Update: Snyk has just released container image scanning in its CLI and web application. In this post, we only look at application code scanning, since npm does not support container image scanning. We will follow up on this post once we have thoroughly tested Snyk's container scanning and compared it to other options.
A nifty feature of Snyk is its ‘precision patches’, which make it possible to fix vulnerabilities in dependencies that cannot be remediated by upgrading. One of the main advantages of Snyk is its tight integration with modern git-based source control (such as GitHub, GitLab and Bitbucket). With these integrations, Snyk can seamlessly scan every commit and pull request, flagging pull requests that introduce new vulnerabilities. This is part of the “shift left” movement in security: giving developers security feedback earlier in the lifecycle increases developer engagement with security. A “Fix Pull Request” can be initiated to automate fixes via upgrades and precision patches. Snyk is free for open source projects and has a free plan with limited usage for private code. Paid plans include unlimited scanning, as well as enterprise features such as SSO, reporting, user management, support for on-prem source control (such as GitHub Enterprise), JIRA integration, Docker image scanning, etc. On top of the rich source control integration and CLI, Snyk provides APIs and access control mechanisms, which can be used to implement custom automation and integration scenarios.
Another important enterprise-grade feature of Snyk is the ability to audit software licenses. For example, if developers are releasing proprietary software without publishing sources, they cannot use GPL-compatible licenses. Snyk automates license compliance based on customer-specified rules, and can produce an open source license usage report to satisfy your legal team’s compliance needs.
Snyk treats package vulnerability detection as a continuous process. Whenever a new issue is discovered, or remediation for a known issue becomes available, Snyk notifies the affected customers via email, Slack, or a pull request sent directly to the affected repository. The latter has the added value that, if a fix is available for the vulnerability, it is included in the pull request itself!
With support for multiple development stacks, enterprise features, free licenses as well as paid professional support, Snyk seems like a great tool for software developers working on many types of projects.