This article will introduce the concept of security scanning in detail, explain what it entails, how it can be incorporated into the DevOps culture, and explain how Snyk, a popular security tool, fits into security scanning. You\u2019ll also see how to use Snyk in a CI\/CD pipeline.<\/p>\n\n\n\n
<\/a>What is Security Scanning<\/h2>\n\n\n\nSecurity scanning, also known as \u201cvulnerability scanning<\/a>,\u201d involves analyzing a system to determine whether it is susceptible to attacks. In this case, a system can be a network, hardware, a server, a piece of software, a bunch of code, an entire codebase, an application, or essentially anything that can be exposed to security threats.<\/p>\n\n\n\nIt should be taken seriously and conducted regularly to maintain system safety. Systems like servers will benefit from checking for server misconfigurations, weak permissions, unauthorized access, or suspicious activity from specific or ranges of IP addresses. Codebases will benefit from checking for insecure API usage, injection vulnerabilities, hard-coded secrets, XSS, SQL injection, and more.<\/p>\n\n\n\n
A significant shift is happening in the Cybersecurity space. If you do not have a plan or proactive measures to ensure your system is protected against Cyber-attacks, you’re on a dangerous path. Classified information could easily get into the wrong hands, you\u2019ll lose money, and you will experience reputational damage and operational disruptions.<\/p>\n\n\n\n
<\/a>What does Security Scanning in CI\/CD Entail<\/h3>\n\n\n\nNarrowing security scanning into CI\/CD<\/a>, which is a critical aspect of the DevOps culture, entails automatically ensuring the security of applications and infrastructure at every stage of development. Identifying vulnerabilities and addressing them continuously as new code and updates are deployed.<\/p>\n\n\n\nFor instance, in the development stage (CI), security scanning will involve running tests, checking for vulnerabilities, analyzing dependencies, and automatically checking for security best practices. While in the deployment stage (CD), security scanning will involve validating infrastructure as code (IaC) configurations, scanning container images, and checking that the deployment environment is securely configured and that it adheres to compliance standards.<\/p>\n\n\n\n
You\u2019ll need to use tools that\u2019ll help you detect security issues during different stages of your CI\/CD pipeline, such as during builds, before deployment, and on pull requests for cases where sensitive changes (new dependencies, configurations, etc) are introduced from contributors.<\/p>\n\n\n\n
<\/a>What is Snyk<\/h3>\n\n\n\nSynk<\/a> is a security tool that helps you identify and fix vulnerabilities in your code. It serves as an assistant so that you can focus on building the core functionalities while it seamlessly handles the security aspect. Synk has a free version, as well as paid for different use cases, which you can see on their pricing page<\/a>.<\/p>\n\n\n\nSnyk is categorized into Snyk code, Snyk open source, Snyk container, Snyk IaC, and Snyk AppRisk. Each of these categories works for specific use cases and does the following:<\/p>\n\n\n
\n\n- Snyk open source and Snyk code<\/strong>: Snyk open source<\/a> checks open source libraries and dependencies for known vulnerabilities. Snyk code<\/a> scans custom code and functions for security issues. You can grant Snyk access to your Git repository, whether it’s on GitHub, GitLab, or Bitbucket, to scan through; if it finds any security issue, it’ll create a pull request to fix it, which you can then review and merge if you choose to.<\/li>\n\n\n\n
- Snyk container<\/strong>: Snyk container<\/a> is for Snyk’s container registry integrations. It features a complementary tool called Snyk CLI<\/a> that you can use to scan container images for vulnerabilities before you deploy them. It also features source code management (SCM), whereby Snyk automatically detects Dockerfiles stored in Git repositories like GitHub, GitLab, or Bitbucket, scans the base image for vulnerabilities using Snyk open source, and recommends a secure or less vulnerable version.<\/li>\n\n\n\n
- Snyk IaC<\/strong>: For infrastructure engineers who provision cloud resources through code, Snyk IaC<\/a> can identify and fix misconfigurations in infrastructure code. You can have Snyk scan infrastructure code within Terraform, CloudFormation, Helm charts, and ARM templates.<\/li>\n\n\n\n
- Snyk AppRisk<\/strong>: This category is for application security (AppSec) teams that want to manage and reduce application risk at scale. Snyk AppRisk<\/a>, an application security posture management (ASPM) tool, provides insights into runtime behavior and spots application loopholes that attackers can exploit.<\/li>\n<\/ul>\n<\/div>\n\n\n
The IDE or text editor you use doesn’t matter; Snyk can be integrated into widely used IDEs and text editors like Vscode and Pycharm to provide real-time security checks and feedback directly in your development environment. Snyk can be used within CI\/CD platforms like GitHub actions, Bitbucket pipelines, Circle CI, Travis CI, GitLab CI, Jenkins, and many others<\/a> to automate security checks as part of your development lifecycle to help you catch and fix security issues early and reduce the risk of vulnerabilities making it to production.<\/p>\n\n\n\n<\/a>Performed security scanning without Snyk<\/h3>\n\n\n\nI have performed security scanning without Snyk, using npm audit<\/em><\/a> (a command that scans project dependencies), and it was tedious. With the npm audit, <\/em>I was able to generate a vulnerability report for my project and view their severity levels.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-1.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Checking for vulnerabilities with npm audit<\/strong><\/p>\n\n\n\nUsing the npm audit fix<\/code> command, I was able to find and fix dependency vulnerabilities by upgrading to more secure ones, as recommended by the npm audit<\/code> command.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-2.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Fixing vulnerabilities with npm audit fix<\/em><\/strong><\/p>\n\n\n\nWhile the npm audit<\/code> command helped, I just couldn\u2019t do enough; npm audit<\/code> only works for Node.js projects, which use npm<\/a> as their package manager. I also couldn\u2019t check my code for patterns that could cause security issues. And, in an era where programmers need to diversify when it comes to programming languages, npm audit<\/code> isn’t language agnostic, which is a feature that contributed to its limitation.<\/p>\n\n\n\nSuppose I’m working on a Python, Java, Ruby, C++ project or any other programming language. In that case, I need to incorporate separate tools for vulnerability scanning and security checks. For instance, in a Python project, I could use pip-audit<\/a>, for a Ruby project I could use bundle-audit<\/a>, and so on.<\/p>\n\n\n\nThese separate tools lack language-agnostic features, making managing security across diverse projects complex. Therefore, I don’t recommend using a language-specific tool for security scanning, but instead a robust, feature-rich, and sophisticated tool that integrates seamlessly with diverse ecosystems. Something that doesn’t just scan dependencies but can also scan custom code, that is, the one you wrote yourself.<\/p>\n\n\n\n
Snyk supports popular programming languages like Python, JavaScript, Elixir, Rust, TypeScript, Dart\/Flutter, and Go. The official documentation lists supported languages<\/a>.<\/p>\n\n\n\n<\/a>Performing security scanning with Snyk<\/h2>\n\n\n\nThe following sections will walk you through Snyk and how to use it to implement security scanning on a GitHub actions CI\/CD pipeline. You’ll use the Snyk container to scan an Nginx image, Synk open source to scan open source libraries for a Django application, and Snyk code to scan the same Django application. This tutorial’s Django project is managed using Poetry version 1.8.5.<\/p>\n\n\n\n
<\/a>Prerequisites<\/h3>\n\n\n\nTo follow along, you are required to have the following in place:<\/p>\n\n\n
\n\n- A text editor. This tutorial uses Visual Studio code<\/a>.<\/li>\n\n\n\n
- Snyk visual studio code extension<\/a> installed.<\/li>\n\n\n\n
- Docker engine installed on your machine.<\/li>\n\n\n\n
- A GitHub account.<\/li>\n<\/ul>\n<\/div>\n\n\n
<\/a>Scaffolding an application<\/h3>\n\n\n\nYou’ll begin by using the Snyk container to demonstrate how to implement Snyk in a CI\/CD pipeline. For the most part, you’ll use Snyk CLI to scan a Nginx container image. To begin, clone the following Git repository with this command:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/nginx-snyk-scaffolding.git\n<\/pre>\n\n\n\nThis will create a local copy of the repository on your machine. It contains a Dockerfile with a base image of nginx:1.17.0<\/code> exposed on port 80<\/code> and an index.html<\/code> file that says \u201cHello Snyk.\u201d<\/p>\n\n\n\n<\/a>Scanning for Vulnerabilities in a Container Image<\/h3>\n\n\n\nIf you installed the Snyk extension for VScode, then the Snyk CLI is installed automatically. To confirm this, execute the command below to check the Snyk version.<\/p>\n\n\n\n
snyk --version<\/pre>\n\n\n\nAuthenticate with the Snyk CLI using the following command:<\/p>\n\n\n\n
snyk auth<\/pre>\n\n\n\nThis will open up a page on your default web browser where you must log in or sign up with GitHub, Google, BitBucket, Azure AD, or Docker ID. This article uses GitHub as the login option:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-3.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Signing up to Snyk.io with GitHub<\/strong><\/p>\n\n\n\nOnce you have successfully signed up and logged in, you must allow Snyk to authenticate your machine. Go ahead and authenticate. Once this process is successful, you should have the following image: ![](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-4.png\")
<\/p>\n\n\n\n
Authenticating with Snyk successfully<\/strong><\/p>\n\n\n\nHowever, you still need to retrieve your authentication token to integrate Snyk with GitHub actions. This makes it possible to authenticate your GitHub actions pipeline with your Snyk account. Snyk stores your authentication token in the following file ~\/.config\/configstore\/snyk.json;<\/code> run this command to view your authentication token:<\/p>\n\n\n\ncat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\nThis will output your authentication token in the following format:<\/p>\n\n\n\n
cat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\n{\n \"api\": \"fc37....\"\n}<\/pre>\n\n\n\nCopy it and add it to your GitHub repository as a secret. See the following guide on adding secrets in a GitHub repository for GitHub actions<\/a> if you don\u2019t know how to do so already.<\/p>\n\n\n\nAlternatively, you can use this command to get your auth token:<\/p>\n\n\n\n
snyk config get api<\/pre>\n\n\n\nHead to your working directory, create a .github\/workflows\/ci.yml<\/code> file, and paste in the following code, replacing <dockerhub-username><\/code> with your username on DockerHub:<\/p>\n\n\n\nNote: Naming your custom images using this format <dockerhub-username>\/<image-name><\/code> makes pushing to your DockerHub repository easy.<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nIn the workflow above, GitHub Actions will automatically build the Docker image and then run Snyk to scan for vulnerabilities in the base image specified in the Dockerfile using the --file<\/code> argument.<\/p>\n\n\n\nIf there\u2019s any issue with the base image, Snyk will report the vulnerabilities with high severity levels and above and recommend alternative base images, since it has access to the Dockerfile in this workflow.<\/p>\n\n\n\n
Execute the Git commands below sequentially to trigger this workflow:<\/p>\n\n\n\n
Replace <github-username><\/code> with your username on GitHub.<\/p>\n\n\n\ngit init\ngit commit -m \"first commit\"\ngit branch -M main\ngit remote add origin git@github.com:<github-username>\/nginx-snyk.git\ngit push -u origin main<\/pre>\n\n\n\nSince the base image specified in the Dockerfile is outdated, you should see a ton of vulnerabilities with high and critical severity levels in your CI, specifically at the job “Run Snyk to check for vulnerabilities.” Because you have set the severity threshold to high and above, low and medium severity vulnerabilities will not be reported and thus, not trigger a failure in the CI process, though it’ll still be recorded.<\/p>\n\n\n\n
