Using Snyk in an IDE

Enabling developers to build secure software

Introduction

The Snyk Security IDE plugin is an essential tool to produce secure code from the start, as part of your normal workflow, minimizing or even avoiding repeated rounds of remediation.

It allows you to find issues early, both by identifying issues that may become a blocker later on (for example, at build time) and by providing remediation advice while you are still working on the code.

The plugin enables developers by providing:

  • Fast and accurate results
  • Intelligent remediation, including DeepCode AI fix recommendations
  • Configuration options that allow them to show only the issues that may block later in the process, or show all issues.

Using Snyk in the IDE supports the development of secure code and fast remediation. Additionally, several enterprise and compliance functionalities run in the background, including:

Usage is nearly identical across IDEs. The videos in this lesson use a variety of IDEs to illustrate functionality.

  • They typically show Visual Studio Code and JetBrains IntelliJ IDEs.
  • Where functionality differs, the video and/or the relevant section of the lesson indicates this. For more information on IDEs and feature support, see Requirements below.

Requirements

  • A supported IDE, such as Visual Studio Code (VS Code), Visual Studio, Eclipse, or JetBrains.
  • A Snyk user account (available to all plans: Free, Team, and Enterprise).
  • If you intend to use Snyk Code in the IDE, make sure it's enabled in the organizational settings in the Snyk web interface for your organization, in addition to having it enabled in the IDE settings.
    • Snyk Team and Snyk Enterprise customers will have it enabled in their instance by administrators.
    • Free users must set this themselves.

Useful links

Installing the Snyk Security plugin

Download and install the Snyk Security plugin from your IDE marketplace/extensions

INFO

Release Cadence

Stable versions are updated several times a year, while the preview channel is updated more frequently, and includes capabilities that are eventually incorporated into stable releases. Snyk recommends using the stable, non-preview version.

For more information, see the IDE Release policy: https://docs.snyk.io/scm-ide-and-ci-cd-integrations/snyk-ide-plugins-and-extensions/release-policy

Installation Video

Video (1m55s)

Topics in this video:

  1. Snyk Security Plugin
  2. Preview/beta versions

Authenticating with Snyk

Navigate to the extension settings for Snyk Security. This is where you will authenticate the Snyk extension.

Ways to authenticate the Snyk extension

There are three ways to authorize the plugin.

  1. OAuth2 - authentication via social logins, such as GitHub (default)
  2. OAuth2 - single sign-on (SSO)
  3. Using an account token from the Snyk platform (service accounts are not appropriate for this role)

Choose one of these options and proceed to the next section.

Connect

Within the IDE, click the Connect button. A browser opens and prompts you through the login process.

By completing this process, the IDE automatically links the Snyk Security plugin or extension to your Snyk account and the plugin automatically knows what endpoint or region to communicate with. This is especially important for private or specific geographic regions.

Follow the login process using the next steps.

Choosing an Authentication Provider

If you are a Snyk Enterprise customer, you're likely using SSO. If that's the case, make sure you choose the appropriate login method. For cases when the login process fails, see the next section that addresses login failure.

If you only see one login method that is not yours, use the "View more" option to see more providers.

Login and authorize

Sign in to Snyk and follow the prompt to authorize the IDE with Snyk by granting permission to do so.

INFO

Custom endpoint is now auto-detected

When you authenticate, your email address determines the region and the endpoint is auto-detected. For troubleshooting, or for cases when you must set it manually, see the information below. If you are on the Snyk-US-01 instance, no endpoint needs to be specified.

If the Connect login process fails

If the automated login fails, you can manually set the endpoint so the IDE can connect to the correct region of Snyk. The following explains the Custom endpoint option and what you need to consider, depending on the plan you are on.

Understanding the Custom Endpoint

As mentioned, if you use the "Connect" button to connect the IDE to Snyk, by default it automatically detects your region based on your email address. This lets the IDE determine which region to communicate with, so you don't have to set the custom endpoint manually. However, if the login fails (because of a pop-up blocker, for example), or if you want to set it manually, you must first configure the custom endpoint and set your personal token so the IDE knows which region to communicate with and which token to use to authenticate to it.

Snyk can host your instance of Snyk in one of several regions:

  • Snyk-US-01 - the default instance where Snyk Free plan users and legacy customers are hosted (https://api.snyk.io). If you leave the Custom Endpoint blank, you default to this region.
  • AU and EU instances
  • Private, single-tenant instances, which use a custom region. You can retrieve this from your account representative or administrator.

For more information, see IDE URL

Tip: If login fails and you need to manually configure the custom endpoint, or if you are not sure which region to use, contact your team leader or Snyk administrator.

Authenticating Manually

Step 1: If you are setting it manually, determine which tenant or API endpoint your company uses (ask your Snyk administrator or team leader).

Place the appropriate value in the Custom Endpoint field, prior to connecting. This will seamlessly authenticate you to the correct instance when you click Connect in the next step.

Step 2: Navigate to your user profile in the Snyk web interface, and retrieve your personal API token. Note that Service Accounts are not appropriate for SSO accounts.

Set the token in the IDE. The region and token will be used the next time you run a scan.

Video (3m18s)

Topics in this video:

  1. Using the Connect button to authenticate the IDE
  2. Using an account token to authenticate the IDE and how to retrieve the token

Trusting Workspaces

When you open the Snyk plugin or new Projects, or perform scans, you are prompted, as a security precaution, to trust the workspace or folders. For more information, see:

Essential Configuration

This section covers key values that you set once and don't change very often. Snyk has many settings that you can configure; in this lesson we separate them into the Authentication, Essential Configuration, and Filters sections.

  • The Authentication section covers the custom endpoint.
  • The Essential Configuration section covers Organization and some additional options.
  • The Filters section discusses various options such as Product, Severity, and settings to view all or just new issues. It also covers filters in the interface versus the configuration setting filters.

Scan on Save

Some IDEs, such as Visual Studio Code, have an option to "Scan on save". Additionally, Visual Studio Code has an option to "Save as you type". When paired, these two features help provide timely scans as you write your code.

Additional Parameters

Under the hood, the IDE uses the Snyk CLI, which means that some very powerful CLI options can be passed to it via this field.

If you're using Gradle, Python, Maven, or C++, consider reviewing the language-specific options, especially the Snyk Open Source options for the relevant package managers. The information is available in the Snyk documentation.

For example

Video (4m10s)

Topics in this video:

  • Custom EndPoint (Only required if login failed and you are trying to override the custom endpoint)
  • Organization
  • Additional Parameters

Organization

Using a default Organization versus explicitly setting the Organization

The IDE has configuration items the user can modify in the configuration settings; however, some features and capabilities may be set or restricted based on the plan the customer has purchased or on settings made by an administrator. These are set at the Organization level in Snyk. You can select which Organization's settings to use, either by setting a default in your user profile in Snyk or by setting it in the IDE configuration screen.

  • The IDE's Organization setting indicates where to retrieve settings for features (for example, whether Snyk Code is enabled), policies, and other rules to apply to your local project, based on the Organization it belongs to.
  • The Organization is defaulted in the web interface, implicitly setting your default Organization, or it can be explicitly set in the IDE's Organization field, overriding that default value.
  • If your Organization doesn't change often and all your projects are in one Organization, set it once in the IDE and only change it when you need to. Consider using the Default Organization in your Snyk account settings to set it. If it changes a lot, it's recommended to set it within the IDE's Organization setting for visibility.

Using an Organization ID Vs Organization Slug

  • You can set the Organization value to either the URL slug or the Organization ID. The slug is human-readable, whereas the ID is typically used for programmatic tasks. Snyk recommends using the Organization ID over the slug for consistency when using multiple integrations, tools, or the API.
    • You can extract the slug from the URL, or you can find it on the Organization Settings page.
    • You can find the ID on the Organization Settings page in the Snyk web interface. The ID is the recommended value.

When to use the Organization Slug vs an Organization ID

If you use many different Snyk tools, using the Snyk Organization ID is the best approach to ensure consistency, as some tools, such as the API, only accept the ID.

If you often switch Organizations in the IDE, human readable format is often preferred, so we recommend using the slug. This allows you to see more easily when you're using the wrong Organization.

Video (2m28s)

Topics in this video:

  1. Extracting the Organization slug from the URL
  2. Retrieving the Organization slug from settings

See the information above on using an Organization ID vs an Organization slug. The Organization ID can be found below the slug on the settings screen shown in this presentation.

Enable DeepCode AI

In the following sections on running scans, validating your code, and remediation, you may find that you don't see any option to use AI fix on your code. If that's the case, your administrator (or you, if you have admin rights) may need to enable the option.

You can find this feature under the Group and Organization settings, in the menu called DeepCode AI Fix. You must enable it by toggling Enable DeepCode AI Fix.

Setting Filters

This section reviews key settings that can change depending on the codebase you are working on, which may, in turn, impact the results you see within the IDE, specifically:

  • Products
  • Severity
  • A toggle to show all issues or to show only new issues introduced in your branch of code. This feature is visible both within the IDE plugin settings and on the main interface of the IDE plugin.

We also discuss strategies on how or why you would set those filters.

Video (8m36s)

Topics in this video:

  1. Common filters (Products, severity, All vs Net New issues)
  2. Setting filters based on strategy (triage vs investigating an issue vs fixing issues you are responsible for)

Writing and validating code

The Snyk plugin typically scans when a Project is opened or when you choose to run a scan. Snyk may also scan on save, if that option is enabled in an IDE that supports it.

  • You must save the code before running Snyk scans.
  • You must build containers and reference them in the deployment files so that the Snyk IDE plugin can scan them, if container scanning is available for that IDE type.
  • On the Issues tab, the results provide information on each issue. This includes:
    • Links to external CVE and/or CWE information
    • Information from Snyk's database on the issue
    • Snyk Learn: Snyk's free offering to help developers understand how to write secure code (vendor-agnostic, under "Security Education" content), in addition to training on Snyk's platform, which can be found under "Product Training"

Video (7m31s)

Topics in this video:

  1. Initiating a scan
  2. Types of scans
  3. Navigating the results
  4. Snyk Learn
  5. Scanning a container, and navigating the results

Issue management

Depending on the type of issue and where it occurred, there are several ways to look at issue management:

  • Remediating the vulnerability
  • Suggesting fixes back to the relevant open source
  • Remediating your code
  • Ignoring the issue locally or by policy (as set by administrator)

For more information about the .snyk file referred to in some presentations, see the .snyk file.
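As an added illustration (not from this lesson or Snyk's own documentation), a minimal `.snyk` policy file with one local ignore and a path exclusion; the issue ID, dates, and paths are constructed placeholders:

```yaml
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
# Constructed example: replace the placeholder ID, dates, and paths with real ones.
version: v1.25.0

# Ignores are time-boxed: once "expires" passes, the issue is reported again,
# which prevents a temporary risk acceptance from becoming permanent.
ignore:
  SNYK-JS-EXAMPLE-0000001:          # placeholder issue ID, not a real Snyk ID
    - '*':                           # '*' applies to every dependency path
        reason: Vulnerable function is not reachable from our code; tracked in ticket SEC-PLACEHOLDER
        expires: 2025-12-31T00:00:00.000Z
        created: 2025-06-01T00:00:00.000Z

# Paths excluded from scanning (test fixtures that intentionally contain bad code)
exclude:
  global:
    - tests/fixtures/**

patch: {}
```

Because the file is committed with the project, an ignore is visible in code review and applies to every developer's IDE scan and to CI runs that use the same checkout.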

The following sections discuss how to navigate and remediate the different result types that Snyk provides. You can filter these out (see the previous Filters section), so review your filters or the IDE's support for the option (for example, Containers) if the results you expect are missing.

Tips

  • Fixes do not check whether they break functionality in your code or whether they actually fixed the vulnerability in the context of the broader service. Verify the fix and any impact on functionality.
  • DeepCode AI Fix can recommend a fix that uses packages that don’t exist in your Project. Make sure you update your manifest files accordingly.

Issue Management - Open Source

Video (4m7s)

Topics in this video:

  1. Understanding the issue via Snyk database, Snyk Learn, CVE
  2. How an issue was introduced
  3. Calculated remediation
  4. The .snyk file
  5. Security policies (available only on the Enterprise plan)

During the remediation step, ensure you install the package(s) locally, and update any manifest/lockfiles with the correct version(s).

Issue Management - Your Code

To learn more about DeepCode AI Fix, see Find, auto-fix and prioritize intelligently, with Snyk's AI-powered code security tools

Video (8m33s)

Topics in this video:

  1. Q&A - common questions, for example, Snyk's AI not training on customer code
  2. Enabling, or requesting to enable, DeepCode AI Fix if it is not already enabled
  3. Snyk Learn
  4. Reviewing code results
  5. Preview and apply DeepCode AI Fix

Issue Management - Your containers

Video (4m5s)

Topics in this video:

  1. Requirements to scan containers (built, referenced in deployment files)
  2. Parent image remediation
  3. Understanding the vulnerability
  4. Package remediation

Issue Management - Infrastructure as Code (IaC)

For more information on IaC custom policies, see

Video (2m34s)

Topics in this video:

  1. Remediation
  2. Ignores