Using FIPS-validated cryptography
Support for use of FIPS-validated cryptography is limited to the Windows and Linux operating systems.
To optimize the developer experience, Snyk is combining the Snyk Language Server and the Snyk CLI. As a first step, Snyk is bringing FIPS binaries under one application. Later, non-FIPS CLI binaries will also be used for the Snyk Language Server.
The Snyk Language Server can now be executed as a CLI command.
As a consequence, instructions for using FIPS-validated cryptography are the same for the CLI and the Language Server.
Linux operating systems
On Linux, Snyk supports FIPS-validated cryptography through OpenSSL and its validated FIPS provider.
Ensure that your Linux system has OpenSSL installed and configured to meet FIPS validation requirements. For information about how to accomplish this, see the documentation from the OpenSSL project.
Windows operating systems
On Windows, Snyk supports FIPS-validated cryptography through the Windows CNG API.
To enable FIPS on Windows, use the Windows FIPS policy.
For testing, FIPS can be enabled using the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy by setting the value of Enabled to 1.
Snyk binaries are available with and without FIPS support. They are all hosted on downloads.snyk.io, differentiated by their Base URL.
FIPS Base URL: https://downloads.snyk.io/fips/
Regular Base URL: https://downloads.snyk.io/
All instructions on how to install and use Snyk remain the same. The only required change is using the appropriate Base URL.
The example that follows uses a Microsoft Mariner image to download and run the FIPS-enabled Snyk CLI.
"not in FIPS mode" errors indicate that the underlying cryptography library is not in FIPS mode. To solve these issues, ensure that the prerequisites are met.
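The Linux prerequisites can be checked on the host before the CLI is run, which helps separate a host configuration problem from a wrong download when a "not in FIPS mode" error appears. The script below is an added example, not Snyk's code: the function names and the sample provider listing are constructed, and it assumes that a FIPS-configured host shows the kernel FIPS flag set to 1 and an active OpenSSL 3.x `fips` provider.

```shell
#!/bin/sh
# Added example (not Snyk's code): preflight for the Linux prerequisites.
# Assumption: a FIPS-configured host shows the kernel FIPS flag set to 1 and
# an active OpenSSL 3.x "fips" provider; the page does not say which of these
# the Snyk binary itself consults.
FIPS_BASE_URL="https://downloads.snyk.io/fips/"   # from this page
KERNEL_FLAG="/proc/sys/crypto/fips_enabled"

# Constructed sample of `openssl list -providers` output, for offline use.
SAMPLE_PROVIDERS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

# Succeeds when the flag file exists and contains 1.
kernel_fips_enabled() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Reads a provider listing on stdin; succeeds only if the provider named
# "fips" reports "status: active" (a listed but inactive provider fails).
fips_provider_active() {
    awk 'NF == 1 && $1 != "Providers:" { current = $1 }
         $1 == "status:" && current == "fips" && $2 == "active" { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Reports every failed prerequisite instead of stopping at the first one.
fips_preflight() {
    flag_file="${1:-$KERNEL_FLAG}"; rc=0
    kernel_fips_enabled "$flag_file" ||
        { echo "FAIL: $flag_file is not 1"; rc=1; }
    printf '%s\n' "$2" | fips_provider_active ||
        { echo "FAIL: OpenSSL fips provider is not active"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: download from $FIPS_BASE_URL"
    return "$rc"
}

# Check the live host with: sh fips-preflight.sh check
if [ "${1:-}" = "check" ]; then
    fips_preflight "" "$(openssl list -providers 2>/dev/null)"
fi
```

A non-zero exit status means at least one prerequisite is missing, so the check can gate the download step in a build script.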
To make use of FIPS-validated cryptography in the Snyk Visual Studio Code integration, do the following:
Ensure the prerequisites are met.
Disable automatic binary management in the Snyk settings.
Configure the integration to use the binary by setting the Language Server Path and the CLI Path to the same binary.
To make use of FIPS-validated cryptography in the Snyk Eclipse integration, do the following:
Ensure the prerequisites are met.
Disable automatic binary management in the Snyk preferences.
Configure the integration to use the binary by setting the Language Server Path and the CLI Path to the same executable.
Configure the Java Runtime to use a FIPS-validated JCE (Java Cryptography Extension).
To make use of FIPS-validated cryptography in the Snyk JetBrains integration, do the following:
Ensure the prerequisites are met.
Disable automatic binary management in the Snyk preferences.
Configure the integration to use the binary by setting the CLI Path.
Configure the Java Runtime to use a FIPS-validated JCE (Java Cryptography Extension).
To make use of FIPS-validated cryptography in the Snyk Visual Studio integration, do the following:
Ensure the prerequisites are met.
Disable automatic binary management.
Configure the integration to use the binary by setting the CLI Path.
FIPS in CI/CD Integrations is available only by using a FIPS-enabled CLI directly.
The Snyk Nexus Repository Manager Gatekeeper plugin and the Artifactory Gatekeeper plugin use the Snyk API and run on a Java VM. To make use of FIPS-validated cryptography, configure the Java Runtime to use a FIPS-validated JCE (Java Cryptography Extension).
Operating System | FIPS support |
---|---|
Windows | ✅ |
Linux | ✅ |
Alpine | ⛔ |
macOS | ⛔ |