Travis

Continuous Security with Snyk and Travis CI

Tim Kadlec,

This is a guest blog post from Tim Kadlec, Developer Advocate at Snyk.

Security isn't easy. You have to be able to protect your application from each and every angle, against attackers who only need to be able to find a single weakness. In fact, just about the only thing that is "easy" about properly securing your site is how easy it is to miss basic security issues. You need all the help you can get.

That's where a proper build process comes into play. Having a well thought-out build process in place is like having a big, shiny "easy" button that you can press to help you take care of all the low-hanging fruit that is so critical, yet so easy to forget in your day to day work. If you're using open-source dependencies in your application, Snyk gives you an easy button for keeping those dependencies vulnerability free.

From memory exposure in mongoose to remote command execution in actionpack, Snyk helps to keep your Ruby, Java and JavaScript projects free of known vulnerabilities in your dependencies by focusing on four critical steps:

  1. Find the vulnerable dependencies
  2. Fix the vulnerabilities
  3. Prevent addition of new vulnerable packages
  4. Respond quickly and efficiently to newly disclosed vulnerabilities.

Snyk accomplishes this by scanning your Ruby or JavaScript projects for any known vulnerabilities in the dependencies you’re pulling in, help you fix any vulnerabilities it discovers, and even actively alerts you (via Slack or email) to vulnerabilities that get disclosed after you last tested.

Travis CI makes it easy to incorporate Snyk and these four steps into each and every build.

Getting Snyk setup

The first thing you'll need to do is get Snyk installed locally, which you can do by running npm install -g snyk from the command-line. You can confirm that the install was successful by running snyk -v, which should tell you which version of the CLI is installed.

Next, you'll need to authenticate your account using the snyk auth command. This will open a browser window that will attempt to verify your Snyk account. If you don't have an account yet, you'll be able to signup for one (it's free for open-source) using your GitHub, Bitbucket or Google accounts. The CLI will alert you when it sees that you've been authenticated.

You'll also need to make sure that you API token is included in your Travis build settings. You can copy the token from your account page. Then, in your Travis build settings, set an environment variable with the name SNYK_TOKEN and paste your token in for the value.

Setting your Snyk token in a Travis Environment Variable

You now have Snyk installed and authenticated locally. In addition, Travis now knows your API token so it can run any commands you tell it to during the build process.

From there, the instructions differ slightly based on whether your application uses Node or Ruby, so let's walk through them both.

Using your Ruby apps with Snyk

An ideal workflow for using Snyk with your Ruby application would first involve Snyk scanning your application on each build to make sure your dependencies are vulnerability free. Then, Snyk would take a snapshot of your application’s dependencies so that they could be monitored in case any new vulnerabilities are introduced.

We can provide this exact workflow by adding snyk test and snyk monitor to our Travis CI configuration file.

Finding vulnerabilities with snyk test

In your .travis.yml file, it's possible to define your own dependency installation process using the install setting. You can define multiple steps so that your dependencies will be installed using Bundler, and then tested with Snyk:

install:
    - bundle install --path vendor/bundle
    - snyk test

Now each time the build process installs your dependencies, it will then check them against Snyk's open-source database for any known vulnerabilities. If any are discovered, the build will fail until they've been addressed (either by fixing the issue or by telling Snyk to ignore the vulnerability for the next 30 days).

Respond to new vulnerabilities with snyk monitor

With snyk test in place, you can rest assured that you won't put your application into production with any vulnerabilities that are known the day that you ship. However new vulnerabilities are publicly disclosed and added to the Snyk database every single day which means that while you may have no known vulnerabilities today, that doesn't mean it will stay that way. You also want to make sure that you address any new issues before attackers manage to exploit them.

You can use snyk monitor to take a snapshot of your application's dependencies on each successful deploy, enabling Snyk to alert you if any new vulnerabilities are discovered that impact your application.

A good way to do this is by using the after_success step of the lifecycle with runs after each successful build.

after_success:
    - snyk monitor

Alternatively, if you're using the optional deploy step (to push to Heroku or something similar), you can run snyk monitor after deployment:

after_deploy:
    - snyk monitor

Now when a new vulnerability that impacts your application is disclosed, Snyk will notify you. From there, you'll be able to view the snapshot in your Snyk account and, if you're using the GitHub integration, apply any applicable fix with an automated pull request.

