Snyk Security Scanning Tutorial 🚀
What is Snyk?
Snyk is a developer-friendly security tool that scans and fixes vulnerabilities in:
✅ Container Images (Docker, Podman, etc.)
✅ Kubernetes Clusters
✅ Infrastructure as Code (IaC) (Terraform, Helm, Kubernetes manifests, CloudFormation)
✅ Cloud Resources (AWS, Azure, GCP)
✅ Container Registries (ECR, GCR, Docker Hub, etc.)
✅ File Systems & Root Filesystem
✅ Code Repositories (GitHub, GitLab, Bitbucket, etc.)
✅ VM Images (AWS AMI, VMware, VirtualBox, etc.)
✅ Software Dependencies (NPM, Maven, Pip, Go, etc.)
1️⃣ Set Up Snyk CLI
Login to Snyk
Check Snyk Version
2️⃣ Scan a Container Image
Scan a Local Docker Image
Monitor for Continuous Scanning
3️⃣ Scan Kubernetes Clusters
Scan a Running Kubernetes Cluster
Scan a Specific Kubernetes Deployment
4️⃣ Scan Infrastructure as Code (IaC)
Scan Terraform, Kubernetes Manifests, Helm Charts, or CloudFormation
Monitor an IaC Project
5️⃣ Scan Cloud Resources
🔹 Scan AWS Security Resources
First, configure AWS CLI:
Then, run:
Scans AWS services (EC2, S3, IAM, RDS, etc.) for misconfigurations and vulnerabilities.
Scan Specific AWS Services
🔹 Scan Azure Security Resources
Login to Azure:
Then, scan:
Scans Azure services (Storage, VM, IAM, etc.) for security misconfigurations.
6️⃣ Scan Container Registries
Amazon ECR
Google Container Registry (GCR)
Docker Hub
7️⃣ Scan Code Repositories
Scan a GitHub Repository
Scan a Local Git Repository
8️⃣ Scan VM Images
Snyk can scan VM images, including AWS AMIs, VMware, and VirtualBox images.
Scan an AWS AMI Image
Scan a VMware Image
9️⃣ Monitor a Software Bill of Materials (SBOM)
Snyk helps track all dependencies in an application.
Generate SBOM in SPDX Format
Generate SBOM in CycloneDX Format
🔟 Integrating Snyk with AWS Security Hub
Enable AWS Security Hub
Ensure you have an IAM user/role with Security Hub permissions.
Scan AWS Services & Send Results to Security Hub
snyk test --json > snyk-securityhub.json
aws securityhub batch-import-findings --findings file://snyk-securityhub.json
Verify Results in AWS Security Hub
1️⃣ Open AWS Console → Security Hub
2️⃣ Navigate to Findings
3️⃣ Filter by "Product Name: Snyk"
1️⃣1️⃣ Automate AWS Security Scans with Lambda
Example AWS Lambda Code (Python)
import json
import subprocess
import boto3

def lambda_handler(event, context):
    region = "us-east-1"
    output_file = "/tmp/securityhub.json"

    # Run the Snyk scan. The command is passed as a list (no shell=True, no shell
    # redirect) and stdout is captured and written by this code instead.
    # `snyk test` exits 1 when vulnerabilities are found, which is the normal
    # outcome here, so check=True would wrongly raise; only treat other
    # non-zero codes (2 = failure, 3 = no supported project) as errors.
    result = subprocess.run(["snyk", "test", "--json"],
                            capture_output=True, text=True)
    if result.returncode not in (0, 1):
        raise RuntimeError(f"snyk test failed ({result.returncode}): {result.stderr}")
    with open(output_file, "w") as f:
        f.write(result.stdout)

    # Upload findings to AWS Security Hub. BatchImportFindings accepts a list
    # of findings in AWS Security Finding Format (ASFF); raw `snyk test --json`
    # output is not ASFF and must be mapped to it before this call.
    securityhub = boto3.client("securityhub", region_name=region)
    with open(output_file, "r") as f:
        findings = json.load(f)
    response = securityhub.batch_import_findings(Findings=findings)
    return {
        "statusCode": 200,
        "body": json.dumps(response, default=str)
    }
🚀 Trigger this Lambda using an AWS EventBridge rule to scan AWS security resources on a schedule!
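Both the CLI flow in section 🔟 and the Lambda above pipe raw `snyk test --json` output into `batch-import-findings`, but Security Hub only accepts findings in its own AWS Security Finding Format (ASFF). The following added example (not part of the original tutorial) maps Snyk's output to ASFF; it assumes the shape of Snyk's JSON (a `vulnerabilities` list with `id`, `title`, `severity`, `packageName`, `version`, `description`), uses a constructed sample, and takes the account id as a parameter.

```python
import hashlib
from datetime import datetime, timezone

SCHEMA_VERSION = "2018-10-08"
# Snyk severity labels mapped to the ASFF severity labels Security Hub accepts.
SEVERITY_MAP = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}

# Constructed sample of `snyk test --json` output, trimmed to the fields used here.
SAMPLE_SNYK_JSON = {
    "projectName": "demo-app",
    "vulnerabilities": [
        {"id": "SNYK-JS-EXAMPLE-0001", "title": "Prototype Pollution",
         "severity": "high", "packageName": "lodash", "version": "4.17.15",
         "description": "Constructed sample finding."},
        {"id": "SNYK-JS-EXAMPLE-0002", "title": "Regular Expression Denial of Service",
         "severity": "medium", "packageName": "minimatch", "version": "3.0.0",
         "description": "Constructed sample finding."},
    ],
}

def snyk_to_asff(snyk_json, account_id, region, product_arn=None, now=None):
    """Build ASFF findings from Snyk test output; `now` is injectable for reproducible timestamps."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    # Default to the account's "default" product ARN used for custom integrations.
    product_arn = product_arn or f"arn:aws:securityhub:{region}:{account_id}:product/{account_id}/default"
    project = snyk_json.get("projectName", "unknown-project")
    findings = []
    for vuln in snyk_json.get("vulnerabilities", []):
        package = f"{vuln['packageName']}@{vuln['version']}"
        # Id must be unique and stable per (project, package, vuln) so re-imports update rather than duplicate.
        finding_id = hashlib.sha256(f"{project}|{package}|{vuln['id']}".encode()).hexdigest()
        findings.append({
            "SchemaVersion": SCHEMA_VERSION,
            "Id": finding_id,
            "ProductArn": product_arn,
            "GeneratorId": "snyk-test",
            "AwsAccountId": account_id,
            "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
            "CreatedAt": stamp,
            "UpdatedAt": stamp,
            "Severity": {"Label": SEVERITY_MAP.get(vuln["severity"].lower(), "INFORMATIONAL")},
            "Title": f"{vuln['id']}: {vuln['title']} in {package}"[:256],
            "Description": (vuln.get("description") or vuln["title"])[:1024],
            "Resources": [{"Type": "Other", "Id": f"{project}/{package}"}],
        })
    return findings
```

Pass the returned list as `Findings=` to `batch_import_findings` in batches of at most 100, which is the per-call limit for that API.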
1️⃣2️⃣ CI/CD Integration
GitHub Actions
- uses: snyk/actions@master
  with:
    scan-type: "aws"
    aws-region: "us-east-1"
    format: "json"
    output: "securityhub.json"
Then, upload to AWS Security Hub using AWS CLI.
Jenkins Pipeline
Why Use Snyk?
✅ Developer-friendly and integrates with CI/CD pipelines
✅ Scans everything – containers, Kubernetes, IaC, registries, cloud, VM images
✅ Generates SBOM for dependency tracking
✅ Integrates with AWS Security Hub for centralized monitoring
✅ Automates AWS security checks with Lambda