Securing DevOps: A Simple Guide to Using Snyk for Free

Shrihari Haridas
4 min readJan 20, 2024


What is Snyk?

Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure as code configurations.

Source: Snyk
  • Secure Your code: use Snyk Open Source to fix vulnerabilities in your open source dependencies and Snyk Code to fix vulnerabilities in your source code
  • Secure your containers: use Snyk Container to fix vulnerabilities in container images and Kubernetes applications
  • Secure your infrastructure: use Snyk Infrastructure as Code (IaC) to fix misconfigurations in Terraform, CloudFormation, Kubernetes manifests and Azure Resource Manager (ARM) templates.

There are several ways to run Snyk:

  • Web
  • CLI
  • IDEs
  • API

What are we covering today?

In this post we scan source code and a Docker image with Snyk and read the results. It is a fully practical, demo-based guide, and everything in it runs on Snyk's free tier, so you can follow along and take a step ahead in DevSecOps. We use the CLI to scan both the code and the image.

So, let's start.

1. Log in to your AWS account, launch a free-tier EC2 instance running Ubuntu, connect to it over SSH and refresh the package index (the default user is not root, so the commands below use sudo):

sudo apt-get update

2. Go to ‘Snyk,’ create your account, then navigate to the dashboard. On the left-side menu bar, click on your account name. From there, click on ‘Account Settings’.

3. Open the 'General' tab. You will find the 'Generate Auth Token' option there; click it and copy the token. Keep it somewhere safe for the next step: the token authenticates as your account, so treat it like a password and never commit it to a repository. In my case, I have already created the token.

4. Now, go back to the EC2 session and install the Snyk CLI. Moving the binary into /usr/local/bin needs root:

curl https://static.snyk.io/cli/latest/snyk-linux -o snyk
chmod +x ./snyk
sudo mv ./snyk /usr/local/bin/

5. Authenticate the CLI with the token you generated. Passing the token as an argument records it in your shell history; on a shared or CI machine, export it as the SNYK_TOKEN environment variable instead, which the CLI reads automatically.

snyk auth <Token>

6. Next, clone the following repository for demonstration purposes

git clone https://github.com/shrihariharidass/devsecops-jenkins-k8s-tf-sast-sca-sonarcloud-snyk-repo.git

7. Navigate to the cloned repository

8. Return to the ‘Snyk Dashboard.’ On the right side, you will find the ‘Add Project’ option. Click on it, and choose ‘CLI,’ as we performed the above operation.

9. Scroll down a bit and navigate to the ‘Source Code’ tab. You will find a command there; copy that.

10. Return to your EC2 terminal session, change into the project folder, and paste the copied command. This scans your code and prints the results.

11. Each finding is listed with its severity, so you can fix the highest-severity issues first. The CLI also exits with status 0 when no issues are found and 1 when vulnerabilities are found, which is what lets a CI job fail the build on a bad scan.

12. Additionally, if you want to scan a Docker image, install Docker, pull the image and point Snyk at it. Pulling 'ubuntu' with no tag gives you ubuntu:latest, so pin a tag if you want repeatable results; Docker commands need sudo unless your user is in the docker group:

sudo apt-get update
sudo apt-get install docker.io -y
sudo docker pull ubuntu
snyk container test <Image name>
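The steps above collected into one script, as an added example that is not part of the original post and not Snyk's own code. It assumes an Ubuntu host where your user can run sudo and talk to the Docker daemon, that the dashboard token is exported as SNYK_TOKEN, and that Snyk publishes a snyk-linux.sha256 checksum file beside the binary (path assumed from the download URL used above). The exit codes, the --severity-threshold and --json flags, and the SNYK_TOKEN variable are documented Snyk CLI behaviour; the sample JSON at the bottom is constructed, not real scan output.

```shell
#!/usr/bin/env bash
# Added example (not from the post): Snyk CLI install, auth and scans
# wired as a CI-style gate. Assumptions are marked in comments.
set -u

# Assumed from the download URL used in the post; the .sha256 sidecar
# file name follows Snyk's documented checksum pattern.
SNYK_BASE="https://static.snyk.io/cli/latest"

# Map Snyk's documented exit codes to a one-word verdict:
# 0 = no issues, 1 = issues found, 2 = CLI error, 3 = nothing to scan.
interpret_exit_code() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "vulnerable" ;;
    2) echo "error" ;;
    3) echo "no-project" ;;
    *) echo "unknown" ;;
  esac
}

# Decide whether a pipeline stage passes. Policy "strict" fails on any
# finding; "warn" tolerates findings but still fails on a CLI error or
# a missing project, so a broken scanner never passes as "clean".
gate_verdict() {
  local code="$1" policy="${2:-strict}"
  case "$policy:$code" in
    strict:0)      echo pass ;;
    strict:*)      echo fail ;;
    warn:0|warn:1) echo pass ;;
    *)             echo fail ;;
  esac
}

# Rough per-severity count over `snyk test --json` output on stdin,
# without jq. Output: "critical=N high=N medium=N low=N".
count_severities() {
  local json out="" sev n
  json="$(cat)"
  for sev in critical high medium low; do
    n="$(printf '%s' "$json" | grep -oE "\"severity\": ?\"$sev\"" | wc -l | tr -d ' ')"
    out="$out$sev=$n "
  done
  printf '%s\n' "${out% }"
}

# Download binary plus checksum and verify before it reaches PATH, so a
# tampered download is rejected instead of installed.
install_snyk() {
  curl -fsSL "$SNYK_BASE/snyk-linux" -o snyk-linux
  curl -fsSL "$SNYK_BASE/snyk-linux.sha256" -o snyk-linux.sha256
  sha256sum -c snyk-linux.sha256
  sudo install -m 0755 snyk-linux /usr/local/bin/snyk
  rm -f snyk-linux snyk-linux.sha256
}

# Run the three scans from the post against the current directory and
# an image. SNYK_TOKEN is read by the CLI directly, so the token never
# lands in shell history the way `snyk auth <token>` does.
run_scans() {
  : "${SNYK_TOKEN:?export SNYK_TOKEN (dashboard auth token) first}"
  local image="${1:-ubuntu:22.04}" code rc=0

  snyk test --severity-threshold=high --json > sca.json; code=$?
  echo "SCA: $(interpret_exit_code "$code") $(count_severities < sca.json)"
  [ "$(gate_verdict "$code" strict)" = pass ] || rc=1

  snyk code test --severity-threshold=high; code=$?
  echo "SAST: $(interpret_exit_code "$code")"
  [ "$(gate_verdict "$code" strict)" = pass ] || rc=1

  docker pull "$image"
  snyk container test "$image" --severity-threshold=high; code=$?
  echo "Container: $(interpret_exit_code "$code")"
  [ "$(gate_verdict "$code" warn)" = pass ] || rc=1

  return "$rc"
}

# Constructed sample (not real Snyk output) to exercise count_severities.
SAMPLE_JSON='{"vulnerabilities":[{"id":"example-1","severity":"high"},{"id":"example-2","severity":"medium"},{"id":"example-3","severity":"high"}],"ok":false}'

# The real pipeline runs only when invoked as: ./snyk-gate.sh run [image]
if [ "${1:-}" = "run" ]; then
  command -v snyk >/dev/null || install_snyk
  run_scans "${2:-}"
fi
```

Run it from inside the cloned project with `SNYK_TOKEN=... ./snyk-gate.sh run ubuntu:22.04`. The source-code scan (snyk code test) requires Snyk Code to be enabled for your organization in the dashboard settings; if it is not, the CLI returns exit code 2 and the strict gate fails the stage rather than reporting a clean result.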

Conclusion:

In a nutshell, Snyk's free tier is a handy way to add security checks to a DevSecOps pipeline. This post showed a straightforward way to scan code and Docker images from the CLI and to read the severities it reports. Take a step forward with Snyk and strengthen your DevSecOps practices.

Written by Shrihari Haridas

Hello everyone, I am Shrihari Haridas. I am a Cloud & DevOps Engineer; I work with most DevOps tools, like Jenkins, Git, Docker, etc., and with AWS for cloud.
