Finding and fixing Python vulnerabilities in PyCharm with Snyk’s new plugin
This guest blog post is brought to you by Snyk.
We’re happy to inform PyCharm users that a new Snyk plugin is now available, allowing Python developers to find and fix security vulnerabilities in their open source dependencies from within their favorite IDE!
“Shift left” is an important component of any DevSecOps motion but does not guarantee its success. The only way to ensure developers can successfully take on more responsibility for security is by providing them with developer-friendly tooling that integrates seamlessly into their existing workflows.
PyCharm being the most popular IDE for Python development (with a 54% combined share for PyCharm Professional and Community editions, according to the JetBrains 2020 State of Developer Ecosystem survey), Snyk wanted to ensure Python developers had the ability to easily test their open source dependencies for security issues. The new plugin – the only SCA plugin for PyCharm – enables that.
The Snyk PyCharm plugin is free to use and available in the JetBrains marketplace here.
Getting started
To use the plugin, first sign up with Snyk for free here. Also, make sure that the Python dependencies have been installed.
Installing the plugin itself is easy, exactly like any other plugin. From within PyCharm, go to Preferences → Plugins and search for “Snyk”. The Snyk plugin is displayed, and all you have to do is follow the instructions.
Hit the Install button – PyCharm downloads and installs the latest version of the Snyk CLI and a new Snyk tab appears at the bottom of PyCharm.
Before you start your first scan, be sure to authenticate your Snyk account. To do this, simply retrieve your API token from within Snyk and add it in the plugin’s settings, at: Preferences → Tools → Snyk:
Once successfully authenticated, open the Snyk tab and hit the Scan button to commence Snyk’s security testing. Within a few seconds, should the plugin identify any vulnerabilities, a list of issues will be displayed:
Scan results contain a wealth of information to help facilitate a quick fix, including the severity level for the vulnerability (based on CVSS) and the title/type of vulnerability. Additional details expose how the vulnerability was introduced into your project, along with information on available exploits in the wild, while an overview of the vulnerability explains how it can be exploited.
In terms of remediation, the Snyk plugin will help you fix the vulnerability by recommending the upgrade required. Snyk will always recommend the minimal path required to fix the specific issue to ensure minimal risk of breakage.
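To make the "minimal upgrade" idea concrete, here is an added example (not Snyk's code and not the plugin's) that checks pinned requirements.txt lines against a constructed advisory list and picks the smallest version that closes every open advisory for the package; the package names, versions and severities are made up for illustration.

```python
"""Illustrate choosing the minimal upgrade that clears open advisories for a
pinned Python dependency. Added example, not Snyk's code; the advisory data
below is constructed and does not describe any real package."""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed sample advisories: every version below 'fixed_in' is treated as
# affected, and 'severity' mimics the CVSS-based level shown in scan results.
ADVISORIES: List[Dict[str, str]] = [
    {"package": "examplelib", "fixed_in": "1.4.2", "severity": "high"},
    {"package": "examplelib", "fixed_in": "1.6.0", "severity": "medium"},
    {"package": "otherlib", "fixed_in": "3.0.1", "severity": "critical"},
]


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version such as '2.25.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_pin(line: str) -> Tuple[str, Version]:
    """Parse a requirements.txt line of the form 'name==x.y.z  # comment'."""
    name, pinned = line.split("==", 1)
    return name.strip().lower(), parse_version(pinned.split("#")[0])


def open_advisories(line: str) -> List[Dict[str, str]]:
    """Return the advisories that still affect the version pinned on this line."""
    name, current = parse_pin(line)
    return [a for a in ADVISORIES
            if a["package"] == name and current < parse_version(a["fixed_in"])]


def minimal_fix_version(line: str) -> Optional[str]:
    """Smallest version that clears every open advisory, or None if already clean.

    Each advisory's own minimal fix is its 'fixed_in' version; the smallest
    single upgrade that closes all of them is the largest of those versions.
    """
    fixes = [parse_version(a["fixed_in"]) for a in open_advisories(line)]
    if not fixes:
        return None
    return ".".join(str(n) for n in max(fixes))


if __name__ == "__main__":
    for req in ("examplelib==1.3.0", "examplelib==1.5.0", "otherlib==3.0.1"):
        print(req, "->", minimal_fix_version(req), open_advisories(req))
```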
Clicking the details link at the bottom of the issue details takes you to Snyk’s vulnerability database, where you can gain more in-depth details on the vulnerability itself – severity scoring, version ranges, the way it can be exploited, and more.
Shifting left, the right way
When using open source, it’s important to check the risks being introduced. Testing the open source dependencies you pull into your Python projects for security issues is critical to ensure you are not sacrificing your organization’s security posture for fast development.
Shifting this testing left into your IDE enables you to surface issues early on in development and before even committing code into your repository. Instead of finding a critical vulnerability later on in the software delivery pipeline and having to re-engineer your code when it becomes more time consuming and technically difficult, testing your dependencies from the very moment you add them is simply more efficient and productive.
Adding to our existing IntelliJ and TeamCity plugins, this new PyCharm plugin is another step towards helping the JetBrains community of developers shift open source security left, the right way.