You can build security into your CI/CD pipeline without slowing down development, and in fact, you can often speed it up.
Let’s see Snyk in action. Imagine a developer pushing code to GitHub.
name: CI
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.9
uses: actions/setup-python@v2
with:
python-version: 3.9
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Run Snyk
uses: snyk/actions/python@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
command: monitor
This GitHub Actions workflow does a few things: checks out the code, sets up Python, installs dependencies, and then crucially, runs Snyk. The snyk/actions/python@master action is Snyk’s way of integrating into your CI/CD. When it runs command: monitor, Snyk analyzes your project for vulnerabilities in its dependencies and infrastructure-as-code configurations.
The "shift left" idea means moving security checks as early as possible in the development lifecycle. Instead of a separate security team finding vulnerabilities after code is written and deployed, Snyk finds them while developers are writing it, or at the latest, during the build process. This is profoundly different from traditional security models where security was an afterthought, often discovered late in the SDLC or even in production.
Here’s how it works internally: Snyk has a massive, continuously updated database of vulnerabilities (CVEs) and misconfigurations. When you run a Snyk scan, it compares the libraries, packages, and IaC files in your project against this database. For dependencies, it looks at the exact versions you’re using. For IaC, it parses your Terraform, CloudFormation, or Kubernetes manifests.
The levers you control are primarily configuration and policy. In the GitHub Actions example, SNYK_TOKEN is your authentication. The command: monitor tells Snyk to not just find vulnerabilities but also to push this data to the Snyk platform for continuous monitoring and reporting. You can also specify command: test for a quick pass/fail in CI, or command: iac test for infrastructure-as-code scans. Beyond that, you configure Snyk through its web UI: setting up integrations with your Git repositories, defining security policies (e.g., "fail the build if a critical vulnerability is found"), and managing users and teams.
Most people understand that Snyk finds vulnerabilities in dependencies. What they often miss is Snyk’s deep understanding of the exploitability of those vulnerabilities. It doesn’t just report every CVE; it prioritizes based on factors like whether the vulnerable code path is actually reachable in your application, or if there’s a known exploit available. This means you get a much more actionable list of findings, allowing your team to focus on what truly matters rather than getting lost in a sea of low-priority alerts.
The next thing you’ll want to explore is how to automatically remediate these findings.