Staying Secure on Heroku with the Snyk Add-On
The Snyk Heroku Addon is now out of beta, providing deep integration with your Heroku workflow. In this post, we’ll walk through how to get started using the new add-on to keep your Heroku applications free of known vulnerable dependencies.
For those not familiar, Heroku is a platform as a service that enables developers to build, run, and operate applications entirely in the cloud. Push your code, and they automatically download all the dependencies of your application, build your application, and host it too. You can be up and running in less than five minutes.
We firmly believe good developer tools get the job done and then get out of the way. Heroku certainly fits the bill and was a natural fit for tighter integration with Snyk. The new Snyk Heroku Addon is the best way to continuously secure your Heroku applications. Once attached to your application, the Snyk Add-on will monitor each deploy, identifying any dependencies with known security vulnerabilities and providing you with detailed remediation information so that you can address them quickly.
Attaching the Snyk Add-On To Your Application
The first thing you’ll need to do is attach the Snyk add-on to your Heroku application. The recommended method of attaching the add-on is to use Heroku’s CLI tools to run the
heroku addons:create command and passing your application name.
heroku addons:create snyk --app YOUR_APP_NAME_HERE # Creating snyk on ⬢ goof-app... free # Welcome to Snyk # Created snyk-horizontal-10804 # Use heroku addons:docs snyk to view documentation
Once provisioned, Heroku will provide the add-on instance name (in the above example, “snyk-horizontal-10804”). You can use the instance name to attach the add-on to any additional Heroku applications you want to monitor. This will allow you to view all of your Heroku applications within the same Snyk dashboard.
heroku addons:attach snyk-horizontal-10804 --app OTHER_APP_NAME
Using the GUI
If the CLI is not your cup of tea, you can also attach the Snyk add-on using the Heroku website. After logging in, select the application that you want to monitor with Snyk and navigate to the Resources tab.
Under “Add-ons” you’ll be able to use the Quick Add search bar to search and select Snyk. You’ll see a pop-up to provision the application, where you can select your plan and get started.
Viewing the dashboard
Now that Snyk is monitoring your applications, you can view the current status of your application’s dependencies, and any vulnerabilities that have been found, on the dashboard.
To view your application in the dashboard, you can use the CLI to run the following command:
heroku addons:open YOUR_APP_NAME_HERE
Alternatively, you could view the dashboard by going to the Heroku dashboard, choosing the application you want to see the details for, and then select Snyk from the add-ons menu.
In either case, you’ll now be sent to the dashboard for your application where you’ll see a detailed report of any vulnerabilities Snyk found. For each vulnerability, Snyk will provide information about how the vulnerable dependency was introduced into your project, what the vulnerability entails, and what steps you can take to fix the issue.
Keeping Heroku Applications Secure, Efficiently
Infrastructure is one of those things that, as a developer, you don’t necessarily want to have to spend a great deal of time on. You just want it to work. Heroku has made that happen with tremendous success. And now, with the Snyk Add-on for Heroku, keeping your dependencies vulnerability free is just as efficient.
With a few initial clicks, Snyk will monitor your Heroku applications continuously, ensuring that you always know exactly what is in your Heroku application and what needs to be done to keep your application, and users, safe.
You can get up and running by installing the Snyk Add-on for Heroku today. If you would like more information about the add-on, detailed documentation is on the Heroku site, and we’ve also created a short video that walks you through the process of installing and using the add-on.