
Launching Snyk

3 December 2015

I’m excited to announce Snyk is now live!

Snyk helps you find and fix known vulnerabilities in your Node.js dependencies. These are publicly documented security holes, making them easy for attackers to track and exploit.

Snyk’s goal is to make it even easier for you to fix them first. Note that Snyk focuses on fixing security issues; finding them is just a necessary step along the way.

We soft-launched Snyk at Velocity conference a month back. Here’s our keynote video showing the problem, a demo of Snyk (though this was before we added the wizard) and a live exploit!

To secure a project, install the snyk package using npm and run Snyk’s wizard. The wizard helps secure your project in several steps:

  • Use Snyk’s API to match your dependencies against our open source vulnerability database.

  • Help you understand and fix each security issue found.

  • Suggest the best direct dependency upgrades that will close the security holes.

  • When an upgrade isn’t available, determine if one of our security team’s patches can fix the issue.

  • If neither an upgrade nor a patch is available, remember the current state. We’ll notify you when a new remediation path is made available.

$ snyk wizard
? High severity vulnerability found in bassmaster@1.5.1
  - info: https://snyk.io/vuln/npm:bassmaster:20140927
  - from: myapp@0.0.0 > bassmaster@1.5.1 Upgrade

? Low severity vulnerability found in hapi@10.5.0
  - info: https://snyk.io/vuln/npm:hapi:20151020
  - from: myapp@0.0.0 > hapi@10.5.0 Ignore
? [audit] Reason for ignoring vulnerability? Not Exploitable

? Low severity vulnerability found in ms@0.1.0
  - info: https://snyk.io/vuln/npm:ms:20151024
  - from: myapp@0.0.0 > mongoose@4.1.12 > ms@0.1.0
    Upgrade to mongoose@4.2.4
  ❯ Patch (modifies files locally, updates policy)
    Set to ignore for 30 days
    Skip
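The remediation order the wizard walks through above (upgrade the direct dependency if possible, otherwise patch, otherwise remember the state with a time-limited ignore) as a small added model in Node.js. This is example code written for this post, not Snyk’s own code: the record field names (upgradeTo, patchable, from) and the placeholder bassmaster target version are assumptions, and the sample findings are constructed from the transcript.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample findings shaped after the wizard transcript.
// Field names are assumptions for this example, not Snyk's API schema.
const findings = [
  { id: 'npm:bassmaster:20140927', severity: 'high',
    from: ['myapp@0.0.0', 'bassmaster@1.5.1'],
    upgradeTo: 'bassmaster@<fixed-version-placeholder>', patchable: false },
  { id: 'npm:hapi:20151020', severity: 'low',
    from: ['myapp@0.0.0', 'hapi@10.5.0'],
    upgradeTo: null, patchable: false },
  { id: 'npm:ms:20151024', severity: 'low',
    from: ['myapp@0.0.0', 'mongoose@4.1.12', 'ms@0.1.0'],
    upgradeTo: 'mongoose@4.2.4', patchable: true },
];

// Pick one remediation for a finding, preferring the options that actually
// remove the vulnerable code over the ones that only record a decision.
function remediate(finding, now = new Date()) {
  // Best case: bump the direct dependency so the vulnerable version is gone.
  if (finding.upgradeTo) {
    return { action: 'upgrade', target: finding.upgradeTo };
  }
  // No upgrade path yet: a patch modifies the installed files in place.
  if (finding.patchable) {
    return { action: 'patch', target: finding.from[finding.from.length - 1] };
  }
  // Neither available: remember the state, but only for 30 days so the
  // decision is revisited once a remediation path may exist.
  const expires = new Date(now.getTime() + 30 * DAY_MS).toISOString();
  return { action: 'ignore', expires };
}

// Order findings by severity (high first) and attach a remediation to each.
function plan(list, now = new Date()) {
  const rank = { high: 0, medium: 1, low: 2 };
  return [...list]
    .sort((a, b) => rank[a.severity] - rank[b.severity])
    .map((f) => ({ id: f.id, ...remediate(f, now) }));
}

// Ignores are not permanent: report the ones whose window has closed.
function expiredIgnores(planned, now = new Date()) {
  return planned
    .filter((p) => p.action === 'ignore' && new Date(p.expires) <= now)
    .map((p) => p.id);
}
```

Run plan(findings) once when the wizard-style review happens, then expiredIgnores on the stored plan at each later test run so a lapsed ignore surfaces again instead of silently persisting.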

Once you’re vulnerability-free, you can use snyk test in your CI/CD systems to avoid shipping with vulnerabilities, and snyk protect to apply the patches you chose. Using snyk monitor will remember which dependencies you use, so we can notify you when a newly disclosed vulnerability affects them. You can read the full details about Snyk and its commands in our docs.


Lastly, if you’re the creator of an open source package, use Snyk to ensure you’re not distributing vulnerabilities to your users. Upgrade dependencies to fix such issues where possible, and use snyk protect to patch them in a postinstall step when you can’t. Once your package has no security issues, put a badge on your README showing it has no known security holes. This will show your users you care about security, and tell them that they should care too.

Snyk is in beta, and we encourage all of you to try it out. If you use it, please share your feedback with us on @snyksec or by emailing support@snyk.io. Try it out, and help make building and consuming open source secure!