Visual Studio extension
The Visual Studio extension (Snyk Security - Code and Open Source Dependencies) helps you find and fix security vulnerabilities in your projects. Within a few seconds, the extension provides a list of all the different types of security vulnerabilities identified together with actionable fix advice. The extension combines the power of two Snyk products: Snyk Open Source and Snyk Code.
  1. 1.
    Snyk Open Source finds known vulnerabilities in both the direct and indirect (transitive) open source dependencies you are pulling into the project.
  2. 2.
    Snyk Code finds known security vulnerabilities and code quality issues at blazing speed looking at the code you and your team wrote.

Software requirements

  • Operating system - Windows
  • Supported versions of Visual Studio: 2015, 2017, 2019, 2022. Compatible with Community, Professional, and Enterprise

Supported languages, package managers, and frameworks

Install the extension

You can install the Snyk extension directly from the IDE; open Extensions > Manage Extensions.
Manage extensions menu
Search for Snyk and select Download to download the Snyk Security - Code and Open Source Dependencies extension.
Once installed, use Snyk via the Extensions > Snyk menu (on Visual Studio versions older than 2019, Snyk will be part of the top menu bar).
You can also open the Snyk tool window using View > Other Windows > Snyk.
Once the tool window opens, wait while the Snyk extension downloads the latest Snyk CLI version.
Snyk tool window, CLI downloading
After you install the extension and the CLI you must authenticate. You can use the Connect Visual Studio to Snyk link. For more information and additional ways to authenticate see Authentication.

Configuration

To analyze projects the plugin uses the Snyk CLI, which requires environment variables:
  • PATH: specify the path to needed binaries, for example, to Maven
  • JAVA_HOME: specify the path to the JDK you want to use for analysis of Java dependencies
  • http_proxy and https_proxy: set if you are behind a proxy server, using the value in the format http://username:[email protected]:proxyport Note: the leading http:// in the value does not change to https:// for https_proxy
You can set the variables using the GUI or on the command line using the setx tool.

Authentication

Authenticate using Connect Visual Studio to Snyk link on Overview page.
Connect Visual Studio to Snyk
You can also authenticate using Options. Open Visual Studio Options and go to the General Settings of the Snyk extension or use the Settings button in the toolbar.
Options and settings button
If the automated method does not work, you can trigger authentication by pressing the Authenticate button or enter the user API token manually. You can also submit a request to Snyk support.
Token field and Authenticate button
Click the Authenticate button or enter your API token
On the Snyk website, verify your identity and connect to the IDE extension. Click the Authenticate button.
Once the authentication has been confirmed, close the browser and go back to the IDE extension. The Token field has been populated with the authentication token and authentication is complete.
Token filed populated with the authentication token

Run analysis

Open your solution and run Snyk scan. Depending on the size of your solution and the time needed to build a dependency graph, it takes less than a minute to a couple of minutes to get the vulnerabilities.
The extension provides the user with two kinds of results:
  • Open Source vulnerabilities
  • Snyk Code issues

Open Source vulnerabilities

  • Note that your solution will have to be built successfully in order to allow the CLI to pick up the dependencies and find the vulnerabilities.
  • If you see only npm vulnerabilities or vulnerabilities that are not related to your C#/.NET projects, that can mean your project was not built successfully and was not detected by the CLI. If you have difficulty or questions, submit a request to Snyk support.
Run scan
Open Source vulnerabilities

Snyk Code issues

Snyk Code analysis shows a list of security vulnerabilities and code issues found in the application code. For more details and examples of how others fixed the issue, select a security vulnerability or a code security issue and examine the Snyk suggestion information in the panel.
Snyk suggestion panel
The Snyk suggestion panel shows the recommendation of the Snyk engine using, for example, variable names of your code and the line numbers in red. You can also see:
  • Links to external resources to explain the bug pattern in more detail.
  • Tags that were assigned by Snyk, such as Security (the issue found is a security issue), Database (the issue is related to database interaction), or In Test (the issue is within the test code).
  • Code from open source repositories that can be of help to see how others have fixed the issue.

View analysis results

You can filter vulnerabilities by name or by severity.
Filter by name by typing the name of the vulnerability in the search bar.
Filter by name
Filter by severity by selecting one or more of the severities when you open the search bar filter.
Filter by severity
Users can configure Snyk extension by Project settings.
Note that the “Scan all projects” option is enabled by default. It adds the --all-projects option for Snyk CLI. This option scans all projects by default.
Scan all projects enabled

Extension configuration

After the plugin is installed, you can set the following configurations for the extension:
  • Token: Enter the token the extension uses to connect to Snyk. You can manually replace it, if you need to switch to another account.
  • Custom endpoint: Specify the custom Snyk API endpoint for your organization.
  • Ignore unknown CA: Ignore unknown certificate authorities.
  • Organization: Specify the ORG_ID to run Snyk commands tied to a specific organization. This setting also allows you to specify the ORG_NAME, that is, the organization slug name, to run tests for that organization. If you specify the ORG_NAME, the value must match the URL slug as displayed in the URL of your org in the Snyk UI: https://app.snyk.io/org/[orgslugname]. If an ORG is not specified, the preferred organization as defined in your web account settings is used to run tests.
  • Send usage analytics: To help Snyk improve the extension, let your Visual Studio send Snyk information about how the extension is working.
  • Project settings: Specify any additional Snyk CLI parameters.
  • Scan all projects: Auto-detect all projects in the working directory, enabled by default.

Organization setting

This setting allows you to specify an organization slug name to run tests for that organization. The value must match the URL slug as displayed in the URL of your org in the Snyk UI: https://app.snyk.io/org/[orgslugname].
If not specified, the Preferred Organization (as defined in your web account settings) is used to run tests.

Product selection

In the settings, you can also choose which results you want to receive:
  • Open Source vulnerabilities
  • Snyk Code Security vulnerabilities
  • Snyk Code Quality issues

Known issue

Could not detect supported target files
Solution Open Visual Studio Options to go to the Project Settings of the Snyk extension and check Scan all projects.
The system cannot find the file specified
Solution This issue related to CLI file. Close and open Snyk tool window for start CLI download.
The specified executable is not a valid application for this OS platform
Solution This issue related to CLI file and its integrity. Remove CLI from in %HOMEPATH%\AppData\Local\Snyk\snyk-win.exe. Close and open Snyk tool window for start CLI download.

How tos

Snyk Code no supported code available
Solution Check .gitignore and .dcignore file rules. Check if there are any rules that exclude your project's source files.

How tos

How to find the log files

Logs can be found in the user AppData directory:
1
%HOMEPATH%\AppData\Local\Snyk\snyk-extension.log
Copied!

Build process

Clone this repository locally:
1
git clone https://github.com/snyk/snyk-visual-studio-plugin.git
Copied!
Restore Nuget packages:
1
nuget restore
Copied!
Run build:
1
msbuild -t:Build
Copied!

Useful links

Support and contact information

Need more help? Submit a request to Snyk support.
Share your experience.
Snyk continuously strives to improve the Snyk plugins experience. Would you like to share with us your feedback about the Snyk Visual Studio extension? Schedule a meeting.