Guest posts

Catching Vulnerabilities Instantly in Your IntelliJ IDEA Environment

This is a guest blog post from Brian Vermeer, Developer Advocate at Snyk

Developers practically live in their integrated development environment (IDE). An IDE like IntelliJ IDEA is in most cases an essential tool for developers to help make development more productive and creative.

A recent survey run by Snyk revealed that 81% of respondents believe developers should own the security responsibility of their applications. However, many developers are unsure of where to start with security.

In reality, most companies still work with a dedicated security team, which performs company-wide audits rather than integrating security responsibilities as part of the core development team.

DevSecOps: A modern approach to security

The DevSecOps approach helps development teams create code and be responsible for its behavior in production. In addition, development teams also treat security as part of their day-to-day work. Ideally, all team members should have security expertise and share responsibility for security.

To test for security during the development process, there are basic tools and tasks that developers should add to their ongoing responsibilities. During application development, developers are always looking for libraries and frameworks that can help achieve their goal. If a library can handle certain boilerplate aspects, a developer can focus on the custom business logic.

The only problem is—what happens if a dependency is included in the pom file? In many major enterprise applications, once a dependency is included in a pom file, it stays in the file forever, even if the dependency is not used anymore in the code. These unused dependencies are still available in your program and might contain exploitable vulnerabilities. Overall, whether a dependency is used or not, developers should verify whether it is safe to include in their system.

Shifting security left

It’s important that we shift security testing for vulnerable dependencies from right to left. In so doing, our testing would occur before we even commit our code to our project repository. Developers should check whether a dependency version is safe to include when it is first introduced, in addition to the checks that developers run prior to production. By scanning dependencies when first added to the codebase, we eliminate the unnecessary code reworking that otherwise might be necessary when upgrading to a newer version. Upgrading a dependency, as we all know, may require code alterations. So the fastest and most efficient approach is to avoid adding vulnerable dependencies in your projects by scanning your dependencies at the very moment you add them.

Testing your dependencies with Snyk

At Snyk we can provide you with tools to scan your project for vulnerable dependencies. We match your dependencies against our own proprietary vulnerability database, which includes all the “Common Vulnerabilities and Exposures” (CVE) list, and much more. Our security team enriches the Snyk vulnerability database with many more vulnerable dependencies that do not have associated CVE entries, but can cause just as much harm to your system.

If you like command line tools, install the Snyk CLI locally to run snyk_test from your terminal window. Use the CLI from within IntelliJ IDEA or from a separate terminal. This provides you with all the information you need about security vulnerabilities in your dependencies. But if you’d prefer a fully integrated solution into your IDE, we’ve got you covered.

The Snyk IntelliJ IDEA plugin

According to the 2018 JVM Ecosystem survey, IntelliJ IDEA is the most-used IDE in the Java community, with 45% of respondents stating that they use IntelliJ IDEA.

Snyk offers an integrated plugin that works on both the IntelliJ IDEA community and paid offerings. This plugin scans your Maven dependencies for vulnerabilities while you code. No need to use the terminal anymore.

Installing the plugin is easy. Go to Preferences > Plugins and search for “Snyk”. The Snyk Vulnerability Scanning plugin pops up from that view. Follow the instructions and you are good to go.


The Snyk plugin is located as a tab in the bottom right-hand corner of your screen. Refresh your Maven dependencies to run the scan and see if you have vulnerable dependencies.

If there are vulnerabilities, click details to view the Snyk vulnerability page. This page provides more insight into the nature of the issue and displays the severity score.



Even more impressive is when you have a transitive dependency with a vulnerability. The plugin displays the full dependency tree step by step, including the direct dependency and the vulnerable transitive dependency.


Click the vulnerability to automatically jump to the pom file dependency declaration. This can be extremely useful when your pom file has a lot of dependencies. Now you can either choose to upgrade the direct dependency or exclude the vulnerable transitive dependency.

The Snyk plugin also provides a suggested upgrade if one is available. This is shown in green. The version is not necessarily the newest version of that dependency but is the first available version that solves the specific vulnerability. When clicking on the green remediation advice, the recommended dependency tree up to the specific fixed transitive dependency is displayed.


Plugins for PMD, checkstyle and findbugs help you write better code. Use the Snyk plugin to instantly see if a dependency you introduced has one or more vulnerabilities.

The Snyk plugin for IntelliJ IDEA is a powerful addition that helps you to avoid using vulnerable dependencies. With Snyk, you can write better, more secure software, without leaving your favorite IDE.

Comments below can no longer be edited.

16 Responses to Catching Vulnerabilities Instantly in Your IntelliJ IDEA Environment

  1. Avatar

    Gerry says:

    March 22, 2019

    Unfortunately it doesn’t work with Gradle projects (yet).

  2. Avatar

    Dragos says:

    March 22, 2019

    Any plans on supporting Gradle and npm/yarn?

    • Avatar

      Christopher Rucinski says:

      March 23, 2019

      They do plan on supporting Gradle. No mentions of npm or yarm, though.

      Check the bottom of the linked post…

    • Avatar

      Brian Vermeer says:

      June 19, 2019

      npm/yarn and gradle are all supported when you use our CLI.
      You might want to give it a try:

  3. Avatar

    Mark Kennedy says:

    March 22, 2019

    is it bytecode-based? source-based? both? how does it play with scala?

    • Avatar

      Brian Vermeer says:

      June 19, 2019

      It is based on manifesto files so for this plugin, it looks at you pom file.
      Basically, the only thing we send over the line is your dependency tree.

  4. Avatar

    Christopher Rucinski says:

    March 23, 2019

    Looking at the blog post by Snyk [1], they state that this plugin is built “on top of the JVM” and they they plan on supporting Gradle soon!

    1 –

  5. Avatar

    Tim van der Leeuw says:

    March 26, 2019

    Would be even more interesting if it would also support vulnerability checking for Node / NPM packages.

    • Avatar

      Brian Vermeer says:

      June 19, 2019

      Hi Tim,
      We do support vulnerability checking for npm and yarn package. Only not in this particular ide plugin.
      If you would use our CLI tool or connect your repo to our system we scan you npm packages instantly. Give it a try:

  6. Avatar

    Charlie Hayes says:

    April 3, 2019

    It would be more intellij-like for the tool to automatically upgrade the dependencies and/or add the sub-dependency exclusion and override automatically.

    • Avatar

      Brian Vermeer says:

      June 19, 2019

      That depends, sure we can create this and that maybe is even a good feature to add.
      On the other hand, you are the developer and only you can decide if you want to exclude a certain transitive dependency or upgrade it.

      We do however give you the option of auto fix PR if you connect your repo to our system.

  7. Avatar

    Mohammad Khaledi says:

    September 27, 2019


    In my Intellij 2019.02 I can not find Sync in Pluging/Marketplace to install. Wht causes it?

    Best regards

  8. Avatar

    Tom says:

    October 5, 2019


    When do you plan to release a plugin for PyCharm?

    • Avatar

      Emily says:

      March 24, 2020

      Also looking for a plugin for PyCharm.

  9. Avatar

    Matus says:

    March 25, 2020

    Tried it, but authentication failed for the plug-in constantly. Was eventually able to manually auth via cli tool, but then that failed to scan the project with

    > BUG! exception in phase ‘semantic analysis’ in source unit ‘_BuildScript_’ Unsupported class file major version 57

    Using Gradle multi-module project on JDK 13, no rocket science 🙂 I know the posts here from March ’19 says Gradle not supported yet, but that was a year ago…

    So all in all unfortunately useless for me…

Discover more