Snyk Glossary

Introduction

In the sphere of security and vulnerability management, understanding essential terms and concepts is paramount to effectively safeguarding your software.

Our Snyk glossary deciphers key definitions related to security monitoring, vulnerability detection, and software protection. Deepen your knowledge of Snyk's functionalities and fortify your proficiency in securing software effortlessly as you delve into our comprehensive glossary.

Snyk Terms

A

Advisor: A freely accessible web application, Libraries.io facilitates the comparison of software packages across various open-source ecosystems. It offers a comprehensive perspective on the overall health of a specific package by integrating community and security data into a consolidated view.

Asset (Snyk AppRisk): An asset within Snyk's AppRisk framework is a distinct entity associated with an application, significant for both security and developers.

B

Base image: The base image serves as the foundation for constructing a container image, which is customarily specified in the FROM directive of a Dockerfile. In turn, base images can also be built upon other base images.

Broker: Snyk Broker is a client-server architecture that operates as an agent or proxy, enabling Snyk to analyze private customer environments, including Jira, code repositories, or container registries. By relaying messages and providing users with the ability to regulate which messages are transmitted, Snyk Broker allows users to restrict access to specific GitHub APIs.

Build System: A system that transforms source code into a deployable application, such as a container image.

C

CI/CD: The Software Development Lifecycle (SDLC) model encompasses Continuous Integration (CI), Continuous Delivery (CD), and Continuous Deployment (CD), which collectively guide developers in automating the development and delivery of small, frequent changes. This approach ensures that all team members have access to the most recent codebase and can verify the compatibility of committed code during the development phase.

Class (Snyk AppRisk): A method for assigning business relevance to assets and categorizing them based on their criticality to the business. Assets can be classified into Classes A, B, C, or D, with Class A being the most significant and Class D being the least significant. Class A assets, which are critical to business operations, handle sensitive data, and are subject to compliance requirements, are the most important, while Class D assets, such as test applications and sandbox environments, are the least important. By default, assets are assigned to Class C. Classes can be utilized in policies and defined within policies.

CLI: Command Line Interface. A Snyk platform tool that enables developers to find and fix known vulnerabilities in dependencies, using a command line interface.

Cloud Native Application Security: By integrating security measures throughout the CI/CD pipeline, automating the incorporation of security in microservices, and promoting repetition to minimize the introduction of vulnerabilities, Snyk offers a comprehensive platform that aligns with the Cloud Native Application Security (CNAS) framework.

Container: Containers enable the bundling of applications and their dependencies into a unified entity for deployment as a standalone executable. Operating as an abstraction facilitated by the operating system kernel, a container isolates a process from other processes operating on the system

Container engine: For end-users, a container runtime is an application that transforms a container image into a functional container. Container runtimes typically interact with container registries and execute containers. Illustrative examples of container runtimes include Docker, CRI-O, and LXC.

Container image: A container image refers to one or more files that, when instantiated by a container engine or runtime, result in a functional container. This format serves as the packaging and distribution mechanism for containers.

Container registry: A container registry is a server that offers a system for storing and retrieving container images, facilitating their management and distribution.

Controls (Snyk AppRisk): The security measures linked to a particular asset can be found in the Snyk AppRisk Controls section, which provides a comprehensive list of all available security control statuses.

Coverage (Snyk AppRisk): This evaluation determines if relevant assets undergo scanning and testing by security tools, such as Snyk Open Source, within the context of an application security program. It represents a policy type that enables the definition of required controls and, if desired, the frequency of their execution.

CVE: Common Vulnerabilities and Exposures (CVE) refers to a universally recognized identifier for a commonly known vulnerability.

CVSS: Common Vulnerability Scoring System (CVSS) is an industry standard for evaluating the seriousness of vulnerabilities, assigning a score ranging from 0 (representing the lowest severity) to 10 (indicating the highest severity). Snyk employs CVSS as part of its vulnerability assessment process.

CWE: Common Weakness Enumeration (CWE) is an online dictionary that categorizes software and hardware vulnerabilities into distinct types, such as CWE-20: Input Validation.

D

DAST: Dynamic Application Security Testing. A tool, referred to as a dynamic application security testing (DAST) tool, can be directed towards a website or service, where it initially profiles the target, followed by an analysis of its output and behavior to identify security vulnerabilities.

