Snyk Code is our newest addition to the Snyk platform. Snyk Code uses a new approach designed to be developer-first. Conventional Static Application Security Testing (SAST) tools are limited by lengthy scan times and poor accuracy: they return too many false positives, which erodes developer trust. Snyk Code aims to make developer effort efficient and actionable.
In this short blog post, let's take it for a test drive on a large Java project.
Steps
1. You will need an account on Snyk App; sign up for free at snyk.io.
2. Once you have an account and are logged in, go ahead and enable "Snyk Code" as follows.
3. Clone the following GitHub repo:
https://github.com/papicella/CWE-Juliet-TestSuite-Java
4. Authenticate with the "Snyk CLI" as shown below.
Note: the following link explains how to install the CLI:
https://support.snyk.io/hc/en-us/articles/360003812538-Install-the-Snyk-CLI
$ snyk auth
5. Let's check the number of lines of code we are scanning. Here we make sure we only count Java source files, as that's all that exists in this repo in any case. Snyk Code supports other programming languages as well, such as Python and JavaScript.
So we have close to 2.5 million lines of code. Of course that count includes blank lines such as bare carriage returns, BUT it's still a lot of code to scan.
6. Run your "Snyk Code" test as follows and note two things: how long the scan took and the number of results returned. From this we can see the scan and results took less than 2 minutes!
$ time snyk code test ./Java/src
....
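As an added example (not from the original post and not part of the Snyk CLI), here is a small shell script that does steps 5 and 6 together: it counts the Java source lines under a directory, reporting both the raw count and the count excluding blank lines (the caveat noted above), and then times the scan. It assumes the Snyk CLI is installed and you have already run "snyk auth"; the ./Java/src path is the one from the post and is only used when you pass it as an argument.

```shell
#!/bin/sh
# Added example: count Java source lines (raw and non-blank) and time a
# "snyk code test" scan of the same directory. Not code from the Snyk project.
set -eu

# count_java_lines DIR
# Prints "<total> <nonblank>". Only *.java files are counted, mirroring the
# post's check. The first number includes blank lines; the second does not.
count_java_lines() {
  dir="$1"
  total=$(find "$dir" -type f -name '*.java' -exec cat {} + | wc -l | tr -d ' ')
  # grep -c exits 1 when nothing matches, so keep set -e happy with || true
  nonblank=$(find "$dir" -type f -name '*.java' -exec cat {} + \
             | grep -c '[^[:space:]]' || true)
  echo "$total $nonblank"
}

# scan_java DIR
# Runs the timed Snyk Code scan from step 6. Requires the Snyk CLI to be
# installed and authenticated with "snyk auth"; returns 2 if it is missing.
scan_java() {
  dir="$1"
  if ! command -v snyk >/dev/null 2>&1; then
    echo "snyk CLI not found; install it and run 'snyk auth' first" >&2
    return 2
  fi
  time snyk code test "$dir"
}

# Usage: ./scan.sh ./Java/src
if [ "$#" -gt 0 ]; then
  set -- "$1"
  counts=$(count_java_lines "$1")
  echo "Java lines in $1 (total nonblank): $counts"
  scan_java "$1"
fi
```

Run it as "sh scan.sh ./Java/src" from the cloned repo. The two line counts make the point in step 5 concrete: the headline figure of roughly 2.5 million lines shrinks once blank lines are excluded, which is worth knowing when comparing scan times across tools.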
The following post shows some comparison data against other SAST engines and code repositories.
https://snyk.io/blog/sast-tools-speed-comparison-snyk-code-sonarqube-lgtm/