Red Ventures Rolls Out Container Scanning At Scale Using Snyk

Highlights

  • Expanded Snyk dependency scanning implementation to include container scanning 
  • Scaled container scanning across 350+ AWS accounts and 1300+ new images daily
  • Integrated Snyk CLI seamlessly into existing developer workflows
  • Automated container registration using custom-built discovery service
  • Delivered actionable security insights directly to engineers for remediation

The Challenge: Managing security across a diverse tech stack

While Red Ventures operates at the forefront of digital experiences, their pace and the complexity of their business can make security a challenge. The company has a large technology stack spread across hundreds of Amazon Web Service (AWS) accounts, development teams, code repositories, and more. 

One problem the team faced was that their existing container scanning tool wasn’t giving them the actionable insights needed to make a measurable improvement to security. The company began looking for a robust container security tool that could seamlessly integrate with their tech stack.

“Earlier this year, we had a problem,” revealed Alfonso Cabrera, Director of Platform Engineering at Red Ventures, “We weren’t happy with the home-grown tooling that was supposed to give us insight into the security of our container images. As we evaluated the tooling landscape, we took a hard look at Snyk’s container scanning product because we had already seen success with their application dependency scanning and really liked the platform.” 

The Solution: Integrating Snyk CLI into their development process

After evaluating the options, Red Ventures chose Snyk for container image scanning because the platform could integrate seamlessly with their existing tech stack. They had already rolled out Snyk for application dependency scanning and aligned the tool to their 350+ AWS accounts. That’s why they built a central scanning process based on the Snyk CLI that combines all their repositories across various platforms and accounts into a single Snyk organization. Now they have complete security visibility in one place.

“We have a scanning process that’s based off of CodeBuild. We pull the Docker image that we’re trying to take a look at, use the Snyk CLI to examine it, and then put that image in a queue to be processed,” explained Matt Stegall, Senior Engineer at Red Ventures. “On the other side of that queue, we pull the results, figure out if there’s anything interesting or actionable, and take that data to create JIRA tickets.”

In addition, Red Ventures has over 700 engineers across various businesses and projects, which means each team has slightly different ways of doing things. For example, many engineers used self-hosting and Artifactory for storing container images that needed to be picked up by Snyk as well. To improve consistency, Red Ventures built a custom discovery service that integrated with Snyk to automatically detect and enroll new images as they’re pushed to Amazon Elastic Container Registry (ECR) and existing images already within their numerous AWS accounts.

Surfacing actionable security issues

Red Ventures knew they needed to create a frictionless experience for developers if they wanted to improve their container security. That’s why they integrated Snyk with their existing JIRA boards, and only opened new tickets for security issues that had remediations available. By evaluating the findings before they reach JIRA, Red Ventures is able to surface actionable security issues and drive more efficient remediation. As a developer-first security tool, Snyk fits organically into their engineering workflows. 

“Realistically, we knew most software engineers weren’t going to proactively log into Snyk to view the findings for their images,” Alfonso explained. “We wanted to meet them where they worked and find a way to surface the critical findings directly to them for remediation.”

The Impact: Scaling security while increasing depth

The Snyk platform enables Red Ventures to scan the 1300+ new images its engineers generate each day using their existing tools and systems like JIRA, Amazon ECR, and more. Their custom discovery tool finds and enrolls images with Snyk, and AWS CodeBuild creates JIRA tickets for any fixable security issues within their containers. 

This new Snyk implementation—combined with their existing application dependency scanning—ensures in-depth and actionable security tasks are delivered directly to engineers without complicating their workflows or requiring them to become security experts. The extensibility of Snyk’s platform proved invaluable when integrating the platform with Red Ventures’ complex and evolving tech stack.

“Keeping oriented towards how your systems may be extended and how you may be able to build on them is really important because the tools that we use change every day and the technologies we want to integrate with change so often in this industry,” concluded Stegall. “So keeping in mind how your system is going to change over time is even more important in this space.”