In this example, Snyk has identified 248 vulnerabilities, with 27 critical, 44 high, 52 medium, and 125 low.<\/p>\n\n\n\n
Base Image Vulnerabilities Severity nginx:1.17.0 248 27 critical, 44 high, 52 medium, 125 low<\/pre>\n\n\n\nYou should also see alternative base images that Snyk recommends, alongside the number of vulnerabilities detected and their levels.<\/p>\n\n\n\n
Recommendations for base image upgrade:\nMinor upgrades\nBase Image \t Vulnerabilities \t Severity\nnginx:1.26.2 \t\t91 \t\t 1 critical, 1 high, 1 medium, 88 low\nAlternative image types\nBase Image \t\tVulnerabilities Severity\nnginx:1.27.1-bookworm \t\t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.26.2-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:stable-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.27.1-bookworm-otel \t94 \t\t1 critical, 1 high, 1 medium, 91 low<\/pre>\n\n\n\nFrom the output above, Snyk recommends upgrading to nginx:1.26.2 or use the following alternatives - nginx:1.27.1-bookworm, nginx:1.26.2-bookworm-perl, nginx:stable-bookworm-perl or nginx:1.27.1-bookworm-otel<\/code> .<\/p>\n\n\n\n<\/a>Proceeding regardless of vulnerabilities<\/h3>\n\n\n\nBy design, Snyk will terminate a CI workflow if it finds any vulnerability, regardless of its severity level (low, medium, high, or critical). However, there's something you should note: there's no guarantee that official and latest Docker images have no vulnerabilities. There is always a possibility that even the most secure images may contain some vulnerabilities.<\/p>\n\n\n\n
In this case, Snyk will not recommend any alternatives; however, it will still record the vulnerabilities it finds, inform you that you are using the most secure base image, and halt the CI process. Therefore, you have to explicitly tell Snyk to continue even if vulnerabilities are detected.<\/p>\n\n\n\n
Head back to your project and use the nginx:1.27.1-bookworm<\/code> as the base image in your Dockerfile, and edit the CI to look like the following:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nFrom the CI above, the continue-on-error<\/code> setting in the step \u201cRun Snyk to check for vulnerabilities\u201d allows it to proceed even if it finds vulnerabilities.<\/p>\n\n\n\nCommit and push these changes to your GitHub repository to trigger the workflow. You should have the CI run to completion. ![](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-5.png\")
<\/p>\n\n\n\n
Viewing CI on GitHub<\/strong><\/p>\n\n\n\n<\/a>Viewing Snyk scan results with GitHub Code Scanning<\/h3>\n\n\n\nGitHub code scanning is a SaaS tool that is available on GitHub. While Snyk already outputs scan results in the CI workflow, it's not the most accessible format for tracking and review in terms of vulnerability presentation. With GitHub code scanning you can view Snyk scan results in the Security<\/strong> tab on your GitHub repository, where vulnerabilities are organized and displayed clearly and interactively.<\/p>\n\n\n\nBefore you proceed, you need to give GitHub Token for Actions read\/write<\/em> permissions at https:\/\/github.com\/<\/em><\/a><your-github-username>\/nginx-snyk-scaffolding\/settings\/actions.<\/em> You can read more about GitHub Token permission<\/a> in the official GitHub documentation.<\/p>\n\n\n\nOnce you have given GitHub Token for Actions read\/write<\/em> permissions, update your CI to have the following configuration settings:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n json: true\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Convert Snyk JSON to SARIF\n uses: garethr\/snyk-to-sarif@master\n with:\n input: snyk.json\n output: snyk.sarif\n - name: Upload scan results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk.sarif<\/pre>\n\n\n\nFrom the file above, after Snyk has checked for vulnerabilities, the scan results will be saved in a snyk.json<\/code> file. Next, the \"Convert Snyk JSON to SARIF\" step will use the garethr\/snyk-to-sarif@master<\/code> action to convert it into a format that GitHub code scanning can parse (snyk.sarif<\/code>). Once this process is complete, the sarif<\/code> file<\/em> snyk.sarif<\/code> will be uploaded to GitHub code scanning.<\/p>\n\n\n\nNote, a SARIF file is a Static Analysis Results Interchange Format. A standard that lets analysis tools exchange results in a standard format.<\/em><\/p>\n\n\n\nPush your changes to trigger the workflow and head to the Security<\/strong> tab on your repository. You should see vulnerabilities with severity levels from high to critical.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-6.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk scan results on GitHub code scanning<\/strong><\/p>\n\n\n\n<\/a>Scanning Custom Code and Open Source Libraries<\/h3>\n\n\n\nRunning security checks automatically for both your code and the libraries used in your projects is always good practice before deploying them to production or building and deploying them to a container registry. Again, you can do this with Snyk code and Snyk open source.<\/p>\n\n\n\n
You\u2019ll use Snyk code and Snyk open source to check for Vulnerabilities for a Django project that uses Poetry as the package manager. Run the command below to clone this project to your machine:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/django-snyk-scaffolding.git<\/pre>\n\n\n\nRun the following command to install all dependencies:<\/p>\n\n\n\n
poetry install<\/pre>\n\n\n\nCreate a .<\/em>github\/workflows\/ci.yml<\/code> file and paste in the following code:<\/p>\n\n\n\nname: Django Project CI\/CD\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Set up Python\n uses: actions\/setup-python@v2\n with:\n python-version: '3.8'\n - name: Install Poetry\n run: |\n curl -sSL <https:\/\/install.python-poetry.org> | python3 -\n - name: Install dependencies\n run: |\n poetry install\n - name: Run Snyk Open Source Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: test\n args: --sarif-file-output=snyk-test.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Run Snyk Code Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: code test\n args: --sarif-file-output=snyk-code.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Upload Snyk Open Source Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-test.sarif\n - name: Upload Snyk Code Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-code.sarif<\/pre>\n\n\n\nThis workflow will set up Python \u201c3.8\u201d and use the Snyk Python action snyk\/actions\/python-3.8@master<\/code> to scan your code and open source dependencies using the snyk code test<\/code> and snyk test<\/code> commands, respectively.<\/p>\n\n\n\nCreate a new GitHub repository for this project, add the Snyk token as a secret, and give GitHub Token for Actions read\/write<\/em> permissions.<\/p>\n\n\n\nCommit and push your changes and wait for the CI to run to completion. Since the CI is configured to continue amidst Snyk vulnerability checks, you should have the following image indicating that the CI job ran to completion.<\/p>\n\n\n\n
You'll see a few vulnerability issues when you head to the Security tab on GitHub. This is Snyk doing its work, and if you look at the labels for each vulnerability issue, you'll see the ones related to Snyk open source and Synk code:<\/p>\n\n\n\n![\"\"](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-7.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk open source on GitHub code scanning<\/strong><\/p>\n\n\n\nIf you scroll down, you will see just one related to the Snyk code, which is titled \"HardCoded secret.\"<\/p>\n\n\n\n
![](\"https:\/\/www.red-gate.com\/simple-talk\/wp-content\/uploads\/2024\/12\/word-image-104912-8.png\")
Viewing Snyk code scan results on GitHub code scanning<\/strong><\/p>\n\n\n\nSnyk open-source vulnerabilities can be fixed by upgrading dependencies to less vulnerable ones, and for Snyk code vulnerabilities, you'll have to fix them yourself. To resolve Snyk open-source vulnerabilities, you have two options:<\/p>\n\n\n
\n\n- Use the snyk fix<\/a> command to allow Snyk to automatically upgrade to its recommended open source libraries, or add a step in the CI that executes the snyk fix command for you automatically. However, this option is only available for Snyk enterprise users.<\/li>\n\n\n\n
- Manually upgrade to Snyk's recommended open-source libraries on your machine.<\/li>\n<\/ul>\n<\/div>\n\n\n
To resolve the vulnerability related to the Snyk code, you have to remove the hard-coded secret.<\/p>\n\n\n\n
<\/a>Resolving open source libraries for Snyk open source<\/h3>\n\n\n\nActivate the Poetry virtual shell and run a vulnerability check for Snyk open source with the following command:<\/p>\n\n\n\n
poetry shell\nsnyk test<\/pre>\n\n\n\nAs I write this article, Snyk asks me to upgrade to Django 4.2.16 and sqlparse 0.5.0. Depending on when you see this article, the recommended versions might be different.<\/p>\n\n\n\n
Issues to fix by upgrading dependencies:<\/strong><\/p>\n\n\n\n\t Upgrade django@4.2.3 to django@4.2.16 to fix<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-5932095>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Denial of Service (DoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6041515>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6370660>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t ....<\/code><\/p>\n\n\n\n\t Upgrade sqlparse@0.4.4 to sqlparse@0.5.0 to fix<\/code><\/p>\n\n\n\n \u2717 Uncontrolled Recursion [High Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-SQLPARSE-6615674>] in sqlparse@0.4.4<\/code><\/p>\n\n\n\n introduced by sqlparse@0.4.4 and 1 other path(s)<\/code><\/p>\n\n\n\nRun the command below to install django 4.2.16 and sqlparse 0.5.0:<\/p>\n\n\n\n
poetry add django@4.2.16\npoetry add sqlparse@0.5.0<\/pre>\n\n\n\nYou should see the following output once this is successful:<\/p>\n\n\n\n
Updating dependencies<\/code><\/p>\n\n\n\nResolving dependencies... (0.4s)<\/code><\/p>\n\n\n\nPackage operations: 0 installs, 2 updates, 0 removals<\/code><\/p>\n\n\n\n - Updating sqlparse (0.4.4 -> 0.5.0)<\/code><\/p>\n\n\n\n - Updating django (4.2.3 -> 4.2.16)<\/code><\/p>\n\n\n\nWriting lock file<\/code><\/p>\n\n\n\nWhen you run the snyk test<\/code> command again, you\u2019ll see the following, indicating all libraries are up-to-date and no vulnerabilities were found.<\/p>\n\n\n\n\u2714 Tested 7 dependencies for known issues, no vulnerable paths found<\/code><\/p>\n\n\n\n<\/a>Resolving Hard Coded Secrets for Snyk code<\/h3>\n\n\n\nRight now in my example, snyk code<\/code> found a vulnerability at django_project\/settings.py<\/code> where a secret is being hardcoded. To resolve this, you\u2019ll need to use environment variables.<\/p>\n\n\n\nFirst, in the root of the Django project, create a .env<\/code> file and populate it. Do this by replacing <secret-key><\/code> with the actual key from django_project\/settings.py<\/code>.<\/p>\n\n\n\nDJANGO_SECRET_KEY='<secret-key>'<\/pre>\n\n\n\nNext, edit the SECRET_KEY<\/code> variable in django_project\/settings.py<\/code> to hold the value os.getenv(\"DJANGO_SECRET_KEY\")<\/code>:<\/p>\n\n\n\nThis will load the value from the environment<\/code> variable using os.getenv:<\/p>\n\n\n\nimport os\n\nSECRET_KEY = os.getenv(\"DJANGO_SECRET_KEY\")<\/pre>\n\n\n\nThen, create a .gitignore<\/code> file in the project\u2019s root and add the .env file to exclude it from version control:<\/p>\n\n\n\n# .gitignore\n.env<\/pre>\n\n\n\nNow, run snyk code test<\/code> again to recheck the code. You should see the following results:<\/p>\n\n\n\n\u2714 Awesome! No issues were found.<\/code><\/p>\n\n\n\nAnd there you go, no more code security issues, at least those that have been identified so far!<\/p>\n\n\n\n
