Snyk slips into Azure for open source vulnerability spotting

Snyk has tightened its integration with Azure, offering vulnerability scanning throughout the open source development workflow on the Microsoft cloud platform.

Snyk COO Geva Solomonovich said Snyk was integrating into Azure Repos, through Azure Pipelines, into the Azure Container Registry and into Azure Functions.

So, for example, Snyk will scan and monitor Azure repos for vulnerabilities, and scan pull requests to ensure new vulnerabilities are not introduced.

Similarly, in Azure Pipelines and the Azure Container Registry, Snyk will scan dependencies for open source vulnerabilities, and can be used to prevent vulnerabilities entering the pipeline.

The integration extends into Azure Functions, with Snyk scanning applications for vulnerabilities and alerting when vulnerabilities are detected in running applications.

Solomonovich said this was the first time Snyk had integrated to this degree with a particular cloud vendor’s whole stack.

Microsoft’s “richer pedigree of being partner oriented” had helped smooth the integration process, he said. “What’s been unique with Microsoft – they know how to engage with partners so much better than others.”

“We’ve levelled up our .NET support across our tooling and across our security team,” he continued, and the vendor aimed to build the most comprehensive vulnerability database out there for .NET. He added this had been in process before the integration happened.

As for traditional security vendors, Solomonovich said Snyk partnered with some of them on container scanning. He said the key difference was that traditional vendors saw the container as an evolution of an endpoint, while “we look at containers as the evolution of an application.”

Traditional security teams risked being side-lined as organisations moved to both the cloud and modern software development and deployment models, Solomonovich said. At the same time, software developers didn’t have the time to keep fully up to speed with vulnerability reports and patching requirements, even if they actually had the inclination.

Snyk was aiming to remove this friction by giving developers tools they want to use in their day-to-day work, while giving the controls and governance to the security team.