<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
  <title>appsec.fyi — Snyk</title>
  <link>https://appsec.fyi/tools.html#snyk</link>
  <description>Curated Snyk resources from appsec.fyi</description>
  <language>en-us</language>
  <atom:link href="https://appsec.fyi/feeds/tool/snyk.xml" rel="self" type="application/rss+xml"/>
  <lastBuildDate>Sun, 07 Jun 2026 04:05:35 +0000</lastBuildDate>
  <managingEditor>carl@chs.us (Carl Sampson)</managingEditor>
  <item>
    <title>What is a Software Bill of Materials (SBOM)? (Snyk)</title>
    <link>https://snyk.io/articles/software-bill-of-materials/</link>
    <guid isPermaLink="true">https://snyk.io/articles/software-bill-of-materials/</guid>
    <description>Article explaining Software Bills of Materials (SBOMs): formal records of the components that make up a piece of software and their supply chain relationships. It covers how SBOMs improve transparency, support vulnerability management, and help meet regulatory requirements, notably for software sold to the US federal government under Executive Order 14028. It surveys the SPDX, SWID, and OWASP CycloneDX formats, which let dependencies, licenses, and known vulnerabilities be analyzed from the SBOM, and places SBOMs alongside efforts such as SLSA for supply chain integrity.</description>
    <category domain="tool">Snyk</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Fri, 17 Apr 2026 14:50:49 +0000</pubDate>
  </item>
  <item>
    <title>Why 28 Million Credentials Leaked on GitHub in 2025 | Snyk</title>
    <link>https://snyk.io/articles/state-of-secrets/</link>
    <guid isPermaLink="true">https://snyk.io/articles/state-of-secrets/</guid>
    <description>Report on the 28 million credentials leaked on GitHub in 2025, covering API keys, database passwords, cloud IAM credentials, and AI service keys. It examines accidental commits, insecure .env file handling, supply chain attacks (the Shai-Hulud malicious-package campaign and compromised versions of TruffleHog), and leaks through non-code surfaces such as Slack, Jira, and Docker Hub. It also highlights the growing exposure from AI-assisted development and MCP server credentials, and explains how secret scanning differs from SAST: it must analyze the full Git history, including deleted files, not just the current working tree.</description>
    <category domain="tool">Snyk</category>
    <category domain="difficulty">news</category>
    <pubDate>Fri, 03 Apr 2026 15:50:53 +0000</pubDate>
  </item>
  <item>
    <title>Go Security cheatsheet | Snyk Blog</title>
    <link>https://snyk.io/blog/go-security-cheatsheet-for-go-developers/</link>
    <guid isPermaLink="true">https://snyk.io/blog/go-security-cheatsheet-for-go-developers/</guid>
    <description>Cheatsheet detailing eight Go security best practices for developers, emphasizing the use of Go Modules for dependency management and scanning dependencies for CVEs with tools like Snyk. It covers employing Go&#x27;s standard crypto packages, utilizing `html/template` to prevent XSS attacks, exercising caution with subshelling, `unsafe`, and `cgo`, using reflection sparingly, and minimizing container attack surfaces.</description>
    <category domain="tool">Snyk</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Thu, 14 Aug 2025 04:39:12 +0000</pubDate>
  </item>
  <item>
    <title>What is SSRF (server-side request forgery)? | Tutorial &amp; examples | Snyk Learn</title>
    <link>https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/</link>
    <guid isPermaLink="true">https://learn.snyk.io/lesson/ssrf-server-side-request-forgery/</guid>
    <description>Tutorial on Server-Side Request Forgery (SSRF): an attacker abuses a feature that fetches a user-supplied URL to make the server issue requests to destinations the server can reach but the attacker cannot, such as services on localhost or cloud instance metadata. It demonstrates exploiting SSRF in a social app by reaching localhost and the AWS metadata endpoint (169.254.169.254), discusses pivoting into internal networks (referencing CVE-2021-26084), and covers prevention: allowlisting permitted destinations and questioning whether user-controlled outbound requests are needed at all. It notes SSRF&#x27;s inclusion in the OWASP Top 10.</description>
    <category domain="tool">Snyk</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Thu, 14 Aug 2025 03:59:39 +0000</pubDate>
  </item>
  <item>
    <title>New #CVE Record: CVE-2025-8020 All #Snyk versions of the package private-ip are #vulnerable to Server-Side Request Forgery (#SSRF) where an attacker can provide an IP or #hostname that resolves to a #multicast IP address (224.0.0.0/4) which is not included as part of the private</title>
    <link>https://x.com/marcin_brz81183/status/1947913994729058729</link>
    <guid isPermaLink="true">https://x.com/marcin_brz81183/status/1947913994729058729</guid>
    <description>Tweet announcing CVE-2025-8020: all versions of the private-ip package are vulnerable to an SSRF filter bypass because an attacker can supply an IP or hostname that resolves to a multicast address (224.0.0.0/4), a range the package does not treat as private. Applications that rely on private-ip to block requests to internal addresses can therefore be made to send requests to multicast destinations.</description>
    <category domain="tool">Snyk</category>
    <category domain="difficulty">news</category>
    <pubDate>Wed, 23 Jul 2025 07:43:48 +0000</pubDate>
  </item>
  <item>
    <title>DOM Based XSS | Tutorial &amp; Examples | Snyk Learn | Snyk Learn</title>
    <link>https://learn.snyk.io/lesson/dom-based-xss/</link>
    <guid isPermaLink="true">https://learn.snyk.io/lesson/dom-based-xss/</guid>
    <description>Tutorial on DOM-based XSS, where attacker-controlled data from a client-side source (such as the URL query string) flows into a dangerous sink like `eval()`, `document.write()`, or `innerHTML` and is interpreted as markup or code. It demonstrates exploiting a personalized profile color feature by breaking out of the expected value with a crafted URL query parameter, and recommends mitigating it by assigning the value directly to `document.body.style.color` instead of building markup, sanitizing input with a library such as `node-esapi`, or deploying a Content Security Policy (CSP) with nonces.</description>
    <category domain="tool">Snyk</category>
    <category domain="difficulty">beginner</category>
    <pubDate>Mon, 22 Jul 2024 18:50:42 +0000</pubDate>
  </item>
</channel>
</rss>