About this video
What You'll Learn
- Import a GitHub repository into Snyk and trigger automated fix pull requests.
- Inspect application code with Snyk Code data flow analysis in VS Code.
- Scan container images and Kubernetes YAML with the Snyk CLI.
Matt Jarvis walks through Snyk hands-on, from importing a GitHub repo into the web UI and fixing dependency vulnerabilities via automated PRs, through Snyk Code data-flow analysis and VS Code, to container image scans, the CLI, and Kubernetes YAML IaC scanning.
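The CLI part of the session (JSON output and filtering at 1:18:46, the priority-score discussion around 19:42, and the point at 33:02 about only caring about issues exploitable over the network) can be turned into a small triage step that runs in a pipeline. The following is an added example written for this page, not code from the video, from Rawkode or from Snyk: it takes the JSON that `snyk test --json` writes to stdout, keeps only issues at or above a severity threshold whose CVSS v3 attack vector is Network, collapses the one-entry-per-dependency-path listing into one entry per issue, and orders the result fixable first, then by exploit maturity, then by CVSS score. The field names it reads (`vulnerabilities`, `severity`, `CVSSv3`, `cvssScore`, `exploit`, `isUpgradable`, `isPatchable`, `fixedIn`, `from`) are assumed from the Snyk CLI JSON schema and should be checked against a real run; the embedded report is constructed, with made-up ids and package names.

```python
import json

# Constructed sample in the shape of `snyk test --json` output. Ids, package
# names and scores are made up; the field names are assumed from the Snyk CLI
# JSON schema and should be checked against a real run. Note the two entries
# for SNYK-EX-A: the CLI lists the same issue once per dependency path.
SAMPLE_SNYK_JSON = r"""
{
  "ok": false,
  "packageManager": "npm",
  "vulnerabilities": [
    {"id": "SNYK-EX-A", "title": "Prototype Pollution", "severity": "high", "packageName": "pkg-b", "version": "0.9.0",
     "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvssScore": 9.8, "exploit": "Proof of Concept",
     "isUpgradable": true, "isPatchable": false, "fixedIn": ["1.0.0"], "from": ["demo-app@1.0.0", "pkg-a@1.2.3", "pkg-b@0.9.0"]},
    {"id": "SNYK-EX-A", "title": "Prototype Pollution", "severity": "high", "packageName": "pkg-b", "version": "0.9.0",
     "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "cvssScore": 9.8, "exploit": "Proof of Concept",
     "isUpgradable": true, "isPatchable": false, "fixedIn": ["1.0.0"], "from": ["demo-app@1.0.0", "pkg-c@2.0.0", "pkg-b@0.9.0"]},
    {"id": "SNYK-EX-B", "title": "Symlink Attack", "severity": "high", "packageName": "pkg-d", "version": "3.1.0",
     "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "cvssScore": 7.8, "exploit": "Not Defined",
     "isUpgradable": true, "isPatchable": false, "fixedIn": ["3.2.0"], "from": ["demo-app@1.0.0", "pkg-d@3.1.0"]},
    {"id": "SNYK-EX-C", "title": "Information Exposure", "severity": "medium", "packageName": "pkg-e", "version": "1.0.0",
     "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "cvssScore": 5.3, "exploit": "Not Defined",
     "isUpgradable": true, "isPatchable": false, "fixedIn": ["1.0.1"], "from": ["demo-app@1.0.0", "pkg-e@1.0.0"]},
    {"id": "SNYK-EX-D", "title": "Regular Expression Denial of Service", "severity": "high", "packageName": "pkg-f", "version": "4.4.0",
     "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "cvssScore": 7.5, "exploit": "Not Defined",
     "isUpgradable": false, "isPatchable": false, "fixedIn": [], "from": ["demo-app@1.0.0", "pkg-a@1.2.3", "pkg-f@4.4.0"]},
    {"id": "SNYK-EX-E", "title": "Arbitrary Code Execution", "severity": "critical", "packageName": "pkg-g", "version": "0.1.0",
     "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "cvssScore": 9.1, "exploit": "Mature",
     "isUpgradable": false, "isPatchable": false, "fixedIn": [], "from": ["demo-app@1.0.0", "pkg-g@0.1.0"]}
  ]
}
"""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def load_report(text=SAMPLE_SNYK_JSON):
    """Parse CLI JSON output (defaults to the constructed sample above)."""
    return json.loads(text)


def parse_cvss_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.split("/")[1:]:  # drop the leading 'CVSS:3.x' tag
        name, _, value = part.partition(":")
        if name:
            metrics[name] = value
    return metrics


def triage(report, min_severity="high", network_only=True):
    """Collapse per-path entries into one per issue, apply the severity and
    attack-vector policy, and order fixable first, then exploit, then score."""
    threshold = SEVERITY_RANK[min_severity]
    issues = {}
    for v in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(v.get("severity", "low"), 0) < threshold:
            continue
        if network_only and parse_cvss_vector(v.get("CVSSv3", "")).get("AV") != "N":
            continue
        issue = issues.setdefault(v["id"], {
            "id": v["id"],
            "package": f"{v.get('packageName')}@{v.get('version')}",
            "severity": v["severity"],
            "cvss_score": float(v.get("cvssScore") or 0.0),
            "fixable": bool(v.get("isUpgradable") or v.get("isPatchable")),
            "fixed_in": list(v.get("fixedIn") or []),
            "exploit": v.get("exploit", "Not Defined"),
            "paths": [],
        })
        # from[0] is the project itself; the rest is the path to the package
        issue["paths"].append(" > ".join(v.get("from", [])[1:]))

    def rank(issue):
        has_exploit = issue["exploit"] not in ("Not Defined", "Unproven")
        return (not issue["fixable"], not has_exploit, -issue["cvss_score"])

    return sorted(issues.values(), key=rank)


def render(issues):
    """One line per issue, most actionable first."""
    lines = []
    for i in issues:
        fix = ("upgrade to " + ", ".join(i["fixed_in"])) if i["fixable"] and i["fixed_in"] else "no fix available"
        lines.append(f"{i['severity']:<8} {i['cvss_score']:>4} {i['id']:<12} {i['package']:<14} "
                     f"{fix}; exploit: {i['exploit']}; via {len(i['paths'])} path(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNYK_JSON
    print(render(triage(load_report(raw))))
```

Run it as `snyk test --json | python snyk_triage.py` (the CLI exits non-zero when it finds issues, so pipe into it rather than chaining with `&&`); with nothing on stdin it triages the constructed sample. Anything the policy drops is deprioritised, not gone: the `.snyk` policy file discussed at 1:15:05 is the place to record a justified ignore with a reason and an expiry, rather than filtering it out silently in a script.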
Jump to a chapter
- 0:00 Holding Screen
- 1:20 Introductions
- 1:22 Introduction and Housekeeping
- 2:07 Guest Introduction (Matt Jarvis)
- 3:16 What is Snyk? High-Level Overview
- 4:40 What is Snyk?
- 8:09 Software Development and Security Challenges
- 13:01 Getting Started with Snyk UI
- 13:40 Adding a Repository to Snyk Web UI
- 13:55 Importing a Project from GitHub
- 16:00 Dependency Security Alerts
- 16:39 Exploring Dependency Vulnerabilities
- 22:07 Fixing Dependency Vulnerabilities via Automated PR
- 26:40 Exploring Dockerfile Vulnerabilities
- 30:13 Discussion: Choosing Docker Base Images
- 34:00 Code Analysis
- 34:03 Introducing Snyk Code (Application Code Analysis)
- 35:11 Snyk Code: Analyzing Code Flow (Data Flow)
- 37:47 Snyk IDE Integration (VS Code Demo)
- 41:21 Exploring Snyk Integrations
- 41:30 Container Image Scanning
- 42:00 Connecting and Scanning Docker Hub Images
- 46:57 Exploring Docker Image Scan Results (Layers)
- 50:04 Discussion: Ongoing Monitoring of Docker Images
- 51:40 Snyk Free Tier Features
- 55:51 Getting Started with Snyk CLI
- 59:00 Snyk CLI
- 1:07:00 Kubernetes YAML Scanning
- 1:07:43 Scanning Infrastructure as Code (Kubernetes YAML)
- 1:13:51 Snyk CLI Test Output and Wizard
- 1:15:05 Discussion on Snyk Policy Files (Ignoring Issues)
- 1:18:46 Snyk CLI JSON Output and Filtering
- 1:24:20 Introducing Snyk Advisor (Open Source Package Health)
- 1:25:00 Exploring Snyk Advisor
- 1:28:00 Docker Image Advisor & Docker CLI Scan
- 1:29:09 Conclusion and Recap
Full transcript
Generated from the English captions.
1:22 Introduction and Housekeeping
1:22 Hello and welcome to today's episode of Rawkode Live. I'm your host Rawkode. Today, we are taking a look at Snyk, a set of tools to help you develop fast and stay secure. Before we begin, there's just a little bit of housekeeping. If you're not already subscribed to the YouTube, I would encourage you to do so now. Click the subscribe button, tick that bell, and you will get notifications for all the new episodes of Rawkode Live at the Rawkode Academy. We will do our best to provide the best cloud native resources across the vast cloud native landscape. It's scary to not walk the
1:53 path alone. Also, if you wanna be able to chat afterwards or even just now, jump into the Discord at Rawkode.chat. We've got over 400 members there talking all things cloud native, security, Kubernetes, and even rock music. Very cool. Alright. Now to catch us on our Snyk joining us today, I am joined by Matt Jarvis. Hey. How are you? Hey, David. I'm good. I'm hot here. I don't know what it's like in Scotland at the minute; in the Lake District it's boiling. You know what? It has been rather hot the last few days, which I know a
2:07 Guest Introduction (Matt Jarvis)
2:25 lot of people say is a good problem to have, but when you don't have AC, it gets pretty toasty in the house. Right? Yeah. We're not quite out to Portland kind of temperatures at the minute. True. Yeah. You know what it's like though in the North, like if it gets above about 12 degrees, it's like, well, this is shorts weather. Oh, yeah. Yeah. Yeah. I'm unlucky or lucky to have a window right here and anything above 12 degrees and it's called taps aff in Scotland, where all of our local youths like to rip off their tops and walk around Shirtland, which
2:54 is quality. Wonderful. Yeah. But yeah, definitely been enjoying the weather. It's been a nice change for Scotland. Alright. Well, thanks for joining me today. I'm excited. Do you wanna, for anyone that's not familiar with you, give us the TLDR on you and tell us a little bit about you? Sure. So yeah. I'm a senior developer advocate at Snyk. So I'm sure a lot of folks will be familiar with what developer advocates do, but we spend most of our time going around and talking to people about technology. Right? And waving our hands a lot. And
3:16 What is Snyk? High-Level Overview
3:34 so I've kind of been around the cloud native space for a pretty long time, I guess, kind of five, six years. And before that, I was in OpenStack, you know, around the OpenStack community. So been doing a lot of stuff with a lot of clouds for a lot of time. So yeah. Awesome. Well, you've already said it now, it's Snyk. The pronunciation is something that always threw me at the start and I think that was actually maybe watching one of your talks where it finally clicked. I was like, oh, that makes so much sense. Why have I been saying Snyk
4:04 all this time? So Well, it doesn't help that there are various people inside Snyk who pronounce it differently as well, but the official pronunciation is Snyk. Yeah. And for a security company, when that penny drops, you're like, that's a really name. I'm like, I get it now. So I like it. Yeah. It's actually an acronym for "so now you know". Really? It's kinda where it came from. Yeah. Okay. That I did not know. So there's the first knowledge bomb already. What are we? One and a half minutes to imagine. Do you wanna
4:36 if our audience, let's assume they're not familiar with Snyk and the set of tools that they offer. Do you wanna give us the high level overview and then we'll jump into the hands on component of our show? Yeah. Of course. So Snyk are a security company, but, you know, kind of a new kind of security company. You know, we're really focused on developer first security and on building a kind of cloud native platform for security in the modern world. And so we have a set of tools that kind of all work together that do everything from
4:40 What is Snyk?
5:18 software composition analysis. So where you look at software where you're using open source modules, open source packages, and look for vulnerabilities in those packages, through to container image scanning, through to infrastructure as code, so things like Terraform and Kubernetes YAML. And then we also have just released a product called Snyk Code, which does static application security testing. So looking at homegrown code that you've written and looking for vulnerable pathways in that code. But all of these tools are really aimed at developers using them. And I think that's one of the fundamental things that has changed
6:11 in terms of security, you know, over the last few years is, you know, we've got these two kind of things going on. The first is that, you know, the velocity that we're deploying software at has dramatically increased. Right? I mean, when I started out, you know, the aim in most kind of IT environments was to deploy things as little as possible. Right? Just don't change anything. And now we're really all about speed and deploying things super fast. So Yeah. You know, you can no longer have this
6:47 kind of thing where you stick security at the end and say, you know, here's this final step that we're gonna do before we deploy something to production because, ideally, you wanna be deploying to production all the time. And then I suppose the second big thing that's driving these changes in security is the fact that developers are responsible for much more of the stack than they used to be. You know, if we look at I mean, you know, you may as well consider the container and your application the same thing. Right? Because when do you ever deploy
7:15 the application outside of the container? You know, never. And quite often, it's the same team building the container image that might even be creating the Kubernetes YAML to deploy it into Kubernetes. And, you know, all that stuff used to be some other team's, you know, kind of responsibility. And so, you know, when we consider those two things together, you kinda need to have a look at security in a different way because, you know, developers are really the people who need to be aware of the implications of the stuff that they're doing in all of
7:50 those spaces. So that's the kind of 10,000 foot view, I guess. And I think we'll probably get to discuss this a bit more as we kind of explore how Snyk works and, you know, you'll see what the focus is when you look at it. Yeah. Definitely. I think there's some really great points in there. And it kinda made me pause for thought for a minute. I was thinking back about my career and all that code that I've shipped to production. And if you'd asked me if it was secure, the answer would be I
8:09 Software Development and Security Challenges
8:20 don't know. I don't think I've ever really considered that with the code that I write. I mean, if I had I mean, if I think back ten years, and I'm gonna try and correlate this to what you said about the way that things have changed lately, is that ten years ago if I was shipping something to production, I would write it in a single language, you know, would have been PHP or Perl or whatever. There's no single framework. It'd be a monolithic application. I would deploy it once every three months probably. And if I was working for a company
8:46 that was particularly risk averse, we'd maybe get an audit every other year or something like that. And that was And they do a scan of the yeah. Yeah. Exactly. I mean, it was the same for me. But I mean, you know, presumably it was somebody else creating the virtual machine image that you deployed it onto. Right? And somebody else was organizing the network connectivity for it and probably somebody else created the storage LUN that it, like, sat on. Yeah. Yeah. Definitely a lot of segmentation on the different parts of the life cycle and the deployment and
9:19 all of that. Now I'm looking at how we do software today and microservice environments, polyglot languages or, you know, multiple languages across microservice architectures, deploying daily or even more than daily. And then just thinking about the security concerns that we have and how those are essentially multiplied or exponential, maybe even at the worst case, and that kind of environment is scary. So Yeah. And I mean, I think if you look at the real world of kind of when people get owned, right, it's almost always in this era a
9:53 combination of application level vulnerability. But what really causes this, the massive blast radius, is you've misconfigured the environment. And that might be, you know, Kubernetes. That might be, you know, how you've done Terraform into AWS, you know, and once. So, you know, it's interesting to see how, you know, an attacker isn't really likely to get much from owning one container, but once you get to, like you know, you get in there, you can expand the blast radius because somebody hasn't misconfigured something, they've exposed some secrets somewhere, you know, then you're into a whole different game.
10:30 Yeah. Definitely. Yeah. I can see that especially, you know, as our applications are distributed now, they all have their own APIs misconfigured any of those, getting authentication wrong in any of those, and you're just leaving doors open for nefarious people to jump in sneak in and then start moving laterally. So yeah. And now we never wanna write software again unless there's a tool chain Yeah. It's all about notebook now. Don't write anything. Yeah. Unless we've got tools out there to help us remove some of these common pain points and make ourselves worse. I think that's
11:01 why I'm really excited for today's lesson. Because I don't wanna stop writing code. I just want a better confidence that my code is potentially secure. I mean, in fact, I even think in the last twelve months, like every major hack I think I've read about has been supply chain. And I think that's a growing concern for everyone now, especially as open source is a major component of everything that we're doing, and being able to make sure that not only our code that we write is secure, but the code of the upstream dependencies that we have as well.
11:30 I mean, I think if you look at most applications these days, it's extremely rare to not see this pattern, which is like a tiny amount of, like, code that you've actually written in the context of the entire application. And then, you know, I mean, god, you know, hundreds of thousands of lines of code that you've just pulled in from npm or from PyPI or from wherever. I mean, that's how we write applications now. Right? I mean, it's great because we're not reinventing the wheel. I mean, you know, who would go out and write their own
12:03 HTTP library or something like that? You know, you just wouldn't now, would you? You just, you know, include whatever. Yeah. But, you know, there is the it's, you know, it can be a place where you introduce vulnerability. So I think being aware of that and having the mechanisms to scan that stuff. I mean, you know, I came from the Python world where it's a bit simpler, I think. I think if you look at a lot of ecosystems now, especially things like JavaScript, there's like a million different packages to do
12:38 all sorts of stuff. And then you've got the typosquatting stuff, right, where people will push a package with a tiny typo in it to catch people from the repository. So it's a bit of a minefield just in that sense. Yeah. Definitely. Well, it's rare on this show but I'm sold. I'm convinced. I now wanna see all the goodies. So why don't I get my screen share up here? There we go. We are floating heads. We have the Snyk website and we're gonna try and do a few things today. We're gonna take a JavaScript project.
13:01 Getting Started with Snyk UI
13:15 We are gonna add it to the Snyk UI. We're gonna do a little bit of exploration there first and then we're gonna get hands on with some of the developer tools as well. So let's see. I need to log in. Oh, the beach ball, that's always a good sign. Okay. I hope I used GitHub. Did you ever get that? When you go to a website and you're like, I can't remember what I used. All the time. Okay. So this is the Snyk UI. I logged in with GitHub. I've got my organization here. We're gonna add a
13:40 Adding a Repository to Snyk Web UI
13:53 project. Now, I'm not gonna say I've cheated, but I've just farted on another project. I think it would be cool to analyze and see all the things that are coming on here. So oh, I guess I could have used all our economic stuff. I'll just hide that. I thought n8n. Are you familiar with the project at all? I don't think I am actually. It's a workflow automation tool written in JavaScript and TypeScript that has a really nice kinda UI for doing your workflows. I'm just gonna tick this here and hit go.
13:55 Importing a Project from GitHub
14:29 And I'll give that a few seconds and I'll just jump over to here and show you this. Really cool tool. I keep like I try to automate as much of this show as possible and this gives you like this nice drag and drop node collection thing where you just say like, oh Oh, that looks shiny. I mean, GitHub fires an event going to this thing. So I figured let's play with that. In order Check out. Because Docker image scans, Docker image building is particularly slow, upfront I did do a build of the container image and push it just so that
15:01 we don't need to do that on my machine and watch the build. That's just not fun. So I figured I'd save us that. Okay. So I guess, you know, looking at this view, one of the key things, you know, like I was saying about this focus on these are tools for developers to use, you know, to make it as easy as possible for you to import stuff into Snyk and have it scanned. So it's all really about frictionless. And if you look at the amount of
15:33 integrations there are, you know, you can, like, plug Snyk into, like, a ton of different source code management systems, ton of different CI tools, and all sorts of container registries. And, you know, it's as simple as you just showed there. You just click the button and, you know, it's there. It's been scanned already. Right? Yeah. It is imported already. I can see it here. Wow. It's done quite a lot. So it's done a code analysis. It has scanned all of the Dockerfiles from all the different so Debian one, Red
16:00 Dependency Security Alerts
16:12 Hat one, I guess the scratch or custom one, and it's found a package.json. So at least I didn't know this before today, but n8n appears to be some sort of mono repository with a whole bunch of packages and it has scanned all of their package.json files. That's pretty nice right off the bat. I like that. What I don't like is the big scary numbers I've now seen. Let me see. Can you see that? Oh, I should probably zoom in a little bit, right. There you go. Is this H, I guess, high severity?
16:39 Exploring Dependency Vulnerabilities
16:43 Like a hundred H is high severity. So if you I mean, perhaps if you click on one of those package.jsons, we can kinda see what's going on there. Yeah. One that's actually got some vulnerabilities in it. So the first thing to note here is this dependencies tab. Right? So if you click on the dependencies tab, what you're gonna see there is that Snyk's not just analyzed, like, what packages you included, but it's built the entire dependency tree and analyzed all of them. And so you may have things that are I mean, actually,
17:25 it looks like at the top level, there aren't any vulnerabilities in those top level ones. So presumably, the vulns there are all in the tree. Yeah. Okay. So and this is where lots of vulnerabilities can hide, right, is in these indirect dependencies that you didn't actually know you're including. Right? And, I mean, I'm sure you're familiar particularly with Node, where sometimes you can just get a ridiculous amount of packages all of a sudden get included there. But it's built the whole tree and looked at the
17:55 vulnerability database for every package, every version of every package that's been included there. So I'm curious. Right? Like, it says we've got high, medium, and low severity. Like, is there a one liner description for what that actually means to me as a developer? Like, can I ignore? Or would you go back to if you go back to issues, right, and we can talk through a bit about what that means. So security vulnerabilities typically are there is an industry standard for how
18:30 things are scored. Right? The CVSS score. And the CVSS score is made up of a bunch of sort of different elements that altogether add up to an overall score that says how severe that thing is. And, you know, those if I think if you click on that CVSS, you know, in that vulnerability we're looking at there, the CVSS thing, which is that one there, will actually take you to the, yeah, to the c v so you can see all these different things like the attack vectors, the complexity required for the attack, what privileges you need. You
19:02 know, this is the kind of stuff that security folks are into. Right? And so for maybe people who aren't so familiar with how these things get rated, CVSS is the kind of the basis for it. But what we do at Snyk is kind of enrich that as well. So, you know, from a developer perspective yeah. That's very true, Russell. Love that shows is has a history of but if we go back to Snyk, David, and you can see that we also have this priority score.
19:42 The see that low that one we were just looking at there, it's got that score of 497. And that's based on not just the CVSS score, but it's based on how mature are the exploits available for it. So is there code out there that's real that somebody could use against it? But most importantly, and this is the kind of critical thing for this idea of developer first security, is there a fix? Right? Because when you look at these lists of vulnerabilities, and we'll see when we come to container
20:14 images, that sometimes you can just get these hundreds of vulnerabilities. And it's like, I'm a developer. What do I do about this? None of these things mean anything to me. Right? So am I gonna, like, go through all these things and see whether they are applicable in my environment? Blah blah blah. But, you know, so you have to prioritize, and you have to just make a strategic decision to say which ones you're gonna fix. And so stuff that has a fix and it's severe and it's got an exploit, that's clearly a no brainer. Right? Just fix it.
20:43 Because if it just means upgrading that package, then, obviously, you don't really need to dig into what the actual vulnerability is. Just fix it. Because, you know, at some point, you're gonna have to make these trade offs between how much effort is it to understand all these things versus, you know, the effort to fix it. And so this prioritization is really important for us in terms of how actionable things are from a developer perspective. Right? Because me as the developer, I just wanna fix things and move on. Right? Because this security stuff is
21:21 just, you know, taking up resource in my team, which could be better spent developing new features, shipping new software. Exactly. I've got bugs to introduce to my software. I don't have time to be fixing those issues. You've got new vulnerabilities to introduce. So that's it. So yeah. So that's kind of I think the question was I slightly went off around the piece there, but the question was about sort of scoring of these things. So it's a combination of the CVSS score, and in the Snyk world, we kind of enrich that
21:55 by saying, you know, if there's a fix available, we're gonna highlight that because it's the kind of thing that you ought to be dealing with first. Yeah. So I've been kind of peeking at the UI as well as you've been explaining that to me. There's just a lot of information here as well to really understand each of these, which I think is great. The fact that it tells me how it was introduced, I think is really nice. This one even tells me where it's fixed. And then I like these toggles over here
22:07 Fixing Dependency Vulnerabilities via Automated PR
22:25 as well. Not fixable, which is probably not the best way for me to like I guess with those I'm just hoping that they're still in the proof of concept stage, and then the ones that are fixable are here. So nice presentation of just all of the things that I need to be concerned about without attracting too much of my time, which I like. So let's see what else we had on this. Is it just back? There we go. And it does that for all of my package.jsons. Yeah. So I was gonna find another one
23:01 where we can look at a where there's some fixable ones that you could do a fix PR against. Because that's the other thing in that view that you can do is automatically open a PR in GitHub against that repository. They'll upgrade that package to the appropriate version. Oh, we got a fixable one. Yeah. So if you click on that, see that big green button that says fix that vulnerability? Okay. So what have we got here? We've got 711. That seems like quite a high score. Yeah. So that's pretty high.
23:41 But see that why that one is probably higher than that one we looked at before is because it's fixable. So having a fix available is gonna push that to the top of the pile so that your developers can go, hey. There's a fix there. All I need to do is upgrade that package to I think we're showing there if we upgraded it to 7.0.0. 7.0.0. Okay. And that's what I suspect, actually, when we that fix PR because it's an indirect
24:13 dependency, I think it'll upgrade a few packages there in order to make sure they're all the right versions. But if you press the fix vulnerability, hopefully, it should open a PR in GitHub. So Okay. Right. So that's fine. So we can open the fix PR there. And what it should do is open that in GitHub. So we can see it's opened a nice informative PR there that's showing you exactly why you needed to upgrade it. And I think if we go in files changed, it should show
25:02 that it's just gonna have the package dependency to the version. Alright. Let's see. There we go. Yeah. So there we go. And you can have that turned on. So quite a lot of people have those turned on automatically so that it'll automatically open fix PRs for things that can have a package upgrade. Well, that was quite a pleasant experience. We found a high risk vulnerability and then Snyk has been very kind as to give me the PR, upgrade the dependency, and it's now merged.
25:48 That's awesome. Let's jump back here. So I guess that's going to I'm assuming Snyk knows that something has happened here and does the redo of the analysis every time there's a push to my repository? Yeah. So did you just merge that? Yeah. So Could I do? This when you've turned on the GitHub integration, there is automatically a it's gonna rescan on merge anyway because you had the on the GitHub repo when you imported, it adds the Snyk tests. So when that merge has gone through, it's retested it. Yeah. Cool. Let's go back to there is a button
26:33 here that I was curious about. Fix vulnerabilities. Does this try and fix everything? Or is it just gonna take me to Alright. Okay. Yeah. It should yeah. So that's on the because that was against the Dockerfile project, wasn't it? So when you imported that project, it also looked at the Dockerfiles. And I think if you went back a screen, you'd see the little Docker icon there and where that was saying fix the Yeah. So this is against the Docker. Actually, is that against the image in Docker Hub, or is that against the Dockerfile?
26:40 Exploring Dockerfile Vulnerabilities
27:12 Wants to upgrade the base image based on what I've seen on the last page. Yeah. Yeah. It wants to go from fourteen seventeen to fourteen seventeen. Yeah. So and again, the same sort of thing applies for Docker images that we can do these automated fix PRs against the Dockerfile. I think with Docker images are a bit more of a complex one because a lot of Docker images have a lot of vulnerabilities in them. Right? And especially the generic language images. You know? I mean, you can see
27:49 that node 14's got 600 plus vulnerabilities in it. And there's a reason for that. Right? It's because those generic language runtime images are solving for the generic case, aren't they? That's gotta work with every Node app. So it's gonna have all the bells and whistles in it. It's gonna, you know, it's gonna be big. You know, I think there's a there's clearly well, I mean, I've done whole conference talks about how you reduce vulnerability counts in Docker images, you know, but, obviously, using slim versions in production is gonna reduce your
28:30 vulnerability count. It's probably not a good idea to be deploying things in production that use those generic language runtimes because, you know, they're just solving for the big use case. They're great for trying things out because you know they're gonna work every time, but you probably don't wanna deploy that in production. I mean, I think if you click the show more upgrade types there on the left there, there should probably be some yeah. There you go. So the node slim images, you know, have far fewer vulnerabilities in them. Right. Okay. And I guess that's just because
29:05 they have fewer packages and the Yeah. Yeah. I mean, fewer packages, clearly. And I mean, you know, so but there's, you know, the workflow that people I mean, if you probably, for example, you couldn't use that to build your application, that slim image, because it's not gonna have your build tools in there. Yeah. But, you know, so this is where this idea of multistage builds comes into play. Right? So if I'm in my build system, I probably do wanna be using maybe I do wanna use that node 14.15
29:37 base image to build my software, but then I wanna take that software out of that and put it into a slim image for deployment in a multistage build. So, yeah, probably too much to go into in this session, but, you know, there are lots of folks who talk very eloquently about the best practices for managing container images in production. Right? But, yeah, generic language runtimes are not usually a very good choice from a security perspective. It's one of those things that I think I know in the back of my head
30:13 Discussion: Choosing Docker Base Images
30:17 and I just have never really never really given enough attention to think, yeah, I probably should try and either build my own. It's just so easy to use these generic ones, isn't it? Because things just I mean, I I think that's always the path of least resistance is always a bit of the issue, isn't it? You know? And I mean, I I guess the flip side to that is the same with with tools that can help us. We don't want things that are gonna put loads of barriers in our way. So that's what we try
30:47 to do with Snyk is to say, well, look, here's the solution, you know, an easy solution that's not that doesn't loads of friction for you. So yeah. Alright. Let's see what else we've got on this UI then. I'll go back to the home page. This is all my vulnerabilities and project. So I think we probably had some more interesting things to look at in that in that particular project. Right? Yeah. We still got the code analysis that we haven't clicked on yet. I've got a good grasp of what the package JSON scanning does. That makes a lot of sense to
31:22 me. We looked at the Dockerfile, I got that that just nice convenience things. Also the Debian image, lots of vulnerabilities there, so basically coincides with what you're saying, don't do that. Like here's the nice custom bespoke one and you can see that. Look at that. Six seven. Sorry. Seven vulnerabilities. Much better than the hundred I mean, it's important to I think it's important for to to to kinda get your head around that in in container images, you're almost never gonna have zero vulnerabilities. I mean, it's just not that's not that shouldn't really be your goal
31:53 to have zero because unless you've unless you've, like, built a scratch image and all you put in it is, like, a compiled c binary or a go binary, It's just not realistic. So you kind of have to you have to set set, I guess, a strategy. Right? And, I mean, you know, I I kinda say, well, perhaps your strategy is, like, no no high vulnerabilities in production that have an exploit and nothing that has a fix. Yeah. That might be a good strategy. That'll probably get you down to, you know, very small numbers of vulnerabilities. But, yeah, aiming for zero is
32:30 probably not realistic. Yeah. And it feels to me like I I don't know if it's quite half the battle, but I'm gonna say half the battle is just being aware of which vulnerabilities actually exist in my prod environment. Because I'm assuming, if I know the seven or 20 vulnerabilities I've got, I could maybe put things in place to make sure they're not exploitable in my environment even if there's not a ready fix available. It could just be blocking firewall ports or certain endpoints on your app or whatever. Yeah. Exactly. I mean, you know, I is always a bit about trade offs really,
33:02 isn't it? It's about the trade-off between effort versus risk. And so you might decide that, let's say, for example, we only care about vulnerabilities that are exploitable over the network. And when we look at the CLI scanning, we can talk a bit about how you can actually filter results based on those CVSS things, just to say, only give me high things that are exploitable over the network. Because you might decide that actually things that require a local shell are just not going to be exploited. The risk of them
33:38 being exploited in my environment is minimal because I use distroless for everything, which doesn't have any shells, or whatever. But there are always sort of trade-offs of decision-making about how you decide whether something's exploitable in your environment or not. Awesome. Thank you for that. So do you wanna jump into code analysis? Yeah. So code analysis is very cool. This is pretty new. This is about vulnerabilities in your own code. And I think when we have
34:03 Introducing Snyk Code (Application Code Analysis)
34:15 a look at VS Code, it probably shows some of the things that are really cool about Snyk Code. So this kind of analysis used to be super slow. And years ago, you'd run these things overnight, and they turned up millions of false positives, and they were really just there, like you said earlier: oh, we do this once a quarter for audit and someone writes a report and then everybody ignores it or whatever. But
34:47 so Snyk Code actually uses machine learning. So it's fast enough to do in real time in your IDE. But what it's really focused on is code errors. So in your own code, not code that you've brought in through a package or whatever. This is stuff you've written yourself. And so what I really like is it shows you the flow of what's gonna happen. I don't know whether it does it in the UI actually, but in the... so what happens if you click full details? I have to admit, I've not looked at
35:11 Snyk Code: Analyzing Code Flow (Data Flow)
35:17 this much inside the web UI. Well, I'm just loving the description of these here. Like, this one is telling me that we can have exception flows. I'm assuming that's because we've got random access or variable access to maps, which is obviously scary. This one I assume is telling me that I've got unsanitized input from HTTP, which I'm assuming the file path comes from, and we're throwing that straight into a function. And you know what? These are like, oh, they work at the time. It shows you actually how... oh, look. No. There
35:48 you go. So it'll show you in the code how that's got in there. So if you click through all those steps, it'll show you: here's where it came in. Here's where it's flowing through. It's flowing through here. It's flowing through here. And then you use it like this. That is ridiculous. It's super cool. Oh, that is awesome. Yeah. And it'll do that in the IDE, as a live scan, and show you exactly the code path by
36:24 which that... so presumably we're talking about that file path variable there. Right? Yeah. It's nice how you can see how it gets composed together. You can see here we're accessing the params on the HTTP request to get a name. We're then calling a function, passing it in, and then it leaks through until eventually we pass it into the sendFile. Yeah. It's neat, isn't it? And I think if you click on the fix analysis there, it should show you examples of how... yeah. So there you go. So behind
36:59 the scenes, it's also got this massive learning database of open source code. Right? So it actually shows you how other projects have fixed the same problem. So you've got three, I think, example fixes there from different open source projects. So it's showing you examples of not just how you could fix it, but how others have fixed the same things. So it'll give you examples from the real world. Nice. It's neat, right? Yeah. I didn't expect to get, like, just that one screen with the way the code
37:41 flows through. That was neat. I like that a lot. And you're saying that works in my VS Code as well. Do you want... should we pop it open? Yeah. If you've got the Snyk plugin installed in your VS Code, it should do it. Do you have a little Snyk icon somewhere? Yep. There we go. Yeah. You have. Right? So I think you need to auth via the CLI, but if you've had the CLI working, it should already be authed? No. I haven't actually installed the CLI. That's something I'll use. Oh, I think it's working
37:47 Snyk IDE Integration (VS Code Demo)
38:16 there anyway. Right? That's a bit small for my old eyes to see in this window, but it's the right... I think, yeah. So this is all coming from Snyk Code. Yeah. So you can see these. And if you right-click, you should get the extra window that gives you... yeah. There you go. So you should have the same thing there where it's showing the flows. Let's see if we can get the same one so it matches up.
38:52 There we go. There's the same one. Okay. Yeah. Nice. Yeah. So you get all that same stuff in your IDE, and it's fast enough that you can be getting that stuff while you're coding. I like that it's actually in my IDE. I'm actually getting a red squiggle from the vulnerability scanner. It's like, no, it's not an error, but it's definitely a high vulnerability thing that I probably wanna be aware of, and then the description of the issue here. So that kind of integration is good because
39:31 then it's front and center with me all the time when I'm writing my code. Well, yeah. And again, that's part of this developer-first thing, because I don't know whether you've read things like, I assume, the cloud native security white paper that CNCF SIG Security did last year, and Liz Rice's book on cloud native security and things. It's really about integrating security all the way through our SDLC. Right? Because we're in
40:07 CI/CD pipeline kind of mode and code is continuously flowing. So what we need to do really is to integrate at all points in that process. And the first point is clearly developer eyeballs. Right? This is the place where it's cheapest to fix. And so providing tools that give developers easy insights into issues before they even get into source code management is clearly gonna be your best point to start at. So these kinds of integrations are really key for us: make it super easy for developers to
40:46 get that information right in the IDE, right in the CLI, so you can fix things super easily, super quickly. Nice. I like that. Very cool. Okay. So I don't think we're gonna be able to fix 50 issues, but that number doesn't seem as scary to me as some of those Docker container image ones, so that's at least a positive. Lots of details. Very cool. Alright. Let's jump back over. Where were we? Projects. Is there anything else on the UI side of things that we should take a look at? So there's obviously a lot of functions. I
41:30 Container Image Scanning
41:32 mean, it's probably less interesting to this organization, but there's a lot of stuff about how you would do things in a bigger organization. So being able to ignore things, being able to report on things. But I think we've sort of covered the developer-focused bits in the UI. Mhmm. What about importing Docker images from Docker Hub? Okay. So do I add a new thing? Yep. Oh, so you haven't got... yeah. So you'll need to connect with Docker Hub. If we
42:00 Connecting and Scanning Docker Hub Images
42:15 go down a little bit, there we go. I'll maybe move that over here. Yeah. Maybe take that off the screen temporarily. Where'd it go? One, two. There we go. Okay. Let me grab my token then from Docker Hub. Token, new, Snyk. And there we go. You hate it anyway. Let's see if... there we go. So now if you wanna scan your images on an ongoing basis that you've got in Docker Hub, it's as simple as it was importing from GitHub. And this works with a whole bunch of different registries. Right?
43:29 ECR, Quay, who else? Google, blah blah blah. Pretty much everybody. Yeah. There were quite a lot of options there, weren't there? And it seems to work with pretty much all the major source code repositories. Yeah. Some of them... Yes. We're working on more of them. Some of them are a sort of paid upgrade because it tends to be more enterprise customers who are using those ones. But yeah. All the major CIs, all the editors. Wow. That's a lot of integration. But it seems to me it doesn't
44:18 really matter what stack your organization is using. It's gonna be covered. Yeah. And in a lot of cases, if it's not there... I mean, you'd have to be pretty far off the beaten track for this not to be, like, a first-class integration. But a lot of times, you can integrate just with the CLI anyway. Right? Especially if you're doing CI stuff, for example, you can write CLI strings that are gonna be able to glue together almost anything. So, yeah, integrations are kind of a key part of
44:50 making it super easy for folks to use. I'm curious about this Kubernetes one here. Does that scan, like, my deployments for maybe anti-patterns, over-exposing too many ports, or did I just make that up? To be a container. No, because at the minute we're not doing deployed environment scanning for configuration in Kubernetes. It's definitely something we're looking at. If you just scroll up slightly, one thing that is coming soon, and in some ways we'd probably do a similar thing with Kubernetes, is we're
45:30 we've got this thing to scan deployed AWS environments. So... Oh, yeah. As well as just being able to look at Terraform before you've actually spun something up, we can actually query your configured AWS environment and say, well, there's x security issues there. And that'd be super cool to do with Kubernetes as well. Right? To be able to look and say, let's look at the deployed environment and see whether there are issues. In terms of this scanning for Kubernetes that is in there in the UI that you're seeing, that is
46:08 image scanning. So deployed containers, new containers and containers that are already running in your Kubernetes cluster. So you get a similar thing if I enable the Kubernetes integration. I can see all the images that are running in my cluster, and I can choose to scan them in the same way that I can from Docker Hub. Okay. Yeah. That definitely makes a lot of sense then. I like that as well. Oh, there's my image. So this is now added. Yes, Kyle. My Docker Hub image that
46:42 I built just before we went live. Let's see what we've got here. Okay. So I'm curious then. What does it mean when it scans a container image? Like, is it looking at the Dockerfile and saying this image has this, looking at the commands, or is it actually pulling the image and inspecting what's inside of it? It's pulling the image and looking at what's inside it. And so it'll be identifying... so there are two things going on here. You can link the Dockerfile as well, so if you
46:57 Exploring Docker Image Scan Results (Layers)
47:27 have the Dockerfile in a GitHub repository, for example, you can link the two things together, which will give you deeper insights into how you might fix things. So that base image recommendation stuff that we looked at from the Dockerfile, that's difficult to do just by looking at the image. But if you combine those two things, you'll get both. So you can say this image in Docker Hub and this Dockerfile in GitHub are the same thing, and it'll give you the base image recommendations. But what you can see here that's kind of neat is it'll show you in
48:01 which layers those particular vulnerabilities have been introduced. So we can see that apk-tools one is coming... I'm assuming this is now the base image, and that's being introduced by the base image. But if we look at the BusyBox one, it looks like that's been added into the image by another layer in the Dockerfile. Yeah. Correct. Yeah. There's a whole bunch of stuff happening. It's detected that from the built image. Yeah. But it does tell me there's a fix if I upgrade my BusyBox SSL client. So
48:47 Yeah. It's handy. So you can see on there, you can filter on the left by image layers. So you've got six that are in the user instructions and, oh yeah, one that's in the base image. So I'm assuming again, my eyes are slightly struggling there, but I'm assuming probably that rebuilding that... if that's fixed, where is it installing OpenSSL, libssl? So it's doing an apk update as it builds dependencies, Python build. But yeah. So it looks like it's adding a whole bunch of... It might actually be that. Yeah. If you rebuilt that
49:34 image, it might actually fix those. Oh, I think these are probably pinned somehow just because I know... Oh, maybe. Yeah. I built this recently, like only an hour ago. No. Okay. Yeah. I'm not sure. In fact, this is the version that we... oh, no. That's version i and there's a version k. Yeah. There's maybe something here. It's not quite shipped to Alpine yet. Yeah. But that's an interesting point about Docker images in general, and one of the reasons for monitoring them on an ongoing basis as well as scanning them when you're
50:04 Discussion: Ongoing Monitoring of Docker Images
50:15 making them. Right? So if I build a Docker image locally before I push it to the registry, I'm gonna scan it and see whether it's vulnerable. I might make some changes, scan it again, and I finally get my image where I want it, and I push it to my registry. But what happens in, like, three months' time? I mean, I know I've got things in my own Docker Hub that I have to say I haven't rebuilt for years. And so that scans ongoing over time. And you've imported this
50:46 one into Snyk, and that'll be scanned every twenty-four hours. So it's kind of important to make sure that you scan these things on an ongoing basis because new vulnerabilities happen all the time. Right? And I think we did a big survey last year, and one of the questions was, how do you find out about vulnerabilities for container images you've already got in production? I think it was something like 25% of people said they didn't know. It's like,
51:18 okay. Yeah. I think I fall a bit into that camp, where... You might wanna be worried about that. Yeah, I guess I'm fortunate that I don't run a lot of stuff in production that's being used by thousands of customers or anything like that, you know. I'm a developer advocate like you. Like, we spend half our time just hacking on stuff and throwing it out. Exactly. Yeah. So I noticed we had a quick question in the chat there saying, can you scan like this on the free tier? Yeah. I think everything that we've
51:40 Snyk Free Tier Features
51:50 looked at so far is all available in the free tier. That's very cool. I can imagine that would be quite easy. Like, I don't know. I feel like if I did have stuff in production and I had all of this stuff, I would just be on a mission to get those numbers as low as possible all the time. I think I'd end up making a game of it and just be like, hey, how many of these are going... I think it's interesting when you do start to... we actually see that quite a lot, right,
52:18 is that a lot of the adoption of tools like Snyk is... the way security used to work was, like, some tool would be bought by the chief security officer and just given to you: you will use this. And what we actually find is that developers are choosing to use this quite often, where one small team will start because they want to make sure that their stuff is secure. They know that they're in control of a lot more
52:52 stuff now than they used to be. And we do see that it kind of gets a bit gamified, that people are like, oh, I wanna get those numbers down. Yeah. You could have, like, company hackathons where you all meet up once a month for something and just order some pizza, some beers, and just, like, let's go squash some of these vulnerabilities. And that would be a whole lot of... Yeah. I mean, I think I was talking to some of the folks in Cloud Native Nordics, and they were saying that
53:21 teams get quite into the idea of having the lowest or whatever. Because until you have this information, you just don't know, do you? You're like, I know. Yeah. I think just bringing that visibility front and center in the IDE and the pull request, having the UI like this so anyone can go check it out. Once you have those numbers, you can then start to build work on remediation and track that number coming down. Like, the worst thing I could do is be oblivious and the
53:50 number continues to rise and rise and rise. And eventually, when I was... And that's all in the UI as well. It might not be in the... some of that's more kind of enterprise-y features, the reporting and things. But it'll show you that number of vulnerabilities over time across all your projects or for a particular project. That information's all there for you as well. I think one of the interesting things as well was about GitHub. Can you pull up
54:26 the repository that we just imported, the pull request that you merged, David? Because you should see what happens in GitHub as well, the automatic scan. Yep. Rawkode, and it's in. So if you look at that PR, you should see the Snyk scan that actually ran when the PR was... are we gonna see it there? If you scroll down, it should say that it's... I don't know. Perhaps it's not there. Then maybe we need to enable something? Yeah. Possibly. But you'll get the check in
55:17 GitHub every time you push a PR; you can have a Snyk scan at that point. So you can't merge it until that scan's passed and all that kind of good stuff, basically. Nice. So there's something else I think is really cool about this. So far we've been looking at this project. We've looked at it from a code point of view, which is JavaScript and TypeScript, and the image. But I actually added
55:51 Getting Started with Snyk CLI
55:51 other non-JavaScript stuff to this. So it's like, I don't need to write in JavaScript, Node and TypeScript to get the benefits of the Snyk tool. Like, this is a Go project that I work on and it's also got scans and vulnerabilities. So what's the language support like for Snyk? Pretty wide and getting wider all the time. So on some of the Go... Snyk Code is obviously less wide at the minute. But in what we call Snyk Open Source, which is the package scanning stuff: Python, .NET, Go, what else? Let me look it up.
56:46 A whole bunch of languages that I never use. But let me pull up the website. I think there's a list there too. Yeah. .NET, Java, JavaScript, Go, PHP, Node. Yeah. A lot. Nice. Where is it? I'm sure I've seen that earlier. Yeah. There's like a bar somewhere of... Yeah. Oh, there we go. Java, JavaScript, TypeScript, Python. Okay. There was more than that. I've seen it earlier. I can't remember where I saw it. Yeah. The others, if you go... That's integrations. Right? I think it's there across the bottom, isn't it? Yeah. These ones in gray. Yeah.
58:04 Yeah. JavaScript, .NET, Java. What are you? Is that one of you just... Elixir, isn't it? Elixir is the one in the... Oh, Ruby. Drop. Yep. We've got Ruby, jQuery, npm, PHP. Oh, that's the Postgres elephant. Right? No. I can't remember. There we go. Go, Ruby, Python. Yeah. Okay. Yeah. Lots of stuff there. So whatever languages you're working with, whatever tools you're working with, Snyk just seems to be... And we're launching more and more all the time. Yeah. Very cool. And a very generous feature. Something that will be added to that is, so
58:46 we just acquired a company called FossID, who look for snippets of open source code within, say, where someone's been copy-pasting open source code into your proprietary product. I would never have. So at some point that will start surfacing in Snyk as well, the snippet stuff. So identifying snippets which may have come from other projects. Very handy. A comment in the chat suggested that maybe Scala is the three bars. And I'm glad you said that, Russell, because I thought that too, and I just wasn't brave enough to go for the guess.
59:00 Snyk CLI
59:29 And we got a comment from b mad who says, I'll be using this service to shame other team members and appear smarter than I really am. Go for it, man. That's an awesome use case. I would encourage everybody to... Cool. Is there anything else that we should cover, if I've forgotten anything? We could take a look at the CLI scanning quickly. We haven't had a look at the CLI yet, have we? No. Let's do that. So I actually end up using the CLI miles more than I use the
1:00:02 UI. Alright. Let's see. Install. Can I just brew install this? Or is there a binary? Yeah. If you've got npm, you can just do npm install -g. I'll just copy this link here. I think we should be good. Oh, no. I'm in there. Okay. Snyk. Snyk. Tap. Snyk. Although, not sure what would have been faster, npm install -g or brew install snyk. Both are particularly slow for me all the time. Just pick my poison. I normally do it with npm, but... So I have no idea. I'm hoping brew is gonna work now. It's in
1:00:50 our docs. Someone must have tested it. Yeah. I'm sure it'll be good. Yeah. I think if it gets this far, it means it's... yeah. There we go. Okay. So let's see what happens here. Come on, Homebrew. And I'll just drag my window up so people can actually see the line that I'm typing. There. It says a %, but it's still making me wait. That's rude. There we go. Does that mean I've got a snyk command? Yeah. So the first thing you need to do is auth. So you need your
1:01:53 token thingy from your user. So okay. Let me move my window out of the way. I've already flashed more tokens on the show than I would like. So yeah. So go into your account settings and API token. I don't see it. Is it service accounts? No. So if you go up to your account section at the top right of the screen... Yeah. Account settings. Yes. And it should be the first thing under General. It should be API token. Oh, I must be missing it. It might be really silly. Hold on. I'll bring it back onto the
1:03:06 screen. So, yeah, it won't appear anyway unless you click it. So, no, not those settings. Your personal settings. So go to the top right-hand corner there, account settings. That's it. There we go. Alright. Don't click it. Alright. I'll move it back over here. Don't click on screen. I'll bring that back. I've got my terminal here. Yeah. Terminal off screen as well. And then you do snyk auth, and then paste my token. Oh, actually, you don't need the API token. You can just do it through the browser. So if you ran snyk
1:03:59 auth, it should have opened the browser, yeah, and given you a thing saying, do you want to authenticate the CLI? Did you get that? Oh, I pasted a token. So I believe that I'm now... Alright. Although I've just realized that my autocomplete... I'll move off screen again for one second. I'm gonna run a different snyk command. Yeah. So just click that authenticate button there, David, and that'll do it for you. Oh, no. But I... You don't need the API token anymore. Yeah. I already pasted the API token, so
1:04:35 if I push, like, I was worried that when I type snyk, the autocomplete would commence. I've just done a quick snyk --help to hide that. Oh, okay. Even though I can just regen the token right after the stream, I'll try and avoid displaying it to the world. So okay. We're there and that's the folder. That's the git checkout of the thing we've been looking at today, isn't it? Yeah. So if you just run snyk test from there, it'll do the open source packages test,
1:05:06 I hope. Alright. Because you've got multiple... so what it's saying there is that it found multiple package.jsons because that's a meta repository. So what we wanna do is actually use --all-projects. Yeah. What's up in there? I feel to it. And then run -d. Let's see what the debug says. No, Russell. No token flashing today. Right. Okay. So because it's Node, you've gotta do npm install first in that directory. I'm trying to work out if I could do a find package.json run command. Yeah. So you can
1:06:09 just... I mean, to save you building that thing, we can just test that single one there. I think if you do --file, is it? To specify the... Why don't we do the more interesting one? I think core had a whole bunch of stuff in it. So we can... let's run our npm install here. Hopefully that doesn't take too long, and then I'll try this snyk test on this directory. Because this time, the browser one. Yeah. I'm sure core was the one that had a whole bunch of stuff in it.
1:06:44 I suspect... Yeah. See, one of them was interesting, wasn't it? It didn't have any vulnerabilities. Yeah. Of course, I picked that one. Yeah. It's the packages. It's the CLI one that had some stuff in it. Alright. Cancel. Cancel. Cancel. A good thing that Node installs are super fast. Right? Sarcasm. Let's see. I guess you get to tell me a story for the next twenty minutes. What have you got? I'm sure it would take... yeah. Look at that. Oh, there we go. It is going. Just had to get started first. And I
1:07:00 Kubernetes YAML Scanning
1:07:34 hadn't had a coffee yet. Yeah. That's all. Get up to speed. So you said that you... So we should also look at, so why don't we look at some Kubernetes YAML while that's... have you got something with some Kubernetes YAML in it so we can take a look at scanning that? I've got YAML. I've always got YAML. Let's see. Let's see if I've got my... That's not interesting. Let's go to the Rawkode one. I have opt Kubernetes. I've got a deployment. I've got a Postgres StatefulSet and I've got a service. Is
1:07:43 Scanning Infrastructure as Code (Kubernetes YAML)
1:08:18 that enough? Yeah. So does that mean I can run snyk test here? So you want snyk iac test. Like that? Yep. Should be. Yep. Let me just... Yeah. There we go. That should... so what that's gonna do... Oh, nice. Yeah. There we go. Right? So if we scroll up a bit, and this obviously works the same in the UI, that's gonna show you security issues within that Kubernetes YAML. So what have we got? Oh, so you haven't got allowPrivilegeEscalation set to false in a securityContext
1:09:17 setting. You aren't setting runAsNonRoot and not dropping all the default capabilities, etcetera. So we'll... See, that was fun when I was looking at someone else's code, but now it's analyzing my YAML and I'm feeling attacked. Yeah. I should be. I should do better there. But now I know. Now I've got a snyk iac test and I can actually fix these things. Yeah. I mean, again, a lot of this is visibility, isn't it? I mean, there might be scenarios where... well, I mean, allowPrivilegeEscalation set to true is a hard
1:10:02 one to justify, but there are clearly scenarios where you might want to do all these other things. Well, yeah. These are throwaway clusters and deployments. So... Yeah. That's actually a good scenario. Yeah. But I love that. You can do that stuff. Very cool. So the IaC tooling obviously will scan Kubernetes YAML, scan Helm charts, scan Terraform as well. Lots and lots of rule sets about Terraform. So for AWS, for Google, for Azure, and we'll detect security issues in all of those things. And this is kind of important
1:10:49 for people to think about, isn't it? Because it's not just about your container image. It's, like, how are you deploying it, especially in Kubernetes. And you almost need to consider the deployment of the application as part of the application, don't you? Because it's all part of the same thing. So your application can be as secure as you like, but if you're spawning that container as root with, like, no AppArmor or whatever, then you're kind of undoing all the good work that you may
1:11:23 have done in developing this app to start with. Right. Well, let's be honest. Right? AppArmor and SELinux, nobody actually knows how they work. Right? I mean... It is black magic. Although I've been doing this talk with my friend Camille Potrich about kernel privilege escalation in Kubernetes. Like, what happens on bare metal and what happens in Kubernetes. And so he's been explaining to me in a bit more depth what some of these things in the kernel actually do. And with kernel hacks, you
1:12:02 know, fair enough, they're pretty rare. But AppArmor and SELinux are about the only things that really give you any protection in scenarios like that where you've got really serious kernel bugs that can be exploited from a local shell. Yeah. I must say I'm guilty of setenforce 0 and turning off SELinux, but maybe I need to change my ways. I mean, to be honest, I've been quite far away from bare metal for a long time. I mean, I used to run a public cloud platform, an OpenStack public cloud
1:12:40 platform. So I was a lot more... that was the kind of stuff that kept me up at night. It was virtual machine escaping. And thankfully, again, incredibly rare in the real world, but we always had automated checks for things like, in our case, AppArmor, because we were an Ubuntu shop. But yeah, I'm far away from the metal now, David, unlike yourself. I've got nothing but metal these days. It's a whole lot of fun, I've gotta say. We got a question. I'm not sure if I fully understand this. I'm gonna throw it
1:13:14 to you and see what happens. But Russell is asking if the IAC could perhaps scan like Azure API gateways. Is that No. That's that's kind of outside of the scope of what of what Snyk does. I'm assuming, Russell, what you're talking about is, like, I forget the terminology for this, but but scanning for for for configuration on API gateways and things like that in in running in the running scenario. Yeah? Let us know, Russell, and we'll we'll circle back to that. Yeah. So let's let's let's take a bet then. Do you think the note the note install is finished?
1:13:51 Snyk CLI Test Output and Wizard
1:13:54 Yes. There you go. Okay. So if we were doing a snyk test on our CLI... Yeah. Let's see what happens. I got another comment: nothing but metal these days. Okay? I think it's still gonna... oh, no. There we go. Okay. So we can see that all those same vulnerabilities have been picked up by the CLI there. Yep. Which is cool. How are they fixed? Is that the one that had a fixable one in it? I don't know. I'm too busy trying to work out what Snyk Wizard is, but I think Snyk Wizard... and you'll
1:14:34 see what... this will depend on whether there is a fixable... whether any of those were the fixable ones. And is it gonna... So this is basically gonna guide you to fixing... yeah. It's gonna guide you to fixing it locally in the same way that, you know, we sort of do fix PRs. This will do it locally for you. I think it's doing some number crunching at the moment. Something else that kind of caught my eye that maybe you can shed some light on is it's telling me I can create a .snyk policy file. Is that how I would do ignores
1:15:05 Discussion on Snyk Policy Files (Ignoring Issues)
1:15:17 as code or something? Yeah. I have to admit, this was one of the things that I was looking at myself in the documentation just before the show, and I didn't get to how this works. I've never done it. I think... yeah. It's obviously a way of creating policies for what you're doing on an ongoing basis. So I will look up what those mean, and I will share with you at some point in the future. Awesome. And b mad says they're gonna start selling
1:16:00 t-shirts. I fully endorse this. In fact, similar designs, and I'll add them to the Rawkode store. And Russell got excited when you said Azure and assumed all of us there. Maybe in time, Russell. Snyk is a fast-moving open source project. New stuff coming all the time. Yeah. So the policies are things like ignores, David. I think there are actually more things you can do than just ignores, but it's one of those features that I've never used from the CLI. Mhmm. Yeah. I can imagine doing it there. Or I think... I'm not sure what's... I think
1:16:38 it's still analyzing. I mean, my computer is doing a lot on these streams. It has actually been slowing down more and more. So hopefully it's just because of that and it won't take too long. I am putting it through a lot these days. And I have left Docker for Mac running, which is always a bad idea, so let me close that. That virtual machine just seems to draw power like mad. Yeah. I know what you mean. But I like the flow of this, like, being able to... Well, that would be
1:17:18 fine. Get those little reds... Yeah. So we only have one option there for remediating that one, because it doesn't have a fix, I don't think. So it's saying that you're going to ignore it and give a reason for ignoring it. And I think if you click through these, they'll go through them one by one and give you what your options are for what to do. Okay. There you go. So for this one... yeah. So, again, there isn't any upgrade or patch for that. The patch stuff's kind of interesting.
1:17:59 So sometimes, because we've got a big security team, you know, obviously doing security research, where there aren't upstream fixes, as in an upgrade pathway, we will actually release a patch that you can patch in place. So for some vulnerabilities, you'll see there'll be a Snyk patch available, which will just patch it whilst you're waiting for upstream to fix it. Oh, yeah. So don't think they're able to fix... No. But that would give you, you know, the automated way of fixing it if you didn't just
1:18:41 wanna edit the file yourself. The other interesting thing about the CLI is there are a couple of different ways that you can output the data. So there's an interchange format called SARIF that's very common in security, but it will also output in JSON. So what that means is that you can do all sorts of funky stuff with jq for filtering. So, you know, I was playing around the other day with saying... we talked earlier about saying, perhaps I only care about vulnerabilities that have a network attack path. So
1:18:46 Snyk CLI JSON Output and Filtering
1:19:20 if we do... do you wanna just do a scan quickly in JSON, and I'll show you what the output looks like. I think it's just --json, is it? I don't know. I was just guessing. Let's try. Yes. It's just --json. Yeah. There we go. So if you scroll up a bit there... so, obviously, there's a ton of different information there, but the one I was interested in was the CVSS score. Why is that... oh, so can you see that string on there? CVSS v3, up about four...
1:20:07 yeah. See there. So all of those things correspond to that. It's a programmatic way of representing that CVSS scoring that we looked at earlier. So there, see the AV:N? That means that's network exploitable. So you can filter on these things. You can build really complex... if you like that sort of thing, you know, I'm sure most of us are familiar with jq? Oh, yeah. Yeah. David? Yeah. So, the interesting complexity of building complex jq filter strings. But yeah. So you could build, you know, if you were
1:20:51 in a CI pipeline and you wanted to do snyk test, but you wanted to ignore certain kinds of vulnerabilities, you can set what the failure is gonna be, for a start. So you could say, like, you know, I don't wanna return non-zero on everything. And then you can make a jq query that says filter for things that only have a network... I had one I was playing with the other day that did kind of do the job. I have to dig
1:21:27 it out. Oh, so it's not top level. It's... Yeah. You have to do... where was that? I put it in a blog. Wait one second. .filter.ignore. Oh, wait. That's not gonna be right. Oh, there we go. Filtered with ignore or ignored? I don't remember now. And then that one... Yeah. I had... it's vulnerabilities, I see, is the top-level thing. I've got nowhere to paste anything here, have I? I'll tell you what. I don't have to run the test every time. Why don't we write it to... you know
1:22:16 where I'm going with this though, is that you could build pretty complex filters using the JSON output. Yeah. Let's see. So, no. Need to learn how to spell vulnerabilities. Vulnerabilities. Yeah. Open, close square brackets. Okay. So mine are ignored, which means I think they live under filtered. So let's try that. Yeah. And then there was an ignored key. I shouldn't have opened this can of worms, should I? Live jq is not... You don't have to be here all day. Oh, that breaks my heart. Cannot index an array with a string.
1:23:12 That's a thing. jq is always one of those things that... It's like a whole new programming language, isn't it? Like... Yeah. I have to do tons of googling every time I get it out. But... Well, I'm sure it's something like piping it to contains and then looking for AV... Yeah. You do. You do. So yeah. If I had somewhere to copy-paste my test one to you, I would do it. But okay. So you can do a select. So you pipe that to select, and then you
1:23:45 select on the thing you wanted, the element, and then you can filter. Yeah. I guess people just have to learn about that CVSS. It's just a way of basically building complex stuff on the CLI. Nice. You know, if you had a need to do that for any reason, integration, whatever. Alright. I like it. Anything else you wanna show before I flick those back over to chatty mode? Yeah. So it would be nice to show you this other really cool free thing that we're doing called Advisor.
1:24:20 Introducing Snyk Advisor (Open Source Package Health)
1:24:28 And so if you go to snyk.io/advisor, I think it... yeah. Slash advisor. So this is something else we built, because, you know, we've got all this data, data on security vulnerabilities, data on open source projects. So, there's been a lot of talk recently, and we talked about it right at the start, right, about supply chain security. How do I pick an open source project? You know? And like I said, in the Python world, things used to be fairly simple. Right? If I wanted to do something with HTTP,
1:25:00 Exploring Snyk Advisor
1:25:12 I used requests. That's it. But in newer ecosystems, you can often have lots of choice about a particular package. So how do you choose which package to use? And it's not just about what vulnerabilities are in it, because as we all know when we work in open source, there are other metrics that are kind of important to open source things. Right? Like, how many different contributions are there? Is it maintained? Is there a community around it? Mhmm. So we built this Advisor tool to combine all these data sources. So if you
1:25:49 have a look at the... if you go to PyPI, it's probably easiest, and we can actually look at something like requests, which is a super well-maintained thing. If you do a search there for requests, clearly there's some weird typosquatting going on here in PyPI with these things that I don't know what they are. But if we look at the main requests package, you'll see kind of how Advisor works. What we get here then is this overall health score for a particular package, which includes how popular it is, how well maintained it
1:26:27 is. Security is obviously one part of it as well, like, how secure is it? But it's this whole kind of package thing for how do I choose which package to use. And I think it's super cool. We're adding more ecosystems to this in the next few months. It's kind of in beta at the minute, but it's a way for people to be able to have a view onto which package should I use for my project. And so at the minute, it mainly supports Node and PyPI. But like I say, we're
1:27:05 npm and PyPI, but we're adding ecosystems to it. And, yeah, I'm gonna hopefully do some conference talks about it as well, because I really like it. Yeah. Very handy tool. I'm gonna have to look up lodash now though. Yeah. So I don't know what that lodash.js one is. It's quite sneaky, isn't it? Like, lodash.js will send their name and then they've added on the -security, like an annotation on the tag version. I mean, I don't know whether it is typosquatting or whether it's a genuine package that someone's uploaded. But, you know, we're clearly not scoring
1:27:39 it very highly for some reason or other. Seems... oh, that was suspicious to me. But there you go. I mean, it may not be suspicious. It may be that it's one dude who's contributing to it. In which case, you probably still shouldn't use it either. Right? Because that dude gets hit by a bus and then you're in trouble. Okay. Let's try a Docker one too, since we got a comment saying Docker is available also, from b mad. We'll take a quick look. Yeah. Docker's in... I haven't actually looked too much into what the Docker support
1:28:00 Docker Image Advisor & Docker CLI Scan
1:28:10 is like in there at the minute. Yeah. So it's a bit more limited, the amount of information on Docker images. I know this is being actively developed. Docker's really new. It's worth saying as well that you get all sorts of Snyk goodness built into Docker as well these days. The Docker Hub built-in scanning: if you actually have, like, a proper Docker Hub account, you get free Snyk scanning built in. And the Docker CLIs all have Snyk scanning built in for free, I think, for all platforms now. So you can
1:28:50 do docker scan, and it's exactly the same as the Snyk scan. So you don't even need to move outside of the Docker CLI. Very cool. Very, very handy tool. I agree that that's available for everyone. So snyk.io/advisor. Never pick your next package without it. I think that's my takeaway there. Yeah. Yeah. Pick your open source packages like you'd pick a hotel. It did offer me an alternative when we were on the PyPI one for requests. It did actually say, like, here are alternative packages like this. That was quite cool. It did. Yeah. Yeah. It offered another HTTP package.
1:29:09 Conclusion and Recap
1:29:34 Oh, a... I... Yeah. Where you should be. There we go. Also leaning in there. Awesome. Well, that was a very complete tour of Snyk. There's a lot. Right? Yeah. Yeah. There's more as well. I mean, there are all sorts of bits that, you know what it's like being DevRel, you sort of use bits of the thing and you don't use other bits of the thing. And often the people in the real world who are using these things in anger get to go in different directions from the direction that
1:30:09 we go in. Yeah. Definitely. I was gonna try and summarize everything we've seen, but I think maybe we're all angry. So we added a repository on snyk.io and we got a whole bunch of vulnerability information from the code and from our Docker containers that were linked and the Dockerfiles. We then brought that kind of UI experience into developer land, looking at the VS Code integration, the really cool squiggles in front of my code, front and center as I'm writing. That was a really nice application. Yeah. I've seen what bad practices I'm doing. Like, I'm not
1:30:47 sanitizing HTTP inputs and such. That was really, really nice. We then brought it to the command line using snyk test. We also saw the infrastructure as code for Kubernetes. I love that that's available for Terraform too. I'm definitely gonna have to check that out. And then towards the end, we brought in Snyk Advisor and we were looking at how we can actually understand the health of the open source libraries that we're consuming as well. An awful lot for people to go and kick the tires on, play with, and enjoy. Yep. Sign up for a free account. Most
1:31:17 of this, I think almost everything that we've looked at, is all available for free anyway. So have at it. Awesome. Well, thank you very much for your time today, Matt. It's been an absolute pleasure going through all this. Thanks for having me. I enjoyed it. It's been great. And I hopefully will see you at an event or conference soon. Yeah. And we can see you in person. But have a wonderful day and thank you again for joining me. Thanks all.