Wednesday, 17 February, 2021 UTC


Summary

The product security team at Twilio is responsible for securing all applications built by Twilio. We work with Engineering teams to help secure Twilio and our customers. We use Snyk, a cloud native application security platform, to make sure our code is secure at all stages of design and deployment.
Automation is the key to building security at scale, because it eliminates human error. When we automate, we catch more vulnerabilities. Snyk scans repositories automatically—that is, as long as you’ve told Snyk which ones to scan.
We needed a way to automate the process of keeping Snyk up to date with projects in our SCM, detecting when repositories are added, deleted, or renamed and configuring Snyk automatically.
We created Snyk-Watcher, a Github App that listens to webhooks on the main branch for repository changes and pull requests. When a pull request is merged to main, Snyk-Watcher imports the project into Snyk for scanning. When a repository is created, deleted, or renamed, Snyk-Watcher triggers the appropriate actions in Snyk. These automated actions are facilitated by the Snyk API which can be used to integrate and automate Snyk's various security functions.
Once Snyk-Watcher is installed from GitHub, you can test it by adding a new repository, then check in the app’s advanced settings to see if the request was successful. Keep in mind, Snyk needs a manifest file to scan your project and its dependencies—for example, `MANIFEST.MF` in Maven, or package.json in JavaScript projects. Snyk supports a growing number of languages along with their manifest file formats. When Snyk detects a valid manifest file in your project, you’ll see the project appear in Snyk.
With Snyk-Watcher, you don't have to remember to add and remove projects from Snyk. It just happens. Today we are open sourcing the tool, so you can automate the process of importing projects to keep your SCM and Snyk in sync.
To get started with Snyk-Watcher, check out the README on the GitHub repo.
Vlad Perelmuter is a Senior Security Engineer at Twilio focused on securing our products and keeping our customers safe. He can be reached at vperelmuter [at] twilio.com or on LinkedIn.