<\/a>Conclusion<\/h2>\n\n\n\nIn this article, you have learned what security scanning is, why you should implement security scanning in a CI\/CD workflow, and how to use Snyk for vulnerability scanning in a GitHub actions workflow. You have used Snyk container to scan and identify vulnerabilities in an Nginx container image, used Snyk open source to scan open source libraries within a Django application, and used Snyk code to scan custom code. Snyk is a robust tool, you can integrate Snyk with Kubernetes, Jira, and Slack. See the official Snyk documentation<\/a> to find more information about Snyk.<\/p>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Security is important regardless of your industry, whether it’s finance, retail, e-commerce, or the broader world of IT. A little security oversight can have catastrophic impacts, leading to loss of money and unauthorized access to classified information. It takes a lot of work to develop solutions that users trust. Therefore, you need to take security……<\/p>\n","protected":false},"author":341730,"featured_media":104922,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[46],"tags":[4619,159234],"coauthors":[158989],"class_list":["post-104912","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-compliance","tag-security","tag-snyk"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/341730"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=104912"}],"version-history":[{"count":14,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions"}],"predecessor-version":[{"id":107319,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions\/107319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/104922"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=104912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=104912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=104912"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=104912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
It should be taken seriously and conducted regularly to maintain system safety. Systems like servers will benefit from checking for server misconfigurations, weak permissions, unauthorized access, or suspicious activity from specific or ranges of IP addresses. Codebases will benefit from checking for insecure API usage, injection vulnerabilities, hard-coded secrets, XSS, SQL injection, and more.<\/p>\n\n\n\n
A significant shift is happening in the Cybersecurity space. If you do not have a plan or proactive measures to ensure your system is protected against Cyber-attacks, you’re on a dangerous path. Classified information could easily get into the wrong hands, you\u2019ll lose money, and you will experience reputational damage and operational disruptions.<\/p>\n\n\n\n
<\/a>What does Security Scanning in CI\/CD Entail<\/h3>\n\n\n\nNarrowing security scanning into CI\/CD<\/a>, which is a critical aspect of the DevOps culture, entails automatically ensuring the security of applications and infrastructure at every stage of development. Identifying vulnerabilities and addressing them continuously as new code and updates are deployed.<\/p>\n\n\n\nFor instance, in the development stage (CI), security scanning will involve running tests, checking for vulnerabilities, analyzing dependencies, and automatically checking for security best practices. While in the deployment stage (CD), security scanning will involve validating infrastructure as code (IaC) configurations, scanning container images, and checking that the deployment environment is securely configured and that it adheres to compliance standards.<\/p>\n\n\n\n
You\u2019ll need to use tools that\u2019ll help you detect security issues during different stages of your CI\/CD pipeline, such as during builds, before deployment, and on pull requests for cases where sensitive changes (new dependencies, configurations, etc) are introduced from contributors.<\/p>\n\n\n\n
<\/a>What is Snyk<\/h3>\n\n\n\nSynk<\/a> is a security tool that helps you identify and fix vulnerabilities in your code. It serves as an assistant so that you can focus on building the core functionalities while it seamlessly handles the security aspect. Synk has a free version, as well as paid for different use cases, which you can see on their pricing page<\/a>.<\/p>\n\n\n\nSnyk is categorized into Snyk code, Snyk open source, Snyk container, Snyk IaC, and Snyk AppRisk. Each of these categories works for specific use cases and does the following:<\/p>\n\n\n
\n\n- Snyk open source and Snyk code<\/strong>: Snyk open source<\/a> checks open source libraries and dependencies for known vulnerabilities. Snyk code<\/a> scans custom code and functions for security issues. You can grant Snyk access to your Git repository, whether it’s on GitHub, GitLab, or Bitbucket, to scan through; if it finds any security issue, it’ll create a pull request to fix it, which you can then review and merge if you choose to.<\/li>\n\n\n\n
- Snyk container<\/strong>: Snyk container<\/a> is for Snyk’s container registry integrations. It features a complementary tool called Snyk CLI<\/a> that you can use to scan container images for vulnerabilities before you deploy them. It also features source code management (SCM), whereby Snyk automatically detects Dockerfiles stored in Git repositories like GitHub, GitLab, or Bitbucket, scans the base image for vulnerabilities using Snyk open source, and recommends a secure or less vulnerable version.<\/li>\n\n\n\n
- Snyk IaC<\/strong>: For infrastructure engineers who provision cloud resources through code, Snyk IaC<\/a> can identify and fix misconfigurations in infrastructure code. You can have Snyk scan infrastructure code within Terraform, CloudFormation, Helm charts, and ARM templates.<\/li>\n\n\n\n
- Snyk AppRisk<\/strong>: This category is for application security (AppSec) teams that want to manage and reduce application risk at scale. Snyk AppRisk<\/a>, an application security posture management (ASPM) tool, provides insights into runtime behavior and spots application loopholes that attackers can exploit.<\/li>\n<\/ul>\n<\/div>\n\n\n
The IDE or text editor you use doesn’t matter; Snyk can be integrated into widely used IDEs and text editors like Vscode and Pycharm to provide real-time security checks and feedback directly in your development environment. Snyk can be used within CI\/CD platforms like GitHub actions, Bitbucket pipelines, Circle CI, Travis CI, GitLab CI, Jenkins, and many others<\/a> to automate security checks as part of your development lifecycle to help you catch and fix security issues early and reduce the risk of vulnerabilities making it to production.<\/p>\n\n\n\n<\/a>Performed security scanning without Snyk<\/h3>\n\n\n\nI have performed security scanning without Snyk, using npm audit<\/em><\/a> (a command that scans project dependencies), and it was tedious. With the npm audit, <\/em>I was able to generate a vulnerability report for my project and view their severity levels.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Checking for vulnerabilities with npm audit<\/strong><\/p>\n\n\n\nUsing the npm audit fix<\/code> command, I was able to find and fix dependency vulnerabilities by upgrading to more secure ones, as recommended by the npm audit<\/code> command.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Fixing vulnerabilities with npm audit fix<\/em><\/strong><\/p>\n\n\n\nWhile the npm audit<\/code> command helped, I just couldn\u2019t do enough; npm audit<\/code> only works for Node.js projects, which use npm<\/a> as their package manager. I also couldn\u2019t check my code for patterns that could cause security issues. And, in an era where programmers need to diversify when it comes to programming languages, npm audit<\/code> isn’t language agnostic, which is a feature that contributed to its limitation.<\/p>\n\n\n\nSuppose I’m working on a Python, Java, Ruby, C++ project or any other programming language. In that case, I need to incorporate separate tools for vulnerability scanning and security checks. For instance, in a Python project, I could use pip-audit<\/a>, for a Ruby project I could use bundle-audit<\/a>, and so on.<\/p>\n\n\n\nThese separate tools lack language-agnostic features, making managing security across diverse projects complex. Therefore, I don’t recommend using a language-specific tool for security scanning, but instead a robust, feature-rich, and sophisticated tool that integrates seamlessly with diverse ecosystems. Something that doesn’t just scan dependencies but can also scan custom code, that is, the one you wrote yourself.<\/p>\n\n\n\n
Snyk supports popular programming languages like Python, JavaScript, Elixir, Rust, TypeScript, Dart\/Flutter, and Go. The official documentation lists supported languages<\/a>.<\/p>\n\n\n\n<\/a>Performing security scanning with Snyk<\/h2>\n\n\n\nThe following sections will walk you through Snyk and how to use it to implement security scanning on a GitHub actions CI\/CD pipeline. You’ll use the Snyk container to scan an Nginx image, Synk open source to scan open source libraries for a Django application, and Snyk code to scan the same Django application. This tutorial’s Django project is managed using Poetry version 1.8.5.<\/p>\n\n\n\n
<\/a>Prerequisites<\/h3>\n\n\n\nTo follow along, you are required to have the following in place:<\/p>\n\n\n
\n\n- A text editor. This tutorial uses Visual Studio code<\/a>.<\/li>\n\n\n\n
- Snyk visual studio code extension<\/a> installed.<\/li>\n\n\n\n
- Docker engine installed on your machine.<\/li>\n\n\n\n
- A GitHub account.<\/li>\n<\/ul>\n<\/div>\n\n\n
<\/a>Scaffolding an application<\/h3>\n\n\n\nYou’ll begin by using the Snyk container to demonstrate how to implement Snyk in a CI\/CD pipeline. For the most part, you’ll use Snyk CLI to scan a Nginx container image. To begin, clone the following Git repository with this command:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/nginx-snyk-scaffolding.git\n<\/pre>\n\n\n\nThis will create a local copy of the repository on your machine. It contains a Dockerfile with a base image of nginx:1.17.0<\/code> exposed on port 80<\/code> and an index.html<\/code> file that says \u201cHello Snyk.\u201d<\/p>\n\n\n\n<\/a>Scanning for Vulnerabilities in a Container Image<\/h3>\n\n\n\nIf you installed the Snyk extension for VScode, then the Snyk CLI is installed automatically. To confirm this, execute the command below to check the Snyk version.<\/p>\n\n\n\n
snyk --version<\/pre>\n\n\n\nAuthenticate with the Snyk CLI using the following command:<\/p>\n\n\n\n
snyk auth<\/pre>\n\n\n\nThis will open up a page on your default web browser where you must log in or sign up with GitHub, Google, BitBucket, Azure AD, or Docker ID. This article uses GitHub as the login option:<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Signing up to Snyk.io with GitHub<\/strong><\/p>\n\n\n\nOnce you have successfully signed up and logged in, you must allow Snyk to authenticate your machine. Go ahead and authenticate. Once this process is successful, you should have the following image: <\/p>\n\n\n\n
Authenticating with Snyk successfully<\/strong><\/p>\n\n\n\nHowever, you still need to retrieve your authentication token to integrate Snyk with GitHub actions. This makes it possible to authenticate your GitHub actions pipeline with your Snyk account. Snyk stores your authentication token in the following file ~\/.config\/configstore\/snyk.json;<\/code> run this command to view your authentication token:<\/p>\n\n\n\ncat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\nThis will output your authentication token in the following format:<\/p>\n\n\n\n
cat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\n{\n \"api\": \"fc37....\"\n}<\/pre>\n\n\n\nCopy it and add it to your GitHub repository as a secret. See the following guide on adding secrets in a GitHub repository for GitHub actions<\/a> if you don\u2019t know how to do so already.<\/p>\n\n\n\nAlternatively, you can use this command to get your auth token:<\/p>\n\n\n\n
snyk config get api<\/pre>\n\n\n\nHead to your working directory, create a .github\/workflows\/ci.yml<\/code> file, and paste in the following code, replacing <dockerhub-username><\/code> with your username on DockerHub:<\/p>\n\n\n\nNote: Naming your custom images using this format <dockerhub-username>\/<image-name><\/code> makes pushing to your DockerHub repository easy.<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nIn the workflow above, GitHub Actions will automatically build the Docker image and then run Snyk to scan for vulnerabilities in the base image specified in the Dockerfile using the --file<\/code> argument.<\/p>\n\n\n\nIf there\u2019s any issue with the base image, Snyk will report the vulnerabilities with high severity levels and above and recommend alternative base images, since it has access to the Dockerfile in this workflow.<\/p>\n\n\n\n
Execute the Git commands below sequentially to trigger this workflow:<\/p>\n\n\n\n
