Building the VSTS Snyk task, an interview with Jesse Houwing

By Tim Kadlec

Jesse Houwing (@jessehouwing) is a Lead Consultant at Xpirit. Recently he published a really helpful Visual Studio Team Services (VSTS) task making it easier to get Snyk incorporated into your VSTS workflow. We think it’s pretty awesome that he built it, so we wanted to learn a bit more about the task and how he did it.

Why did you first start using Snyk?

I’ve been building Build tasks for Visual Studio Team Services and Team Foundation Server (TFS) using TypeScript and Node and found that the modules I depended on changed so often and for many reasons. It was hard to know which updates to take with more urgency than others. I build these tasks in my spare time. Snyk helps me detect the updates to dependencies that are important and warrant my attention. And not just during the build, but most importantly, also after I’ve shipped my tasks to the Visual Studio Marketplace.

Why did you end up building the task for VSTS?

I’ve been using Visual Studio TypeScript projects to build my extensions. While it supports running npm commands, it wasn’t really in my standard workflow to write out my build process in my package.json. Very often the only npm step I use in my build is npm install.

Plus, I wanted to store my Snyk API token centrally in VSTS and pass it to my build workflows. At the moment it’s not possible to define build or release variables at a global level in VSTS, but tasks can access tokens and secrets using Service Endpoints.

Figure: the configuration settings for the Snyk VSTS task. The Snyk VSTS task can be easily configured inside your VSTS environment.

Can you describe the process of developing the task?

I’d been using Snyk without a plugin for a while, but at the MVP Summit in Seattle, Sam Guckenheimer mentioned Snyk in a long line of other interesting security products. Most of these products were big names and had recently contributed a task to the Marketplace, but Snyk didn’t have one yet.

On the flight back to Amsterdam, which takes about 10 hours, I opened up my laptop and started to code away. I managed to build a pretty decent walking skeleton while debugging against my local TFS 2017 instance.

During development I ran into a few incompatibilities with Windows, which I later found workarounds for. After reaching out to Snyk we worked out a few of the remaining issues, which allowed me to get the preview version out.

So you’re using the integration right now?

At the moment Snyk protects my VSTS Variable Tasks, MsBuild Helper Task, VSTS Snyk Task and Microsoft’s VSTS Extension Build and Release tasks (which I help maintain).

Other extension developers have started to use it as well and I’ve been working with the Visual Studio ALM Rangers to see if we can use Snyk to protect our open source Visual Studio Team Services extensions.

If people want to give the task a try, where can they find it?

The task can be directly installed from the VSTS marketplace. Using it is as simple as installing the task from the marketplace, adding it to your build and checking a couple of checkboxes.

Figure: the new Snyk task in VSTS. Once you install the task from the marketplace, you can add it to your build with the click of a button.

The source code is also available on GitHub if anyone wants to contribute.
