Using Snyk in an IDE
Enabling developers to find and fix issues in real time without leaving their "flow state" or development environment.
~15 mins estimated
This course is designed to serve as a comprehensive guide for both Developers and Snyk Administrators. To ensure you get the most relevant information for your role, the content is organized into two distinct workflow paths:
The Developer Workflow: Focused on the "Inner Loop" of development. This path covers installing the plugin, authenticating, and using real-time scanning to find and fix vulnerabilities without leaving your IDE.
The Administrator Workflow: For more information on the administrator workflow please visit: Using Snyk in an IDE (Administrator)
The Snyk Security IDE plugin allows you to ship secure code by default, integrating directly into your existing workflow to eliminate tedious remediation loops. By identifying critical blockers in real-time and providing actionable fix advice as you write code, Snyk helps you secure your application before the first commit.
Key Developer Benefits
- High-Velocity Scanning: Get fast, accurate results without leaving your editor.
- Intelligent Remediation: Leverage automated fix suggestions, including AI-driven Snyk Agent Fix recommendations (for Enterprise customers only).
- Customizable Signal: Tune your configuration to focus on immediate blockers or expand your view to see all security insights.
Enterprise & Compliance Features
For organizations requiring deeper governance, Snyk runs several background processes to ensure alignment with security standards:
- Security & License Policies: Automated enforcement based on your Team or Enterprise plan.
- Pipeline Guardrails: Integrated PR and CI/CD features that automate enforcement and prevent vulnerable code from progressing.
Prerequisites
Before getting started, ensure you have the following ready:
- A Supported IDE: VS Code, Eclipse, JetBrains, etc.
- A Snyk Account: Available for all tiers (Free, Team, and Enterprise).
- Snyk Code Activation: Ensure Snyk Code is enabled in your Snyk Web UI organizational settings.
  - Note: For Team and Enterprise users, this is typically managed by your admin. Free users will need to toggle this on manually in their account settings.
Resources
- Data Privacy: How Snyk handles your data
- Documentation: Snyk IDE Plugins and Extensions
Installing and Authenticating the Snyk Security plugin
This demo covers the full setup process: getting the Snyk Security plugin from your IDE marketplace, installing it, and linking your account via authentication. Although there are multiple ways to authorize the Snyk Security plugin, this demo shows the recommended method, OAuth2 (authenticating via a social origin such as GitHub).
Completing the authentication process links the Snyk Security plugin or extension to your Snyk account, and from then on the plugin communicates with a specific endpoint or region. This is especially important for private or region-specific Snyk instances.
Reviewing Settings and Filters
This demo covers how to fine-tune your Snyk configuration and apply filters to ensure you're seeing the most relevant security insights. The common settings for Developers include:
- Snyk Account
  - Auto Select Organization (on by default)
- Snyk Configuration
  - Features - Open Source Security, Code Security, and IaC (3 separate options)
  - Severity
  - Risk Score Threshold
  - All Issues vs Net New Issues
- User Experience
  - Scanning mode
  - Execution Frequency
There are three areas of IDE scanning:
- Open Source (dependencies)
- Code Security (first-party code)
- Infrastructure as Code (configurations)
You can use filters to focus only on the issues for which you are responsible. NOTE: Container images can be scanned through Snyk using the Snyk CLI.
Scanning and Remediating - Open Source and Your Code
This demo covers how to run scans and apply fixes for two critical areas: Snyk Open Source for your dependencies and Snyk Code for your own custom implementation.
Open Source:
Code Security:
Scanning and Remediating - AI Remediation
This demo shows how to leverage AI-driven fixes to streamline your remediation workflow. Note: Snyk Agent Fix functionality is an Enterprise-tier feature.
Enabling Snyk Agent Fix
If you don't see any proposed AI fixes for the issues in your code, you (or your Snyk administrator) may need to enable the option in Snyk. Under the Group and Organization settings, open the menu called DeepCode AI Fix and toggle Enable Snyk Agent Fix.
See Fix code vulnerabilities automatically for more information on Snyk Agent Fix.