Snyk Code scanning added to the Snyk Visual Studio extension
Frank Fischer
18. Januar 2022
0 Min. LesezeitSnyk Code provides a new generation of static application security testing (SAST). It uses a unique process that uses machine learning to rapidly grow its knowledge base and a Snyk security engineer to assure the quality of the rules. As a result, the Snyk Code knowledge base grows exponentially and results in an industry-leading high accuracy.
On top of that, Snyk Code provides real-time scanning so developers can use it right from their favorite IDE. This is a game changer, as developers can get semantic scan results as they develop. This enables developers to rescan after they make small changes and apply fixes before the code even hits the SCM.
Snyk Code is part of the Snyk developer security platform which includes Snyk Open Source, Snyk Container, and Snyk IaC. This means that aside from scanning proprietary code, Snyk also scans immediate and transient open source dependencies, base images, and configs of your projects and not only provides you with fix advice, it applies fixes with the click of a button.
We recently added support within Snyk code for the C# and .NET communities. Results for both were available right from the web interface and plugins for the JetBrains family of IDEs as well as Visual Studio Code. But there was one important IDE missing: Visual Studio.
Note: If you landed here in search of Visual Studio Code, well, we got you covered. Have a look at our IDE Plugins page.
Why is Microsoft Visual Studio Support important to Snyk?
Microsoft Visual Studio has a rich history spanning decades. While it is the primary development tool within the .NET community, it also covers multiple languages outside the CLR including JavaScript, Ruby, Python, and more. With .NET it covers project types from web to Windows client to mobile to gaming applications. Additionally, there is a strong community around native C++ and Visual Studio which in its latest editions can develop for multiple processor types (like x86, x64, or ARM) and even multiple operating systems (Windows and Linux based). It is fair to say, Visual Studio has always been regarded as one of the best IDEs — even by folks that don’t typically use any Microsoft products — and any modern IDE design was inspired by Visual Studio. And Visual Studio overtook Eclipse and continued to top the PYPL IDE index with 29.27% in 2021.
This was more than reason enough for us to refresh and expand our Visual Studio extension. We are happy to announce the latest version of Snyk Vulnerability Scanner extension for Visual Studio.
The Snyk Vulnerability Scanner Extension
The extension brings two services from Snyk directly into Visual Studio: It will scan the dependencies of your project and alert you of known vulnerabilities. With the latest version, it adds coding security and code quality using Snyk Code. To use these services, you simply need to register for a free Snyk account using your GitHub, Gmail, or other credentials.
Pro Tip: If you open the Options dialog in Visual Studio for the Snyk Vulnerability Scanner, you can choose to add Code Quality issues besides security vulnerability. It will simply add the quality results in a new section within the extension window.
By the way, Visual Studio 2019 and the latest preview version — Visual Studio 2022 — are supported. Also, the Visual Studio Extension is an open source project and can be found on GitHub.
Installing the Snyk Vulnerability Scanner in Visual Studio
From Visual Studio, enter Extension in the search bar in the middle top of the IDE window to find and open Manage Extensions. On the top right of the extension manager, there is another search bar. Enter “Snyk” there to find the Snyk Vulnerability Scanner' extension, follow the steps to install.
Another option is to install from the Visual Studio Marketplace. Please note that there are two different versions of the extension, one for Visual Studio 2015, 2017, and 2019 and another for Visual Studio 2022.
Note: You may have to restart Visual Studio to trigger download and install the extension. When it starts the first time, the extension will download the latest version of the Snyk CLI (which it uses in the background).
When using the extension for the first time, you need to authenticate with Snyk. The process will run inside of a browser and result in a token being stored with the extension. The token will be used from there on — no license keys or certificate management needed.
Using the Snyk Vulnerability Scanner in Visual Studio
While Snyk Code supports many languages and frameworks, Visual Studio users may be most interested in C#, JavaScript and TypeScript, Python, and Ruby.
The extension provides a play icon on the top left corner of the window. When a developer reaches a certain maturity with the changes in the application, it makes sense to watch out and fix security issues, a scan is triggered by clicking on the green icon.
Scans usually take seconds (initial scans may take minutes) and results are displayed the moment the scan finishes.
In daily use, a good best practice is to work until you reach a certain maturity with your work, like when you finish with a class design or with an algorithm. Start a scan then and see how things are. As Snyk Code is real-time, you can run a scan anytime without delaying your projects progress.
Pro tip: As Snyk Code is fast, it makes sense to scan more regularly. So instead of collecting the bugs and addressing them at the end, have intermediate milestones while coding to check and fix bugs right away. Also, you might prevent additional bugs from entering the code as you already see what constructs to avoid. On top of that, be sure to rescan after you fix one bug as it might influence others since bugs might disappear because you addressed them in concert with the other one or new ones might arise. This is why it’s so important to shift security left. If a small change can create other changes, imagine how many changes can happen if you run a scan when you’re done writing the whole project!
Give Snyk a try
All you need is to sign up for a free Snyk account by using your GitHub or Google account (or many other identity providers). You can find the Snyk Vulnerability Scanner extension in the Visual Studio Marketplace. Give it a try and let us know how it works for you.
Beginnen Sie mit Capture the Flag
Lernen Sie, wie Sie Capture the Flag-Herausforderungen lösen, indem Sie sich unseren virtuellen 101-Workshop auf Abruf ansehen.