This workshop will take you through a series of exercises created with one purpose in mind: to provide you with hands-on examples that demonstrate how you can integrate Snyk into your Red Hat workflows in order to identify and fix potential vulnerabilities in your applications.
The examples presented in these modules will require some supporting infrastructure deployed and available for you to use. This will consist of a Red Hat OpenShift cluster, a Red Hat Quay.io private registry, a Snyk account, and some supporting sample code available in our GitHub repository.
The recommended deployment method for this workshop is to install Red Hat OpenShift 4 in your account on any of the supported public cloud providers. Detailed guidance on the steps needed to do this is available on Red Hat's Get started with OpenShift site.
There are a few ways to deploy Quay. While functionally the steps contained in these modules will be the same irrespective of how you deploy this registry, we have opted for the cloud.
To get vulnerability details about your Kubernetes workloads running on OpenShift, you must first install the Snyk controller onto your cluster. The Snyk monitor requires some minimal configuration items in order to work correctly. The necessary steps are detailed in Snyk's Knowledge Center.
If you do not already have VSCode, you should download it for free. We will leverage the Red Hat Dependency Analytics extension available in the Visual Studio Marketplace. Dependency Analytics is powered by the Snyk Intel Vulnerability DB, the most advanced and accurate open source vulnerability database in the industry. This adds value by providing the latest, fastest and largest set of vulnerabilities, derived from numerous sources.
In our examples, we will build a container image for Snyk's vulnerable demo app, Goof. You will need to git clone the repository in order to complete these exercises.