monitor will remember which dependencies you use, so we can notify you when a newly disclosed vulnerability affects them. You can read the full details about Snyk and its commands in our docs.

A screenshot of the email that Snyk sends when new vulnerabilities have been disclosed.

Lastly, if you’re the creator of an open source package, use Snyk to ensure you’re not distributing vulnerabilities to your users. Upgrade dependencies to fix such issues where possible, and use snyk protect to patch them postinstall when you can’t. Once your package has no security issues, put a badge on your README showing it has no known security holes. This will show your users you care about security, and tell them that they should care too.
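As an added illustration (not from the original post or from Snyk’s own docs), here is how a package author might wire the commands above into package.json: snyk test as the test script so CI fails on known vulnerabilities, and snyk protect as a postinstall hook so chosen patches are applied when users install the package. The snyk version is a placeholder, and listing snyk as a regular dependency (so the postinstall hook can run on users’ machines) is an assumption, not guidance taken from the post.

```json
{
  "name": "myapp",
  "version": "0.0.0",
  "scripts": {
    "test": "snyk test",
    "postinstall": "snyk protect"
  },
  "dependencies": {
    "snyk": "<placeholder-version>"
  }
}
```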

[Badge images: “Vulnerabilities 0” and “Vulnerabilities 15”]

Snyk is in beta, and we encourage all of you to try it out. If you use it, please share your feedback with us on @snyksec or by emailing support@snyk.io. Try it out, and help make building and consuming open source secure!
