Runtime Protection

Snyk Runtime Protection is currently in Beta. It is available for NodeJS and Java applications. Please reach out to runtime@snyk.io if you’d like Beta access.

Snyk Runtime Protection provides application security monitoring in your application’s runtime environment. Instrument your application with a Snyk runtime agent to track your application dependencies.

Snyk Runtime Protection highlights exploitable vulnerabilities in your application dependencies. With this data, you can focus your remediation efforts where they matter the most.

[Figure: a vulnerability that is called at runtime, with its vulnerable functions listed.]

The Snyk runtime agent inspects every dependency of your application. It creates an execution hook on vulnerable functions in relevant dependencies. Using these hooks, the agent detects actual use of vulnerable functions. The agent sends this data in beacons to Snyk, adding to the Snyk project data.
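
The hook-and-beacon flow described above, as a simplified added sketch in Node.js. It is not Snyk's agent code: the package example-lib, the feed format, the vulnerability and project ID placeholders, and the functions installHooks and buildBeacon are all hypothetical names constructed for this illustration.

```javascript
// Illustration only: not Snyk's agent code. Every name below is hypothetical.

// Constructed stand-in for a third-party dependency with one flagged export.
const fakeDependency = {
  name: 'example-lib',   // constructed package name
  version: '1.0.0',      // constructed version
  exports: {
    parse: (input) => input.split(','),  // pretend this function is vulnerable
    format: (parts) => parts.join(','),  // not flagged, must stay unhooked
  },
};

// Constructed vulnerability feed: which function in which package to hook.
const vulnerableFunctions = [
  { pkg: 'example-lib', functionName: 'parse', vulnId: 'PLACEHOLDER-VULN-ID' },
];

const pendingEvents = []; // calls observed since the last beacon

// Wrap each flagged export so a call is recorded, then behaves as before.
function installHooks(dependency, feed) {
  let hooked = 0;
  for (const entry of feed) {
    if (entry.pkg !== dependency.name) continue;
    const original = dependency.exports[entry.functionName];
    if (typeof original !== 'function') continue; // absent in this version
    dependency.exports[entry.functionName] = function hookedFn(...args) {
      pendingEvents.push({ pkg: dependency.name, version: dependency.version,
        functionName: entry.functionName, vulnId: entry.vulnId });
      return original.apply(this, args); // same arguments, same return value
    };
    hooked += 1;
  }
  return hooked;
}

// Build one beacon: per-function call counts tagged with the project ID.
// This sketch records only that a call happened, never the call's arguments.
function buildBeacon(projectId) {
  const counts = new Map();
  for (const e of pendingEvents.splice(0)) { // drain the queue
    const key = `${e.pkg}@${e.version}:${e.functionName}`;
    const seen = counts.get(key) || { ...e, calls: 0 };
    seen.calls += 1;
    counts.set(key, seen);
  }
  return { projectId, events: [...counts.values()] };
}
```

Calling a hooked function returns the same result as the original, and only flagged functions generate events, which is what lets runtime data separate vulnerabilities that are actually called from ones that are merely present in the dependency tree.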

Configure the runtime agent with the ID of a project monitored by Snyk. You can find the ID via the projects API, or by inspecting the settings page of your project.

Getting started with NodeJS

To start using Snyk Runtime Protection for your NodeJS applications, add the @snyk/nodejs-runtime-agent dependency to your project by running the following in your project folder:

npm install @snyk/nodejs-runtime-agent

Then configure the agent as early as possible in your application’s start sequence. Here’s an example of such a flow:

require('@snyk/nodejs-runtime-agent')({
  projectId: '0462e42b-c92f-4b48-bac8-81eb3ff7f43e',
});

const express = require('express');
...

Make sure that require('@snyk/nodejs-runtime-agent') comes before any other require statement.

Getting started with Java

To start using Snyk Runtime Protection for your Java applications, download the agent and unzip the archive.

  • Copy snyk-java-runtime-agent.jar alongside your application.
  • Create a snyk-agent.properties file at the location of the agent jar file, containing the project ID of your Snyk project like so: projectId=0462e42b-c92f-4b48-bac8-81eb3ff7f43e
  • Add the agent as a command-line argument to the Java command used to start your application, for example: java -javaagent:path/to/snyk-java-runtime-agent.jar -jar my-app.jar
    • If you are using Apache Maven, add -javaagent:path/to/snyk-java-runtime-agent.jar to your MAVEN_OPTS environment variable.
    • If you are using JavaEE containers such as GlassFish, locate the JVM Options and add -javaagent:path/to/snyk-java-runtime-agent.jar as an option.

If you have successfully added the agent, you should see logging like the following on stderr very early after JVM startup:

snyk-agent initialisation: startup
snyk-agent initialisation: trying: /opt/app-1/agent/snyk-agent.properties
snyk-agent initialisation: switching logging to: /opt/app-1/agent/snyk-logs/agent-log-2001-02-03T04:05:06.log