The following workshop is designed to show how Snyk integrates into SCM systems like GitHub and performs various application security scans, what fix/remediation advice is given to secure your applications during different stages of the SDLC, and how you can access them via different interfaces like the web UI, IDE and CLI.
- Free GitHub account - https://www.github.com
- Free Snyk account - https://app.snyk.io
We will cover the following topics, some live during today's session, and we'll let you explore the others on your own after the session.
Live - Hands-On Session
- Setting up the SCM integration between GitHub and Snyk
- Importing a repo into Snyk and scanning in via the SCM integration
- Opening a PR to fix a Snyk Open Source vulnerability
- Running Snyk in Codespaces to check out the IDE experience
Live - Demo
- Detecting and suggesting fixes for transitive dependencies via the IDE
- [Enterprise-only] Fix Code issues in the IDE using DeepCode AI Fix
- Prioritization using Risk scores
- [Enterprise-only] Using
Reachability
as an additional parameter to determine risk - [Enterprise-only] Reporting to provide visibility and facilitate collaboration between Security and Dev teams
- [Enterprise-only] Creating an inventory of code-based assets and setting up policies for security coverage
- [Enterprise-only] Run-time based risk factors to provide better risk assessment for prioritization
Offline
- Set up the Snyk Extension in the IDE
- Set up the Snyk CLI locally
- Include Snyk scans in your CI/CD pipelines
- Integrate 3rd party tools like Nightfall AI, GitLeaks, and TruffleHog using GitHub Actions to detect secrets
Note: It is assumed you're using a Mac for these steps, but it should also work on Windows or Linux with some minor modifications
Step 1 - Fork our sample repo into your own GitHub account
- Navigate to the following GitHub repo - https://github.com/boosef-snyk/JavaCoffeeShop
- Click on the "Fork" button
- Check the "Owner" field on the next page to ensure you are forking this repo to your personal GitHub account
- Click done
Step 2 - Configure GitHub Integration
NOTE: You may have already setup the GitHub integration on Snyk; in that case, go ahead and skip this step
Login to https://app.snyk.io
- Sign up if you haven't already using your existing Google / GitHub / Bitbucket / Azure AD / Docker account
- Use the guided flow to set up the GitHub integration and grant Snyk access to all your public repos
- In Step 3 of the guided flow, you can select and import only the forked repo into Snyk
- If you skipped the guided flow, navigate to Integrations -> Source Control -> GitHub
- Fill in your account credentials to connect your GitHub Account (if prompted).
- Now let's enable Code Scanning - you do that as follows:
- Select Settings -> Snyk Code -> set "Enable Snyk Code" -> Save Changes
- Similarly, let's enable IaC Scanning - you do that as follows:
- Select Settings -> Snyk IaC -> Enable "Detect Configuration files" -> Save Changes
Step 2a - Import JavaCoffeeShop Application
You can skip this if you followed the guided flow in the previous step.
- Now that Snyk is connected to your GitHub Account, import the repo into Snyk as a Project.
- Navigate to Projects menu option
- Click "Add Project" then select "GitHub"
- Click on the repo you forked
- The import should take about 3 minutes or so
Step 3 - Review SCM Integration Scan Results
- Once the import has completed, when you navigate to your Projects tab (from the sidebar), you should see something like this:
- Let's go ahead and click on pom.xml
- Here you will see all vulnerabilities including a dependency tree of where the vulnerabilities exist, with transitive dependencies also listed
Step 4 - Create a Pull Request to trigger a PR check
- Let's select an issue with a fix available (you should see a green button saying 'Fix this vulnerability')
- Search for "com.thoughtworks.xstream:xstream" and select the RCE vulnerability
- Click on the Fix this vulnerability button, and select the option to open a new PR on the next page (you'll need to scroll to the bottom of the page)
- This should take you to a new pull request that has been created in the JavaCoffeeShop repo
- Scroll to the bottom and you will see the
code/snyk
,security/snyk
, andlicense/snyk
checks running - congratulations, your SCM integration is working as expected!
