Running the Automated Security Scan

This topic describes how to use the automated security review provided by the Native Apps Framework. It also provides guidelines and best practices for creating secure application packages and applications.


In some cases when an application fails an automated security review, additional manual review of the application code might be conducted to confirm the fail status or override it to approve the application.

This manual review may take up to five business days.

About the Native Apps Framework Security Requirements

All Native Apps Framework applications that meet the conditions described in About the Automated Security Scan must conform to the security requirements outlined in the following sections:

Security Requirements for Application Code

Application code included within an application package must conform to the following security requirements:

  1. Your application must not load or execute any code from anywhere outside the application package except Snowflake-provided libraries. All the application code, including all library dependencies and setup code, must be included in the application version defined in the application package.

  2. All application code must be un-obfuscated, meaning that the code must be human readable. This requirement includes minified JavaScript code.


    If an application needs to use minified JavaScript code, it must include a corresponding source map file that can be used to recover the un-minified code.

  3. All dependencies or libraries with critical or high common vulnerabilities and exposures (CVE) must be updated to a secure version, if available.

Security Requirements for Application Functionality

The following security requirements apply to the functionality of your application:

  1. All applications must provide the following information to customers as part of a listing:

    1. All application functionality and features.

    2. All Internet endpoints and URLs that the application connects to.

    3. All external functions in the application.

    4. Any consumer data logged, collected, or stored by the application.

  2. Applications should function as advertised in the application listing.

  3. All application installation and setup instructions must be included in the application listing.

  4. Applications must not store or require any customer secrets to be in plain text.

  5. Any communication between the application and the Internet should be over an HTTPS connection with a valid TLS certificate.

  6. Applications must not have any functionality that could result in harm to Snowflake, its customers, or third parties. Harm includes but is not limited to:

    1. Data leakage and/or loss;

    2. Restricting consumer access to their data unless explicitly designed as part of the application functionality, for example, data masking for data access policies.

    3. Excessive resource consumption.

    4. Arbitrary code injection/execution.

Security Requirements for Application Permissions

The following security requirements apply to the privileges set by your application:

  1. All applications must provide the following information in the manifest file:

    1. All privileges required by the application on all objects.

    2. All API integrations.

  2. Applications should only ask for the minimum set of privileges needed for the application to function.

About the Automated Security Scan

The automated security scan is initiated when any of the following occur:

  • A provider adds a version to an application package with the DISTRIBUTION parameter set to EXTERNAL, The new version is scanned automatically.

  • A provider sets DISTRIBUTION=EXTERNAL on an application package that already has a version defined. All versions of the application package are scanned automatically.

Use the ALTER APPLICATION PACKAGE command to set the DISTRIBUTION property for an application package as shown in the following example:


Viewing the Status of an Automated Security Review

Use the SHOW VERSIONS command to view the status of an automated security review as shown in the following example:


The review_status column displays one of the following statuses of the automated security review:






If an application passes the automated security scan, its status is updated to APPROVED. When an application fails the automated security scan, it is manually reviewed by Snowflake. After manual review, the application is status is updated to APPROVED or REJECTED.