Replace <github-username><\/code> with your username on GitHub.<\/p>\n\n\n\ngit init\ngit commit -m \"first commit\"\ngit branch -M main\ngit remote add origin git@github.com:<github-username>\/nginx-snyk.git\ngit push -u origin main<\/pre>\n\n\n\nSince the base image specified in the Dockerfile is outdated, you should see a ton of vulnerabilities with high and critical severity levels in your CI, specifically at the job “Run Snyk to check for vulnerabilities.” Because you have set the severity threshold to high and above, low and medium severity vulnerabilities will not be reported and thus, not trigger a failure in the CI process, though it’ll still be recorded.<\/p>\n\n\n\n
In this example, Snyk has identified 248 vulnerabilities, with 27 critical, 44 high, 52 medium, and 125 low.<\/p>\n\n\n\n
Base Image Vulnerabilities Severity nginx:1.17.0 248 27 critical, 44 high, 52 medium, 125 low<\/pre>\n\n\n\nYou should also see alternative base images that Snyk recommends, alongside the number of vulnerabilities detected and their levels.<\/p>\n\n\n\n
Recommendations for base image upgrade:\nMinor upgrades\nBase Image \t Vulnerabilities \t Severity\nnginx:1.26.2 \t\t91 \t\t 1 critical, 1 high, 1 medium, 88 low\nAlternative image types\nBase Image \t\tVulnerabilities Severity\nnginx:1.27.1-bookworm \t\t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.26.2-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:stable-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.27.1-bookworm-otel \t94 \t\t1 critical, 1 high, 1 medium, 91 low<\/pre>\n\n\n\nFrom the output above, Snyk recommends upgrading to nginx:1.26.2 or use the following alternatives - nginx:1.27.1-bookworm, nginx:1.26.2-bookworm-perl, nginx:stable-bookworm-perl or nginx:1.27.1-bookworm-otel<\/code> .<\/p>\n\n\n\n<\/a>Proceeding regardless of vulnerabilities<\/h3>\n\n\n\nBy design, Snyk will terminate a CI workflow if it finds any vulnerability, regardless of its severity level (low, medium, high, or critical). However, there's something you should note: there's no guarantee that official and latest Docker images have no vulnerabilities. There is always a possibility that even the most secure images may contain some vulnerabilities.<\/p>\n\n\n\n
In this case, Snyk will not recommend any alternatives; however, it will still record the vulnerabilities it finds, inform you that you are using the most secure base image, and halt the CI process. Therefore, you have to explicitly tell Snyk to continue even if vulnerabilities are detected.<\/p>\n\n\n\n
Head back to your project and use the nginx:1.27.1-bookworm<\/code> as the base image in your Dockerfile, and edit the CI to look like the following:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nFrom the CI above, the continue-on-error<\/code> setting in the step \u201cRun Snyk to check for vulnerabilities\u201d allows it to proceed even if it finds vulnerabilities.<\/p>\n\n\n\nCommit and push these changes to your GitHub repository to trigger the workflow. You should have the CI run to completion. <\/p>\n\n\n\n
Viewing CI on GitHub<\/strong><\/p>\n\n\n\n<\/a>Viewing Snyk scan results with GitHub Code Scanning<\/h3>\n\n\n\nGitHub code scanning is a SaaS tool that is available on GitHub. While Snyk already outputs scan results in the CI workflow, it's not the most accessible format for tracking and review in terms of vulnerability presentation. With GitHub code scanning you can view Snyk scan results in the Security<\/strong> tab on your GitHub repository, where vulnerabilities are organized and displayed clearly and interactively.<\/p>\n\n\n\nBefore you proceed, you need to give GitHub Token for Actions read\/write<\/em> permissions at https:\/\/github.com\/<\/em><\/a><your-github-username>\/nginx-snyk-scaffolding\/settings\/actions.<\/em> You can read more about GitHub Token permission<\/a> in the official GitHub documentation.<\/p>\n\n\n\nOnce you have given GitHub Token for Actions read\/write<\/em> permissions, update your CI to have the following configuration settings:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n json: true\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Convert Snyk JSON to SARIF\n uses: garethr\/snyk-to-sarif@master\n with:\n input: snyk.json\n output: snyk.sarif\n - name: Upload scan results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk.sarif<\/pre>\n\n\n\nFrom the file above, after Snyk has checked for vulnerabilities, the scan results will be saved in a snyk.json<\/code> file. Next, the \"Convert Snyk JSON to SARIF\" step will use the garethr\/snyk-to-sarif@master<\/code> action to convert it into a format that GitHub code scanning can parse (snyk.sarif<\/code>). Once this process is complete, the sarif<\/code> file<\/em> snyk.sarif<\/code> will be uploaded to GitHub code scanning.<\/p>\n\n\n\nNote, a SARIF file is a Static Analysis Results Interchange Format. A standard that lets analysis tools exchange results in a standard format.<\/em><\/p>\n\n\n\nPush your changes to trigger the workflow and head to the Security<\/strong> tab on your repository. You should see vulnerabilities with severity levels from high to critical.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk scan results on GitHub code scanning<\/strong><\/p>\n\n\n\n<\/a>Scanning Custom Code and Open Source Libraries<\/h3>\n\n\n\nRunning security checks automatically for both your code and the libraries used in your projects is always good practice before deploying them to production or building and deploying them to a container registry. Again, you can do this with Snyk code and Snyk open source.<\/p>\n\n\n\n
You\u2019ll use Snyk code and Snyk open source to check for Vulnerabilities for a Django project that uses Poetry as the package manager. Run the command below to clone this project to your machine:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/django-snyk-scaffolding.git<\/pre>\n\n\n\nRun the following command to install all dependencies:<\/p>\n\n\n\n
poetry install<\/pre>\n\n\n\nCreate a .<\/em>github\/workflows\/ci.yml<\/code> file and paste in the following code:<\/p>\n\n\n\nname: Django Project CI\/CD\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Set up Python\n uses: actions\/setup-python@v2\n with:\n python-version: '3.8'\n - name: Install Poetry\n run: |\n curl -sSL <https:\/\/install.python-poetry.org> | python3 -\n - name: Install dependencies\n run: |\n poetry install\n - name: Run Snyk Open Source Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: test\n args: --sarif-file-output=snyk-test.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Run Snyk Code Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: code test\n args: --sarif-file-output=snyk-code.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Upload Snyk Open Source Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-test.sarif\n - name: Upload Snyk Code Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-code.sarif<\/pre>\n\n\n\nThis workflow will set up Python \u201c3.8\u201d and use the Snyk Python action snyk\/actions\/python-3.8@master<\/code> to scan your code and open source dependencies using the snyk code test<\/code> and snyk test<\/code> commands, respectively.<\/p>\n\n\n\nCreate a new GitHub repository for this project, add the Snyk token as a secret, and give GitHub Token for Actions read\/write<\/em> permissions.<\/p>\n\n\n\nCommit and push your changes and wait for the CI to run to completion. Since the CI is configured to continue amidst Snyk vulnerability checks, you should have the following image indicating that the CI job ran to completion.<\/p>\n\n\n\n
You'll see a few vulnerability issues when you head to the Security tab on GitHub. This is Snyk doing its work, and if you look at the labels for each vulnerability issue, you'll see the ones related to Snyk open source and Synk code:<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk open source on GitHub code scanning<\/strong><\/p>\n\n\n\nIf you scroll down, you will see just one related to the Snyk code, which is titled \"HardCoded secret.\"<\/p>\n\n\n\n
Viewing Snyk code scan results on GitHub code scanning<\/strong><\/p>\n\n\n\nSnyk open-source vulnerabilities can be fixed by upgrading dependencies to less vulnerable ones, and for Snyk code vulnerabilities, you'll have to fix them yourself. To resolve Snyk open-source vulnerabilities, you have two options:<\/p>\n\n\n
\n\n- Use the snyk fix<\/a> command to allow Snyk to automatically upgrade to its recommended open source libraries, or add a step in the CI that executes the snyk fix command for you automatically. However, this option is only available for Snyk enterprise users.<\/li>\n\n\n\n
- Manually upgrade to Snyk's recommended open-source libraries on your machine.<\/li>\n<\/ul>\n<\/div>\n\n\n
To resolve the vulnerability related to the Snyk code, you have to remove the hard-coded secret.<\/p>\n\n\n\n
<\/a>Resolving open source libraries for Snyk open source<\/h3>\n\n\n\nActivate the Poetry virtual shell and run a vulnerability check for Snyk open source with the following command:<\/p>\n\n\n\n
poetry shell\nsnyk test<\/pre>\n\n\n\nAs I write this article, Snyk asks me to upgrade to Django 4.2.16 and sqlparse 0.5.0. Depending on when you see this article, the recommended versions might be different.<\/p>\n\n\n\n
Issues to fix by upgrading dependencies:<\/strong><\/p>\n\n\n\n\t Upgrade django@4.2.3 to django@4.2.16 to fix<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-5932095>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Denial of Service (DoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6041515>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6370660>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t ....<\/code><\/p>\n\n\n\n\t Upgrade sqlparse@0.4.4 to sqlparse@0.5.0 to fix<\/code><\/p>\n\n\n\n \u2717 Uncontrolled Recursion [High Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-SQLPARSE-6615674>] in sqlparse@0.4.4<\/code><\/p>\n\n\n\n introduced by sqlparse@0.4.4 and 1 other path(s)<\/code><\/p>\n\n\n\nRun the command below to install django 4.2.16 and sqlparse 0.5.0:<\/p>\n\n\n\n
poetry add django@4.2.16\npoetry add sqlparse@0.5.0<\/pre>\n\n\n\nYou should see the following output once this is successful:<\/p>\n\n\n\n
Updating dependencies<\/code><\/p>\n\n\n\nResolving dependencies... (0.4s)<\/code><\/p>\n\n\n\nPackage operations: 0 installs, 2 updates, 0 removals<\/code><\/p>\n\n\n\n - Updating sqlparse (0.4.4 -> 0.5.0)<\/code><\/p>\n\n\n\n - Updating django (4.2.3 -> 4.2.16)<\/code><\/p>\n\n\n\nWriting lock file<\/code><\/p>\n\n\n\nWhen you run the snyk test<\/code> command again, you\u2019ll see the following, indicating all libraries are up-to-date and no vulnerabilities were found.<\/p>\n\n\n\n\u2714 Tested 7 dependencies for known issues, no vulnerable paths found<\/code><\/p>\n\n\n\n<\/a>Resolving Hard Coded Secrets for Snyk code<\/h3>\n\n\n\nRight now in my example, snyk code<\/code> found a vulnerability at django_project\/settings.py<\/code> where a secret is being hardcoded. To resolve this, you\u2019ll need to use environment variables.<\/p>\n\n\n\nFirst, in the root of the Django project, create a .env<\/code> file and populate it. Do this by replacing <secret-key><\/code> with the actual key from django_project\/settings.py<\/code>.<\/p>\n\n\n\nDJANGO_SECRET_KEY='<secret-key>'<\/pre>\n\n\n\nNext, edit the SECRET_KEY<\/code> variable in django_project\/settings.py<\/code> to hold the value os.getenv(\"DJANGO_SECRET_KEY\")<\/code>:<\/p>\n\n\n\nThis will load the value from the environment<\/code> variable using os.getenv:<\/p>\n\n\n\nimport os\n\nSECRET_KEY = os.getenv(\"DJANGO_SECRET_KEY\")<\/pre>\n\n\n\nThen, create a .gitignore<\/code> file in the project\u2019s root and add the .env file to exclude it from version control:<\/p>\n\n\n\n# .gitignore\n.env<\/pre>\n\n\n\nNow, run snyk code test<\/code> again to recheck the code. You should see the following results:<\/p>\n\n\n\n\u2714 Awesome! No issues were found.<\/code><\/p>\n\n\n\nAnd there you go, no more code security issues, at least those that have been identified so far!<\/p>\n\n\n\n
