DevSecOps: Static Application Security Testing SAST using Snyk in Jenkins

DevSecOps using Snyk and Jenkins

Introduction

Security in an important step in the DevSecOps philosophy. Every code that gets built should be checked for security-related vulnerabilities. In today’s world, security is no longer an after thought; it should be accounted for from the beginning. Like testing, security has now evolved to conform to the Shift-Left paradigm of modern software development. It has assumed a lot of importance given that most applications built now are cloud-based.

Static Application Security Testing or SAST is perhaps the first step in the DevSecOps pipeline. It is the analysis and testing of the static code in software projects. SAST reports give a detailed analysis of the code and a list of all the bugs that might not be obvious but are making an application vulnerable.

In this article, we will go through an open source SAST tool called Snyk and learn 2 ways of integration it into your project. In addition to providing a list of bugs, Snyk also provides ways to fix those bugs. It uses a strong and rich database of vulnerabilities that it uses and constantly upgrades. It is a very popular SAST tool in companies like Google, Intuit, Salesforce and MongoDB.

Please note Snyk also provides an enterprise-paid version, however we will use the open source version for this assignment.

There are 2 ways to integrate Snyk in your application.

Method 1 (Simplest) : Configure the webapp in Snyk dashboard

Visit Snyk.io and login to your account (or create a new account)

Connectors — Select where the source code is located

Select GitHub

Github Repositories selection

Once you click Continue and authorize Snyk to access your github account, you will get the following screen showing all your repositories.

You may select the project(s). I chose a sample app — springbootwebapp.

Repositories from Github

Once you have selected your project(s), you will be directed to the Snyk dashboard that displays the vulnerabilities of your project.

Snyk dashboard shows the vulnerabilities

Here you can notice that SAST analysis report from Snyk shows 85- High, 26- Medium and 2-Low vulnerabilities in the chosen application. Now you may choose to work on these vulnerabilities.

Method 2 : Use Snyk plugin in the Jenkins CD/CI pipeline

Pre-requisites

  • A working Jenkins setup on your machine

Please refer — How to install Jenkins on Windows 10 article for installation steps.

Step 1: Install the Snyk and Maven plugins in Jenkins from the manage plugins

Step 2: Configure Maven and Snyk installations in the Global Tool Configuration of Jenkins

Go to Jenkins Dashboard > Manage Jenkins > Global Tool Configurations

Maven Config in Global Tool Configuration
Snyk Config in Global Tool Configuration

Step 3: Configure the Snyk Credential

Go to Jenkins Dashboard > Manage Jenkins > Manage Credentials

Personal Snyk Token in Credentials

You will need API key and Organization name from the Snyk portal

Step 4: Create Maven pipeline

Create a Maven Project pipeline and configure it as per the settings below

In the Post Steps, select Invoke Snyk Security task and provide your token

Step 5: Save and run the Build Now

At this stage the build should run and a snyk report should be uploaded to the snyk portal

Jenkins build console output

Visit the SAST Report for springbootwebapp project on the Snyk portal to study the vulnerabilities.

SAST Report

Conclusion

In this article, we looked at what is SAST analysis, one of the SAST tool — Snyk and 2 ways to integrate it into your Jenkins pipeline.

If you liked the article, do consider giving a few claps and share your experiences with SAST tools in the comments section.

You can also follow me on LinkedIn.

Engineer and Water Color Artist @toashishagarwal