ICYMI, in this post you can learn how to ensure that you only push secure Docker images to production by detecting security vulnerabilities in your pipelines.
In the post you'll learn how to:
- Create a sample application & Dockerfile
- Create a Snyk account & store the API Token in AWS Secrets Manager
- Test with Snyk locally
- Configure a BuildSpec File for CodeBuild
- Use Terraform for AWS Infrastructure
All this enables you to shift security left and detect vulnerabilities earlier in your pipeline.
You can read the full blog post here, and feel free to follow and reach out if you have any questions.
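The CodeBuild BuildSpec below is an added example (not the post's own file) that ties the steps together: the Snyk API token is resolved from AWS Secrets Manager into `SNYK_TOKEN` at build time, so the CLI authenticates without any `snyk auth` call, and a failed scan stops the image from being pushed. The secret name `snyk/api-token`, its JSON key `token`, and the image name are assumptions.

```yaml
version: 0.2

env:
  variables:
    IMAGE_NAME: "sample-app"            # assumed image name
  secrets-manager:
    # Resolve the Snyk API token from Secrets Manager at build time.
    # Format is "secret-id:json-key"; both values here are assumptions.
    SNYK_TOKEN: "snyk/api-token:token"

phases:
  install:
    commands:
      - npm install -g snyk
  pre_build:
    commands:
      # Tag the image with the resolved commit so the scan result maps to a revision.
      - docker build -t "$IMAGE_NAME:$CODEBUILD_RESOLVED_SOURCE_VERSION" .
  build:
    commands:
      # No `snyk auth` needed: the CLI reads SNYK_TOKEN from the environment.
      # A non-zero exit on high/critical findings fails the build, so a
      # vulnerable image never reaches the push step.
      - snyk container test "$IMAGE_NAME:$CODEBUILD_RESOLVED_SOURCE_VERSION" --file=Dockerfile --severity-threshold=high
  post_build:
    commands:
      - echo "Image passed the Snyk scan; the ECR push step goes here"
```

Building an image inside CodeBuild requires the project to run in privileged mode, which is configured on the CodeBuild project (for example in the Terraform resource), not in the BuildSpec.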
Discussion (2)
Hi Lukonde.
Great article. I love the breakdown. Thanks for sharing!
A small remark on authenticating the CLI.
Although your way definitely works, the preferred way of authenticating is:
snyk auth
(will open a browser and let you sign in)

snyk auth token
sets the preferred token in your configuration

Alternatively, you can also set an environment variable SNYK_TOKEN containing the token. This way, you do not need to run anything at all. This is super useful when automating CLI scanning in a CI pipeline, for instance.

Good stuff Lukonde! Any chance you can also cross-post the article here in full? I fear the Medium paywall isn't very accessible.