Snyk brings developer-first AppSec approach to C/C++

Snyk is known for its developer-first application security solutions for many ecosystems like Java, JavaScript, Python, and more. Snyk enables developers to not only find issues but quickly apply fixes, revolutionizing security and supporting its integration at the earliest stages of the SDLC.

In 2022, we released the first round of support for C/C++ open source packages, and today we’re excited to announce the Open Beta of C/C++ for Snyk Code and licenses for Snyk Open Source.

Dev teams are feeling the pain

The C/C++ ecosystem has over 40 years of history. With famous projects like Linux or Apache Open Office, C++ has been at the forefront of the open source revolution. But where Java, C# or JavaScript addressed "dependency hell" — or managing the ever-growing amount of dependencies to open source libraries — C++ lacks a general approach, so much so that dependency management became one of the dominant pains for modern C++ developers.

Last year, we took the first step to support the C/C++ community with the ability to find open source libraries in C/C++ applications without a package manager. During this time, we learned a lot from our customers and proved that this strong and thriving development community needs more than just a package manager integration to account for the complexities and depth of the ecosystem.

C/C++ apps are up against the same secure coding challenges and vulnerable components that any other modern development language faces today. However, this ecosystem has years of technical debt, unique vulnerability types, and pre-date package managers — meaning developers must embed open source libraries directly into their code.

When scanning for statically detectable security issues, these projects have typically been compiled, slowing down or breaking development workflows. C/C++ is often combined with many other languages, and the abstractions these apps use blur the real data flow.

All of this complexity leaves some critical gaps that make developers and security teams very unhappy, such as:

Low developer productivity due to other tools that:

• are slow and break developer workflows

• provide hard-to-understand messages

• have vulnerability alerts that aren’t actionable

• lack of proper data flow analysis

• have steep learning curves

Low ROI, high risk, as existing C/C++ security tools are inferior because they are: 

• expensive

• require code to be compiled 

• niche and specialized

• hard to set up and maintain

• difficult to integrate with build pipelines

• ultimately leave apps vulnerable

Lack of visibility to open source dependencies or the associated vulnerabilities and license terms because: 

• there are no standardized package managers

• most developers embed copies of open source libraries

What is Snyk doing to help?

Snyk is leading the industry in providing fast, actionable fixes for developers, and now C/C++ dev teams are getting that same experience. Building off what we started last year, Snyk now finds AppSec issues buried deep within C/C++ code and checks licenses against organization-wide policies to ensure compliance.

It also identifies even more open source packages, including most of the ones found in popular package managers like Conan, without needing a manifest file.

And, of course, Snyk easily embeds into your existing tools like IDEs, so developers can quickly find and fix issues before committing code changes.

C/C++ support for Snyk Code 

The static analysis ruleset we are launching today will primarily benefit developers who build desktop, server, and web apps. But as we add more rules, other types of apps, like embedded and automotive apps, will be supported over time. Snyk Code easily embeds into the existing tool landscape as it provides IDE plugins and scans the source code directly, so no compiler run is needed.

Today we’re launching C/C++ into open beta, and throughout the beta period, we’ll be continually improving our coverage and capabilities. Our code security research process starts by scanning hundreds of thousands of open source repos and combining AI and ML analysis with human security experts to create our Snyk Code knowledge base. The C/C++ ecosystem will be no different. Results will continuously improve over time as more projects are scanned.

C/C++ support is in beta and needs to be activated in the Snyk Settings / Preview section of the Snyk Web UI. During this beta period, we need your feedback. Please contact us via an in-app support ticket to let us know how the rules are working for you — we’re happy to make any necessary adjustments. In the coming months, Snyk will use its industry-unique human-guided machine-learning process on top of the symbolic AI to add and refine the C/C++ knowledge base and expand its coverage of known C/C++ issues.

C/C++ licenses for Snyk Open Source

In addition to identifying open source packages and providing remediation advice, Snyk Open Source will now provide visibility into C/C++ open source licenses and check them against the organization-wide policies set up by security and legal teams to ensure compliance. Developers will get real-time guidance on acceptable licenses based on their companies' policies.

From the CLI, use snyk test --unmanaged in your project's main directory.

When you add the additional parameter --unmanaged in the Project Settings of the Snyk Plugin — or extension for CLion, Visual Studio Code, or any other supported IDE — you can use this functionality directly from your IDE.

Welcome to the modern world C/C++

With Snyk AppSec support for C/C++, we’re making it easy for developers to find and fix security issues through intuitive, easy-to-use integrations while giving security teams the full visibility they need — all from a platform that’s backed by industry-leading security intelligence.

Which leads to… 

Happy, productive developers, thanks to:

• seamless integrations into developer workflows

• easy-to-understand and actionable messages

• data flow analysis on top of the original code

“85% of developers who use Snyk recommend it to others, citing considerable time savings and ease of use.”

Easy fixes in less time, with Snyk’s modern developer-first approach that:

• automatically and continuously scan code in minutes and even seconds

• scans source code, preventing the need to compile

• has security gates throughout the SDLC, e.g., scan every PR Check

Full visibility of C/C++ security issues with capabilities like: 

• industry-leading C/C++ open source database with packages, licenses, and vulnerabilities

• identify unmanaged open source packages (no package manager) with file signature fingerprinting

• centralized organization-wide reporting for all platform products and easy filtering

To see the demo first hand, check out the on-demand recording from SnykLaunch.