
Snyk
This add-on is operated by Snyk
Continuously find, fix and prevent known vulnerabilities in your apps
Last updated October 03, 2017
Snyk is an add-on that helps you find and fix known security vulnerabilities in your Heroku app’s open-source dependencies.
When you provision Snyk, your Heroku app is added to the Snyk dashboard. Snyk automatically takes an inventory of your open-source dependencies and continuously monitors for new vulnerabilities that affect them. Snyk notifies you in real time whenever a vulnerability is identified, enabling you to respond quickly.
Snyk’s security reports include curated content that explains the nature of each identified vulnerability. Vulnerabilities are categorized by severity to help you prioritize your work to resolve them. When available, security reports also provide recommended steps for resolving vulnerabilities, along with patches that can be applied if a vulnerability cannot be resolved with a version upgrade.
In addition to providing continuous monitoring, Snyk scans every app deployment and immediately reports any new vulnerabilities that are introduced.
Advanced Snyk features include:
- Open-source license monitoring. Snyk sets you up with a default policy that flags licenses in your dependencies that violate your legal requirements. You can tailor this policy to meet your specific needs.
- Vulnerability insights. Snyk’s advanced reports provide valuable business insights into your vulnerabilities across your entire Heroku deployment. These include your vulnerabilities over time, your vulnerability window, and how quickly you are responding to new threats.
- Early vulnerability notifications. For the most security-cautious organizations, Snyk provides early notifications for vulnerabilities whose disclosure Snyk controls. For these vulnerabilities, you are notified before the vulnerability is disclosed publicly, giving you enough lead time to resolve it before potential attackers are made aware of it.
Provisioning the add-on
If you have already provisioned Snyk for one of your Heroku apps and you want to add it to another, see Attaching the add-on instead.
Snyk can be attached to a Heroku application via the CLI. A list of all available plans can be found on the add-on's Heroku Elements listing.
$ heroku addons:create snyk --app YOUR_APP_NAME_HERE
Creating snyk on ⬢ YOUR_APP_NAME_HERE... free
Welcome to Snyk
Created snyk-globular-63403
Attaching the add-on to additional apps
After you provision the Snyk add-on for one of your Heroku apps, you can attach it to additional apps. This way, all of your apps are aggregated into the same Snyk dashboard.
To attach Snyk to another Heroku app, specify the add-on instance name that was generated when you provisioned it. In the following example, the instance name is snyk-globular-63403:
$ heroku addons:attach snyk-globular-63403 --app OTHER_APP_NAME
Attaching snyk-globular-63403 to ⬢ OTHER_APP_NAME... done
Setting SNYK config vars and restarting ⬢ OTHER_APP_NAME... done
Language-specific support
Snyk for Node.js
Snyk supports (and auto-detects) Node.js projects that use npm (package.json). Support for yarn (yarn.lock) is coming soon.
Snyk for Ruby
Snyk supports (and auto-detects) Ruby projects that use gem (Gemfile + Gemfile.lock).
Snyk for Java
Snyk supports (and auto-detects) Java projects that use mvn (pom.xml). Support for gradle (gradle.build) is coming soon.
Snyk for Gradle (coming soon)
Support (and auto-detection) for Gradle projects using gradle (gradle.build) is coming soon.
Snyk for Scala (coming soon)
Support (and auto-detection) for Scala projects using sbt (build.sbt) is coming soon.
Snyk for Python (coming soon)
Support (and auto-detection) of Python 2 and Python 3 projects using pip (requirements.txt) is coming soon.
Applications with multiple package files
Snyk supports (and auto-detects) applications with multiple package files (any of those listed in Language-specific support). In order for auto-detection to work, all package files must be in the application’s root folder.
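A pre-deploy check for the root-folder rule above, written as an added example (not Snyk's or Heroku's code): it takes a repo-relative file listing and reports which ecosystems Snyk would auto-detect, which manifests sit outside the root and would therefore be ignored, and a Gemfile committed without its Gemfile.lock. The manifest table mirrors the language sections above; skipping .git, node_modules and vendor in the directory walk is an assumption of this example.

```python
"""Pre-deploy check: which package manifests will Snyk auto-detect?"""
import os

# Manifests Snyk auto-detects today, per the add-on docs (ecosystem -> required files).
SUPPORTED = {
    "npm": {"package.json"},
    "rubygems": {"Gemfile", "Gemfile.lock"},
    "maven": {"pom.xml"},
}
# Listed as "coming soon" on the page: present in the repo but not yet monitored.
COMING_SOON = {
    "yarn": {"yarn.lock"},
    "gradle": {"gradle.build"},
    "sbt": {"build.sbt"},
    "pip": {"requirements.txt"},
}


def classify(paths):
    """Classify repo-relative paths (POSIX separators).

    Returns a dict with: detected (ecosystems Snyk will monitor), not_yet
    (coming-soon ecosystems found in the root), ignored (manifests outside
    the root folder, which auto-detection skips) and incomplete (warnings)."""
    root_files = {p for p in paths if "/" not in p}
    all_manifests = set().union(*SUPPORTED.values(), *COMING_SOON.values())
    detected = sorted(eco for eco, req in SUPPORTED.items() if req <= root_files)
    not_yet = sorted(eco for eco, req in COMING_SOON.items() if req <= root_files)
    ignored = sorted(p for p in paths if "/" in p and p.rsplit("/", 1)[1] in all_manifests)
    incomplete = []
    if "Gemfile" in root_files and "Gemfile.lock" not in root_files:
        incomplete.append("rubygems: Gemfile present but Gemfile.lock missing; commit the lockfile")
    return {"detected": detected, "not_yet": not_yet, "ignored": ignored, "incomplete": incomplete}


def scan_tree(root):
    """Walk a real checkout and feed relative paths to classify()."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in (".git", "node_modules", "vendor")]
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            paths.append(name if rel == "." else f"{rel}/{name}".replace(os.sep, "/"))
    return classify(paths)


if __name__ == "__main__":
    # Constructed sample listing (not a real repo): a monorepo-style layout.
    sample = ["package.json", "Gemfile", "Procfile", "services/api/pom.xml", "web/yarn.lock"]
    for key, value in classify(sample).items():
        print(f"{key}: {value}")
```

Run `scan_tree(".")` from the app's root before pushing; anything in `ignored` needs to move to the root (or its own app) to be monitored.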
Dashboard
For more information on the features available within the Snyk dashboard, please see the docs at https://snyk.io/docs.
The Snyk dashboard allows you to:
- See all apps that are continuously monitored by Snyk
- See a high-level overview of the number of vulnerabilities in your apps, organized by severity
- Zoom in to see the vulnerability report for each individual app
- In each report, zoom in on a specific vulnerability to get detailed information in the advisory
- When available, see remediation advice (such as a version upgrade), or download a patch that you can apply to resolve the vulnerability
You can access the dashboard via the CLI:
$ heroku addons:open snyk
Opening snyk for sharp-mountain-4005
or by visiting the Heroku Dashboard and selecting the application in question. Select Snyk from the Add-ons menu.
Migrating between plans
Application owners should carefully manage the migration timing to ensure proper application function during the migration process.
Use the heroku addons:upgrade command to migrate to a new plan.
$ heroku addons:upgrade snyk:newplan
-----> Upgrading snyk:newplan to sharp-mountain-4005... done, v18
Your plan has been updated to: snyk:newplan
Removing the add-on
You can remove Snyk via the CLI. Doing so destroys all associated data and cannot be undone:
$ heroku addons:destroy snyk
-----> Removing snyk from sharp-mountain-4005... done, v20 (free)
Support
All Snyk support and runtime issues should be submitted via one of the Heroku Support channels. Non-support-related issues and product feedback are welcome at support@snyk.io.