- Once the tests complete running, you can click on the "Details" button next to them to view the scan report in the Snyk UI
Step 5 - Find and fix issues in the IDE
- We are going to use Codespaces for this section of the workshop. Click on the green 'Code' button and then 'Create codespace on main"
- It will take anywhere between 2-5 minutes for the codespace to spin up and be fully set up. When you see the Snyk logo on the Extensions bar on the left, and status messages popping up on the right side of your screen, it is ready. You will be asked to grant Workspace Trust, click on OK.
- While waiting, switch to your Snyk dashboard, first click on your name in the bottom left of the sidebar, and then 'Account Settings'
- Under 'General Settings' you should see a field under 'API Token' - create your API key and copy it
-
If your Codespace is now ready, open the Command Palette (same as in VS Code - Cmd + Shift + P on Mac; Ctrl + Shift + P on Windows) and type
Snyk
-
Click on "Snyk: Set Token" and paste the copied API key when prompted
- Make sure you click "Trust folders and continue" when prompted in the bottom RHS
- Make sure in the Snyk extension settings (click on) that the Authentication method is "Token authentication"
- You'll see the Snyk extension expand on the left if authentication is successful
- Click the "Rescan" button in the Snyk extension panel to start the scans - moving forward, scans will run automatically whenever you save changes. If you see the extension panel refresh and populate with results like in the image below, congratultions, you have set Snyk up in the IDE successfully!
Thanks for attending and completing the live portion of this workshop. :)
Now that you have an idea of how Snyk works, and you have the basic setup completed, you can continue learning about Snyk on your own by trying out the following:
Setting up Snyk in the IDE
- Instructions for installing the Snyk extension on your local IDE are available here
- If you're using VS Code, the steps involved will be almost identical to what we did during the lab using Codespaces
Setting up the Snyk CLI
- Follow the intructions here to install the Snyk CLI on your machine, complete authentication, and run scans locally using the commands provided in the documentation
Including Snyk scans in your pipelines using GitHub Actions
You can run all Snyk scans in your pipelines by first installing the CLI on your runner, and then running the same commands you previously used while using the CLI locally in the previous step
-
The repo you forked earlier has GitHub Actions workflows set up to run Snyk Open Source and Snyk Code scans as a part of your CI/CD pipelines.
- By default, GitHub disables the GitHub Action workflows in forked repositories. To enable GitHub Actions in the repo, click the Actions tab of your forked repository and click "I understand my workflows, go ahead and enable them."
-
If you use a different CI/CD tool, please refer to some of the sample files we have here
Integrating 3rd party tools with GitHub Actions to detect secrets
Nightfall AI
- Sign up for a free Nightfall API account to get your API key here
- The forked repo has Nightfall AI scans set up using GitHub Actions (yml here) - you can add commits / open PRs committing secrets to the main branch to test it out
- If you'd like to create your own policies / workflows, detailed setup instructions are available here
GitLeaks
- Gitleaks is an open source project and you can set up scans without creating an account
- The forked repo has Gitleaks scans set up using GitHub Actions (yml here) - you can add commits / open PRs committing secrets to the main branch to test it out
- If you'd like to create your own configuration, set up pre-commit hooks etc. detailed instructions are available here
TruffleHog
- TruffleHog is an open source project and you can set up scans without creating an account; there is also an Enterprise offering
- The forked repo has TruffleHog scans set up using GitHub Actions (yml here) - you can add commits / open PRs committing secrets to the main branch to test it out
- If you'd like to create your own configuration, set up secret scanning for other assets like S3 buckets, Docker Images, Elasticsearch clusters etc. detailed instructions are available here
- Snyk Official Documentation: https://docs.snyk.io
- Interactive Learning on Snyk Learn: https://learn.snyk.io/catalog/
Pas Apicella [pas at snyk.io] is a Principal Solution Engineer APJ at Snyk
Shilpa Raghunathan [shilpa.raghunathan at snyk.io] is a Staff Partner Solutions Engineer at Snyk
Suganthi Krishnavathi [suganthi.krishnavathi at snyk.io] is a Staff Solutions Engineer at Snyk