Dependency: When your application incorporates an external package, that package becomes a dependency within your software. A direct dependency is a package directly included in your project. An indirect dependency, also referred to as a deep, chained, or transitive dependency, is a package utilized by one of your direct dependencies.

Dependency tree: Alternatively known as a dependency tree, it represents a hierarchical diagram that illustrates the dependencies of a software application, encompassing both direct and indirect dependencies, and potentially extending across multiple levels.

DevOps: A blend of cultural principles, methods, and tools that amalgamates software development and IT operations, with the objective of streamlining the software development lifecycle.

DevSecOps: The incorporation of security into evolving agile IT and DevOps development in a manner that is as seamless and unobtrusive as possible.

Dockerfile: A text-based format, known as Dockerfile, is employed to construct container images using Docker. This file encompasses all the commands necessary to generate the final image, including the specification of the parent base image.

E

Environment: The term "context" can refer to a cloud environment, a characteristic of a project, or an interface for interacting with Snyk, such as the Snyk Command Line Interface (CLI), Web User Interface (UI), or an Integrated Development Environment (IDE).

Exploit: An exploit is a demonstration that illustrates how a vulnerability can be exploited. When an exploit is extensively disseminated, it is often referred to as an exploit "in the wild".

Exploit Maturity: The exploitability of a vulnerability is assessed by considering its practicality, which is determined by whether the exploit is actively used in real-world scenarios and how advantageous it is to potential attackers.

F

Fixable / Partially fixable: The fixability of a vulnerability is determined by the feasibility of addressing it through the application of a patch, upgrade, or pin.

Fix PR: A pull request containing an automated solution for identified vulnerabilities that Snyk can provide to the user.

G

Git: A decentralized version control system used to monitor modifications in source code throughout the software development process.

I

IaC: Infrastructure as Code. A Snyk offering, designed to assist developers in identifying and remedying vulnerabilities within Kubernetes, Helm, and Terraform configuration files.

IAST: Interactive Application Security Testing (IAST) is a method that scrutinizes applications for vulnerabilities while they are actively running.

IDE: Integrated Development Environment (IDE) is an application that provides functionalities for software development, commonly featuring a source code editor, automation tools for building software, and a debugger.

Image: A container image is the saved form that contains a collection of software necessary to operate an application.

Image layer: Container images generally comprise multiple distinct file system layers, which are integrated into a single file system during runtime.

Integrations: Third-party software, applications, and platforms that are compatible with Snyk, such as source control management (SCM) systems, including GitHub.

Issue: An issue related to licensing, vulnerability, or misconfiguration that has been detected and documented by Snyk.

L

Library: A distinct category of package.

License policy: A collection of standards for assessing open-source license problems. License policies allow you to establish the severity level and outline legal instructions for each license.

M

Manifest: A file that holds metadata regarding the other files within a package.

Monitor: Executing the snyk monitor command assesses a Project and sends the findings to Snyk for analysis.

O

OCI: Open Container Initiative. An autonomous entity established to foster collaboration on container standardization, promoting interoperability among different vendor solutions.

Organization: An Organization in Snyk serves as a means to gather and organize your Projects, with members of the Organization granted access to them.

Origin or source: The designation for the ecosystem where a Target is situated. Snyk can analyze Projects from various integrations, such as CLI, API, GitHub, Kubernetes, and others.

P

Package: A collection of files accompanied by supplementary metadata, utilized by package managers for managing software packages.

Package manager: A collection of tools designed to automate and manage bundled files, typically tailored to a particular programming language, such as npm for JavaScript.

Package registry: A service for hosting software packages and code, providing a unified platform for customers.

Pinnable: A type of fix: specifying and "pinning" a particular version of an indirect dependency to prevent a direct dependency from importing a vulnerable version.

Policy (Snyk AppRisk): A method for automating actions based on specific conditions, such as categorizing and tagging assets with contextual information. This can also involve configuring actions like sending alerts or adjusting coverage gap controls using a Policy builder UI.

PR: Pull Request is a feature that enables users to share modifications made to source code and collaborate with others on the same branch.

PR Checks: Employ Snyk PR Checks to prevent the introduction of new security issues into your codebase by automatically examining code modifications in real-time as soon as a pull request (PR) is submitted in your source code manager (SCM).

Priority Score: Snyk assigns scores to issues, such as vulnerabilities and open-source licenses, to aid in prioritizing their resolution. The scores, which range from 0 (low) to 1000 (high), are determined by multiple factors, including the CVSS score.

