DevSecOps: Static Application Security Testing SAST using Snyk in Jenkins
Security in an important step in the DevSecOps philosophy. Every code that gets built should be checked for security-related vulnerabilities. In today’s world, security is no longer an after thought; it should be accounted for from the beginning. Like testing, security has now evolved to conform to the Shift-Left paradigm of modern software development. It has assumed a lot of importance given that most applications built now are cloud-based.
Static Application Security Testing or SAST is perhaps the first step in the DevSecOps pipeline. It is the analysis and testing of the static code in software projects. SAST reports give a detailed analysis of the code and a list of all the bugs that might not be obvious but are making an application vulnerable.
In this article, we will go through an open source SAST tool called Snyk and learn 2 ways of integration it into your project. In addition to providing a list of bugs, Snyk also provides ways to fix those bugs. It uses a strong and rich database of vulnerabilities that it uses and constantly upgrades. It is a very popular SAST tool in companies like Google, Intuit, Salesforce and MongoDB.
Please note Snyk also provides an enterprise-paid version, however we will use the open source version for this assignment.
There are 2 ways to integrate Snyk in your application.
Method 1 (Simplest) : Configure the webapp in Snyk dashboard
Visit Snyk.io and login to your account (or create a new account)
Once you click Continue and authorize Snyk to access your github account, you will get the following screen showing all your repositories.
You may select the project(s). I chose a sample app — springbootwebapp.
Once you have selected your project(s), you will be directed to the Snyk dashboard that displays the vulnerabilities of your project.
Here you can notice that SAST analysis report from Snyk shows 85- High, 26- Medium and 2-Low vulnerabilities in the chosen application. Now you may choose to work on these vulnerabilities.
Method 2 : Use Snyk plugin in the Jenkins CD/CI pipeline
- A working Jenkins setup on your machine
Please refer — How to install Jenkins on Windows 10 article for installation steps.
Step 1: Install the Snyk and Maven plugins in Jenkins from the manage plugins
Step 2: Configure Maven and Snyk installations in the Global Tool Configuration of Jenkins
Go to Jenkins Dashboard > Manage Jenkins > Global Tool Configurations
Step 3: Configure the Snyk Credential
Go to Jenkins Dashboard > Manage Jenkins > Manage Credentials
You will need API key and Organization name from the Snyk portal
Step 4: Create Maven pipeline
Create a Maven Project pipeline and configure it as per the settings below
In the Post Steps, select Invoke Snyk Security task and provide your token
Step 5: Save and run the Build Now
At this stage the build should run and a snyk report should be uploaded to the snyk portal
Visit the SAST Report for springbootwebapp project on the Snyk portal to study the vulnerabilities.
In this article, we looked at what is SAST analysis, one of the SAST tool — Snyk and 2 ways to integrate it into your Jenkins pipeline.
If you liked the article, do consider giving a few claps and share your experiences with SAST tools in the comments section.
You can also follow me on LinkedIn.