Using Snyk in an IDE
Enabling developers to find and fix issues in real-time without leaving your "flow state" or development environment.
~15 mins estimated
This lesson is designed to help you map your company’s business structure to the Snyk hierarchy. You will learn to define and strategically organize Tenants, Groups, and Organizations to ensure proper data isolation and streamlined management across different business units.
The Snyk Architecture
To build a scalable security program, you must first understand how Snyk organizes data. Snyk uses a four-tier hierarchy designed to mirror the structure of modern enterprise organizations.
- Tenant: The root of your Snyk environment. Typically, a customer has one tenant representing the entire company. This level provides global analytics via Snyk AppRisk.
- Group: The primary administrative container. Groups hold your Organizations, global security policies, and default notification templates.
- Organization (Org): The operational hub. This is where you control access, configure SCM integrations, and view project-level scan results.
- Target & Project: A Target is a repository or image; a Project is a specific scannable file within that target (e.g., a package.json or a Dockerfile).
The Snyk Security IDE plugin allows you to ship secure code by default, integrating directly into your existing workflow to eliminate tedious remediation loops. By identifying critical blockers in real-time and providing actionable fix advice as you write code, Snyk helps you secure your application before the first commit.
Key Developer Benefits
- High-Velocity Scanning: Get fast, accurate results without leaving your editor.
- Intelligent Remediation: Leverage automated fix suggestions, including AI-driven Snyk Agent Fix recommendations (for Enterprise customers only).
- Customizable Signal: Tune your configuration to focus on immediate blockers or expand your view to see all security insights.
Enterprise & Compliance Features
For organizations requiring deeper governance, Snyk runs several background processes to ensure alignment with security standards:
- Security & License Policies: Automated enforcement based on your Team or Enterprise plan.
- Pipeline Guardrails: Integrated PR and CI/CD features that automate enforcement and prevent vulnerable code from progressing.
Prerequisites
Before getting started, ensure you have the following ready:
- A Supported IDE: VS Code, Eclipse, JetBrains, etc.
- A Snyk Account: Available for all tiers (Free, Team, and Enterprise).
- Snyk Code Activation: Ensure Snyk Code is enabled in your Snyk Web UI organizational settings.
- Note: For Team and Enterprise users, this is typically managed by your admin. Free users will need to toggle this on manually in their account settings.
Resources
- Data Privacy: How Snyk handles your data
- Documentation: Snyk IDE Plugins and Extensions
Installing and Authenticating the Snyk Security plugin
This demo covers the full setup process: getting the Snyk Security plugin from your IDE marketplace, installing it, and linking your account via authentication. Although there are multiple ways to authorize the Snyk Security plugin, this demo shows the recommended method, OAuth2 (authenticating via a social origin such as GitHub).
Once authentication completes, the IDE automatically links the Snyk Security plugin or extension to your Snyk account, and the plugin then communicates with the endpoint for your account's region. This matters when your data is hosted in a private deployment or a specific geographic region, because the plugin must talk to that region's endpoint rather than the default one.
Reviewing Settings and Filters
This demo covers how to fine-tune your Snyk configuration and apply filters to ensure you're seeing the most relevant security insights. The common settings for Developers include:
- Snyk Account
- Auto Select Organization (on by default)
- Snyk Configuration
- Features - Open source security, Code Security, and IaC (3 separate options)
- Severity
- Risk Score Threshold
- All Issues vs Net New Issues
- User Experience
- Scanning mode
- Execution Frequency
There are three areas of IDE scanning:
- Open Source (dependencies)
- Code Security (first-party code)
- Infrastructure as Code (configurations)
You can use filters to focus only on the issues for which you are responsible. NOTE: Container images are not scanned from the IDE; they can be scanned through Snyk using the Snyk CLI.
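To make the settings and filters above concrete, here is an added example (not Snyk's own code or the plugin's implementation) that applies the same knobs the IDE exposes: the three scan areas (Open Source, Code Security, IaC), a severity threshold, a Risk Score threshold, and the choice between all issues and net-new issues relative to a previous scan. The finding record shape, the placeholder issue IDs and the sample findings are all constructed for this demo and are assumptions, not Snyk's documented result schema.

```python
"""Apply IDE-style Snyk filters (area, severity, risk score, net-new) to scan results.

Added example for illustration; the Issue fields are an assumption modelled on
what a scan result carries, not Snyk's documented JSON schema.
"""
from dataclasses import dataclass

# Severity ordering used by the threshold filter (lowest to highest).
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# The three IDE scan areas described on the page.
AREAS = ("open-source", "code", "iac")


@dataclass(frozen=True)
class Issue:
    """One finding. Field names are assumptions for this example."""
    id: str
    area: str          # which scan produced it: open-source, code, or iac
    severity: str      # low / medium / high / critical
    risk_score: int    # Snyk Risk Score range is 0-1000
    title: str


# Constructed sample findings; the IDs are placeholders, not real advisories.
CURRENT_SCAN = [
    Issue("OSS-PLACEHOLDER-1", "open-source", "high", 720, "Prototype pollution in a transitive dependency"),
    Issue("OSS-PLACEHOLDER-2", "open-source", "low", 150, "Regular expression denial of service"),
    Issue("CODE-PLACEHOLDER-1", "code", "medium", 430, "Hard-coded credential"),
    Issue("CODE-PLACEHOLDER-2", "code", "high", 600, "SQL injection via string concatenation"),
    Issue("IAC-PLACEHOLDER-1", "iac", "critical", 810, "Storage bucket publicly readable"),
]

# IDs already reported by the previous scan; anything not listed here is "net new".
BASELINE_IDS = frozenset({"OSS-PLACEHOLDER-1", "IAC-PLACEHOLDER-1"})


def filter_issues(issues, *, severity_threshold="low", risk_score_threshold=0,
                  areas=AREAS, net_new_only=False, baseline=frozenset()):
    """Return the issues that pass every enabled filter, most severe first.

    severity_threshold:   keep issues at this severity or higher.
    risk_score_threshold: keep issues whose risk score is at least this value.
    areas:                which scan areas are enabled (Open Source, Code, IaC).
    net_new_only:         when True, drop issues whose id is already in `baseline`.
    """
    sev = severity_threshold.lower()
    if sev not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {severity_threshold!r}")
    if not 0 <= risk_score_threshold <= 1000:
        raise ValueError("risk score threshold must be between 0 and 1000")
    enabled = set(areas)

    kept = []
    for issue in issues:
        issue_sev = issue.severity.lower()
        if issue_sev not in SEVERITY_RANK:
            # Fail closed on an unrecognised severity rather than silently hiding it.
            raise ValueError(f"issue {issue.id} has unknown severity {issue.severity!r}")
        if issue.area not in enabled:
            continue
        if SEVERITY_RANK[issue_sev] < SEVERITY_RANK[sev]:
            continue
        if issue.risk_score < risk_score_threshold:
            continue
        if net_new_only and issue.id in baseline:
            continue
        kept.append(issue)

    # Surface the most severe, highest-risk issues first, as an IDE panel would.
    kept.sort(key=lambda i: (-SEVERITY_RANK[i.severity.lower()], -i.risk_score))
    return kept


def count_by_severity(issues):
    """Summarise a list of issues as a severity histogram."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for issue in issues:
        counts[issue.severity.lower()] += 1
    return counts


if __name__ == "__main__":
    # Focus on immediate blockers: high or above, and only what this change introduced.
    blockers = filter_issues(CURRENT_SCAN, severity_threshold="high",
                             net_new_only=True, baseline=BASELINE_IDS)
    for issue in blockers:
        print(f"[{issue.severity}] {issue.risk_score:4d} {issue.area:12s} {issue.id}: {issue.title}")
    print("all issues by severity:", count_by_severity(CURRENT_SCAN))
```

The "net new" filter is only as good as the baseline it is compared against: if the baseline scan was run with a narrower area or severity setting than the current one, issues that were simply never reported before will show up as new. Keep the baseline and current scans on the same configuration when using that view to decide what blocks a commit.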
Scanning and Remediating - Open Source and Your Code
This demo covers how to run scans and apply fixes for two critical areas: Snyk Open Source for your dependencies and Snyk Code for your own custom implementation.
Scanning and Remediating - AI Remediation
This demo shows how to leverage AI-driven fixes to streamline your remediation workflow. Note: Snyk Agent Fix functionality is an Enterprise-tier feature.
Enabling Snyk Agent Fix
If you don't see any proposed AI fixes for the issues in your code, you (or your system administrator) may need to enable the option in Snyk. Under the Group and Organization settings, in the menu called DeepCode AI Fix, enable it by toggling Enable Snyk Agent Fix.
See "Fix code vulnerabilities automatically" for more information on Snyk Agent Fix.