Overview
Snyk is a service that finds vulnerabilities in application code, in open source libraries and their transitive dependencies, in container images, and in IaC (Infrastructure as Code).
It can be wired into a CI/CD pipeline, but before doing that, let's run Snyk locally and see what each scan type produces.
Snyk free and paid plans
Snyk offers both free and paid plans.
Free plan
- Code (100 tests/month): SAST. Finds vulnerabilities in application code
- Open Source (200 tests/month): SCA. Finds known vulnerabilities in open source dependencies
- Container (100 tests/month): Finds vulnerabilities in the OS packages and libraries of container images
- IaC (300 tests/month): Static analysis of Kubernetes, Helm, and Terraform configuration files for misconfigurations (this checks the files, not the deployed cloud account; the runtime CSPM side is the separate Cloud product)
Paid plans add the following on top (there are several paid tiers).
- License compliance: finds open source license problems
- Cloud: CSPM
- etc.
Preparing the Snyk CLI
Creating a Snyk account
Create a Snyk account from the link below.
Installing the Snyk CLI
Install the Snyk CLI by following the instructions below.
Once the snyk command works on your local PC, authenticate. This opens a browser, logs you in, and stores an API token in the CLI configuration on the machine (a non-interactive environment such as CI uses the SNYK_TOKEN environment variable instead).
snyk auth
For the rest of the CLI usage, see the reference below.
Snyk CLI in practice
Snyk Code
Checks application code for vulnerabilities.
This is what is usually called Static Application Security Testing (SAST).
Run the following inside the directory that contains the application code.
snyk code test
You get a result like the one below.
The case where nothing was found.
% snyk code test --all-projects
Testing /Users/xxxx/test-project ...
✔ Test completed
Organization: xxxx
Test type: Static code analysis
Project path: /Users/xxxx/test-project
Summary:
✔ Awesome! No issues were found.
Snyk Open Source
Finds known vulnerabilities in open source dependencies.
This is what is usually called Software Composition Analysis (SCA).
Run the following inside the directory that contains the application code. Without --all-projects only the manifest in the current directory (here package-lock.json) is tested; with it, Snyk walks the subdirectories and tests every manifest it recognizes, so monorepos and projects with nested packages are covered in one run.
snyk test --all-projects
The case where nothing was found.
% snyk test --all-projects
Testing /Users/xxxx/test-project ...
Organization: xxxx
Package manager: npm
Target file: package-lock.json
Project name: nextjs-docker
Open source: no
Project path: /Users/xxxx/test-project
Licenses: enabled
✔ Tested 277 dependencies for known issues, no vulnerable paths found.
Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.
Tested 1 projects, no vulnerable paths were found.
Snyk Container
Checks for vulnerabilities inside a Docker image.
docker images
Look up the image name with a command such as the one above (docker ps -a lists containers, not images) and run the container scan.
snyk container test nextjs-docker-next
Result: the OS packages inside the container do have vulnerabilities. All eight findings are in openssl/libcrypto3 on the Alpine 3.17 base (the SNYK-ALPINE317 identifiers) and every one of them is fixed in 3.0.8-r0, so rebuilding on an updated base image, or upgrading openssl in the Dockerfile, clears the whole list at once. As the tail of the output suggests, passing --file=path/to/Dockerfile lets Snyk identify the base image and recommend a newer one.
% snyk container test nextjs-docker
Testing nextjs-docker...
✗ Low severity vulnerability found in openssl/libcrypto3
Description: CVE-2022-4203
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314648
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ Low severity vulnerability found in openssl/libcrypto3
Description: CVE-2022-4304
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314659
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ High severity vulnerability found in openssl/libcrypto3
Description: NULL Pointer Dereference
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314647
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ High severity vulnerability found in openssl/libcrypto3
Description: Use After Free
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314650
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ High severity vulnerability found in openssl/libcrypto3
Description: Double Free
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314657
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ High severity vulnerability found in openssl/libcrypto3
Description: NULL Pointer Dereference
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314658
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ High severity vulnerability found in openssl/libcrypto3
Description: NULL Pointer Dereference
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314660
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
✗ Critical severity vulnerability found in openssl/libcrypto3
Description: Access of Resource Using Incompatible Type ('Type Confusion')
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-OPENSSL-3314651
Introduced through: openssl/[email protected], openssl/[email protected], apk-tools/[email protected], busybox/[email protected]
From: openssl/[email protected]
From: openssl/[email protected] > openssl/[email protected]
From: apk-tools/[email protected] > openssl/[email protected]
and 4 more...
Fixed in: 3.0.8-r0
Organization: xxxx
Package manager: apk
Project name: docker-image|nextjs-docker
Docker image: nextjs-docker
Platform: linux/arm64
Licenses: enabled
Tested 17 dependencies for known issues, found 8 issues.
Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test nextjs-docker-next --file=path/to/Dockerfile
To remove this message in the future, please run `snyk config set disableSuggestions=true`
Snyk IaC
Checks IaC for misconfigurations.
Run the following in the directory that contains the IaC code; the scan walks the directory tree for supported files (here, Terraform modules).
snyk iac test
The result was as follows.
% snyk iac test
Snyk Infrastructure as Code
✔ Test completed.
Issues
Low Severity Issues: 12
[Low] ALB does not drop invalid headers
Info: The application load balancer is not set to drop invalid headers.
Maliciously crafted headers may be accepted by the load balancer
Rule: https://snyk.io/security-rules/SNYK-CC-AWS-405
Path: resource > aws_lb[for_webserver]
File: modules/alb/main.tf
Resolve: Set `drop_invalid_header_fields` to `true`
[Low] Load balancer is internet facing
Info: Load balancer is internet facing. Increases attack vector
reachability
Rule: https://snyk.io/security-rules/SNYK-CC-TF-48
Path: resource > aws_lb[for_webserver] > internal
File: modules/alb/main.tf
Resolve: Set `internal` attribute to `true`
[Low] AWS Security Group allows open egress
Info: The inline security group rule allows open egress. Open egress can be
used to exfiltrate data to unauthorized destinations, and enable
access to potentially malicious resources
Rule: https://snyk.io/security-rules/SNYK-CC-TF-73
Path: resource > aws_security_group[alb] > egress
File: modules/alb/main.tf
Resolve: Set `egress.cidr_blocks` attribute to specific ranges e.g.
`192.168.1.0/24`
[Low] CloudWatch log group not encrypted with managed key
Info: Log group is not encrypted with customer managed key. Scope of use of
the key cannot be controlled via KMS/IAM policies
Rule: https://snyk.io/security-rules/SNYK-CC-AWS-415
Path: resource > aws_cloudwatch_log_group[dockle_check] > kms_key_id
File: modules/codepipeline/cloudwatch.tf
Resolve: Set `kms_key_id` attribute with customer managed key id
[Low] CloudWatch log group not encrypted with managed key
Info: Log group is not encrypted with customer managed key. Scope of use of
the key cannot be controlled via KMS/IAM policies
Rule: https://snyk.io/security-rules/SNYK-CC-AWS-415
Path: resource > aws_cloudwatch_log_group[secrets_check] > kms_key_id
File: modules/codepipeline/cloudwatch.tf
Resolve: Set `kms_key_id` attribute with customer managed key id
[Low] S3 bucket versioning disabled
Info: S3 bucket versioning is disabled. Changes or deletion of objects will
not be reversible
Rule: https://snyk.io/security-rules/SNYK-CC-TF-124
Path: resource > aws_s3_bucket[artifacts_store] > versioning > enabled
File: modules/codepipeline/s3.tf
Resolve: For AWS provider < v4.0.0, set `versioning.enabled` attribute to
`true`. For AWS provider >= v4.0.0, add aws_s3_bucket_versioning
resource.
[Low] S3 bucket MFA delete control disabled
Info: S3 bucket will not enforce MFA login on delete requests. Object could
be deleted without stronger MFA authorization
Rule: https://snyk.io/security-rules/SNYK-CC-TF-127
Path: resource > aws_s3_bucket[artifacts_store] > versioning > mfa_delete
File: modules/codepipeline/s3.tf
Resolve: Follow instructions in `https://docs.aws.amazon.com/AmazonS3/latest/u
serguide/MultiFactorAuthenticationDelete.html` to manually configure
the MFA setting. For AWS provider < v4.0.0 set
`versioning.mfa_delete` attribute to `true` in aws_s3_bucket
resource. For AWS provider >= v4.0.0 set
'versioning_configuration.mfa_delete` attribute to `Enabled`. The
terraform change is required to reflect the setting in the state file
[Low] S3 server access logging is disabled
Info: The s3 access logs will not be collected. There will be no audit
trail of access to s3 objects
Rule: https://snyk.io/security-rules/SNYK-CC-TF-45
Path: input > resource > aws_s3_bucket[artifacts_store] > logging
File: modules/codepipeline/s3.tf
Resolve: For AWS provider < v4.0.0, add `logging` block attribute. For AWS
provider >= v4.0.0, add aws_s3_bucket_logging resource.
[Low] ECR repository is not encrypted with customer managed key
Info: ECR repository is not encrypted with customer managed key. Scope of
use of the key cannot be controlled via KMS/IAM policies
Rule: https://snyk.io/security-rules/SNYK-CC-AWS-418
Path: resource > aws_ecr_repository[foo] > encryption_configuration
File: modules/ecr/main.tf
Resolve: Set `encryption_configuration.kms_key` attribute to customer managed
KMS key
[Low] ECR Registry allows mutable tags
Info: The AWS ECR registry does not enforce immutable tags. Image tags can
be modified post deployment
Rule: https://snyk.io/security-rules/SNYK-CC-TF-126
Path: resource > aws_ecr_repository[foo] > image_tag_mutability
File: modules/ecr/main.tf
Resolve: Set `image_tag_mutability` attribute to `IMMUTABLE`
[Low] CloudWatch log group not encrypted with managed key
Info: Log group is not encrypted with customer managed key. Scope of use of
the key cannot be controlled via KMS/IAM policies
Rule: https://snyk.io/security-rules/SNYK-CC-AWS-415
Path: resource > aws_cloudwatch_log_group[frontend] > kms_key_id
File: modules/ecs/main.tf
Resolve: Set `kms_key_id` attribute with customer managed key id
[Low] AWS Security Group allows open egress
Info: The inline security group rule allows open egress. Open egress can be
used to exfiltrate data to unauthorized destinations, and enable
access to potentially malicious resources
Rule: https://snyk.io/security-rules/SNYK-CC-TF-73
Path: resource > aws_security_group[ecs_tasks] > egress
File: modules/ecs/main.tf
Resolve: Set `egress.cidr_blocks` attribute to specific ranges e.g.
`192.168.1.0/24`
Medium Severity Issues: 4
[Medium] AWS Security Group Rule allows public access
Info: That inbound traffic is allowed to a resource from any source instead
of a restricted range. That potentially everyone can access your
resource
Rule: https://snyk.io/security-rules/SNYK-CC-TF-37
Path: resource > aws_security_group_rule[alb_http] > cidr_blocks
File: modules/alb/main.tf
Resolve: Set `cidr_blocks` attribute to specific IP range only, e.g.
`192.168.1.0/24`
[Medium] Load balancer endpoint does not enforce HTTPS
Info: Load balancer endpoint does not enforce HTTPS. The content could be
intercepted and manipulated in transit
Rule: https://snyk.io/security-rules/SNYK-CC-TF-47
Path: resource > aws_lb_listener[http] > protocol
File: modules/alb/main.tf
Resolve: Set the `protocol` attribute to `HTTPS` or `TLS`
[Medium] Non-encrypted S3 Bucket
Info: Non-encrypted S3 Bucket. A non-encrypted S3 bucket increases the
likelihood of unintentional data exposure
Rule: https://snyk.io/security-rules/SNYK-CC-TF-4
Path: input > resource > aws_s3_bucket[artifacts_store]
File: modules/codepipeline/s3.tf
Resolve: For AWS provider < v4.0.0, set `server_side_encryption_configuration`
block attribute. For AWS provider >= v4.0.0 add
aws_s3_bucket_server_side_encryption_configuration resource.
[Medium] Security Group allows open ingress
Info: That inbound traffic is allowed to a resource from any source instead
of a restricted range. That potentially everyone can access your
resource
Rule: https://snyk.io/security-rules/SNYK-CC-TF-1
Path: input > resource > aws_security_group[ecs_tasks] > ingress
File: modules/ecs/main.tf
Resolve: Set `cidr_block` attribute with a more restrictive IP, for example
`192.16.0.0/24`
High Severity Issues: 1
[High] S3 block public ACLs control is disabled
Info: Bucket does not prevent creation of public ACLs. Anyone who can
manage bucket's ACLs will be able to grant public access to the
bucket
Rule: https://snyk.io/security-rules/SNYK-CC-TF-95
Path: resource > aws_s3_bucket[artifacts_store]
File: modules/codepipeline/s3.tf
Resolve: Set the `aws_s3_bucket_public_access_block` `block_public_acls` field
to true.
-------------------------------------------------------
Test Summary
Organization: runble1
Project name: resource
✔ Files without issues: 13
✗ Files with issues: 5
Ignored issues: 0
Total issues: 17 [ 0 critical, 1 high, 4 medium, 12 low ]
-------------------------------------------------------
Tip
New: Share your test results in the Snyk Web UI with the option --report
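The container and IaC outputs above are long, and the more useful view for a practitioner is "which single upgrade closes how many findings" and "does this report pass the gate I care about". Both scans (and snyk test) accept --json, e.g. `snyk container test nextjs-docker --json > container.json` or `snyk iac test --json > iac.json`. The script below is an added example, not code from the original post or from Snyk: it summarizes a saved report by severity, groups package findings by their fix version, and applies a severity gate after the fact. The JSON field names (vulnerabilities, fixedIn, infrastructureAsCodeIssues, publicId, isIgnored, targetFile) are those the Snyk CLI emitted at the time of writing and should be treated as an assumption to check against your CLI version. The embedded samples are constructed from the findings shown above; the package versions in them are placeholders, and the "HYPOTHETICAL-NO-FIX" entry is invented purely to exercise the no-fix path.

```python
"""Summarize and gate Snyk CLI JSON reports (snyk test / container test / iac test --json).

Accepts a single report object or, as with --all-projects, an array of them.
Field names are an assumption based on the CLI's JSON output at the time of writing.
"""
import json
import sys
from collections import defaultdict

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample modelled on the container scan above. Versions are placeholders;
# the last entry is a hypothetical finding with no published fix.
SAMPLE_CONTAINER = {
    "ok": False, "packageManager": "apk", "projectName": "docker-image|nextjs-docker",
    "vulnerabilities": [
        {"id": "SNYK-ALPINE317-OPENSSL-3314648", "title": "CVE-2022-4203", "severity": "low",
         "packageName": "openssl/libcrypto3", "version": "3.0.7-r0", "fixedIn": ["3.0.8-r0"]},
        {"id": "SNYK-ALPINE317-OPENSSL-3314647", "title": "NULL Pointer Dereference",
         "severity": "high", "packageName": "openssl/libcrypto3", "version": "3.0.7-r0",
         "fixedIn": ["3.0.8-r0"]},
        {"id": "SNYK-ALPINE317-OPENSSL-3314651",
         "title": "Access of Resource Using Incompatible Type ('Type Confusion')",
         "severity": "critical", "packageName": "openssl/libcrypto3", "version": "3.0.7-r0",
         "fixedIn": ["3.0.8-r0"]},
        {"id": "HYPOTHETICAL-NO-FIX", "title": "Hypothetical finding without a fix",
         "severity": "medium", "packageName": "example/pkg", "version": "1.0.0", "fixedIn": []},
    ],
}

# Constructed sample modelled on three IaC findings above; the ECR one is marked ignored
# to show that ignored issues drop out of the counts and the gate.
SAMPLE_IAC = [
    {"targetFile": "modules/codepipeline/s3.tf", "ok": False, "infrastructureAsCodeIssues": [
        {"publicId": "SNYK-CC-TF-95", "title": "S3 block public ACLs control is disabled",
         "severity": "high", "isIgnored": False, "path": ["resource", "aws_s3_bucket[artifacts_store]"]},
        {"publicId": "SNYK-CC-TF-4", "title": "Non-encrypted S3 Bucket", "severity": "medium",
         "isIgnored": False, "path": ["input", "resource", "aws_s3_bucket[artifacts_store]"]}]},
    {"targetFile": "modules/ecr/main.tf", "ok": False, "infrastructureAsCodeIssues": [
        {"publicId": "SNYK-CC-TF-126", "title": "ECR Registry allows mutable tags", "severity": "low",
         "isIgnored": True, "path": ["resource", "aws_ecr_repository[foo]", "image_tag_mutability"]}]},
]


def iter_findings(report):
    """Normalize package (test/container) and IaC findings into one record shape."""
    for doc in report if isinstance(report, list) else [report]:
        for v in doc.get("vulnerabilities", []):
            yield {"kind": "package", "id": v.get("id"), "title": v.get("title"),
                   "severity": str(v.get("severity", "")).lower(),
                   "where": f"{v.get('packageName')}@{v.get('version')}",
                   "fixed_in": list(v.get("fixedIn") or []), "ignored": False}
        for i in doc.get("infrastructureAsCodeIssues", []):
            yield {"kind": "iac", "id": i.get("publicId") or i.get("id"), "title": i.get("title"),
                   "severity": str(i.get("severity", "")).lower(),
                   "where": f"{doc.get('targetFile')}: {' > '.join(i.get('path', []))}",
                   "fixed_in": [], "ignored": bool(i.get("isIgnored", False))}


def severity_counts(report):
    """Count non-ignored findings per severity; an unexpected severity gets its own key."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in iter_findings(report):
        if not f["ignored"]:
            counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def remediation_plan(report):
    """Group package findings by (package@version, first fix version).

    The container report above has eight issues sharing one fix; this collapses them into
    a single upgrade line. A fix of None means no fixed version is published yet.
    """
    plan = defaultdict(list)
    for f in iter_findings(report):
        if f["kind"] == "package" and not f["ignored"]:
            plan[(f["where"], f["fixed_in"][0] if f["fixed_in"] else None)].append(f["id"])
    return {key: sorted(ids) for key, ids in plan.items()}


def gate(report, threshold="high"):
    """Return (passed, offending_ids) for non-ignored findings at or above `threshold`.

    Same idea as the CLI's --severity-threshold, applied to a saved report so the
    policy can change without re-running the scan.
    """
    floor = SEVERITY_RANK[threshold]
    offending = [f["id"] for f in iter_findings(report)
                 if not f["ignored"] and SEVERITY_RANK.get(f["severity"], 0) >= floor]
    return (not offending, offending)


if __name__ == "__main__":
    # usage: python snyk_report.py report.json [low|medium|high|critical]
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CONTAINER
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    print("severity counts:", severity_counts(report))
    for (where, fix), ids in remediation_plan(report).items():
        print(f"{where}: {len(ids)} issue(s), fixed in {fix or 'no fix available'}")
    passed, offending = gate(report, threshold)
    print(f"gate ({threshold}+): {'PASS' if passed else 'FAIL ' + ', '.join(offending)}")
    sys.exit(0 if passed else 1)
```

Run it as `python snyk_report.py container.json high` after a `--json` scan; with no arguments it runs against the embedded container sample. The exit code mirrors the gate, which is the piece you would reuse once the scans move into a pipeline step.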
Summary
Now I know how to use the Snyk CLI.
It is a very convenient tool for running security checks comprehensively.
Next time I will build it into the pipeline.