Using Snyk in an IDE
Enabling developers to build secure software
The Snyk Security IDE plugin is an essential tool to produce secure code from the start, as part of your normal workflow, minimizing or outright avoiding repeated rounds of remediation.
It allows you to find issues early, identifying issues that may block later in the process, such as at build time, and provides remediation advice while you are still working on the code.
The plugin is all about enabling developers by providing:
- Accurate, fast results
- Meaningful, intelligent remediation, including DeepCode AI fix recommendations
- Configuration to show only the issues that may block later in the process, or show all issues.
The use of Snyk in the IDE is to enable development of secure code and fast remediation. More "enterprise+compliance" type behaviors operate behind the scenes:
- Snyk security policies (See Enterprise Plan)
- Snyk license policies (See Team and Enterprise plans)
- Pull request/pipeline features are where automation and blocking occur (that is, enforcement)
The videos in this lesson use a variety of IDEs to illustrate functionality; usage is nearly identical across IDEs.
- Typically Visual Studio Code and JetBrains IntelliJ IDEs are shown.
- Where functionality may differ, it is indicated in the video and/or the relevant section of the lesson. For more information on IDEs and feature support, see Requirements below.
Requirements
- A supported IDE, such as Visual Studio Code (VS Code), Visual Studio, Eclipse, or JetBrains.
- A Snyk user account (Available to all plans: Free->Enterprise).
Useful links
- Snyk values our customers and trust is critical. For information on how Snyk handles your data, please visit How Snyk handles your data.
- For more information on IDE support, see the Snyk IDE plugins and extensions documentation.
Download and install the Snyk Security plugin from your IDE marketplace/extensions
Installation Video
Video (1m55s)
Topics:
- Snyk Security Plugin
- Preview version/Betas
Navigate to the extension settings for Snyk Security. From here, you will authenticate the Snyk extension.
There are essentially three ways you can authorize the plugin.
- OAuth2 - authenticating via social logins, such as GitHub
- OAuth2 - single sign-on (SSO)
- Account token from the Snyk platform
It is essential that you use the login you used previously, or the one your company has set up for Snyk. You will choose this as the first step of authenticating.
Understanding the Custom Endpoint
Snyk has several regions that can host your instance of Snyk, for example:
- Free plan users are, and typically legacy customers were, hosted on the default Snyk-US-01 instance
- AU and EU instances are available
- Private single tenant instances use a custom region
The custom endpoint indicates where the relevant plugin or external tool should communicate back to Snyk. If you are on the default instance, no endpoint needs to be specified.
For more information, see IDE URLs
Be sure to specify the custom endpoint prior to clicking "Connect IDE to Snyk"!
Free Plan - First time users
- You will use the default Custom EndPoint
- If you’ve never used Snyk and you just downloaded the IDE to try it out, you will be prompted to create an account using one of the social authentication methods. Snyk will place you on the free plan by default, with unlimited open-source project testing and limited private-repository tests. See https://snyk.io/plans for more information.
- Make sure to go to Settings->Snyk Code in the web interface and enable Snyk Code!
- If you've signed into Snyk previously, you will link Snyk to your existing account, either by using the same authentication method you'd previously chosen, via the OAuth2 workflow (recommended), or by providing your account API token.
Snyk Enterprise Plan users
The vast majority of Enterprise users use SSO to interact with Snyk.
Many customers use the default region of snyk.io (https://api.snyk.io) to authenticate; however, there are several other regional instances and private single tenants.
Pro tip: Your Snyk contact, your team leader, or Snyk administrator are great contacts to reach out to if you're unsure which region to use.
Step 1: Determine which tenant/API endpoint your company uses (ask your Snyk administrator or team lead).
Step 2: If you are not on the default snyk.io instance, place the appropriate value in the Custom Endpoint field prior to connecting. This will seamlessly authenticate you to the correct instance when you click Connect in the next step.
Step 3: Select SSO and log in
Snyk Free Plan/Team Plan/Trial Users
You will log in using one of the available identity providers of your choice. You do not need to modify the API endpoint at this time.
Video (2m37s)
Topics:
- Using the Connect IDE to authenticate the IDE
- Using an account token to authenticate the IDE and how to retrieve the token
When opening the Snyk plugin, new projects, or scans, you may be prompted to trust the workspace or folders as a security precaution. For more information, please review the following references for the IDE of interest to you
This section covers key values that you typically set once and don't change very often. Snyk has many settings that can be configured; however, in this lesson we separate them into Authentication, Essential Configuration, and Filter sections.
- In Authentication, we have already discussed the custom endpoint.
- In this Essential Configuration section, we will discuss Organization and some additional options
- In the following section, Filters, we will discuss various options like Product, Severity, and settings to view all versus new issues.
Scan on Save
Some IDEs, such as Visual Studio Code, have an option to "Scan on save". Additionally, Visual Studio Code has an option to "Save as you type" in its general settings. When paired, these two features help provide timely scans as you write!
Additional Parameters
The IDE uses the Snyk CLI under the hood, which means that some very powerful options can be passed to it via this field.
If you're using Gradle, Python, Maven, or C++, you may consider reviewing the language-specific options in the Snyk documentation, especially the open source options for the relevant package managers.
For example
Video (4m11s)
Topics:
- Custom EndPoint (Be sure to set this before trying to authenticate!)
- Organization
- Additional Parameter
Organization
Defaulting versus explicitly setting Organization
- The Organization setting indicates where to retrieve settings for features (for example, whether Snyk Code is enabled), policies, and other rules to apply to your local project, based on the Organization it belongs to.
- The Organization is defaulted in the web interface, implicitly setting your default Organization, or it can be explicitly set in the IDE's Organization field, overriding that default value.
- If your Organization doesn't change often and all your projects are in one Organization, you may set it once in the IDE and only periodically change it. You may even consider using the Default Organization in your Snyk account settings to set it. If it changes a lot, it's recommended to set it within the IDE's Organization setting.
Using Organization ID Vs Slug
- The Organization value can be set to what's known as the URL Slug or the Organization ID. These options are provided such that the Slug is human readable, whereas the ID is typically used for programmatic tasks. Snyk recommends using the Organization ID over the Slug for consistency when using multiple integrations, tools, or the API.
- The Slug can be extracted from the URL or found on the Organization Settings page.
- The ID can be found on the Organization settings page in Snyk. The ID is the recommended approach/value.
- Guidance on when to use the Organization Slug vs ID
- If you use a lot of different Snyk tools, the Snyk Organization ID is probably best for consistency, as some tools, such as the API, only accept the ID form.
- If you switch Organizations in the IDE often, the human-readable format is often preferred, so the Slug is often used, as it makes it easier to spot when you're using the wrong Organization.
Video (2m28s)
Topics:
- Extracting Organization slug from URL
- Retrieving Organization slug from settings
- See notes above on Organization ID vs Slug. The Organization ID can be found below the Slug on the settings screen shown in this presentation.
Enable DeepCode AI
In the following sections on running scans, validating your code, and remediation, you may find you don't see any options to use AI fix on your code. If that's the case, your administrator (or you, if you have admin rights) may need to enable the option.
This feature can be found under the Group and Organization settings, in a menu called DeepCode AI Fix. You will need to toggle Enable DeepCode AI Fix to enable it.
- Snyk does not train on customers' code.
- See Fix code vulnerabilities automatically for more information on DeepCode AI
In this section we review key settings that may change depending on the codebase being worked on, which may, in turn, impact the results seen within the IDE:
- Products
- Severity
- All issues versus only new issues introduced in your branch of code
We also discuss strategies on how/why you would set those filters.
Video (7m13s)
Topics:
- Common filters (Products/Severity/All vs New issues)
- Setting filters based on strategy (triage vs investigating an issue vs fixing issues you are responsible for)
The Snyk plugin typically scans when a project is opened, or when a user chooses to run a scan. Snyk may also scan on save, if that option is enabled in an IDE that supports it.
- Code must be saved prior to running Snyk scans
- Containers must be built and referenced in the deployment files in order for the Snyk IDE plugin to scan them, where supported.
- Results provide information about the issue in the results tab
- Links to external CVE and/or CWE information and Snyk's vulnerability database, in addition to Snyk Learn, Snyk's free offering to help developers understand how to write secure code (vendor-agnostic content under "Security Education", and training on Snyk's platform under "Product Training")
Video (7m31s)
Topics:
- Initiating a scan
- Types of scans
- Navigating the results
- Snyk Learn
- Scanning a container, navigating results
Issue management takes on several forms depending on the type of issue and where it occurred. Here are some of the options
- Remediating the vulnerability
- Suggesting fixes back to the relevant open source
- Remediating your code
- Ignoring the issue locally or by policy (as set by administrator)
For more information about the .snyk file referred to in some presentations, see the user documentation found here:
The following sections discuss how to navigate and remediate the different result types from Snyk. You may have filtered some of these out in the Filter section earlier, so please review your filters, or the IDE's support for the option (for example, Containers), should you need assistance.
Additional tips
- Fixes do not check whether they break functionality in your code or whether they actually fixed the vulnerability in the context of the broader service. Please verify the fix before implementing it.
- DeepCode AI Fix may recommend a fix that uses packages that don’t exist in your project. Don’t forget to update your manifest files accordingly.
Issue Management - Open Source
Video (4m7s)
Topics:
- Understanding the issue via Snyk database, Snyk Learn, CVE
- How an issue was introduced
- Calculated remediation
- .snyk file
- Security policies (only available with the Enterprise plan)
During the remediation step, be sure to install the package(s) locally, and update any manifest/lockfiles with the correct version(s).
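As an added example (not from the lesson or Snyk's own documentation), a `.snyk` policy file of the kind referenced in the issue-management options and the topics above, recording a local ignore for one open source issue with a reason and an expiry date. The issue ID, package names, dates and reason are constructed placeholders.

```yaml
# .snyk policy file at the project root (constructed example).
# The IDE plugin and CLI read it to suppress matching issues locally,
# so the ignore travels with the code and is visible in code review.
version: v1.25.0
ignore:
  # Placeholder issue ID: use the Snyk vulnerability ID shown in the IDE
  # results for the real issue (format SNYK-<ECOSYSTEM>-<PACKAGE>-<NUMBER>).
  SNYK-JS-EXAMPLEPKG-0000000:
    # '*' ignores the issue on every dependency path; a specific path such as
    # 'parent-pkg > examplepkg' limits the ignore to that introduction path.
    - '*':
        # Record why the issue is accepted, so the next reader does not have to guess.
        reason: 'Placeholder: vulnerable function is not reachable from this service'
        # The ignore expires automatically; the issue resurfaces after this date.
        expires: 2025-01-31T00:00:00.000Z
        created: 2024-12-01T00:00:00.000Z
patch: {}
```

Keep the expiry short so the ignore is revisited when the package is next upgraded rather than silently living on.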
Issue Management - Your Code
To learn more about DeepCode AI Fix, see
Video (6m31s)
Topics:
- Q&A - common questions, like Snyk's AI not training on customer code
- Enable, or request to enable, DeepCode AI Fix if it is not already enabled
- Snyk Learn
- Reviewing code results
- Preview and apply DeepCode AI Fix
Issue Management - Your containers
Video (4m5s)
Topics:
- Requirements to scan containers (built and referenced in deployment files)
- Parent image remediation
- Understanding the vulnerability
- Package remediation
Issue Management - Infrastructure as Code (IaC)
For additional information on IaC custom policies:
Video (2m34s)
Topics:
- Remediation
- Ignores