<\/a>Conclusion<\/h2>\n\n\n\nIn this article, you have learned what security scanning is, why you should implement security scanning in a CI\/CD workflow, and how to use Snyk for vulnerability scanning in a GitHub actions workflow. You have used Snyk container to scan and identify vulnerabilities in an Nginx container image, used Snyk open source to scan open source libraries within a Django application, and used Snyk code to scan custom code. Snyk is a robust tool, you can integrate Snyk with Kubernetes, Jira, and Slack. See the official Snyk documentation<\/a> to find more information about Snyk.<\/p>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Security is important regardless of your industry, whether it’s finance, retail, e-commerce, or the broader world of IT. A little security oversight can have catastrophic impacts, leading to loss of money and unauthorized access to classified information. It takes a lot of work to develop solutions that users trust. Therefore, you need to take security……<\/p>\n","protected":false},"author":341730,"featured_media":104922,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[46],"tags":[4619,159234],"coauthors":[158989],"class_list":["post-104912","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-compliance","tag-security","tag-snyk"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/341730"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=104912"}],"version-history":[{"count":14,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions"}],"predecessor-version":[{"id":107319,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions\/107319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/104922"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=104912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=104912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=104912"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=104912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
For instance, in the development stage (CI), security scanning will involve running tests, checking for vulnerabilities, analyzing dependencies, and automatically checking for security best practices. While in the deployment stage (CD), security scanning will involve validating infrastructure as code (IaC) configurations, scanning container images, and checking that the deployment environment is securely configured and that it adheres to compliance standards.<\/p>\n\n\n\n
You\u2019ll need to use tools that\u2019ll help you detect security issues during different stages of your CI\/CD pipeline, such as during builds, before deployment, and on pull requests for cases where sensitive changes (new dependencies, configurations, etc) are introduced from contributors.<\/p>\n\n\n\n
<\/a>What is Snyk<\/h3>\n\n\n\nSynk<\/a> is a security tool that helps you identify and fix vulnerabilities in your code. It serves as an assistant so that you can focus on building the core functionalities while it seamlessly handles the security aspect. Synk has a free version, as well as paid for different use cases, which you can see on their pricing page<\/a>.<\/p>\n\n\n\nSnyk is categorized into Snyk code, Snyk open source, Snyk container, Snyk IaC, and Snyk AppRisk. Each of these categories works for specific use cases and does the following:<\/p>\n\n\n
\n\n- Snyk open source and Snyk code<\/strong>: Snyk open source<\/a> checks open source libraries and dependencies for known vulnerabilities. Snyk code<\/a> scans custom code and functions for security issues. You can grant Snyk access to your Git repository, whether it’s on GitHub, GitLab, or Bitbucket, to scan through; if it finds any security issue, it’ll create a pull request to fix it, which you can then review and merge if you choose to.<\/li>\n\n\n\n
- Snyk container<\/strong>: Snyk container<\/a> is for Snyk’s container registry integrations. It features a complementary tool called Snyk CLI<\/a> that you can use to scan container images for vulnerabilities before you deploy them. It also features source code management (SCM), whereby Snyk automatically detects Dockerfiles stored in Git repositories like GitHub, GitLab, or Bitbucket, scans the base image for vulnerabilities using Snyk open source, and recommends a secure or less vulnerable version.<\/li>\n\n\n\n
- Snyk IaC<\/strong>: For infrastructure engineers who provision cloud resources through code, Snyk IaC<\/a> can identify and fix misconfigurations in infrastructure code. You can have Snyk scan infrastructure code within Terraform, CloudFormation, Helm charts, and ARM templates.<\/li>\n\n\n\n
- Snyk AppRisk<\/strong>: This category is for application security (AppSec) teams that want to manage and reduce application risk at scale. Snyk AppRisk<\/a>, an application security posture management (ASPM) tool, provides insights into runtime behavior and spots application loopholes that attackers can exploit.<\/li>\n<\/ul>\n<\/div>\n\n\n
The IDE or text editor you use doesn’t matter; Snyk can be integrated into widely used IDEs and text editors like Vscode and Pycharm to provide real-time security checks and feedback directly in your development environment. Snyk can be used within CI\/CD platforms like GitHub actions, Bitbucket pipelines, Circle CI, Travis CI, GitLab CI, Jenkins, and many others<\/a> to automate security checks as part of your development lifecycle to help you catch and fix security issues early and reduce the risk of vulnerabilities making it to production.<\/p>\n\n\n\n<\/a>Performed security scanning without Snyk<\/h3>\n\n\n\nI have performed security scanning without Snyk, using npm audit<\/em><\/a> (a command that scans project dependencies), and it was tedious. With the npm audit, <\/em>I was able to generate a vulnerability report for my project and view their severity levels.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Checking for vulnerabilities with npm audit<\/strong><\/p>\n\n\n\nUsing the npm audit fix<\/code> command, I was able to find and fix dependency vulnerabilities by upgrading to more secure ones, as recommended by the npm audit<\/code> command.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Fixing vulnerabilities with npm audit fix<\/em><\/strong><\/p>\n\n\n\nWhile the npm audit<\/code> command helped, I just couldn\u2019t do enough; npm audit<\/code> only works for Node.js projects, which use npm<\/a> as their package manager. I also couldn\u2019t check my code for patterns that could cause security issues. And, in an era where programmers need to diversify when it comes to programming languages, npm audit<\/code> isn’t language agnostic, which is a feature that contributed to its limitation.<\/p>\n\n\n\nSuppose I’m working on a Python, Java, Ruby, C++ project or any other programming language. In that case, I need to incorporate separate tools for vulnerability scanning and security checks. For instance, in a Python project, I could use pip-audit<\/a>, for a Ruby project I could use bundle-audit<\/a>, and so on.<\/p>\n\n\n\nThese separate tools lack language-agnostic features, making managing security across diverse projects complex. Therefore, I don’t recommend using a language-specific tool for security scanning, but instead a robust, feature-rich, and sophisticated tool that integrates seamlessly with diverse ecosystems. Something that doesn’t just scan dependencies but can also scan custom code, that is, the one you wrote yourself.<\/p>\n\n\n\n
Snyk supports popular programming languages like Python, JavaScript, Elixir, Rust, TypeScript, Dart\/Flutter, and Go. The official documentation lists supported languages<\/a>.<\/p>\n\n\n\n<\/a>Performing security scanning with Snyk<\/h2>\n\n\n\nThe following sections will walk you through Snyk and how to use it to implement security scanning on a GitHub actions CI\/CD pipeline. You’ll use the Snyk container to scan an Nginx image, Synk open source to scan open source libraries for a Django application, and Snyk code to scan the same Django application. This tutorial’s Django project is managed using Poetry version 1.8.5.<\/p>\n\n\n\n
<\/a>Prerequisites<\/h3>\n\n\n\nTo follow along, you are required to have the following in place:<\/p>\n\n\n
\n\n- A text editor. This tutorial uses Visual Studio code<\/a>.<\/li>\n\n\n\n
- Snyk visual studio code extension<\/a> installed.<\/li>\n\n\n\n
- Docker engine installed on your machine.<\/li>\n\n\n\n
- A GitHub account.<\/li>\n<\/ul>\n<\/div>\n\n\n
<\/a>Scaffolding an application<\/h3>\n\n\n\nYou’ll begin by using the Snyk container to demonstrate how to implement Snyk in a CI\/CD pipeline. For the most part, you’ll use Snyk CLI to scan a Nginx container image. To begin, clone the following Git repository with this command:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/nginx-snyk-scaffolding.git\n<\/pre>\n\n\n\nThis will create a local copy of the repository on your machine. It contains a Dockerfile with a base image of nginx:1.17.0<\/code> exposed on port 80<\/code> and an index.html<\/code> file that says \u201cHello Snyk.\u201d<\/p>\n\n\n\n<\/a>Scanning for Vulnerabilities in a Container Image<\/h3>\n\n\n\nIf you installed the Snyk extension for VScode, then the Snyk CLI is installed automatically. To confirm this, execute the command below to check the Snyk version.<\/p>\n\n\n\n
snyk --version<\/pre>\n\n\n\nAuthenticate with the Snyk CLI using the following command:<\/p>\n\n\n\n
snyk auth<\/pre>\n\n\n\nThis will open up a page on your default web browser where you must log in or sign up with GitHub, Google, BitBucket, Azure AD, or Docker ID. This article uses GitHub as the login option:<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Signing up to Snyk.io with GitHub<\/strong><\/p>\n\n\n\nOnce you have successfully signed up and logged in, you must allow Snyk to authenticate your machine. Go ahead and authenticate. Once this process is successful, you should have the following image: <\/p>\n\n\n\n
Authenticating with Snyk successfully<\/strong><\/p>\n\n\n\nHowever, you still need to retrieve your authentication token to integrate Snyk with GitHub actions. This makes it possible to authenticate your GitHub actions pipeline with your Snyk account. Snyk stores your authentication token in the following file ~\/.config\/configstore\/snyk.json;<\/code> run this command to view your authentication token:<\/p>\n\n\n\ncat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\nThis will output your authentication token in the following format:<\/p>\n\n\n\n
cat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\n{\n \"api\": \"fc37....\"\n}<\/pre>\n\n\n\nCopy it and add it to your GitHub repository as a secret. See the following guide on adding secrets in a GitHub repository for GitHub actions<\/a> if you don\u2019t know how to do so already.<\/p>\n\n\n\nAlternatively, you can use this command to get your auth token:<\/p>\n\n\n\n
snyk config get api<\/pre>\n\n\n\nHead to your working directory, create a .github\/workflows\/ci.yml<\/code> file, and paste in the following code, replacing <dockerhub-username><\/code> with your username on DockerHub:<\/p>\n\n\n\nNote: Naming your custom images using this format <dockerhub-username>\/<image-name><\/code> makes pushing to your DockerHub repository easy.<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nIn the workflow above, GitHub Actions will automatically build the Docker image and then run Snyk to scan for vulnerabilities in the base image specified in the Dockerfile using the --file<\/code> argument.<\/p>\n\n\n\nIf there\u2019s any issue with the base image, Snyk will report the vulnerabilities with high severity levels and above and recommend alternative base images, since it has access to the Dockerfile in this workflow.<\/p>\n\n\n\n
Execute the Git commands below sequentially to trigger this workflow:<\/p>\n\n\n\n
Replace <github-username><\/code> with your username on GitHub.<\/p>\n\n\n\ngit init\ngit commit -m \"first commit\"\ngit branch -M main\ngit remote add origin git@github.com:<github-username>\/nginx-snyk.git\ngit push -u origin main<\/pre>\n\n\n\nSince the base image specified in the Dockerfile is outdated, you should see a ton of vulnerabilities with high and critical severity levels in your CI, specifically at the job “Run Snyk to check for vulnerabilities.” Because you have set the severity threshold to high and above, low and medium severity vulnerabilities will not be reported and thus, not trigger a failure in the CI process, though it’ll still be recorded.<\/p>\n\n\n\n
In this example, Snyk has identified 248 vulnerabilities, with 27 critical, 44 high, 52 medium, and 125 low.<\/p>\n\n\n\n
Base Image Vulnerabilities Severity nginx:1.17.0 248 27 critical, 44 high, 52 medium, 125 low<\/pre>\n\n\n\nYou should also see alternative base images that Snyk recommends, alongside the number of vulnerabilities detected and their levels.<\/p>\n\n\n\n
