Run the automated security scan
This topic describes how to start the automated security scan and view its current status.
Security scan workflow
The following diagram shows how the security scan fits within the workflow for developing and publishing a Snowflake Native App:

This workflow includes the following steps:
1. Create the application package.
2. Update the application code and related files.
   Before running the automated security scan, ensure that the app conforms to the security requirements and best practices outlined in Security requirements and best practices for a Snowflake Native App. If the app is a Snowflake Native App with Snowpark Container Services, review the additional security requirements outlined in Secure a Snowflake Native App with Snowpark Container Services.
3. Add a version or patch to the application package.
4. Run the automated security scan. The automated security scan starts when the provider performs one of the following actions:
   - Adds a new version or patch to the application package when the DISTRIBUTION property is set to EXTERNAL. The new version or patch is scanned automatically.
   - Sets the DISTRIBUTION property to EXTERNAL on an application package that already has a version defined. The ten most recent versions of the application package are scanned automatically. All patches for these versions are also scanned.
5. Wait for the scan results.
   If the scan is approved, the provider can continue the process of publishing the app.
   If the scan is rejected, the provider must update the application code based on the scan results. Alternatively, the provider can appeal the rejection.
6. Create or modify the release directive for the app.
7. Create a listing for the app.
8. Submit the listing to Snowflake for approval.
   If the listing is approved, the provider can publish the listing on the Snowflake Marketplace.
   If the listing is rejected, the provider must update the listing and resubmit it for approval.
9. Publish the listing.
Set the DISTRIBUTION property on an application package
The DISTRIBUTION property of an application package indicates the types of listings a provider can create when using the application package as the data product of a listing. This property has the following values:
- INTERNAL indicates that a provider can only create a private listing within the same organization where the application package was created. The automated security scan is not performed when the DISTRIBUTION property is set to INTERNAL.
- EXTERNAL indicates that a provider can create listings outside the organization where the application package was created. This includes the following:
  - Private listings outside the provider's organization.
  - Public listings.
  - Marketplace listings.
A provider can set the DISTRIBUTION property when creating the application package or afterwards.
To set the DISTRIBUTION property when creating an application package, run the CREATE APPLICATION PACKAGE command as shown in the following example:
If the provider sets the DISTRIBUTION property when creating the application package, any version or patch later added to the application package is scanned immediately.
To set the DISTRIBUTION property for an existing application package, run the ALTER APPLICATION PACKAGE command as shown in the following example:
When the provider sets the DISTRIBUTION property on an existing application package, the automated security scan runs automatically on the ten most recent versions of the app. All patches for these versions are also scanned.
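The following SQL is an added example that is not part of the Snowflake documentation page; it walks through both ways of reaching the EXTERNAL setting described above and the actions that trigger a scan. The package name my_app_pkg, the stage my_db.my_schema.my_stage and the version label v1_0 are assumed.

```sql
-- Added example (not from the Snowflake documentation page); the names
-- my_app_pkg, my_db.my_schema.my_stage and v1_0 are assumed.

-- Option A: set DISTRIBUTION while creating the package. Every version or
-- patch added afterwards is scanned as soon as it is added.
CREATE APPLICATION PACKAGE my_app_pkg
  DISTRIBUTION = EXTERNAL;

-- Adding a version to an EXTERNAL package starts the scan on that version.
ALTER APPLICATION PACKAGE my_app_pkg
  ADD VERSION v1_0 USING '@my_db.my_schema.my_stage/v1_0';

-- Adding a patch to that version starts the scan on the patch.
ALTER APPLICATION PACKAGE my_app_pkg
  ADD PATCH FOR VERSION v1_0 USING '@my_db.my_schema.my_stage/v1_0_patch1';

-- Option B: a package that already has versions is switched to EXTERNAL.
-- The ten most recent versions, and all of their patches, are scanned.
ALTER APPLICATION PACKAGE my_app_pkg
  SET DISTRIBUTION = EXTERNAL;

-- Confirm the setting; the distribution column of SHOW APPLICATION PACKAGES
-- should now read EXTERNAL for this package.
SHOW APPLICATION PACKAGES LIKE 'my_app_pkg';
```

Setting DISTRIBUTION on a package that has no versions yet does not start a scan; the scan is tied to a version or patch, so nothing is reviewed until one is added.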
View the status of the security scan
After the security scan starts for a version or patch, the provider can view the status of the security scan in the application package. The possible statuses are as follows:
- NOT_REVIEWED indicates that the automated security scan has not been performed on this application package.
- IN_PROGRESS indicates that the automated security scan is currently in progress.
- APPROVED indicates that the automated security scan completed and the application package has been approved. The provider can set the release directive for the application package.
- REJECTED indicates that the automated security scan completed, but the application package was not approved.
Note
When an automated security scan fails, Snowflake manually reviews the application package.
After the manual review is complete, the status is updated to APPROVED or REJECTED.
View the status of the security scan using SQL
To view the status of the security scan, run the SHOW VERSIONS IN APPLICATION PACKAGE command as shown in the following example:
The review_status column displays the status of the automated security scan.
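The following SQL is an added example that is not part of the Snowflake documentation page. It lists the versions and patches of a package and then filters the result to the entries whose review_status is anything other than APPROVED, which is the set a provider must still wait on, fix or appeal before setting a release directive. The package name my_app_pkg is assumed.

```sql
-- Added example (not from the Snowflake documentation page); my_app_pkg is assumed.

-- List every version and patch in the package; review_status holds the scan status
-- (NOT_REVIEWED, IN_PROGRESS, APPROVED or REJECTED).
SHOW VERSIONS IN APPLICATION PACKAGE my_app_pkg;

-- Narrow the previous result set to the versions and patches that cannot be
-- released yet. SHOW output column names are lower-case, so they are double-quoted.
SELECT "version", "patch", "review_status"
  FROM TABLE(RESULT_SCAN(LAST_QUERY_ID()))
  WHERE "review_status" <> 'APPROVED'
  ORDER BY "version", "patch";
```

An empty result from the second query means every version and patch in the package has passed the scan.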
View the status of the security scan using Snowsight
1. Sign in to Snowsight.
2. In the navigation menu, select Projects » App packages.
3. Select the application package whose status you want to view.
   The Security Scan Status column shows the current status of the review of each version and patch associated with the application package.
4. If the status is Rejected, select the app package to see the reason for the rejection.
Appeal a rejection
If critical vulnerabilities or policy violations are found after Snowflake performs a manual review, the application package is rejected and the reason for the rejection can be reviewed in the application package.
A provider can appeal a rejection by opening a support ticket with severity 4. When appealing a CVE-based rejection, the provider must submit detailed documentation explaining the following:
- Why the CVE is not exploitable in the app
- A reachability analysis report, if available
- The plan for updating to the fixed version
- If there is no plan to update, a detailed explanation of why the vulnerable version cannot be updated
The Snowflake security team reviews all appeals and makes a decision.
For additional information on the appeal process, see Appeal a failed security review.
Continuous security monitoring and remediation
After an app is approved and published in the Snowflake Marketplace, it undergoes continuous security monitoring to ensure ongoing security and compliance. This includes:
- Periodic image security analysis to detect new vulnerabilities or policy violations.
- If issues are discovered, the provider is notified and given 30 business days to patch the app, or can request an exception within 15 days.