Coveo Quickly and Easily Adopts Snyk for Open Source and Container Security

Case Study Highlights

  • Unified solution for container security assessment, open source vulnerability reporting, and license management.
  • Easy-to-use, API-driven solution that fits into existing workflows, empowering Coveo’s developers to handle security themselves.
  • Fixing in an automated, process-driven manner gives Coveo peace of mind about open source and container image vulnerabilities.

The Challenge: address license violations and security vulnerabilities as early as possible  

As a cloud-first company, the Coveo team is focused on microservices. While Coveo had a DevOps model in place, developers didn’t have the tooling they needed to perform regular vulnerability scans on their own, when needed. Coveo recognized that to fully embrace DevOps, the ability to scan each open source package and container image for vulnerabilities before moving to production was critical. Coveo also needed a new solution for license compliance when the company’s vendor partner abruptly dropped the offering.

The Solution: one service for license management and open source and container security

Coveo turned to Snyk initially for license management. When it came time to choose a new vulnerability management tool, the team considered Snyk.

After comparing Snyk to other options, Coveo ultimately chose Snyk to consolidate license management and vulnerability reporting on one platform. Snyk lets the DevOps teams identify vulnerabilities and stay up to date with the latest security fixes, which is now the primary benefit Snyk offers Coveo developers.

“Snyk allows us to see vulnerabilities before releasing into production,” said Jean-Philippe Lachance, a security analyst at Coveo. “If we don’t, we might be out of business because of a vulnerability.”

Coveo finds Snyk’s ease of use its top technical benefit. Coveo also leverages the Snyk API, which its developers prefer over the UI for some specific use cases. Coveo recently built a Slack alert system on top of the API that reports the severity level and discovery date of each vulnerability. Developers can therefore react and fix issues before the deployment pipeline blocks them, which it does when a new vulnerability exceeds a severity threshold or has remained unfixed for too long.
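The gate described above, a deploy block keyed on severity or on how long a finding has stayed open, plus a Slack-style summary for the team, can be expressed in a few lines. The following is an added example written for this page; it is not Coveo’s alert system or Snyk’s code, and the field names in the constructed sample (`vulnerabilities`, `severity`, `publicationTime`, `fixedIn`, `isUpgradable`) are assumed for illustration rather than taken from the Snyk API. The fixed `NOW` timestamp keeps the run deterministic.

```python
"""Triage scanner findings into block / warn / info and build a Slack payload.

Added example for this page: not Coveo's alert system and not Snyk's code.
The JSON shape below is an assumption; a real pipeline would load it from
`snyk test --json` (or the Snyk API) and adapt the field names.
"""
from datetime import datetime, timezone
import json
import sys

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scan (assumed shape, not real Snyk output).
SAMPLE_SCAN = json.loads("""
{"vulnerabilities": [
  {"id": "EX-1", "title": "Prototype Pollution", "severity": "high",
   "packageName": "lib-a", "version": "1.2.3", "publicationTime": "2021-03-01T00:00:00Z",
   "isUpgradable": true, "fixedIn": ["1.2.4"]},
  {"id": "EX-2", "title": "Regular Expression DoS", "severity": "medium",
   "packageName": "lib-b", "version": "0.9.0", "publicationTime": "2021-02-20T00:00:00Z",
   "isUpgradable": false, "fixedIn": []},
  {"id": "EX-3", "title": "Information Exposure", "severity": "low",
   "packageName": "lib-c", "version": "2.0.0", "publicationTime": "2021-03-05T00:00:00Z",
   "isUpgradable": true, "fixedIn": ["2.0.1"]},
  {"id": "EX-4", "title": "Path Traversal", "severity": "medium",
   "packageName": "lib-d", "version": "4.1.0", "publicationTime": "2020-11-15T00:00:00Z",
   "isUpgradable": true, "fixedIn": ["4.1.1"]}
]}
""")

# Fixed "now" so the example is deterministic; a pipeline would use the real clock.
NOW = datetime(2021, 3, 10, tzinfo=timezone.utc)


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def age_days(issue, now=NOW):
    return (now - parse_time(issue["publicationTime"])).days


def decide(issue, now=NOW, block_at="high", max_age_days=30):
    """Classify one finding.

    block: severity >= block_at, or a medium-or-worse finding that has been
           public longer than max_age_days (the "longevity" rule).
    warn:  medium-or-worse finding still inside its grace period.
    info:  everything else (reported, never blocks).
    """
    rank = SEVERITY_RANK[issue["severity"]]
    if rank >= SEVERITY_RANK[block_at]:
        return "block"
    if rank >= SEVERITY_RANK["medium"]:
        return "block" if age_days(issue, now) > max_age_days else "warn"
    return "info"


def triage(scan, now=NOW, block_at="high", max_age_days=30):
    """Bucket every finding; warnings carry the days left before they block."""
    result = {"block": [], "warn": [], "info": []}
    for issue in scan["vulnerabilities"]:
        verdict = decide(issue, now, block_at, max_age_days)
        entry = {"id": issue["id"], "severity": issue["severity"],
                 "package": f'{issue["packageName"]}@{issue["version"]}',
                 "fix": issue["fixedIn"][0] if issue["fixedIn"] else None}
        if verdict == "warn":
            entry["days_left"] = max_age_days - age_days(issue, now)
        result[verdict].append(entry)
    return result


def slack_payload(result, project="example-service"):
    """Build a minimal incoming-webhook payload ({"text": ...}) from the triage."""
    lines = [f"Snyk findings for {project}: "
             f"{len(result['block'])} blocking, {len(result['warn'])} warning"]
    for e in result["block"]:
        fix = f" (fix: {e['fix']})" if e["fix"] else " (no fix available)"
        lines.append(f"[{e['severity']}] {e['id']} in {e['package']}{fix} BLOCKS deploy")
    for e in result["warn"]:
        lines.append(f"[{e['severity']}] {e['id']} in {e['package']} blocks in {e['days_left']} days")
    return {"text": "\n".join(lines)}


def gate_exit_code(result):
    """Non-zero exit fails the pipeline step when anything is blocking."""
    return 1 if result["block"] else 0


if __name__ == "__main__":
    res = triage(SAMPLE_SCAN)
    print(json.dumps(slack_payload(res), indent=2))
    sys.exit(gate_exit_code(res))
```

In a pipeline the `sys.exit` is what stops the deploy; the Slack message is the early warning that lets a team fix a medium-severity finding during its grace period instead of discovering the block at release time.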

Continuously fix vulnerabilities in open source dependencies and containers

Snyk enables Coveo developers to own the security of the services they manage, combining license management and vulnerability scanning. When their original container security solution became increasingly difficult to manage and upgrade, Coveo again turned to Snyk, attracted by one simple, developer-friendly tool that would also secure container images.

“Snyk offers an easy-to-use SaaS service,” said Jean-Philippe. “We needed a reliable solution to validate container images before moving to production, and Snyk is helping us do this in a simple way.”

The Impact: increased visibility and improved security  

With Snyk, Coveo has found one platform to handle both license and vulnerability management.

Snyk gives Coveo and its customers peace of mind that Coveo is aware of open source vulnerabilities and prioritizing their mitigation, while also avoiding license violations. Coveo can demonstrate to customers that it takes security seriously and can be trusted as a technology partner.

“Snyk allowed us to more easily follow a process, looking at vulnerabilities and scan results. It was a big cultural change for us, but it has benefited Coveo greatly,” said Jean-Philippe.

Coveo developers can follow the appropriate security processes because Snyk is integrated directly into their CI/CD pipeline. Snyk’s open source tooling also lets developers adapt it to their own needs, fix bugs, and remain largely self-sufficient with the tool.

Empowering developers to handle security

With Snyk in place, DevOps team members manage vulnerabilities with much more autonomy and efficiency. Each team’s Security Champions are empowered to monitor vulnerabilities and decide for themselves how and when to address them.

Coveo’s DevOps teams work under security oversight but are, overall, given the responsibility and authority to prioritize their own security actions. Snyk’s support for this “trust but verify” approach greatly facilitated adoption across the organization.

“Snyk’s hosted services are so simple for Coveo to manage. Now our developers are empowered to handle vulnerability and license management on their own,” said Jean-Philippe.

Coveo also finds Snyk’s customer satisfaction team highly responsive to its needs, allowing Coveo to tailor the product to its use cases as they change over time. Coveo’s advice to other security teams is to embrace security and start using Snyk as early as possible in development.