Snyk IDE

Snyk offers plugins and extensions for popular IDEs, helping you find and fix issues directly in the development environment:

  • Eclipse
  • JetBrains IDEs
  • Visual Studio
  • VS Code

The latest versions give the best experience with the extensions.

How the plugins work

The plugin scans your project's code for security issues and bad practices. Each result shows clearly what is wrong, why it matters, and how to fix it, and the issue can be fixed right inside your IDE. Passing security checks this early avoids costly fixes later in the development process.

These extensions depend on the Snyk CLI running in the background to perform scans, and they pull their data from the Snyk Vulnerability Database.

Let us look at the VS Code extension.

The IDE extensions are part of a shift-left strategy: you scan for vulnerabilities right from the development/coding stage of the SDLC and avoid costly fixes later in the timeline.

The Snyk VS Code extension lets you scan your code, open-source dependencies, and Infrastructure as Code (IaC) directly from your editor, so that issues can be rectified before they surface elsewhere.

Characteristics

  • Inline issue detection – It flags security issues directly in your code, with a clear severity and type for each.
  • Comprehensive scanning – Open Source to find vulnerabilities and license issues in your dependencies, Code Security to spot issues in your custom code, and IaC Security to catch misconfigurations in Terraform, Kubernetes, etc.
  • Wide language & framework support – Snyk works with many package managers, programming languages, and frameworks, and keeps adding support for new ones.

How to get Started

It is available for installation from the VS Code Marketplace and works on Linux, Windows, and macOS (ARM64 and AMD64).

Once installed, it automatically brings in the Snyk CLI and Language Server for a smooth setup.

After installation, the extension offers customizations to match the user's workflow.

The key settings include:

  • Authentication & Organization – use the default OAuth2 flow or an API token.
  • Custom endpoint – set this if you are on a private or non-default Snyk instance.
  • Organization – choose which Snyk org to test against; this is equivalent to the --org= option in the CLI.

Scan Settings

  • Severity filters: show issues by severity – Low, Medium, High, and Critical.

Open Source: scanning of open-source dependencies, enabled by default.

Environment & CLI

  • Env variables: Ensure paths like JAVA_HOME and PATH are set correctly for your platform (Windows, macOS, Linux).
  • CLI/Language Server paths: customize these if needed.
  • Auto-download: CLI and Language Server update automatically unless disabled.
  • You can mark specific folders as “trusted” via settings.json.
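As an added example (not from the original post or Snyk's own documentation), a VS Code settings.json fragment that puts the settings described above in one place. The setting keys are the ones the Snyk extension exposes as I recall them and should be checked against the extension's Settings UI; the endpoint, org id, paths and folder are placeholders.

```jsonc
{
  // Setting names as recalled from the Snyk VS Code extension; verify them in the Settings UI.
  // Authentication (OAuth2 by default, or an API token) is chosen from the extension's Settings UI.

  // Custom endpoint: only needed on a private or non-default Snyk instance (placeholder URL).
  "snyk.advanced.customEndpoint": "https://api.snyk.example.invalid",

  // Organization to test against, equivalent to --org= on the CLI (placeholder id).
  "snyk.advanced.organization": "00000000-0000-0000-0000-000000000000",

  // Severity filters: hide Low so the Problems pane focuses on what must be fixed first.
  "snyk.severity": { "critical": true, "high": true, "medium": true, "low": false },

  // Scan types: Open Source is on by default; Code and IaC are enabled here explicitly.
  "snyk.features.openSourceSecurity": true,
  "snyk.features.codeSecurity": true,
  "snyk.features.infrastructureAsCode": true,

  // Auto-download of the CLI / Language Server; set to false to pin a reviewed binary instead.
  "snyk.advanced.automaticDependencyManagement": false,

  // Custom CLI path, used because auto-download is disabled above (placeholder path).
  "snyk.advanced.cliPath": "/opt/snyk/snyk",

  // Folders the extension is allowed to scan; any other folder is prompted for trust first (placeholder).
  "snyk.trustedFolders": ["/home/dev/projects/my-service"]
}
```

Placed in a workspace .vscode/settings.json these values override the user-level settings, which is a convenient way to keep a whole team on the same severity filter and trusted-folder configuration.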

.dcignore file

This is similar to a .gitignore file and is used to exclude certain files and directories, such as node_modules, from the scan. It can be created in any directory within the project.

Analyzing code with the VS Code extension

Code can be analyzed automatically (the default) or manually. Once a project is opened, the Snyk Code and IaC scans are triggered automatically. Clicking the play icon in the extension triggers a manual scan.

Contact our DevSecOps specialists today to discuss how we can help you implement Snyk in your organization.

We’re a Snyk Partner. For licensing, demos, or implementation, reach out to devops@ecanarys.com
