Adding Container and IaC security to the Snyk plugin for Jetbrains
March 3, 2022
We're excited to announce that infrastructure as code (IaC) and container security are joining code and open source dependency security in the free Snyk plugin for JetBrains IDEs.
As of today, developers using JetBrains IDEs can secure their entire application with a click of a button. Snyk Security for JetBrains increases code security and reduces time spent on manual code reviews by empowering developers to find and fix issues within their JetBrains IDEs.
This is especially important for development and security teams trying to shift security left, into the hands of developers. Snyk makes it easy to find and fix security issues early in development by building security natively into JetBrains IDEs and giving developers fix guidance inline with their code, which results in more secure code, containers, and configurations at the time they are written.
As noted in our previous article, Secure Coding with Snyk's JetBrains IDE plugin, the Snyk plugin supports all JetBrains IDEs and now covers custom code, open source dependencies, container, and IaC security issues.
Snyk plugin for JetBrains
JetBrains' family of IDEs is highly regarded for its focus on developer productivity, with plugins available for every aspect of software development, from code quality and accuracy to code security.
Snyk’s JetBrains plugin touches on all aspects of securing your application including:
Security vulnerabilities in open source dependencies (Snyk Open Source).
Security vulnerabilities and code quality issues in first party code (Snyk Code).
Configuration issues in your infrastructure as code such as Terraform, AWS CloudFormation, Kubernetes, and Azure Resource Manager (ARM) (Snyk IaC).
Security vulnerabilities in the container images referenced from your Kubernetes workload files (Snyk Container).
In addition to open source, code, container, and IaC security testing, you can access Snyk Advisor insights on package health when viewing your manifest files.
Getting started is simple.
Install the Snyk JetBrains plugin
Connect your free Snyk account
Start securing your code in your JetBrains IDE
Finding and fixing IaC misconfigurations
IaC security within the Snyk JetBrains plugin identifies configuration issues in your Terraform, Kubernetes, AWS CloudFormation, and Azure Resource Manager (ARM) files with every scan. Because the scan is based on Snyk's CLI, it is fast and well suited to local development, and your configuration files are evaluated locally rather than uploaded to Snyk's servers.
Let’s do a quick scan and get a close-up of what an IaC scan is providing us with:
Click on any of the IaC issues in the results tree to jump directly to the line of code where the issue is found. To help you focus on the riskiest issues first, each issue is annotated with a severity icon (high, medium, or low) for simple prioritization.
Finally, to help you understand and fix the underlying issue quickly, the plugin shows you:
Description: what the misconfiguration is
Impact: how the misconfiguration could potentially be exploited
Path: where in the resource tree the issue occurs.
Remediation: how to fix the issue.
References: where you can investigate deeper from a variety of sources.
Ignore: if you need to ignore the issue, there is a button for that in the top right corner.
Snyk's remediation advice has already been applied in millions of fixes. If you notice something that is not clear, contact us and we will be happy to look into it.
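To make concrete what a scan of this kind flags, here is an added example that is not Snyk's code and not the plugin's rule set: a handful of common Kubernetes workload checks run over a constructed Deployment manifest, reporting each finding with the same description, impact, path and remediation fields listed above, sorted by severity. The manifests are written in JSON, which kubectl accepts alongside YAML, so the script needs only the Python standard library. The check names, severities, impact wording and remediation text are my own assumptions, not Snyk's rule IDs, and the image name example.com/api:1.4.2 is made up.

```python
"""Minimal Kubernetes workload misconfiguration checks.

Added example, not Snyk's rule set. Both manifests are constructed
samples in JSON (kubectl accepts JSON as well as YAML), so only the
standard library is needed. Severities and wording are assumptions.
"""
from typing import Any, Dict, List

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def pod_spec_path(manifest: Dict[str, Any]) -> str:
    """Return the dotted path at which this kind embeds its pod spec."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return "spec"
    if kind == "CronJob":
        return "spec.jobTemplate.spec.template.spec"
    # Deployment, StatefulSet, DaemonSet, Job, ReplicaSet all use a template.
    return "spec.template.spec"


def resolve(obj: Any, dotted: str) -> Any:
    """Follow a dotted key path into nested dicts."""
    for key in dotted.split("."):
        obj = obj[key]
    return obj


def finding(severity: str, path: str, description: str, impact: str, remediation: str) -> Dict[str, str]:
    return {"severity": severity, "path": path, "description": description,
            "impact": impact, "remediation": remediation}


def check_workload(manifest: Dict[str, Any]) -> List[Dict[str, str]]:
    """Run pod- and container-level checks; return findings sorted by severity."""
    base = pod_spec_path(manifest)
    spec = resolve(manifest, base)
    pod_sc = spec.get("securityContext", {})
    found: List[Dict[str, str]] = []

    if spec.get("hostNetwork") is True:
        found.append(finding("high", f"{base}.hostNetwork",
            "Pod shares the node's network namespace",
            "The container can observe node traffic and reach services bound to localhost on the node",
            "Remove hostNetwork or set it to false"))

    for group in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(group, [])):
            cpath = f"{base}.{group}[{i}]"
            sc = c.get("securityContext", {})
            # A container-level setting overrides the pod-level securityContext.
            run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))

            if sc.get("privileged") is True:
                found.append(finding("high", f"{cpath}.securityContext.privileged",
                    "Container runs in privileged mode",
                    "Privileged containers get full access to host devices and the kernel, making escape trivial",
                    "Set securityContext.privileged to false and add only the capabilities you need"))
            if sc.get("allowPrivilegeEscalation") is not False:
                found.append(finding("medium", f"{cpath}.securityContext.allowPrivilegeEscalation",
                    "Privilege escalation is not disabled",
                    "setuid binaries or file capabilities can grant a process more privileges than it started with",
                    "Set securityContext.allowPrivilegeEscalation to false"))
            if run_as_non_root is not True:
                found.append(finding("medium", f"{cpath}.securityContext.runAsNonRoot",
                    "Container is not required to run as a non-root user",
                    "A compromised process running as root inside the container has more ways to escape it",
                    "Set securityContext.runAsNonRoot to true on the container or the pod"))
            if sc.get("readOnlyRootFilesystem") is not True:
                found.append(finding("low", f"{cpath}.securityContext.readOnlyRootFilesystem",
                    "Root filesystem is writable",
                    "An attacker can drop tools or tamper with binaries inside the running container",
                    "Set securityContext.readOnlyRootFilesystem to true and mount writable volumes explicitly"))
            if "limits" not in c.get("resources", {}):
                found.append(finding("low", f"{cpath}.resources.limits",
                    "No CPU or memory limits set",
                    "A misbehaving or malicious container can starve other workloads on the node",
                    "Add resources.limits for cpu and memory"))

    return sorted(found, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample: a Deployment with several weak settings.
WEAK_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "api"}},
        "template": {"metadata": {"labels": {"app": "api"}},
            "spec": {"hostNetwork": True,
                "containers": [{"name": "api", "image": "example.com/api:1.4.2",
                    "securityContext": {"privileged": True}}]}}},
}

# The same Deployment after applying the remediation advice above.
FIXED_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "api"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "api"}},
        "template": {"metadata": {"labels": {"app": "api"}},
            "spec": {"securityContext": {"runAsNonRoot": True},
                "containers": [{"name": "api", "image": "example.com/api:1.4.2",
                    "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                        "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}},
}

if __name__ == "__main__":
    for f in check_workload(WEAK_DEPLOYMENT):
        print(f"[{f['severity']}] {f['path']}: {f['description']}")
    print("fixed manifest findings:", len(check_workload(FIXED_DEPLOYMENT)))
```

Running the script lists six findings for the weak manifest, two high, two medium and two low, and none for the fixed one. The path strings use the same dotted notation as the plugin's Path field, so they can be matched against the line the IDE jumps to.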
Now, with the IaC misconfiguration issues fixed, let’s have a look at the container images’ vulnerabilities.
Finding and fixing container image vulnerabilities
Container security within the plugin scans your Kubernetes configuration files for container image references, then checks the extracted images against the latest information in the Snyk Intel Vulnerability Database.
The result is a vulnerability report for the images you plan to run in your clusters, with base image upgrade advice where appropriate:
You can review each of the vulnerabilities your image is affected by. In addition, two features deserve a closer look:
Notice the colored comparison table above, sorted by severity level (critical, high, and so on). It shows the difference in vulnerabilities between your current image and the image Snyk recommends with the same characteristics, so you can decide whether to upgrade to the recommended image and raise your confidence in what you run in production.
If you want to upgrade the image, that is possible too, in the JetBrains way, through the quick-fix functionality:
Additionally, a deeper integration with JetBrains' annotation mechanism surfaces IaC and container issues in the Problems tab for better visibility.
Install the Snyk plugin in JetBrains
First, open your JetBrains IDE and navigate to Preferences > Plugins.
Search for “Snyk” in the JetBrains Marketplace, and click Install. After a few seconds, the Snyk plugin’s panel window should appear in your sidebar.
You will know the plugin is installed when you see Patch the dog’s friendly face!
Connect the JetBrains IDE with Snyk
The next step is to authenticate and connect Snyk to your IDE.
Click the Test code now button, which takes you to Snyk's web application and prompts you to authenticate and log in to your free Snyk account. You can create a Snyk account or log in to an existing one in this window.
Return to the IDE after authenticating, and a scan will have automatically started:
Next up for the Snyk JetBrains IDE plugin
With the addition of Snyk IaC and Snyk Container, the full power of Snyk is available with a click of a button: you can scan open source dependencies, first-party code, the container images you run in production, and the infrastructure as code you use to run those images.
Snyk is a developer security company, and IDEs are one of the ways we are shifting security left. In 2021, we built a solid foundation for using Snyk within your favorite IDE. In 2022, we will bring you the full power of Snyk to secure your application within your IDE in the most developer-friendly way. So stay tuned and see you soon!