Snyk as a Security Scanning Tool
Last updated: 23 July 2025
Introduction
- Snyk is a tool used as an all-encompassing software package for identifying vulnerabilities in first-party software
- It also helps non-technical people understand the security issues across an entire enterprise estate of developed software
Processes
Development
Snyk Extensions
- Snyk provides extensions for developers to scan their code before committing
- It is expected that developers have these extensions installed for the IDEs they use, and that they actively use the extension on a regular basis
- The focus of using these extensions should be on first-party code, but they can also be used to identify issues with third-party dependencies early in development
Snyk Scan and Pipelines
- A Snyk Scan should be added to pipelines to monitor for security issues
- It is recommended that the scanner is “gated” to block builds when new issues are identified
- The conditions for this block, if beyond that of the standard, should be determined by the Security Team
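The gated pipeline scan described above, as an added example that is not part of the original document: a GitHub Actions workflow that blocks the build on findings at or above a chosen severity and separately snapshots the project for ongoing monitoring. It assumes a Node.js project, a repository secret named SNYK_TOKEN, Snyk Code enabled for first-party scanning, and "high" as the standard blocking threshold (the Security Team sets the actual conditions); "new" issues are approximated by the threshold plus the .snyk policy file, where accepted issues are recorded.

```yaml
# Added example (not from the page): gated Snyk scan in GitHub Actions.
# Assumes: Node.js project, SNYK_TOKEN secret, "high" as the blocking
# threshold. Adjust the threshold to the Security Team's standard.
name: snyk-scan

on:
  pull_request:
  push:
    branches: [main]

jobs:
  snyk:
    runs-on: ubuntu-latest
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # read by the Snyk CLI for auth
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm install -g snyk

      # Gated step: "snyk test" exits non-zero when issues at or above the
      # threshold are found, which fails the job and blocks the build.
      # Issues the Security Team has accepted live in the .snyk policy
      # file (created with "snyk ignore") and are not counted here.
      - name: Third-party dependencies (gated)
        run: snyk test --severity-threshold=high --all-projects

      # Gated step for first-party code (Snyk Code / SAST).
      - name: First-party code (gated)
        run: snyk code test --severity-threshold=high

      # Monitoring step: snapshot the dependency tree to the Snyk dashboard
      # so issues disclosed later still surface. Runs only on main and is
      # not gated, so it never blocks a build.
      - name: Monitor (not gated)
        if: github.ref == 'refs/heads/main'
        run: snyk monitor --all-projects
```

On a pull request only the two gated steps run, so a merge is blocked by a failing check rather than by a dashboard alert someone has to notice.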
Auditing
- Snyk provides a way of prioritizing issues through a proprietary scoring system called “Snyk Score”
- This generally indicates how severe an issue is on a practical level, as well as how fixable the issue is. The higher the score, the more severe and potentially fixable the problem is
- This can be used to help with triaging issues and assisting the Product Team in prioritizing what security problems should be fixed first
Training
- Developers should regularly use the Snyk Learn platform to understand how to resolve issues, particularly when issues are raised by Snyk
- Developers should also review the following Snyk University modules as part of their learning and development:
- Security for Developers
- OWASP Top 10
- OWASP Top 10 risks for open-source software
- OWASP API Security Top 10