Announcing Snyk for .NET, Go and PHP

The holiday season is around the corner, and we thought, why not give a modest gift of our own to Snyk’s growing community?

Snyk has always been committed to making it easy to use open-source code without compromising security. Today, we’re taking another leap forward and launching CLI support for .NET, Go and PHP!

The CLI gives you the flexibility to test your applications manually or at key steps in your CI process. It looks through your dependency tree to identify each dependency in use and its version, before testing them all. Source code management integrations will follow soon.

So, take a few minutes (it won’t take more), and secure your apps.

Quick Start

First, install or upgrade Snyk to the latest version and authenticate:

npm install -g snyk 
snyk auth

Snyk looks at the locally installed modules to resolve all dependencies, so you’d need to validate they’re already available.

For .NET, check to make sure that packages/(.NET) or obj/(.NET Core) folder has been populated via Visual Studio or dotnet restore.

For Golang, check to make sure that vendor/ was populated via dep ensure or govendor sync. In addition, the GOPATH environment variable must be set correctly.

For PHP, check to make sure that composer.lock file has been created by composer install.

Then, browse to your project’s folder and test for vulnerabilities:

snyk test

That would result in displaying all detected vulnerabilities, for example:

$ ✗ snyk test
✗ Medium severity vulnerability found on Microsoft.AspNetCore.All@2.0.0
- desc: Open Redirect
- info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCOREALL-600122
- from: dotnetcore@1.0.0 > Microsoft.AspNetCore.All@2.0.0

✗ Medium severity vulnerability found on Microsoft.AspNetCore.Server.HttpSys@2.0.0
- desc: Denial of Service (DoS)
- info: https://snyk.io/vuln/SNYK-DOTNET-MICROSOFTASPNETCORESERVERHTTPSYS-600125
- from: dotnetcore@1.0.0 > Microsoft.AspNetCore.All@2.0.0 > Microsoft.AspNetCore.Server.HttpSys@2.0.0

✗ High severity vulnerability found on System.Net.Http@4.3.0
- desc: Privilege Escalation
- info: https://snyk.io/vuln/SNYK-DOTNET-SYSTEMNETHTTP-60047
- from: dotnetcore@1.0.0 > System.Net.Http@4.3.0

To track a project for newly disclosed vulnerabilities through the Snyk UI, use the monitor command. You can use both snyk test and snyk monitor in your CI environments to bake security into your deployment pipeline.

snyk monitor

Securing Go

The Go ecosystem has a surprisingly large number of package managers but is starting to settle around the “official experiment” package manager dep, with an increasing number of projects adopting it. Still, a noticeable percentage of customers who volunteered to participate in our Go alpha requested support also for govendor. So, the Snyk CLI supports both mentioned package managers.

The Snyk CLI will examine all your imports—direct and transient—matching them with the locked versions saved in your Gopkg.lock or vendor/vendor.json.

Stay tuned for a few follow-up posts dedicated for Golang, sharing what we learned about the Go packages ecosystem and the various challenges we faced during the development of the Go support in Snyk.

Securing .NET

We scan .NET and .NET Core projects, examining NuGet dependencies for known vulnerabilities. We process packages.config files for .NET projects, and obj/project.assets.json files for .NET Core projects.

We also support .sln files to automate your open source security across all projects in a solution.

Interestingly, as we were developing our .NET support, we were surprised to discover the high importance of scanning .NET for open source vulnerabilities, as the default .NET Core v2 application depends on Microsoft.AspNetCore.All/2.0.0 which introduces over 10 vulnerabilities! So check your projects today.

Securing PHP

Snyk supports testing and monitoring PHP projects that have their dependencies managed by composer.

We scan PHP projects by examining your composer.lock file to compare the specific versions of every direct and deep dependency in your project against our Composer vulnerability database.

Try it out!

We’ve been working hard on this launch, gathering feedback from our alpha users and making refinements along the way. We’re thrilled to now open the CLI up to everyone.

As always, Snyk is free for open-source use—no matter how many open-source projects you have. Open source is a huge boon for development, and we’re happy to play our part in making it as secure as possible.

If you have any feedback, please let us know. We’re always eager to make Snyk even better. Likewise, if there are any languages or package managers that you would like Snyk to support, let us know which ones. Not only does it help us prioritize, but we love being able to give early access to developers eager to test and provide feedback.