Project: An external entity scanned by Snyk with specific configurations to dictate the scanning process. These entities are listed under the Projects menu on the Snyk dashboard.

R

Reachability: Whether an application's code includes elements that will interact with a vulnerable code path during execution.

Repository: A storage region that encompasses all components required for the distribution of an application.

Resource: A cloud infrastructure component, such as an AWS S3 bucket, Identity and Access Management (IAM) role, or Virtual Private Cloud (VPC) flow log.

Risk score: A value assigned to an issue, spanning from 0 to 1,000, indicating the degree of risk imposed on your environment.

Rule: A security policy that examines cloud infrastructure and infrastructure as code (IaC) for misconfigurations that may result in security issues, or a security guideline employed by Snyk Code when scanning your source code for vulnerabilities.

S

SARIF: Static Analysis Results Interchange Format (SARIF): A standardized, JSON-based format for the output generated by static analysis tools.

SAST: Static Application Security Testing (SAST): A strategy for securing software through the examination of the source code of your proprietary software, with the aim of detecting potential vulnerabilities.

SBOM: Software Bill of Materials (SBOM): An inventory of components that constitute a software product.

SCA: Software Composition Analysis (SCA): A technology that detects and catalogs open-source and third-party components employed in an application, along with any known security vulnerabilities and potential licensing restrictions.

SCM: Source Code Management (SCM), also known as a code repository (repo) or version control system, refers to the method used by developers to maintain their source code and monitor modifications. SCM facilitates the resolution of conflicts when integrating updates from multiple contributors. GitHub is an illustration of a prevalent SCM system.

SDLC: Software Development Lifecycle (SDLC): A structured process adhered to by a development team outlining the steps for creating and sustaining software.

Security policy: A collection of standards for assessing open-source vulnerabilities. Security policies allow you to establish custom rules that automatically prioritize or deprioritize particular vulnerabilities.

Severity: A vulnerability or license issue is assigned a severity level to signify the risk it poses within an application.

Snapshot: A specific entry in the test history of a Project, containing a dependency tree and a list of vulnerabilities that were current at the time of the test.

.snyk policy: A policy file that Snyk employs to determine specific analysis behaviors and to specify patches for the command-line interface (CLI) and CI/CD plugins.

Snyk: A platform offering Cloud Native Application Security (CNAS) solutions, empowering developers to take charge of and establish security across the entire application, encompassing code, open source components, containers, and cloud infrastructure. Snyk is the company behind the Snyk platform.

Snyk API: A Snyk tool that facilitates programmatic integration with the Snyk platform.

Snyk Apps: Snyk Apps represent the contemporary and favored approach for constructing integrations with Snyk, providing refined scopes for accessing resources via Snyk APIs, underpinned by OAuth 2.0 for a user-friendly developer experience.

Snyk Code:A Snyk product. A Static Application Security Testing (SAST) solution that allows developers to identify and remediate vulnerabilities within their proprietary application code.

Snyk Container: A Snyk product. A solution that empowers developers to detect and resolve vulnerabilities in container images and Kubernetes applications.

Snyk Open Source: A Snyk product. A solution that allows developers to identify and remediate vulnerabilities in open-source components.

Snyk plugin: A library utilized by the Snyk command-line interface (CLI) to analyze a specific programming language or build system.

Snyk Security Intelligence: An integral element of the Snyk cloud-native application security platform. Includes the Snyk Intel Vulnerability DB, which is the database housing vulnerabilities, offering comprehensive details and guidance on addressing known vulnerabilities.

Snyk Web UI: The web-based interface that grants users access to Snyk's capabilities.

Social Trends: Snyk displays a 'Trending' label on issues that are currently a topic of discussion on Twitter.

SPDX: Software Package Data Exchange (SPDX): A file format utilized to record details about the software licenses governing the distribution of a computer software package.

Static Code Analysis: A debugging technique that involves reviewing source code prior to executing a program.

T

Target: Depiction of an external resource scanned by Snyk. Each Snyk Project is linked to a parent Target, with a single Target potentially connected to multiple Projects. The configuration of the Target varies based on its source.

Tags (Snyk AppRisk): A classification method for resources. Facilitates distinguishing or managing resources differently based on shared attributes. Resources can be sorted using tags in the inventory or when establishing policy rules. Tags can be automatically applied to resources or manually assigned based on your policies. GitHub and GitLab topics function as resource tags, enabling policy creation based on them.