Recommendations for base image upgrade:\nMinor upgrades\nBase Image \t Vulnerabilities \t Severity\nnginx:1.26.2 \t\t91 \t\t 1 critical, 1 high, 1 medium, 88 low\nAlternative image types\nBase Image \t\tVulnerabilities Severity\nnginx:1.27.1-bookworm \t\t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.26.2-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:stable-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.27.1-bookworm-otel \t94 \t\t1 critical, 1 high, 1 medium, 91 low<\/pre>\n\n\n\nFrom the output above, Snyk recommends upgrading to nginx:1.26.2 or use the following alternatives - nginx:1.27.1-bookworm, nginx:1.26.2-bookworm-perl, nginx:stable-bookworm-perl or nginx:1.27.1-bookworm-otel<\/code> .<\/p>\n\n\n\n<\/a>Proceeding regardless of vulnerabilities<\/h3>\n\n\n\nBy design, Snyk will terminate a CI workflow if it finds any vulnerability, regardless of its severity level (low, medium, high, or critical). However, there's something you should note: there's no guarantee that official and latest Docker images have no vulnerabilities. There is always a possibility that even the most secure images may contain some vulnerabilities.<\/p>\n\n\n\n
In this case, Snyk will not recommend any alternatives; however, it will still record the vulnerabilities it finds, inform you that you are using the most secure base image, and halt the CI process. Therefore, you have to explicitly tell Snyk to continue even if vulnerabilities are detected.<\/p>\n\n\n\n
Head back to your project and use the nginx:1.27.1-bookworm<\/code> as the base image in your Dockerfile, and edit the CI to look like the following:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nFrom the CI above, the continue-on-error<\/code> setting in the step \u201cRun Snyk to check for vulnerabilities\u201d allows it to proceed even if it finds vulnerabilities.<\/p>\n\n\n\nCommit and push these changes to your GitHub repository to trigger the workflow. You should have the CI run to completion. <\/p>\n\n\n\n
Viewing CI on GitHub<\/strong><\/p>\n\n\n\n<\/a>Viewing Snyk scan results with GitHub Code Scanning<\/h3>\n\n\n\nGitHub code scanning is a SaaS tool that is available on GitHub. While Snyk already outputs scan results in the CI workflow, it's not the most accessible format for tracking and review in terms of vulnerability presentation. With GitHub code scanning you can view Snyk scan results in the Security<\/strong> tab on your GitHub repository, where vulnerabilities are organized and displayed clearly and interactively.<\/p>\n\n\n\nBefore you proceed, you need to give GitHub Token for Actions read\/write<\/em> permissions at https:\/\/github.com\/<\/em><\/a><your-github-username>\/nginx-snyk-scaffolding\/settings\/actions.<\/em> You can read more about GitHub Token permission<\/a> in the official GitHub documentation.<\/p>\n\n\n\nOnce you have given GitHub Token for Actions read\/write<\/em> permissions, update your CI to have the following configuration settings:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n json: true\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Convert Snyk JSON to SARIF\n uses: garethr\/snyk-to-sarif@master\n with:\n input: snyk.json\n output: snyk.sarif\n - name: Upload scan results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk.sarif<\/pre>\n\n\n\nFrom the file above, after Snyk has checked for vulnerabilities, the scan results will be saved in a snyk.json<\/code> file. Next, the \"Convert Snyk JSON to SARIF\" step will use the garethr\/snyk-to-sarif@master<\/code> action to convert it into a format that GitHub code scanning can parse (snyk.sarif<\/code>). Once this process is complete, the sarif<\/code> file<\/em> snyk.sarif<\/code> will be uploaded to GitHub code scanning.<\/p>\n\n\n\nNote, a SARIF file is a Static Analysis Results Interchange Format. A standard that lets analysis tools exchange results in a standard format.<\/em><\/p>\n\n\n\nPush your changes to trigger the workflow and head to the Security<\/strong> tab on your repository. You should see vulnerabilities with severity levels from high to critical.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk scan results on GitHub code scanning<\/strong><\/p>\n\n\n\n<\/a>Scanning Custom Code and Open Source Libraries<\/h3>\n\n\n\nRunning security checks automatically for both your code and the libraries used in your projects is always good practice before deploying them to production or building and deploying them to a container registry. Again, you can do this with Snyk code and Snyk open source.<\/p>\n\n\n\n
You\u2019ll use Snyk code and Snyk open source to check for Vulnerabilities for a Django project that uses Poetry as the package manager. Run the command below to clone this project to your machine:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/django-snyk-scaffolding.git<\/pre>\n\n\n\nRun the following command to install all dependencies:<\/p>\n\n\n\n
poetry install<\/pre>\n\n\n\nCreate a .<\/em>github\/workflows\/ci.yml<\/code> file and paste in the following code:<\/p>\n\n\n\nname: Django Project CI\/CD\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Set up Python\n uses: actions\/setup-python@v2\n with:\n python-version: '3.8'\n - name: Install Poetry\n run: |\n curl -sSL <https:\/\/install.python-poetry.org> | python3 -\n - name: Install dependencies\n run: |\n poetry install\n - name: Run Snyk Open Source Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: test\n args: --sarif-file-output=snyk-test.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Run Snyk Code Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: code test\n args: --sarif-file-output=snyk-code.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Upload Snyk Open Source Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-test.sarif\n - name: Upload Snyk Code Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-code.sarif<\/pre>\n\n\n\nThis workflow will set up Python \u201c3.8\u201d and use the Snyk Python action snyk\/actions\/python-3.8@master<\/code> to scan your code and open source dependencies using the snyk code test<\/code> and snyk test<\/code> commands, respectively.<\/p>\n\n\n\nCreate a new GitHub repository for this project, add the Snyk token as a secret, and give GitHub Token for Actions read\/write<\/em> permissions.<\/p>\n\n\n\nCommit and push your changes and wait for the CI to run to completion. Since the CI is configured to continue amidst Snyk vulnerability checks, you should have the following image indicating that the CI job ran to completion.<\/p>\n\n\n\n
You'll see a few vulnerability issues when you head to the Security tab on GitHub. This is Snyk doing its work, and if you look at the labels for each vulnerability issue, you'll see the ones related to Snyk open source and Synk code:<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk open source on GitHub code scanning<\/strong><\/p>\n\n\n\nIf you scroll down, you will see just one related to the Snyk code, which is titled \"HardCoded secret.\"<\/p>\n\n\n\n
Viewing Snyk code scan results on GitHub code scanning<\/strong><\/p>\n\n\n\nSnyk open-source vulnerabilities can be fixed by upgrading dependencies to less vulnerable ones, and for Snyk code vulnerabilities, you'll have to fix them yourself. To resolve Snyk open-source vulnerabilities, you have two options:<\/p>\n\n\n
\n\n- Use the snyk fix<\/a> command to allow Snyk to automatically upgrade to its recommended open source libraries, or add a step in the CI that executes the snyk fix command for you automatically. However, this option is only available for Snyk enterprise users.<\/li>\n\n\n\n
- Manually upgrade to Snyk's recommended open-source libraries on your machine.<\/li>\n<\/ul>\n<\/div>\n\n\n
To resolve the vulnerability related to the Snyk code, you have to remove the hard-coded secret.<\/p>\n\n\n\n
<\/a>Resolving open source libraries for Snyk open source<\/h3>\n\n\n\nActivate the Poetry virtual shell and run a vulnerability check for Snyk open source with the following command:<\/p>\n\n\n\n
poetry shell\nsnyk test<\/pre>\n\n\n\nAs I write this article, Snyk asks me to upgrade to Django 4.2.16 and sqlparse 0.5.0. Depending on when you see this article, the recommended versions might be different.<\/p>\n\n\n\n
Issues to fix by upgrading dependencies:<\/strong><\/p>\n\n\n\n\t Upgrade django@4.2.3 to django@4.2.16 to fix<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-5932095>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Denial of Service (DoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6041515>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6370660>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t ....<\/code><\/p>\n\n\n\n\t Upgrade sqlparse@0.4.4 to sqlparse@0.5.0 to fix<\/code><\/p>\n\n\n\n \u2717 Uncontrolled Recursion [High Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-SQLPARSE-6615674>] in sqlparse@0.4.4<\/code><\/p>\n\n\n\n introduced by sqlparse@0.4.4 and 1 other path(s)<\/code><\/p>\n\n\n\nRun the command below to install django 4.2.16 and sqlparse 0.5.0:<\/p>\n\n\n\n
poetry add django@4.2.16\npoetry add sqlparse@0.5.0<\/pre>\n\n\n\nYou should see the following output once this is successful:<\/p>\n\n\n\n
Updating dependencies<\/code><\/p>\n\n\n\nResolving dependencies... (0.4s)<\/code><\/p>\n\n\n\nPackage operations: 0 installs, 2 updates, 0 removals<\/code><\/p>\n\n\n\n - Updating sqlparse (0.4.4 -> 0.5.0)<\/code><\/p>\n\n\n\n - Updating django (4.2.3 -> 4.2.16)<\/code><\/p>\n\n\n\nWriting lock file<\/code><\/p>\n\n\n\nWhen you run the snyk test<\/code> command again, you\u2019ll see the following, indicating all libraries are up-to-date and no vulnerabilities were found.<\/p>\n\n\n\n\u2714 Tested 7 dependencies for known issues, no vulnerable paths found<\/code><\/p>\n\n\n\n<\/a>Resolving Hard Coded Secrets for Snyk code<\/h3>\n\n\n\nRight now in my example, snyk code<\/code> found a vulnerability at django_project\/settings.py<\/code> where a secret is being hardcoded. To resolve this, you\u2019ll need to use environment variables.<\/p>\n\n\n\nFirst, in the root of the Django project, create a .env<\/code> file and populate it. Do this by replacing <secret-key><\/code> with the actual key from django_project\/settings.py<\/code>.<\/p>\n\n\n\nDJANGO_SECRET_KEY='<secret-key>'<\/pre>\n\n\n\nNext, edit the SECRET_KEY<\/code> variable in django_project\/settings.py<\/code> to hold the value os.getenv(\"DJANGO_SECRET_KEY\")<\/code>:<\/p>\n\n\n\nThis will load the value from the environment<\/code> variable using os.getenv:<\/p>\n\n\n\nimport os\n\nSECRET_KEY = os.getenv(\"DJANGO_SECRET_KEY\")<\/pre>\n\n\n\nThen, create a .gitignore<\/code> file in the project\u2019s root and add the .env file to exclude it from version control:<\/p>\n\n\n\n# .gitignore\n.env<\/pre>\n\n\n\nNow, run snyk code test<\/code> again to recheck the code. You should see the following results:<\/p>\n\n\n\n\u2714 Awesome! No issues were found.<\/code><\/p>\n\n\n\nAnd there you go, no more code security issues, at least those that have been identified so far!<\/p>\n\n\n\n
<\/a>Conclusion<\/h2>\n\n\n\nIn this article, you have learned what security scanning is, why you should implement security scanning in a CI\/CD workflow, and how to use Snyk for vulnerability scanning in a GitHub actions workflow. You have used Snyk container to scan and identify vulnerabilities in an Nginx container image, used Snyk open source to scan open source libraries within a Django application, and used Snyk code to scan custom code. Snyk is a robust tool, you can integrate Snyk with Kubernetes, Jira, and Slack. See the official Snyk documentation<\/a> to find more information about Snyk.<\/p>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
