Snyk Securing Code, Dependencies, Containers and Infrastructure as Code

Table Of Contents

What is Snyk
Securing Code, Dependencies and Containers in CircleCI Pipelines
Securing Code, Dependencies in GitHub
Snyk in Action

What is Snyk

Please refer to the official documentation available at https://snyk.io/ 'So Now You Know'

Securing Code, Dependencies and Containers in CircleCI Pipelines

Snyk CI/CD Integration

Please refer to the official documentation available at https://docs.snyk.io/integrations/ci-cd-integrations

CircleCI integration

Please refer to the official documentation available at https://docs.snyk.io/integrations/ci-cd-integrations/circleci-integration-overview
Please refer to .circleci/config.yml for more information

Orb Declaration

orbs:
  snyk: snyk/[email protected]

Job Definition

  snyk-scan:
    parameters:
      archive:
        type: string
      image:
        type: string
    executor: docker-publisher
    steps:
      - setup_remote_docker:
          docker_layer_caching: true
      - attach_workspace:
          at: .
      - run:
          command: docker load -i <<parameters.archive>>
      - snyk/scan:
          severity-threshold: high
          docker-image-name: <<parameters.image>>
          fail-on-issues: true

Workflows Definition

workflows:

  network-device-inventory-development-workflow:
    jobs:
      - snyk-scan:
          name: snyk-scan-inventory
          archive: service.tar
          image: $CI_REGISTRY_USER/$SERVICE:latest

  network-device-inventory-release-workflow:
    jobs:
      - snyk-scan:
          name: snyk-scan-inventory
          archive: service.tar
          image: $CI_REGISTRY_USER/$SERVICE:latest
          filters:
            tags:
              only: /^v.*/
            branches:
              ignore: /.*/

Securing Code, Dependencies in GitHub

Please refer to the official documentation for GitHub Integration

Snyk in Action

Failed workflow(s) will not be displayed in Snyk (due to build/test failure or vulnerabilities discovery). fail-on-issues: true

In the screenshot below Snyk found 2 issues (02 active critical vulnerabilities for NGINX). The CI fail.

Run Snyk

Testing ********/*************:latest...

✗ Critical severity vulnerability found in pcre2/libpcre2-8-0
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE2-2808697
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre2/[email protected]

✗ Critical severity vulnerability found in pcre2/libpcre2-8-0
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-DEBIAN11-PCRE2-2808704
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > pcre2/[email protected]



Organization:      lyes-s
Package manager:   deb
Project name:      docker-image|********/*************
Docker image:      ********/*************:latest
Platform:          linux/amd64
Base image:        nginx:1.22.0
Licenses:          enabled

Tested 143 dependencies for known issues, found 2 issues.

According to our scan, you are currently using the most secure version of the selected base image



Exited with code exit status 1

CircleCI received exit code 1

"The higher we soar the smaller we appear to those who cannot fly."

[Friedrich Nietzsche]

Table Of Contents

Provide feedback

Saved searches

Use saved searches to filter your results more quickly