Snyk's GitHub integration can fix your vulnerabilities with an automated pull request

Protecting your JavaScript apps with Snyk

The ideal workflow for using Snyk to keep your JavaScript applications free of known vulnerabilities is very similar to the workflow for Ruby. Snyk can test your application whenever dependencies are installed to make sure they're vulnerability free, and can also take a snapshot of your application's dependencies to monitor them. JavaScript applications can benefit from an additional feature of Snyk: protecting your application by applying updates and patches that you specify automatically.

With Snyk installed and authenticated, your next step is to run snyk wizard. The wizard will walk you through any vulnerabilities it discovers in your dependencies and ask if you would like to update, patch or ignore the vulnerability.

Running Snyk Wizard to identify and fix known vulnerabilities

When you've completed the process, the wizard creates a .snyk policy file that documents the decisions you made. Snyk uses this policy file to apply these fixes automatically, so you'll want this file checked into source control (git add .snyk).

Finding vulnerabilities with snyk test

The wizard will also prompt you to add snyk test directly to your npm test command. Since the default test script for Node.js projects on Travis is npm test, no further configuration is necessary. Travis will run npm test which will run snyk test, helping you to spot any vulnerabilities.

If you elect not to use npm test, you can still run snyk test using the hooks provided by Travis:

install:
    - //install process
    - snyk test

Preventing and fixing vulnerabilities with snyk protect

Thanks to the wizard, applying any specified patches or updates is easy to configure as well. If you've selected any patches to apply, the wizard will prompt you to add snyk protect to the npm prepublish script which gets run when you install dependencies.

Again, if you decide not to use npm prepublish, you can still run snyk protect during the install process:

install:
    - //install process
    - snyk protect
    - snyk test

The above configuration would run snyk protect after install, applying any patches you've elected to include. Then it snyk test would run to make sure that the install process didn't include any vulnerable dependencies that weren't there last time.

With all of this setup, Travis will now run snyk test and snyk protect as part of your build process, testing for known issues and applying patches you've specified. All that's left is to enable monitoring.

Responding to new vulnerabilities with snyk monitor

As with Ruby, snyk monitor will take a snapshot of your dependences so that Snyk can monitor those dependencies in case any new vulnerabilities are disclosed that impact your application. If they are, Snyk will notify you so that you can fix them immediately.

Configuring your .travis.yml file to run snyk monitor during the after_success step of the lifecycle with runs is the recommended approach:

after_success:
    - snyk monitor

If you're using the optional deploy step (to push to Heroku or something similar), running snyk monitor after deployment will also work:

after_deploy:
    - snyk monitor

If Snyk finds a new vulnerability that impacts your application, you'll be notified (for example, by email or Snyk's Slack integration) so that you can either fix the issue by running snyk wizard locally or by using the GitHub integration to generate an automated pull request.

Celebrate

Finally, with Snyk now working to keep your dependencies vulnerability free, it's time to celebrate your new level of security. You can add a badge on your README, right next to your build status, that shows your current vulnerability count. If there are no vulnerabilities, you'll see a nice green badge:

Known Vulnerabilities

If vulnerabilities are found, the number of vulnerabilities will be displayed:

Known Vulnerabilities

Security, continuously

Security is too important to be treated as an afterthought—it must be baked into every step of your process. Snyk can help keep your applications free of known vulnerabilities by focusing on finding, fixing, preventing and responding to any vulnerabilities it discovers.

A solid build process makes it even easier to stay secure. Using Travis CI and Snyk allows you to incorporate security checks into each and every build you run, making security an everyday consideration, not an afterthought.

You can learn more about Snyk by browsing the documentation. If you already have a JavaScript or Ruby project being built by Travis, start testing it for known vulnerabilities today!

Want to be notified about new articles and updates? Sign up for our newsletter, we'll send you coffee tips as well!

Questions or feedback?

Let us know what you're thinking by emailing support@travis-ci.com!