Security is important regardless of your industry, whether it’s finance, retail, e-commerce, or the broader world of IT. A little security oversight can have catastrophic impacts, leading to loss of money and unauthorized access to classified information. It takes a lot of work to develop solutions that users trust. Therefore, you need to take security……<\/p>\n","protected":false},"author":341730,"featured_media":104922,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[46],"tags":[4619,159234],"coauthors":[158989],"class_list":["post-104912","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-compliance","tag-security","tag-snyk"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/341730"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=104912"}],"version-history":[{"count":14,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions"}],"predecessor-version":[{"id":107319,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions\/107319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/104922"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=104912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=104912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=104912"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=104912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Snyk is categorized into Snyk code, Snyk open source, Snyk container, Snyk IaC, and Snyk AppRisk. Each of these categories works for specific use cases and does the following:<\/p>\n\n\n
- \n
- Snyk open source and Snyk code<\/strong>: Snyk open source<\/a> checks open source libraries and dependencies for known vulnerabilities. Snyk code<\/a> scans custom code and functions for security issues. You can grant Snyk access to your Git repository, whether it’s on GitHub, GitLab, or Bitbucket, to scan through; if it finds any security issue, it’ll create a pull request to fix it, which you can then review and merge if you choose to.<\/li>\n\n\n\n
- Snyk container<\/strong>: Snyk container<\/a> is for Snyk’s container registry integrations. It features a complementary tool called Snyk CLI<\/a> that you can use to scan container images for vulnerabilities before you deploy them. It also features source code management (SCM), whereby Snyk automatically detects Dockerfiles stored in Git repositories like GitHub, GitLab, or Bitbucket, scans the base image for vulnerabilities using Snyk open source, and recommends a secure or less vulnerable version.<\/li>\n\n\n\n
- Snyk IaC<\/strong>: For infrastructure engineers who provision cloud resources through code, Snyk IaC<\/a> can identify and fix misconfigurations in infrastructure code. You can have Snyk scan infrastructure code within Terraform, CloudFormation, Helm charts, and ARM templates.<\/li>\n\n\n\n
- Snyk AppRisk<\/strong>: This category is for application security (AppSec) teams that want to manage and reduce application risk at scale. Snyk AppRisk<\/a>, an application security posture management (ASPM) tool, provides insights into runtime behavior and spots application loopholes that attackers can exploit.<\/li>\n<\/ul>\n<\/div>\n\n\n
The IDE or text editor you use doesn’t matter; Snyk can be integrated into widely used IDEs and text editors like Vscode and Pycharm to provide real-time security checks and feedback directly in your development environment. Snyk can be used within CI\/CD platforms like GitHub actions, Bitbucket pipelines, Circle CI, Travis CI, GitLab CI, Jenkins, and many others<\/a> to automate security checks as part of your development lifecycle to help you catch and fix security issues early and reduce the risk of vulnerabilities making it to production.<\/p>\n\n\n\n
<\/a>Performed security scanning without Snyk<\/h3>\n\n\n\n
I have performed security scanning without Snyk, using npm audit<\/em><\/a> (a command that scans project dependencies), and it was tedious. With the npm audit, <\/em>I was able to generate a vulnerability report for my project and view their severity levels.<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Checking for vulnerabilities with npm audit<\/strong><\/p>\n\n\n\n
Using the
npm audit fix<\/code> command, I was able to find and fix dependency vulnerabilities by upgrading to more secure ones, as recommended by thenpm audit<\/code> command.<\/p>\n\n\n\n<\/figure>\n\n\n\n<\/p>\n\n\n\n
Fixing vulnerabilities with npm audit fix<\/em><\/strong><\/p>\n\n\n\n
While the
npm audit<\/code> command helped, I just couldn\u2019t do enough;npm audit<\/code> only works for Node.js projects, which use npm<\/a> as their package manager. I also couldn\u2019t check my code for patterns that could cause security issues. And, in an era where programmers need to diversify when it comes to programming languages,npm audit<\/code> isn’t language agnostic, which is a feature that contributed to its limitation.<\/p>\n\n\n\nSuppose I’m working on a Python, Java, Ruby, C++ project or any other programming language. In that case, I need to incorporate separate tools for vulnerability scanning and security checks. For instance, in a Python project, I could use pip-audit<\/a>, for a Ruby project I could use bundle-audit<\/a>, and so on.<\/p>\n\n\n\n
These separate tools lack language-agnostic features, making managing security across diverse projects complex. Therefore, I don’t recommend using a language-specific tool for security scanning, but instead a robust, feature-rich, and sophisticated tool that integrates seamlessly with diverse ecosystems. Something that doesn’t just scan dependencies but can also scan custom code, that is, the one you wrote yourself.<\/p>\n\n\n\n
Snyk supports popular programming languages like Python, JavaScript, Elixir, Rust, TypeScript, Dart\/Flutter, and Go. The official documentation lists supported languages<\/a>.<\/p>\n\n\n\n
<\/a>Performing security scanning with Snyk<\/h2>\n\n\n\n
The following sections will walk you through Snyk and how to use it to implement security scanning on a GitHub actions CI\/CD pipeline. You’ll use the Snyk container to scan an Nginx image, Synk open source to scan open source libraries for a Django application, and Snyk code to scan the same Django application. This tutorial’s Django project is managed using Poetry version 1.8.5.<\/p>\n\n\n\n
<\/a>Prerequisites<\/h3>\n\n\n\n
To follow along, you are required to have the following in place:<\/p>\n\n\n
\n- \n
- A text editor. This tutorial uses Visual Studio code<\/a>.<\/li>\n\n\n\n
- Snyk visual studio code extension<\/a> installed.<\/li>\n\n\n\n
- Docker engine installed on your machine.<\/li>\n\n\n\n
- A GitHub account.<\/li>\n<\/ul>\n<\/div>\n\n\n
<\/a>Scaffolding an application<\/h3>\n\n\n\n
You’ll begin by using the Snyk container to demonstrate how to implement Snyk in a CI\/CD pipeline. For the most part, you’ll use Snyk CLI to scan a Nginx container image. To begin, clone the following Git repository with this command:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/nginx-snyk-scaffolding.git\n<\/pre>\n\n\n\n
This will create a local copy of the repository on your machine. It contains a Dockerfile with a base image of
nginx:1.17.0<\/code> exposed on port80<\/code> and anindex.html<\/code> file that says \u201cHello Snyk.\u201d<\/p>\n\n\n\n<\/a>Scanning for Vulnerabilities in a Container Image<\/h3>\n\n\n\n
If you installed the Snyk extension for VScode, then the Snyk CLI is installed automatically. To confirm this, execute the command below to check the Snyk version.<\/p>\n\n\n\n
snyk --version<\/pre>\n\n\n\n
Authenticate with the Snyk CLI using the following command:<\/p>\n\n\n\n
snyk auth<\/pre>\n\n\n\n
This will open up a page on your default web browser where you must log in or sign up with GitHub, Google, BitBucket, Azure AD, or Docker ID. This article uses GitHub as the login option:<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Signing up to Snyk.io with GitHub<\/strong><\/p>\n\n\n\n
Once you have successfully signed up and logged in, you must allow Snyk to authenticate your machine. Go ahead and authenticate. Once this process is successful, you should have the following image:
<\/p>\n\n\n\nAuthenticating with Snyk successfully<\/strong><\/p>\n\n\n\n
However, you still need to retrieve your authentication token to integrate Snyk with GitHub actions. This makes it possible to authenticate your GitHub actions pipeline with your Snyk account. Snyk stores your authentication token in the following file
~\/.config\/configstore\/snyk.json;<\/code> run this command to view your authentication token:<\/p>\n\n\n\ncat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\n
This will output your authentication token in the following format:<\/p>\n\n\n\n
cat ~\/.config\/configstore\/snyk.json<\/pre>\n\n\n\n
{\n \"api\": \"fc37....\"\n}<\/pre>\n\n\n\nCopy it and add it to your GitHub repository as a secret. See the following guide on adding secrets in a GitHub repository for GitHub actions<\/a> if you don\u2019t know how to do so already.<\/p>\n\n\n\n
Alternatively, you can use this command to get your auth token:<\/p>\n\n\n\n
snyk config get api<\/pre>\n\n\n\n
Head to your working directory, create a
.github\/workflows\/ci.yml<\/code> file, and paste in the following code, replacing<dockerhub-username><\/code> with your username on DockerHub:<\/p>\n\n\n\nNote: Naming your custom images using this format
<dockerhub-username>\/<image-name><\/code> makes pushing to your DockerHub repository easy.<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nIn the workflow above, GitHub Actions will automatically build the Docker image and then run Snyk to scan for vulnerabilities in the base image specified in the Dockerfile using the
--file<\/code> argument.<\/p>\n\n\n\nIf there\u2019s any issue with the base image, Snyk will report the vulnerabilities with high severity levels and above and recommend alternative base images, since it has access to the Dockerfile in this workflow.<\/p>\n\n\n\n
Execute the Git commands below sequentially to trigger this workflow:<\/p>\n\n\n\n
Replace
<github-username><\/code> with your username on GitHub.<\/p>\n\n\n\ngit init\ngit commit -m \"first commit\"\ngit branch -M main\ngit remote add origin git@github.com:<github-username>\/nginx-snyk.git\ngit push -u origin main<\/pre>\n\n\n\n
Since the base image specified in the Dockerfile is outdated, you should see a ton of vulnerabilities with high and critical severity levels in your CI, specifically at the job “Run Snyk to check for vulnerabilities.” Because you have set the severity threshold to high and above, low and medium severity vulnerabilities will not be reported and thus, not trigger a failure in the CI process, though it’ll still be recorded.<\/p>\n\n\n\n
In this example, Snyk has identified 248 vulnerabilities, with 27 critical, 44 high, 52 medium, and 125 low.<\/p>\n\n\n\n
Base Image Vulnerabilities Severity nginx:1.17.0 248 27 critical, 44 high, 52 medium, 125 low<\/pre>\n\n\n\nYou should also see alternative base images that Snyk recommends, alongside the number of vulnerabilities detected and their levels.<\/p>\n\n\n\n
Recommendations for base image upgrade:\nMinor upgrades\nBase Image \t Vulnerabilities \t Severity\nnginx:1.26.2 \t\t91 \t\t 1 critical, 1 high, 1 medium, 88 low\nAlternative image types\nBase Image \t\tVulnerabilities Severity\nnginx:1.27.1-bookworm \t\t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.26.2-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:stable-bookworm-perl \t91 \t\t1 critical, 1 high, 1 medium, 88 low\nnginx:1.27.1-bookworm-otel \t94 \t\t1 critical, 1 high, 1 medium, 91 low<\/pre>\n\n\n\n
From the output above, Snyk recommends upgrading to nginx:1.26.2 or use the following alternatives -
nginx:1.27.1-bookworm, nginx:1.26.2-bookworm-perl, nginx:stable-bookworm-perl or nginx:1.27.1-bookworm-otel<\/code> .<\/p>\n\n\n\n<\/a>Proceeding regardless of vulnerabilities<\/h3>\n\n\n\n
By design, Snyk will terminate a CI workflow if it finds any vulnerability, regardless of its severity level (low, medium, high, or critical). However, there's something you should note: there's no guarantee that official and latest Docker images have no vulnerabilities. There is always a possibility that even the most secure images may contain some vulnerabilities.<\/p>\n\n\n\n
In this case, Snyk will not recommend any alternatives; however, it will still record the vulnerabilities it finds, inform you that you are using the most secure base image, and halt the CI process. Therefore, you have to explicitly tell Snyk to continue even if vulnerabilities are detected.<\/p>\n\n\n\n
Head back to your project and use the
nginx:1.27.1-bookworm<\/code> as the base image in your Dockerfile, and edit the CI to look like the following:<\/p>\n\n\n\nname: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}<\/pre>\n\n\n\nFrom the CI above, the
continue-on-error<\/code> setting in the step \u201cRun Snyk to check for vulnerabilities\u201d allows it to proceed even if it finds vulnerabilities.<\/p>\n\n\n\nCommit and push these changes to your GitHub repository to trigger the workflow. You should have the CI run to completion.
