Around 14% of npm packages carry a known vulnerability, and new vulnerabilities are being discovered every day. The Serverless Snyk plugin helps you keep your application secure by allowing you to check the Node.js dependencies in your Serverless app for known vulnerabilities using Snyk.
For Serverless v1 only.
-
Fix any existing vulnerable packages using Snyk's GitHub integration or Snyk wizard.
-
Install the Serverless Snyk plugin using npm
npm install serverless-snyk --save
You should now have Serverless Snyk installed and ready to go. You can confirm that the plugin has been installed by running
serverless
from your command line. You should see the Snyk plugin in the list of installed plugins. -
Add the plugin to your Serverless config
Next, you'll need to add the plugin to your
serverless.yml
file:plugins: - serverless-snyk
-
Optional: Get a Snyk API Key
To avoid running into API rate limits and to enable continuous monitoring, you'll need to sign up for a Snyk account (if you don't have one already) and copy the API token from your dashboard. Detailed instructions on how to include the API token in your configuration are included in the setting an API key section below.
That's it! Now when you deploy, the Serverless Snyk plugin will scan your application for known vulnerabilities.
To ensure you don't run into any API rate limits, or to enable continuous monitoring of the state of your application's security, you'll need to include a valid API token in your application.
You can do this by signing up for an account (if you don't have one already) and copying the API token from your dashboard.
Since the Serverless framework does not currently support environment variables, Serverless Snyk uses dotenv to store your token. You'll want to create a .env
file in the root of your project, and then set a snykAuth
variable with the value you copied from your dashboard:
snykAuth=YOUR_API_TOKEN
By default, Serverless Snyk will stop serverless from deploying if Snyk detects any vulnerabilities in your dependencies. Each vulnerability will also be outputted, and you'll be prompted to run snyk wizard
to address the issues.
If you would like serverless to deploy your application even if Snyk finds known vulnerabilities, you can accomplish this by using a custom variable in your serverless.yml
file.
custom:
snyk:
breakOnVuln: false
Snyk will still run and report any vulnerabilities, but the deploy will now continue on successfully.
Snyk can take a snapshot of the current state of your dependencies each time you deploy, and proactively you of any newly discovered vulnerabilities that may impact them.
This feature requires an API token. If you've included the the API token as described above, the plugin will monitor your application by default.
There may be cases where you want to be authenticated to avoid API limits, but you don't want to monitor your application. You can turn off monitoring in the serverless.yml
file:
custom:
snyk:
monitor: false