How Reddit Used Snyk’s API to Automate & Scale Application Security

Highlights

  • Leveraged Snyk API to automate security scanning across over 1000 repositories
  • Simplified Snyk adoption with the Snyk Python client
  • Built Snyk integration with GitHub Enterprise for automated synchronization of repositories

The Challenge: Leveraging a Small AppSec Team At Scale

Reddit is one of the largest social media platforms today, focused on building forum-style communities for people to discuss shared interests. As the company has grown, however, so has the number of code repositories and breadth of technologies that the platform has been built upon. Reddit formalized its AppSec efforts by adopting Snyk to mitigate the risks of its evolving codebase.

In addition, Reddit had a small security team which was asked to scale efforts across numerous development teams with almost 600 engineers. With the Snyk platform already in place for software composition analysis, Reddit needed a robust API  that could easily integrate with its entire tech stack to automate tedious AppSec tasks.

Our application security team at Reddit was just myself up until recently,” revealed Spencer Koch, Security Professional at Reddit. “If you only had a few repos, that’s fine to interact with the Snyk UI, but Reddit has over a thousand repos. I didn’t have the luxury of clicking through the UI to suppress issues, add repos, or handle other administrative tasks.

The Solution: Using Snyk’s API for Automated Remediation

While the Snyk UI is convenient for organizations with just a few code repositories, making manual changes within the UI wasn’t efficient at the scale that Reddit needed. The Snyk API allowed Reddit to not only automate repetitive tasks, but also closely integrate security scanning with GitHub Enterprise (GHE). This integration enables Reddit to automatically detect open source vulnerabilities and remediate them through pull requests. 

After getting our repos clean, we flipped the script so that new pull requests would fail if there are any security vulnerabilities,” stated Koch. “This shifted Reddit away from a reactive security team initiated approach toward a developer-centric, developer-led approach for remediation. The only way we could manage all this work was using the Snyk API.

The Snyk API & Python Wrapper

Along with using the Snyk API directly, Reddit also leverages Snyk’s Python wrapper. Since a large portion of Reddit’s tech stack is Python, the pysnyk client integrates Snyk more tightly into existing developer tooling. This tight integration has reduced friction and sped the adoption of the Snyk platform into the developers’ workflow, which enabled Reddit’s security team to immediately gain insights into application vulnerability risks.

Reddit also built a GHE integration that the company has since open-sourced to the AppSec community. Reddit created snyk-sync to run a regularly scheduled cron job every week to synchronize any changes with GHE repositories. These updates include adding new repositories or removing dead ones, setting appropriate GHE integration settings, and alerting when a manual CI step with Snyk CLI is required. Reddit also leverages pysnyk to perform bulk actions like suppressing issues flagged within codebases from third-party vendors or open source projects that aren’t relevant to Reddit’s codebase. 

We like Snyk because of the ability to centralize some of our tooling and being able to touch things at scale within our developers’ workflows,” stated Koch.

Snyk is very dev-centric and was also easy for us to scale out without being disruptive to developers. The PR tests with GHE to give developers feedback meshed really well with our current workflow and reduced friction.

The Impact: Scaling Security Across More Than 1000 Repositories

By leveraging Snyk’s API and Python client, Reddit has dramatically increased the speed at which developers and security engineers gain useful security observability and vulnerability management. In fact, Reddit’s security team rolled out the Snyk platform in a couple of weeks covering a majority of the Reddit codebase with relative ease, achieving open source dependency scanning at scale for a quick return on investment.

“The human element is extremely important,” Koch said. “Without the Snyk API, many security tasks would take a lot of time with Reddit’s scale, so automating some of these things has reduced the operational burden and lowered the total cost of ownership for adopting the Snyk platform.”