Leverage your codebase with Snyk
Secure your code in an effective way
This article is part of a series of articles that talk about different stages of a development workflow.
Introduction
In the last couple of years I have had the feeling that cyber security was not a prominent part of my skillset. I believe it is important for a software engineer to keep at least the very basics in mind in order to “survive” out there. Performance, readability, scalability and portability are not the only things to consider when developing solutions: securing your codebase, and your workflows as well, also plays an important role when creating software. I came across Snyk in the last few months and got very excited about it! In this article I will share my experience with Snyk and how friendly it was to use.
Snyk in practice
Just to say that I am more of a cat person. However, I think it is nice to share how fond the logo (and the company) is of dogs [1]. One of the first things I noticed when I started using this tool is that you can easily check whether a dependency you are using has known vulnerabilities [2] in Snyk's public vulnerability database, without a subscription plan or even an account. For instance, you can look up a very famous library such as lodash and see every reported issue per version range.
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritise, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. — Snyk platform
For the project I was working on, we introduced this tool to the team for several reasons: to quickly assess libraries (as explained above), but also to add it to our CI/CD pipeline so that every push is scanned rather than relying on someone remembering to run it.
Without further ado, let’s jump into the code. Actually, there is hardly any code to show: the tool is so simple to use that a couple of workflow steps are enough. Below is the relevant part of a GitHub Actions workflow.
name: very_safe_application
on: [push]
jobs:
  ...other-jobs
  security:
    ...other-props
    steps:
      ...other-steps
      # Dependency scan (`snyk test`): fails the job if known vulnerable packages are found.
      # Note: @master is a mutable ref; pinning the action to a release tag or commit SHA
      # is safer against upstream changes to the action itself.
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        env:
          # SNYK_TOKEN_HERE is a placeholder for the repository secret holding your Snyk API token.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN_HERE }}
      # Snyk Code step: static analysis of your own source, as opposed to the dependency scan above.
      - name: Run Snyk to analyse your code
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{…
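The dependency-scan step above fails the job on any finding, which is a good default but quickly becomes noisy on a real project: the same issue is reported once per dependency path, and a critical finding with no upgrade available blocks the build even though there is nothing to do yet. The following script is an added example, not the article's or Snyk's own code. It reads the report written by `snyk test --json`, collapses duplicate paths into unique issues, and applies a policy before deciding the exit code. The report fields it relies on (`vulnerabilities`, `id`, `severity`, `packageName`, `version`, `isUpgradable`, `isPatchable`, `from`) follow the Snyk CLI JSON output; the sample report, package names and `SNYK-JS-EXAMPLE-*` ids are constructed placeholders, and the `threshold` and `fail_on` knobs are the script's own, only loosely modelled on the CLI's `--severity-threshold` and `--fail-on` flags.

```python
"""Gate a CI job on the JSON report produced by `snyk test --json`.

Added example, not the article's or Snyk's code. Field names follow the
Snyk CLI JSON output; the sample report below is constructed and uses
placeholder package names and vulnerability ids.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample report. The first issue appears twice because it is
# reachable through two dependency paths, which is how the CLI reports it.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "packageManager": "npm",
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "sample-lib", "version": "1.0.0",
         "isUpgradable": True, "isPatchable": False,
         "from": ["very_safe_application@1.0.0", "sample-lib@1.0.0"]},
        {"id": "SNYK-JS-EXAMPLE-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "sample-lib", "version": "1.0.0",
         "isUpgradable": True, "isPatchable": False,
         "from": ["very_safe_application@1.0.0", "other-dep@2.1.0", "sample-lib@1.0.0"]},
        {"id": "SNYK-JS-EXAMPLE-0002", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "sample-parser", "version": "3.2.0",
         "isUpgradable": False, "isPatchable": False,
         "from": ["very_safe_application@1.0.0", "sample-parser@3.2.0"]},
        {"id": "SNYK-JS-EXAMPLE-0003", "title": "Arbitrary Code Execution",
         "severity": "critical", "packageName": "sample-templating", "version": "0.9.1",
         "isUpgradable": False, "isPatchable": False,
         "from": ["very_safe_application@1.0.0", "sample-templating@0.9.1"]},
    ],
})


def unique_issues(report):
    """Collapse per-path entries into one record per vulnerability id, keeping every path."""
    by_id = {}
    for v in report.get("vulnerabilities", []):
        rec = by_id.setdefault(v["id"], {**v, "paths": []})
        rec["paths"].append(" > ".join(v.get("from", [])))
    return by_id


def blocking_issues(report, threshold="high", fail_on="any"):
    """Return the unique issues that should fail the build, most severe first.

    threshold: lowest severity that blocks ("low", "medium", "high", "critical").
    fail_on:   "any"     blocks every issue at or above the threshold;
               "fixable" blocks only issues with an upgrade or a Snyk patch,
                         so unfixable findings are reported but do not break CI.
    (Policy names are this script's own, not the CLI's flag values.)
    """
    min_rank = SEVERITY_RANK[threshold]
    blocking = []
    for issue in unique_issues(report).values():
        if SEVERITY_RANK.get(issue.get("severity"), -1) < min_rank:
            continue
        fixable = issue.get("isUpgradable") or issue.get("isPatchable")
        if fail_on == "fixable" and not fixable:
            continue
        blocking.append(issue)
    return sorted(blocking, key=lambda i: -SEVERITY_RANK[i["severity"]])


def blocking_ids(report_text, threshold="high", fail_on="any"):
    """Convenience wrapper: ids of blocking issues for a raw JSON report string."""
    return [i["id"] for i in blocking_issues(json.loads(report_text), threshold, fail_on)]


def gate(report_text, threshold="high", fail_on="any"):
    """Return (exit_code, summary_lines) for a raw `snyk test --json` report string."""
    report = json.loads(report_text)
    blocking = blocking_issues(report, threshold, fail_on)
    lines = [f"{len(unique_issues(report))} unique issue(s), {len(blocking)} blocking "
             f"(threshold={threshold}, fail_on={fail_on})"]
    for i in blocking:
        fix = "upgrade available" if i.get("isUpgradable") else "no upgrade yet"
        lines.append(f"  [{i['severity']}] {i['id']} {i['packageName']}@{i['version']} ({fix})")
    return (1 if blocking else 0), lines


if __name__ == "__main__":
    # CI usage:  snyk test --json > snyk.json; python snyk_gate.py snyk.json
    # Without an argument the constructed sample report is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    code, summary = gate(data, threshold="high", fail_on="any")
    print("\n".join(summary))
    sys.exit(code)
```

In the workflow this would replace the bare action step with `snyk test --json > snyk.json || true` followed by the gate, so the policy, not the scanner's default, decides whether the job fails. Collapsing by id matters for the summary as much as the verdict: the sample has four entries but three issues, and a team tracking "open findings" should count the latter.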