<\/p>\n\n\n\nViewing CI on GitHub<\/strong><\/p>\n\n\n\n
<\/a>Viewing Snyk scan results with GitHub Code Scanning<\/h3>\n\n\n\n
GitHub code scanning is a SaaS tool that is available on GitHub. While Snyk already outputs scan results in the CI workflow, it's not the most accessible format for tracking and review in terms of vulnerability presentation. With GitHub code scanning you can view Snyk scan results in the Security<\/strong> tab on your GitHub repository, where vulnerabilities are organized and displayed clearly and interactively.<\/p>\n\n\n\n
Before you proceed, you need to give GitHub Token for Actions read\/write<\/em> permissions at https:\/\/github.com\/<\/em><\/a><your-github-username>\/nginx-snyk-scaffolding\/settings\/actions.<\/em> You can read more about GitHub Token permission<\/a> in the official GitHub documentation.<\/p>\n\n\n\n
Once you have given GitHub Token for Actions read\/write<\/em> permissions, update your CI to have the following configuration settings:<\/p>\n\n\n\n
name: Snyk Container Scan\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Build Docker image\n run: docker build -t <dockerhub-username>\/custom-nginx .\n - name: Run Snyk to check for vulnerabilities\n continue-on-error: true\n uses: snyk\/actions\/docker@master\n with:\n image: <dockerhub-username>\/custom-nginx\n args: --file=Dockerfile --severity-threshold=high\n json: true\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Convert Snyk JSON to SARIF\n uses: garethr\/snyk-to-sarif@master\n with:\n input: snyk.json\n output: snyk.sarif\n - name: Upload scan results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk.sarif<\/pre>\n\n\n\nFrom the file above, after Snyk has checked for vulnerabilities, the scan results will be saved in a
snyk.json<\/code> file. Next, the \"Convert Snyk JSON to SARIF\" step will use thegarethr\/snyk-to-sarif@master<\/code> action to convert it into a format that GitHub code scanning can parse (snyk.sarif<\/code>). Once this process is complete, thesarif<\/code> file<\/em>snyk.sarif<\/code> will be uploaded to GitHub code scanning.<\/p>\n\n\n\nNote, a SARIF file is a Static Analysis Results Interchange Format. A standard that lets analysis tools exchange results in a standard format.<\/em><\/p>\n\n\n\n
Push your changes to trigger the workflow and head to the Security<\/strong> tab on your repository. You should see vulnerabilities with severity levels from high to critical.<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk scan results on GitHub code scanning<\/strong><\/p>\n\n\n\n
<\/a>Scanning Custom Code and Open Source Libraries<\/h3>\n\n\n\n
Running security checks automatically for both your code and the libraries used in your projects is always good practice before deploying them to production or building and deploying them to a container registry. Again, you can do this with Snyk code and Snyk open source.<\/p>\n\n\n\n
You\u2019ll use Snyk code and Snyk open source to check for Vulnerabilities for a Django project that uses Poetry as the package manager. Run the command below to clone this project to your machine:<\/p>\n\n\n\n
git clone git@github.com:mercybassey\/django-snyk-scaffolding.git<\/pre>\n\n\n\n
Run the following command to install all dependencies:<\/p>\n\n\n\n
poetry install<\/pre>\n\n\n\n
Create a .<\/em>
github\/workflows\/ci.yml<\/code> file and paste in the following code:<\/p>\n\n\n\nname: Django Project CI\/CD\non:\n push:\n branches:\n - main\njobs:\n snyk:\n runs-on: ubuntu-24.04\n steps:\n - name: Check out repository\n uses: actions\/checkout@v2\n - name: Set up Python\n uses: actions\/setup-python@v2\n with:\n python-version: '3.8'\n - name: Install Poetry\n run: |\n curl -sSL <https:\/\/install.python-poetry.org> | python3 -\n - name: Install dependencies\n run: |\n poetry install\n - name: Run Snyk Open Source Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: test\n args: --sarif-file-output=snyk-test.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Run Snyk Code Test\n continue-on-error: true\n uses: snyk\/actions\/python-3.8@master\n with:\n command: code test\n args: --sarif-file-output=snyk-code.sarif\n env:\n SNYK_TOKEN: ${{ secrets.SNYK_AUTH_TOKEN }}\n - name: Upload Snyk Open Source Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-test.sarif\n - name: Upload Snyk Code Test Results to GitHub Code Scanning\n uses: github\/codeql-action\/upload-sarif@v3\n with:\n sarif_file: snyk-code.sarif<\/pre>\n\n\n\nThis workflow will set up Python \u201c3.8\u201d and use the Snyk Python action
snyk\/actions\/python-3.8@master<\/code> to scan your code and open source dependencies using thesnyk code test<\/code> andsnyk test<\/code> commands, respectively.<\/p>\n\n\n\nCreate a new GitHub repository for this project, add the Snyk token as a secret, and give GitHub Token for Actions read\/write<\/em> permissions.<\/p>\n\n\n\n
Commit and push your changes and wait for the CI to run to completion. Since the CI is configured to continue amidst Snyk vulnerability checks, you should have the following image indicating that the CI job ran to completion.<\/p>\n\n\n\n
You'll see a few vulnerability issues when you head to the Security tab on GitHub. This is Snyk doing its work, and if you look at the labels for each vulnerability issue, you'll see the ones related to Snyk open source and Synk code:<\/p>\n\n\n\n
<\/figure>\n\n\n\n<\/p>\n\n\n\n
Viewing Snyk open source on GitHub code scanning<\/strong><\/p>\n\n\n\n
If you scroll down, you will see just one related to the Snyk code, which is titled \"HardCoded secret.\"<\/p>\n\n\n\n
Viewing Snyk code scan results on GitHub code scanning<\/strong><\/p>\n\n\n\nSnyk open-source vulnerabilities can be fixed by upgrading dependencies to less vulnerable ones, and for Snyk code vulnerabilities, you'll have to fix them yourself. To resolve Snyk open-source vulnerabilities, you have two options:<\/p>\n\n\n
\n- \n
- Use the snyk fix<\/a> command to allow Snyk to automatically upgrade to its recommended open source libraries, or add a step in the CI that executes the snyk fix command for you automatically. However, this option is only available for Snyk enterprise users.<\/li>\n\n\n\n
- Manually upgrade to Snyk's recommended open-source libraries on your machine.<\/li>\n<\/ul>\n<\/div>\n\n\n
To resolve the vulnerability related to the Snyk code, you have to remove the hard-coded secret.<\/p>\n\n\n\n
<\/a>Resolving open source libraries for Snyk open source<\/h3>\n\n\n\n
Activate the Poetry virtual shell and run a vulnerability check for Snyk open source with the following command:<\/p>\n\n\n\n
poetry shell\nsnyk test<\/pre>\n\n\n\n
As I write this article, Snyk asks me to upgrade to Django 4.2.16 and sqlparse 0.5.0. Depending on when you see this article, the recommended versions might be different.<\/p>\n\n\n\n
Issues to fix by upgrading dependencies:<\/strong><\/p>\n\n\n\n
\t Upgrade django@4.2.3 to django@4.2.16 to fix<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-5932095>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Denial of Service (DoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6041515>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t \u2717 Regular Expression Denial of Service (ReDoS) [Medium Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-DJANGO-6370660>] in django@4.2.3<\/code><\/p>\n\n\n\n\t introduced by django@4.2.3<\/code><\/p>\n\n\n\n\t ....<\/code><\/p>\n\n\n\n\t Upgrade sqlparse@0.4.4 to sqlparse@0.5.0 to fix<\/code><\/p>\n\n\n\n\u2717 Uncontrolled Recursion [High Severity][<https:\/\/security.snyk.io\/vuln\/SNYK-PYTHON-SQLPARSE-6615674>] in sqlparse@0.4.4<\/code><\/p>\n\n\n\nintroduced by sqlparse@0.4.4 and 1 other path(s)<\/code><\/p>\n\n\n\nRun the command below to install django 4.2.16 and sqlparse 0.5.0:<\/p>\n\n\n\n
poetry add django@4.2.16\npoetry add sqlparse@0.5.0<\/pre>\n\n\n\n
You should see the following output once this is successful:<\/p>\n\n\n\n
Updating dependencies<\/code><\/p>\n\n\n\nResolving dependencies... (0.4s)<\/code><\/p>\n\n\n\nPackage operations: 0 installs, 2 updates, 0 removals<\/code><\/p>\n\n\n\n- Updating sqlparse (0.4.4 -> 0.5.0)<\/code><\/p>\n\n\n\n- Updating django (4.2.3 -> 4.2.16)<\/code><\/p>\n\n\n\nWriting lock file<\/code><\/p>\n\n\n\nWhen you run the
snyk test<\/code> command again, you\u2019ll see the following, indicating all libraries are up-to-date and no vulnerabilities were found.<\/p>\n\n\n\n\u2714 Tested 7 dependencies for known issues, no vulnerable paths found<\/code><\/p>\n\n\n\n<\/a>Resolving Hard Coded Secrets for Snyk code<\/h3>\n\n\n\n
Right now in my example,
snyk code<\/code> found a vulnerability atdjango_project\/settings.py<\/code> where a secret is being hardcoded. To resolve this, you\u2019ll need to use environment variables.<\/p>\n\n\n\nFirst, in the root of the Django project, create a
.env<\/code> file and populate it. Do this by replacing<secret-key><\/code> with the actual key fromdjango_project\/settings.py<\/code>.<\/p>\n\n\n\nDJANGO_SECRET_KEY='<secret-key>'<\/pre>\n\n\n\n
Next, edit the
SECRET_KEY<\/code> variable indjango_project\/settings.py<\/code> to hold the valueos.getenv(\"DJANGO_SECRET_KEY\")<\/code>:<\/p>\n\n\n\nThis will load the value from the
environment<\/code> variable using os.getenv:<\/p>\n\n\n\nimport os\n\nSECRET_KEY = os.getenv(\"DJANGO_SECRET_KEY\")<\/pre>\n\n\n\n
Then, create a
.gitignore<\/code> file in the project\u2019s root and add the .env file to exclude it from version control:<\/p>\n\n\n\n# .gitignore\n.env<\/pre>\n\n\n\n
Now, run
snyk code test<\/code> again to recheck the code. You should see the following results:<\/p>\n\n\n\n\u2714 Awesome! No issues were found.<\/code><\/p>\n\n\n\nAnd there you go, no more code security issues, at least those that have been identified so far!<\/p>\n\n\n\n
<\/a>Conclusion<\/h2>\n\n\n\n
In this article, you have learned what security scanning is, why you should implement security scanning in a CI\/CD workflow, and how to use Snyk for vulnerability scanning in a GitHub actions workflow. You have used Snyk container to scan and identify vulnerabilities in an Nginx container image, used Snyk open source to scan open source libraries within a Django application, and used Snyk code to scan custom code. Snyk is a robust tool, you can integrate Snyk with Kubernetes, Jira, and Slack. See the official Snyk documentation<\/a> to find more information about Snyk.<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Security is important regardless of your industry, whether it’s finance, retail, e-commerce, or the broader world of IT. A little security oversight can have catastrophic impacts, leading to loss of money and unauthorized access to classified information. It takes a lot of work to develop solutions that users trust. Therefore, you need to take security……<\/p>\n","protected":false},"author":341730,"featured_media":104922,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[46],"tags":[4619,159234],"coauthors":[158989],"class_list":["post-104912","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-and-compliance","tag-security","tag-snyk"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/users\/341730"}],"replies":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/comments?post=104912"}],"version-history":[{"count":14,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions"}],"predecessor-version":[{"id":107319,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/posts\/104912\/revisions\/107319"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media\/104922"}],"wp:attachment":[{"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/media?parent=104912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/categories?post=104912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/tags?post=104912"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.red-gate.com\/simple-talk\/wp-json\/wp\/v2\/coauthors?post=104912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Manually upgrade to Snyk's recommended open-source libraries on your machine.<\/li>\n<\/ul>\n<\/div>\n\n\n
- Snyk visual studio code extension<\/a> installed.<\/li>\n\n\n\n
- Snyk container<\/strong>: Snyk container<\/a> is for Snyk’s container registry integrations. It features a complementary tool called Snyk CLI<\/a> that you can use to scan container images for vulnerabilities before you deploy them. It also features source code management (SCM), whereby Snyk automatically detects Dockerfiles stored in Git repositories like GitHub, GitLab, or Bitbucket, scans the base image for vulnerabilities using Snyk open source, and recommends a secure or less vulnerable version.<\/li>\n\n\n\n