Staying Secure on Heroku with the Snyk Add-On

Tim Kadlec

The Snyk Heroku Addon is now out of beta, providing deep integration with your Heroku workflow. In this post, we’ll walk through how to get started using the new add-on to keep your Heroku applications free of known vulnerable dependencies.

For those not familiar, Heroku is a platform as a service that enables developers to build, run, and operate applications entirely in the cloud. Push your code, and they automatically download all the dependencies of your application, build your application, and host it too. You can be up and running in less than five minutes.

We firmly believe good developer tools get the job done and then get out of the way. Heroku certainly fits the bill and was a natural fit for tighter integration with Snyk. The new Snyk Heroku Addon is the best way to continuously secure your Heroku applications. Once attached to your application, the Snyk Add-on will monitor each deploy, identifying any dependencies with known security vulnerabilities and providing you with detailed remediation information so that you can address them quickly.

Attaching the Snyk Add-On To Your Application

The first thing you’ll need to do is attach the Snyk add-on to your Heroku application. The recommended method is to use Heroku’s CLI tools, running the heroku addons:create command and passing your application name.

heroku addons:create snyk --app YOUR_APP_NAME_HERE

# Creating snyk on ⬢ goof-app... free
# Welcome to Snyk
# Created snyk-horizontal-10804
# Use heroku addons:docs snyk to view documentation

Once provisioned, Heroku will provide the add-on instance name (in the above example, “snyk-horizontal-10804”). You can use the instance name to attach the add-on to any additional Heroku applications you want to monitor. This will allow you to view all of your Heroku applications within the same Snyk dashboard.

heroku addons:attach snyk-horizontal-10804 --app OTHER_APP_NAME
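If you have several Heroku apps to cover, the two commands above can be chained: provision once, pull the generated instance name out of the CLI output, and attach that instance to every other app so they all appear in one Snyk dashboard. The script below is an added example, not part of the original post or the Heroku CLI; it assumes the output format shown above, and the fake_heroku stub and sample output are constructed stand-ins for running it offline.

```shell
#!/bin/sh
# Added example (not from the original post). HEROKU_CMD defaults to the real
# CLI; point it at a stub (see fake_heroku below) to exercise the flow offline.
HEROKU_CMD="${HEROKU_CMD:-heroku}"

# Pull "snyk-horizontal-10804" out of a line like "Created snyk-horizontal-10804".
# Prints nothing if no such line is present.
extract_instance() {
  printf '%s\n' "$1" | sed -n 's/^.*Created \(snyk-[a-z]*-[0-9]*\).*$/\1/p' | head -n 1
}

# Provision the add-on on the first app, then attach the returned instance to
# each remaining app. Prints the instance name on success.
# Usage: attach_snyk_everywhere primary-app other-app-1 other-app-2 ...
attach_snyk_everywhere() {
  primary="$1"; shift
  out="$("$HEROKU_CMD" addons:create snyk --app "$primary" 2>&1)" || {
    printf '%s\n' "$out" >&2; return 1
  }
  instance="$(extract_instance "$out")"
  if [ -z "$instance" ]; then
    echo "could not find the add-on instance name in the CLI output" >&2
    return 1
  fi
  for app in "$@"; do
    # Same command as the post's manual step, once per additional app.
    "$HEROKU_CMD" addons:attach "$instance" --app "$app" >&2 || return 1
  done
  printf '%s\n' "$instance"
}

# Constructed sample of the CLI output quoted in the post, used by the stub.
SAMPLE_OUTPUT='Creating snyk on goof-app... free
Welcome to Snyk
Created snyk-horizontal-10804
Use heroku addons:docs snyk to view documentation'

# Constructed stand-in for the heroku CLI so the flow can be run offline:
#   HEROKU_CMD=fake_heroku attach_snyk_everywhere goof-app other-app
fake_heroku() {
  case "$1" in
    addons:create) printf '%s\n' "$SAMPLE_OUTPUT" ;;
    addons:attach) echo "Attaching $2 to $4... done" ;;
    *) echo "unsupported command in stub: $1" >&2; return 1 ;;
  esac
}
```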

Using the GUI

If the CLI is not your cup of tea, you can also attach the Snyk add-on using the Heroku website. After logging in, select the application that you want to monitor with Snyk and navigate to the Resources tab.

Under “Add-ons” you’ll be able to use the Quick Add search bar to search and select Snyk. You’ll see a pop-up to provision the application, where you can select your plan and get started.

Screenshot of Heroku's Quick Add search bar used to find the Snyk Add-On

Viewing the dashboard

Now that Snyk is monitoring your applications, you can view the current status of your application’s dependencies, and any vulnerabilities that have been found, on the dashboard.

To view your application in the dashboard, you can use the CLI to run the following command:

heroku addons:open YOUR_APP_NAME_HERE

Alternatively, you can view the dashboard by going to the Heroku dashboard, choosing the application you want to see the details for, and then selecting Snyk from the add-ons menu.

In either case, you’ll now be sent to the dashboard for your application where you’ll see a detailed report of any vulnerabilities Snyk found. For each vulnerability, Snyk will provide information about how the vulnerable dependency was introduced into your project, what the vulnerability entails, and what steps you can take to fix the issue.

Screenshot of the Snyk Add-On Dashboard, showing the different vulnerabilities found

Keeping Heroku Applications Secure, Efficiently

Infrastructure is one of those things that, as a developer, you don’t necessarily want to spend a great deal of time on. You just want it to work. Heroku has made that happen with tremendous success. And now, with the Snyk Add-on for Heroku, keeping your dependencies vulnerability-free is just as efficient.

With a few initial clicks, Snyk will monitor your Heroku applications continuously, ensuring that you always know exactly what is in your Heroku application and what needs to be done to keep your application, and users, safe.

You can get up and running by installing the Snyk Add-on for Heroku today. If you would like more information about the add-on, detailed documentation is on the Heroku site, and we’ve also created a short video that walks you through the process of installing and using the add-on.
