CircleCI is committed to helping developers automate their workflows, leading to time savings, increased predictability, and relevant insights into their software development life cycle (SDLC). However, automation can be subject to bottlenecks. If there is a critical security step in your workflow that is not automated, one of two things could happen. First scenario: the critical step becomes a bottleneck and the team loses the benefits of automation that it would otherwise enjoy. Second scenario: the bottleneck becomes such a pain point that the team compromises on the issue and removes it from the workflow altogether. We argue that critical security steps should be automated as a part of your workflow, not removed from consideration.

Why it matters

This is about security. If your workflow is automated, your security should be, as well. If it isn’t, you are going to cut corners to keep work progressing or your workflow will stall while you try to intelligently address your security concerns.

Consider your current method for incorporating security concerns into your SDLC. At what point in the life cycle do you consider security, and who is part of that conversation? If security is kept in mind throughout the process, smaller incremental changes can occur as soon as possible, costing less time, and preventing problems before they start. Developers and security professionals can work together on the same team instead of operating in silos. If security is automated, risk tolerances can be agreed upon ahead of time and builds can be failed if the standards are not met.

Developers have heartily embraced DevOps, and we believe it is time to embrace security as an equal partner and adopt a DevSecOps mindset.

Snyk delivers DevSecOps

Fans of CircleCI likely know that DevOps is a set of software development practices that seek to remove the division between the disciplines of software development and information technology operations. DevOps can shorten your SDLC and allow your team to release new features and fixes quickly.

If DevOps moves development and operations out of their silos, DevSecOps takes it one step further and takes security out of its silo, as well. Security considerations are brought into the SDLC earlier and developers are encouraged to think about security throughout their workflow.

If a team is practicing DevSecOps, it means that developers are going to be engaging with the security concerns of their code in a way that they possibly have not before. Snyk builds tools to help developers bridge this gap so DevSecOps can truly be practiced.

Snyk helps developers find and fix vulnerabilities in their open source dependencies. The focus is on vulnerabilities in open source dependencies for a few reasons. First, known vulnerabilities in open source libraries are, well, known. They are known both to those wanting to keep their applications safe and to those who seek to act maliciously. They are known, yet developers typically lag behind on upgrading and patching. Second, open source dependencies typically account for the largest footprint within a code base, so addressing them covers a lot of ground. Third, this is an area within security that is ripe for automation. Snyk can automatically build your dependency tree, tell you what vulnerabilities exist in your application, and provide remediation advice.

Snyk is integrated throughout the SDLC, starting with a CLI and IDE plugins to use as you develop, through integrating with your source control, to tools that can monitor deployed projects. Snyk can automatically open pull requests that make the smallest change necessary to your dependencies to address the target vulnerabilities. Snyk’s security research team routinely finds new vulnerabilities, provides context and further insights into known vulnerabilities, and through their review of public data, removes false positives from the vulnerability database.

CircleCI + Snyk

Because Snyk is committed to building developer-friendly security tools, we seek to meet developers where they are. This includes broad language support and integration with tools and services that developers already use and love.

We are thrilled to partner with CircleCI for this very reason. CircleCI empowers developers to automate their pipeline from commit to deploy. They offer first-class Docker support (Snyk also offers tools to scan Docker images for open source vulnerabilities!). CircleCI provides fast performance, complete control, and unparalleled flexibility in creating your CI/CD pipeline. And now it is easier than ever to use Snyk alongside CircleCI because of the creation of a Snyk CircleCI orb.

CircleCI orbs

CircleCI orbs are shareable packages of CircleCI configuration to use in your builds. Orbs define reusable commands, executors, and jobs so that commonly used pieces of configuration can be condensed into a single line of code.

Orbs can be used across multiple projects. For example, check out these orbs that help you utilize AWS-S3 and Helm. They are contributed by the community and by CircleCI partners (like Snyk!).

Snyk’s orb

Snyk is delighted to be launching a CircleCI orb to make it even easier for our users to incorporate Snyk into their CircleCI workflows. By utilizing our orb, it is possible to install Snyk, run a test, and monitor your project with a single line of code. You can also customize how your project interacts with Snyk by setting a threshold for failing builds. Depending on your risk tolerance and your needs for a given project, it may make sense to allow vulnerabilities in your project, as long as they are under a certain severity level. The Snyk orb allows for easy customization. Do you use containers? The Snyk orb can automate container scanning, too.
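As an added example (not from the original post or from Snyk's own documentation), here is a CircleCI `config.yml` that uses the orb both in its one-line default form and with an explicit failure threshold, plus a container scan. The orb version is a placeholder, and the parameter names (`severity-threshold`, `fail-on-issues`, `monitor-on-build`, `token-variable`, `docker-image-name`), the executor images and the image tag are assumptions to check against the Orb Registry entry for the version you pin.

```yaml
version: 2.1

orbs:
  # Pin the orb version you have reviewed; x.y.z is a placeholder.
  snyk: snyk/snyk@x.y.z

jobs:
  test-dependencies:
    docker:
      - image: cimg/node:lts        # assumed executor; use your project's image
    steps:
      - checkout
      - run: npm ci
      # One-line default: installs the Snyk CLI, runs `snyk test` against
      # the lockfile, and fails the build if any vulnerability is found.
      - snyk/scan

  test-dependencies-with-threshold:
    docker:
      - image: cimg/node:lts
    steps:
      - checkout
      - run: npm ci
      - snyk/scan:
          # Only issues at or above this severity fail the build; lower
          # severities are still reported, matching an agreed risk tolerance.
          severity-threshold: high
          fail-on-issues: true
          # Snapshot the dependency tree so Snyk alerts on vulnerabilities
          # disclosed after this build has already passed.
          monitor-on-build: true
          # The API token is read from an environment variable set in the
          # project settings or a context, never committed to this file.
          token-variable: SNYK_TOKEN

  scan-container:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - setup_remote_docker
      - run: docker build -t example-app:ci .   # constructed image tag
      # Scan the built image's OS packages and bundled libraries.
      - snyk/scan:
          docker-image-name: example-app:ci
          severity-threshold: high

workflows:
  build-and-scan:
    jobs:
      - test-dependencies-with-threshold
      - scan-container
```

The first job is kept only to show the single-line form; in practice a project would use one of the two dependency jobs, not both.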

Get started

Are you new to Snyk? Try it for free to see what vulnerabilities exist in your application today.

Already a user? That’s awesome! Consider upgrading to a paid plan, which will give you an API key and allow you to take advantage of our orb.

You can learn more about the Snyk orb from the Orb Registry or browse the documentation on the orb’s GitHub repo.


This post is a part of a series we produced covering DevSecOps.