I’m excited to announce Snyk is now live!
Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.
Snyk’s goal is to make it even easier for you to fix them first. Note that Snyk focuses on fixing security issues, finding them is just a necessary step along the way.
We soft-launched Snyk at Velocity conference a month back. Here’s our keynote video showing the problem, a demo of Snyk (though this was before we added the wizard) and a live exploit!
Help you understand and fix each security issue found.
Suggest the best direct dependency upgrades that will close the security holes.
When an upgrade isn’t available, determine if one of our security team’s patches can fix the issue.
If neither an upgrade nor a patch is available, remember the current state. We’ll notify you when a new remediation path is made available.
$ snyk wizard
?High severity vulnerability found in firstname.lastname@example.org
- info: https://snyk.io/vuln/npm:bassmaster:20140927
- from: email@example.com > firstname.lastname@example.orgUpgrade?Low severity vulnerability found in email@example.com
- info: https://snyk.io/vuln/npm:hapi:20151020
- from: firstname.lastname@example.org > email@example.comIgnore?[audit] Reason for ignoring vulnerability?Not Exploitable?Low severity vulnerability found in firstname.lastname@example.org
- info: https://snyk.io/vuln/npm:ms:20151024
- from: email@example.com > firstname.lastname@example.org > email@example.com
Upgrade to firstname.lastname@example.org
❯ Patch (modifies files locally, updates policy)
Set to ignore for 30 days
Once you’re vulnerability free, you can use snyk test in your CI/CD systems to avoid shipping with vulnerabilities and snyk protect to patch the vulnerabilities you chose. Using snyk monitor will remember which dependencies you use, so we can notify you when a newly disclosed vulnerability affects them. You can read the full details about Snyk and its commands in our docs.
Lastly, if you’re the creator of an open source package, use Snyk to ensure you’re not distributing vulnerabilities to your users. Upgrade dependencies to fix such issues where possible, and use snyk protect to patch them postinstall when you can’t. Once your package has no security issues, put a badge on your README showing it has no known security holes. This will show your users you care about security, and tell them that they should care too.
Snyk is in beta, and we encourage all of you to try it out. If you use it, please share your feedback with us on @snyksec or by emailing email@example.com. Try it out, and help make building and consuming open source secure!