I’m excited to announce Snyk is now live!
Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.
Snyk’s goal is to make it even easier for you to fix them first. Note that Snyk focuses on fixing security issues; finding them is just a necessary step along the way.
We soft-launched Snyk at the Velocity conference a month back. Here’s our keynote video showing the problem, a demo of Snyk (though this was before we added the wizard) and a live exploit!
Running snyk wizard in your project will:
- Use Snyk’s API to match your dependencies against our open source vulnerability database.
- Help you understand and fix each security issue found.
- Suggest the best direct dependency upgrades that will close the security holes.
- When an upgrade isn’t available, determine if one of our security team’s patches can fix the issue.
- If neither an upgrade nor a patch is available, remember the current state. We’ll notify you when a new remediation path is made available.
$ snyk wizard
? High severity vulnerability found in email@example.com
  - info: https://snyk.io/vuln/npm:bassmaster:20140927
  - from: firstname.lastname@example.org > email@example.com
  Upgrade
? Low severity vulnerability found in firstname.lastname@example.org
  - info: https://snyk.io/vuln/npm:hapi:20151020
  - from: email@example.com > firstname.lastname@example.org
  Ignore
? [audit] Reason for ignoring vulnerability? Not Exploitable
? Low severity vulnerability found in email@example.com
  - info: https://snyk.io/vuln/npm:ms:20151024
  - from: firstname.lastname@example.org > email@example.com > firstname.lastname@example.org
  Upgrade to email@example.com
❯ Patch (modifies files locally, updates policy)
  Set to ignore for 30 days
  Skip
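As an added example (not Snyk's own code) of the matching step behind the wizard output above, here is a small walk over an npm-style dependency tree that flags packages whose version is below an advisory's fix bound and reports the "from" chain plus the direct dependency an upgrade would target. The tree, versions and fix bounds are constructed; only the advisory ids and the info URL form are taken from the output above.

```javascript
// Added example, not Snyk's code: walk an npm-style dependency tree, match each
// package against a small advisory table, and report the "from" chain and the
// direct dependency to upgrade. Tree, versions and fix bounds are constructed.
const vulnDb = {
  // name -> advisories; a version is affected when it is below `fixedIn` (constructed bounds)
  bassmaster: [{ id: 'npm:bassmaster:20140927', severity: 'High', fixedIn: '1.5.2' }],
  ms: [{ id: 'npm:ms:20151024', severity: 'Low', fixedIn: '0.7.1' }],
};

// Shape follows `npm ls --json`: { name, version, dependencies: { name: {...} } }
const tree = {
  name: 'my-app', version: '1.0.0',
  dependencies: {
    bassmaster: { version: '1.5.1', dependencies: {} },
    hapi: { version: '10.4.0', dependencies: {
      debug: { version: '2.2.0', dependencies: { ms: { version: '0.7.0', dependencies: {} } } },
    } },
  },
};

// Numeric compare of dotted versions; returns <0, 0, >0 (prerelease tags ignored).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Depth-first walk; `path` holds "name@version" entries from the root to the current node.
function findVulns(node, path = [`${node.name}@${node.version}`]) {
  const found = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = path.concat(`${name}@${dep.version}`);
    for (const v of vulnDb[name] || []) {
      if (cmpVersion(dep.version, v.fixedIn) < 0) {
        // here[1] is the direct dependency of the root project on this chain
        found.push({ id: v.id, severity: v.severity, from: here, direct: here[1], fixedIn: v.fixedIn });
      }
    }
    found.push(...findVulns(dep, here)); // transitive dependencies
  }
  return found;
}

// Render in the wizard's style: severity, info link, full "from" chain and the fix target.
function formatReport(vulns) {
  return vulns.map(v => [`${v.severity} severity vulnerability found in ${v.from[v.from.length - 1]}`,
    `  - info: https://snyk.io/vuln/${v.id}`, `  - from: ${v.from.join(' > ')}`,
    `  - fix: upgrade direct dependency ${v.direct} (needs ${v.from[v.from.length - 1].split('@')[0]} >= ${v.fixedIn})`].join('\n'));
}
console.log(formatReport(findVulns(tree)).join('\n'));
```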
Once you’re vulnerability free, you can use snyk test in your CI/CD systems to avoid shipping with vulnerabilities, and snyk protect to patch the vulnerabilities you chose. Using snyk monitor will remember which dependencies you use, so we can notify you when a newly disclosed vulnerability affects them. You can read the full details about Snyk and its commands in our docs.
Lastly, if you’re the creator of an open source package, use Snyk to ensure you’re not distributing vulnerabilities to your users. Upgrade dependencies to fix such issues where possible, and use snyk protect to patch them in postinstall when you can’t. Once your package has no security issues, put a badge on your README showing it has no known security holes. This will show your users you care about security, and tell them that they should care too.
Snyk is in beta, and we encourage all of you to try it out. If you use it, please share your feedback with us on @snyksec or by emailing firstname.lastname@example.org. Try it out, and help make building and consuming open source secure!