Snyk Security Planning
| Product | What it Scans | Languages/Tools | Scan Speed | Fix Method |
|---|---|---|---|---|
| Snyk Code (SAST) | Source code vulnerabilities | Java Python JS Go C# Ruby PHP | ~30s per repo | Code fix suggestions |
| Snyk Open Source (SCA) | Dependencies with CVEs | npm Maven pip Go NuGet | ~10s per manifest | Auto PR with upgrade |
| Snyk Container | Docker/OCI image vulns | Docker Podman ECR GCR | ~60s per image | Base image upgrade |
| Snyk IaC | Infrastructure misconfig | Terraform K8s CloudFormation | ~15s per file | Config fix suggestion |
Capacity Estimation
```python
# === Snyk Capacity Calculator ===
from dataclasses import dataclass


@dataclass
class OrgProfile:
    repos: int
    developers: int
    avg_deps_per_repo: int
    container_images: int
    iac_files: int
    ci_runs_per_day: int
    branches_per_repo: int


@dataclass
class CapacityPlan:
    daily_scans: int
    monthly_scans: int
    license_needed: str
    estimated_vulns: int
    remediation_hours_week: float
    cost_estimate: str


def calculate_capacity(org):
    # Estimated daily scan volume per scan type (rule-of-thumb multipliers)
    sca_scans = org.ci_runs_per_day * org.repos * 0.3
    sast_scans = org.ci_runs_per_day * org.repos * 0.2
    container_scans = org.container_images * 2
    iac_scans = org.iac_files * 0.5
    daily = int(sca_scans + sast_scans + container_scans + iac_scans)
    monthly = daily * 30
    # Pick the license tier from monthly test volume and team size
    if monthly <= 200:
        license_type = "Free (200 tests/month)"
    elif org.developers <= 10:
        license_type = f"Team ($25/dev = ${org.developers * 25}/month)"
    else:
        license_type = f"Enterprise (custom pricing, {org.developers} devs)"
    # Assume ~3% of dependencies carry a known vulnerability, ~0.5 h each to remediate
    est_vulns = org.repos * org.avg_deps_per_repo * 0.03
    hours = est_vulns * 0.5
    return CapacityPlan(daily, monthly, license_type, int(est_vulns), hours,
                        f"${org.developers * 25}/month (Team)")


# Small startup
small = OrgProfile(20, 5, 50, 10, 30, 10, 3)
# Mid-size company
mid = OrgProfile(100, 30, 80, 50, 200, 50, 5)
# Enterprise
enterprise = OrgProfile(500, 150, 120, 200, 1000, 200, 8)

for name, org in [("Small Startup", small), ("Mid-size", mid), ("Enterprise", enterprise)]:
    plan = calculate_capacity(org)
    print(f" [{name}] Repos: {org.repos} | Devs: {org.developers}")
    print(f"   Daily scans: {plan.daily_scans} | Monthly: {plan.monthly_scans}")
    print(f"   License: {plan.license_needed}")
    print(f"   Est. vulns: {plan.estimated_vulns} | Remediation: {plan.remediation_hours_week:.0f} hrs/week")
```
CI/CD Integration
GitHub Actions workflow:

```yaml
name: Snyk Security Scan
on: [push, pull_request]
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Snyk SCA Test
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: test
          args: --severity-threshold=high
      - name: Snyk Code Test (SAST)
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: code test
      - name: Snyk Container Test
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: myapp:latest
          args: --severity-threshold=critical
      - name: Snyk Monitor (record to dashboard)
        uses: snyk/actions/node@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          command: monitor
```

CLI commands:

```sh
snyk auth                                  # Authenticate
snyk test                                  # Test dependencies
snyk test --severity-threshold=high        # Fail on high and above
snyk code test                             # SAST scan
snyk container test myapp:latest           # Container scan
snyk iac test terraform/                   # IaC scan
snyk monitor                               # Record to dashboard
snyk ignore --id=SNYK-JS-LODASH-1234 --expiry=2024-12-31   # Ignore an issue until the expiry date
```

Pipeline stages:

```python
# === CI/CD Pipeline Setup ===
from dataclasses import dataclass


@dataclass
class PipelineStage:
    stage: str
    snyk_command: str
    when: str
    fail_on: str
    time: str


pipeline = [
    PipelineStage("PR Check (SCA)", "snyk test --severity-threshold=high",
                  "Every PR", "High + Critical", "~10s"),
    PipelineStage("PR Check (SAST)", "snyk code test",
                  "Every PR", "High + Critical", "~30s"),
    PipelineStage("Build (Container)", "snyk container test image:tag",
                  "After Docker build", "Critical only", "~60s"),
    PipelineStage("Deploy (IaC)", "snyk iac test --severity-threshold=high",
                  "Before Terraform apply", "High + Critical", "~15s"),
    PipelineStage("Monitor", "snyk monitor",
                  "After merge to main", "None (record only)", "~5s"),
    PipelineStage("Scheduled Scan", "snyk test --all-projects",
                  "Daily at 02:00", "Report only", "~5 min"),
]

print("\nCI/CD Pipeline:")
for p in pipeline:
    print(f" [{p.stage}] Command: {p.snyk_command}")
    print(f"   When: {p.when} | Fail: {p.fail_on} | Time: {p.time}")
```
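The PR-check gate described above (fail on a severity threshold, with time-boxed ignores from `snyk ignore --expiry`) can be reproduced over the JSON that `snyk test --json` writes, which is useful when the gate must run in a reporting job rather than in the CLI step itself. The following is an added example, not code from the original page or from Snyk: the record field names (`vulnerabilities`, `id`, `severity`, `cvssScore`, `packageName`, `version`, `isUpgradable`) are assumed to follow the shape of that output, the sample document and the `SNYK-JS-EXAMPLE-*` issue IDs are constructed, and `IGNORE_POLICY` stands in for `.snyk` ignore entries with an expiry.

```python
import json
from datetime import date

# Severity ordering used to apply a --severity-threshold style gate.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample shaped like the `vulnerabilities` array of
# `snyk test --json` (field names are an assumption, not taken from the page).
SAMPLE_SNYK_JSON = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-JS-LODASH-1234", "title": "Prototype Pollution",
         "severity": "high", "cvssScore": 7.4, "packageName": "lodash",
         "version": "4.17.15", "isUpgradable": True},
        {"id": "SNYK-JS-EXAMPLE-0001", "title": "Regular Expression Denial of Service",
         "severity": "medium", "cvssScore": 5.3, "packageName": "example-re",
         "version": "1.0.0", "isUpgradable": False},
        {"id": "SNYK-JS-EXAMPLE-0002", "title": "Arbitrary Code Execution",
         "severity": "critical", "cvssScore": 9.8, "packageName": "example-eval",
         "version": "2.1.0", "isUpgradable": True},
    ],
})
CLEAN_SNYK_JSON = json.dumps({"ok": True, "vulnerabilities": []})

# Time-boxed ignore policy in the spirit of `snyk ignore --id=... --expiry=...`:
# an ignore suppresses a finding only until its expiry date, after which it
# blocks again instead of silently staying hidden.
IGNORE_POLICY = {
    "SNYK-JS-LODASH-1234": {"expires": date(2024, 12, 31),
                            "reason": "not reachable from application code"},
}
BEFORE_EXPIRY = date(2024, 6, 1)    # constructed run dates for the demo
AFTER_EXPIRY = date(2025, 1, 15)


def parse_findings(raw_json):
    """Return the vulnerability records from a snyk test --json document."""
    return json.loads(raw_json).get("vulnerabilities", [])


def is_ignored(vuln_id, policy, today):
    """True only while a policy entry exists and has not expired."""
    entry = policy.get(vuln_id)
    return entry is not None and today <= entry["expires"]


def gate(raw_json, threshold="high", policy=None, today=None):
    """Return (passed, blocking, ignored): passed is False when any non-ignored
    finding is at or above the threshold severity."""
    policy = policy or {}
    today = today or date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking, ignored = [], []
    for v in parse_findings(raw_json):
        if is_ignored(v["id"], policy, today):
            ignored.append(v["id"])
            continue
        if SEVERITY_RANK[v["severity"]] >= min_rank:
            blocking.append(v)
    return not blocking, blocking, ignored


def count_by_severity(raw_json):
    """Findings per severity, for the dashboard 'open vulnerabilities' count."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for v in parse_findings(raw_json):
        counts[v["severity"]] += 1
    return counts


if __name__ == "__main__":
    passed, blocking, ignored = gate(SAMPLE_SNYK_JSON, "high", IGNORE_POLICY, BEFORE_EXPIRY)
    print("Findings by severity:", count_by_severity(SAMPLE_SNYK_JSON))
    print("Ignored (policy still valid):", ignored)
    for v in blocking:
        print(f"BLOCK {v['id']} [{v['severity']}] {v['packageName']}@{v['version']} "
              f"upgradable={v['isUpgradable']}")
    print("Gate passed:", passed)
    raise SystemExit(0 if passed else 1)
```

Run with the constructed dates to see the difference: before the expiry the lodash issue is suppressed and only the critical finding blocks; after the expiry the high-severity lodash issue blocks again, which is the behaviour a time-boxed `.snyk` ignore should have.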
Vulnerability Management
```python
# === Vulnerability SLA and Metrics ===
from dataclasses import dataclass


@dataclass
class VulnSLA:
    severity: str
    cvss_range: str
    sla_days: int
    auto_pr: bool
    escalation: str


slas = [
    VulnSLA("Critical", "9.0-10.0", 7, True, "CISO + Engineering Lead immediately"),
    VulnSLA("High", "7.0-8.9", 30, True, "Engineering Lead within 48 hours"),
    VulnSLA("Medium", "4.0-6.9", 90, False, "Security team weekly review"),
    VulnSLA("Low", "0.1-3.9", 180, False, "Quarterly review, fix if easy"),
]

print("=== Vulnerability SLA ===")
for s in slas:
    print(f" [{s.severity}] CVSS: {s.cvss_range} | SLA: {s.sla_days} days")
    print(f"   Auto PR: {s.auto_pr} | Escalation: {s.escalation}")

# Dashboard metrics
metrics = {
    "Open Vulnerabilities": "Total count by severity (target: decreasing trend)",
    "MTTR (Mean Time to Remediate)": "Average days from discovery to fix",
    "Fix Rate": "% of vulns fixed within SLA (target: > 90%)",
    "New Vulns per Week": "Newly discovered vulnerabilities",
    "SLA Compliance": "% of vulns fixed within SLA deadline",
    "Dependencies Count": "Total dependencies across all repos",
    "License Violations": "Dependencies with non-compliant licenses",
    "Container Base Image Age": "Days since last base image update",
}

print("\n\nDashboard Metrics:")
for k, v in metrics.items():
    print(f" [{k}]: {v}")
```
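The SLA table and the dashboard metrics above only become actionable once they are computed from a ledger of findings with discovery and fix dates. The following is an added example, not code from the original page or from Snyk: it uses a constructed ledger, the section's 7/30/90/180-day windows, and two constructed reporting dates (`AS_OF`, `AS_OF_LATER`) to produce open counts by severity, MTTR, fix rate within SLA, the list of SLA breaches, and an escalation queue ordered by days left. Issue IDs other than the page's lodash example are placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# SLA windows per severity, matching the table in this section.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed reporting dates for the demo.
AS_OF = date(2024, 4, 1)
AS_OF_LATER = date(2024, 4, 10)


@dataclass
class Finding:
    vuln_id: str
    severity: str
    discovered: date
    fixed: Optional[date] = None      # None means still open

    def deadline(self):
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def breached(self, today):
        """Past the SLA deadline without a fix on or before it."""
        return (self.fixed or today) > self.deadline()


# Constructed findings ledger (placeholder IDs except the page's lodash example).
LEDGER = [
    Finding("SNYK-JS-LODASH-1234", "high", date(2024, 3, 1), date(2024, 3, 20)),
    Finding("SNYK-EXAMPLE-0001", "critical", date(2024, 3, 10), date(2024, 3, 25)),
    Finding("SNYK-EXAMPLE-0002", "medium", date(2024, 1, 5)),
    Finding("SNYK-EXAMPLE-0003", "low", date(2024, 3, 15)),
    Finding("SNYK-EXAMPLE-0004", "critical", date(2024, 3, 28)),
]


def open_by_severity(ledger):
    """Dashboard 'Open Vulnerabilities': count of unfixed findings per severity."""
    counts = {s: 0 for s in SLA_DAYS}
    for f in ledger:
        if f.fixed is None:
            counts[f.severity] += 1
    return counts


def mttr_days(ledger):
    """Mean days from discovery to fix over fixed findings (None if nothing fixed yet)."""
    fixed = [f for f in ledger if f.fixed is not None]
    if not fixed:
        return None
    return sum((f.fixed - f.discovered).days for f in fixed) / len(fixed)


def fix_rate_within_sla(ledger):
    """Share of fixed findings that met their SLA deadline (None if nothing fixed yet)."""
    fixed = [f for f in ledger if f.fixed is not None]
    if not fixed:
        return None
    return sum(1 for f in fixed if f.fixed <= f.deadline()) / len(fixed)


def sla_breaches(ledger, today):
    """IDs of findings, open or fixed, that missed their SLA deadline as of today."""
    return [f.vuln_id for f in ledger if f.breached(today)]


def escalation_queue(ledger, today):
    """Open findings ordered by days left until the deadline (negative means overdue)."""
    return sorted(((f.deadline() - today).days, f.vuln_id)
                  for f in ledger if f.fixed is None)


def dashboard(ledger, today):
    return {
        "Open Vulnerabilities": open_by_severity(ledger),
        "MTTR (days)": mttr_days(ledger),
        "Fix Rate within SLA": fix_rate_within_sla(ledger),
        "SLA Breaches": sla_breaches(ledger, today),
        "Escalation Queue": escalation_queue(ledger, today),
    }


if __name__ == "__main__":
    for k, v in dashboard(LEDGER, AS_OF).items():
        print(f" [{k}] {v}")
```

Note that a breach is evaluated against the fix date when one exists and against the reporting date otherwise, so a critical finding fixed after day 7 still counts as a breach and lowers the fix rate even though it is closed; that is what keeps the metric honest about late fixes.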
Tips
- Shift Left: scan in the IDE with the Snyk plugin before committing, to shorten the feedback loop
- Auto PR: enable Auto Fix PRs so Snyk opens pull requests that update dependencies automatically
- Policy: use a .snyk file to define policy and skip vulnerabilities that are not relevant
- Monitor: run snyk monitor after merge to track newly disclosed vulnerabilities every day
- License: check license compliance to prevent GPL-licensed code from being used in commercial software
Putting it into practice in the organization
For medium-to-large organizations, a Three-Tier Architecture is recommended: a Core Layer that forms the backbone of the system, a Distribution Layer that distributes traffic, and an Access Layer that connects directly to users. Clear separation between layers makes troubleshooting easier and lets the system scale on demand.
Network security matters just as much: deploy a Next-Generation Firewall capable of Deep Packet Inspection, use network segmentation with a separate VLAN per department, install IDS/IPS to detect attacks, and perform a regular security audit at least twice a year.
