Snyk Open Source in 2021: A year of innovation

More than 90% of organizations rely on open source software, a reliance that introduces a significant amount of security and legal risk via either direct or transitive open source dependencies.

To overcome this challenge, Software Composition Analysis (SCA) solutions are playing an increasingly important role in helping organizations successfully identify and mitigate potential security issues. Snyk Open Source provides a developer-first SCA solution that helps development and security teams find, prioritize, and fix security vulnerabilities and license issues in the open source components being used to build applications.

During 2021, Snyk Open Source:

• Executed over 500M tests

• Tested over 19M pull requests for vulnerabilities and license issues

• Imported more than 1.7M new projects

With 2022 just over the horizon, this is as good a chance as any to take a look back and examine the progress Snyk Open Source has achieved over the past year on the path to becoming the leading developer-first SCA solution on the market.

Let’s take a look at three key areas where Snyk Open Source delivered new capabilities: integrations, ecosystem support, and making fixes easier!

Integrations

Snyk Open Source aims to meet developers where they are by integrating into existing development workflows. As such, Snyk Open Source integrates early into the SDLC, starting as far left as the developer’s local development environment and moving through the entire development process — in Git-based work streams and CI/CD pipelines.

In 2021, we’ve invested a lot of resources into introducing improvements to existing integrations as well as introducing new points of integration to make the process of security and license scanning as seamless as possible.

Our IDE plugins for JetBrains IDEs were given a facelift and we recently introduced new support for Snyk Open Source in our Visual Studio Code extension.

In June, we announced a new, first-party integration with Atlassian Bitbucket Cloud, embedding Snyk through a new Security tab inside Bitbucket and providing visibility into existing vulnerabilities and open source license issues, so they can better prioritize issues for resolution.

Java Maven developers received news of a revamped plugin, available and published on Maven Central, that enables them to more easily scan their applications for vulnerabilities as an integral part of their build cycle.

We also introduced support for Snyk Open Source in GitHub Code Scanning, enabling developers to automatically scan open source dependencies for issues and view them directly from within GitHub’s Security tab.

Our Jenkins plugin also received a major upgrade, with a long list of usability and performance improvements that make it much easier to integrate security scanning into Jenkins-based pipelines. More details on these improvements can be found in our Jenkins plugin V3 announcement.

Last but not least, the Snyk CLI. Downloaded millions of times a month and executing millions of scans a month, the Snyk CLI is continuously improving and evolving to help better support developers integrate security into their development workflows. 2021 saw a long list of enhancements, including multiple branch support.

Ecosystem support

Snyk Open Source supports a long list of ecosystems to ensure developers can scan any type of application, including all the major programming languages: JavaScript, Java, Python, Go, .NET, Ruby, PHP, Swift, and more. 

Snyk Open Source recently reached an important milestone by extending its security scanning to cover an important use case — unmanaged open source. Developers do not always use package managers to pull in open source into their application, a practice especially prevalent in, but not limited to, specific ecosystems such as C/C++. Our recent beta announcement including support for C/C++ is our first step towards supporting this use case which will also be expanded to support other languages.

Earlier this year, we added support for Elixir. Using the Snyk CLI, Elixir developers can test and monitor their Mix/Hex projects manually or at key steps of their CI process, ensuring that known vulnerabilities are caught early on and before code is deployed into production.

2021 was also a year of consolidation for Snyk Open Source, during which we strengthened our capabilities for some of the ecosystems already supported. Fix advice and automated Fix PRs were added to our .NET support, making it much easier to identify and fix vulnerabilities in .NET applications scanned by Snyk Open Source. We are also in the midst of rolling out a new version of our Maven dependency resolution mechanism which will result in more accurate scanning in projects imported from Git.

Making easier and more accurate fix decisions

Being developer-first means not only enabling developers to identify issues but also helping them take swift and accurate action. Snyk Open Source prides itself in providing actionable and automated fix workflows that make it easy to prioritize and fix the vulnerabilities identified in open source dependencies.

To this end, a new snyk fix command in the Snyk CLI was introduced in October making it easier for developers to automatically apply fix recommendations for vulnerabilities identified during local testing or during CI/CD.

Additionally, we’ve invested in beefing up the security intelligence provided for issues identified in open source dependencies to ensure more accurate prioritization decisions. The new Social Trends feature, for example, informs you whether a specific vulnerability is trending on Twitter or not. Information on whether a vulnerability originates from a malicious package or not is now also available more prominently within Snyk Open Source. An important signal in light of the exponential growth of software supply chain attacks involving malicious open source packages.

Last but not least, we’ve made some significant improvements to the engine powering Reachable Vulnerabilities to help users better determine whether a specific vulnerability is actually reachable or not as part of the application’s execution path and prioritize fixes accordingly (for Java Maven and Gradle projects imported from GitHub). This engine is now powered by Snyk Code — the Snyk static application security testing (SAST) solution, facilitating much faster and more accurate scanning.

What to expect in 2022

With digital transformation accelerating, open source will continue to play a pivotal role in software development. Open source has powered — and will continue to power — the rapid pace of development needed to keep businesses competitive and successful. At the same time, the risk of using open source will continue to rise.

2021 was the year during which the topic of Software Supply Chain Security became a heated topic of conversation. This is not a brand new attack vector, but the growing number of malicious attacks leveraging the modern software supply chain and the attention they received worldwide has brought the topic to the fore. President Biden’s Executive Order helped strengthen the overall awareness for the problem but also the need for a developer-first solution. Snyk Open Source, and the Snyk platform as a whole, already provides ways to help organizations tackle this challenge and we will be investing more resources into developing a tighter solution leading into 2022.

Snyk Open Source will continue to work on additional ways to help development and security teams prioritize vulnerabilities. Facing backlogs consisting of thousands of vulnerabilities, we know that prioritization is a major pain point for organizations of all sizes, and we are already working on some innovative new solutions that will help make the process of prioritization more manageable and effective.

Snyk Open Source will of course continue to invest in tightening support for the existing ecosystems currently supported and will also add coverage for new languages, frameworks, and package managers (did I hear someone say Rust???)

2022 is going to be yet another feature-packed year for Snyk Open Source so stay tuned for news!

Happy new (and secure) year!