Running the Automated Security Scan

This topic describes how to use the automated security review provided by the Native Apps Framework. It also provides guidelines and best practices for creating secure application packages and applications.

Note

In some cases when an application fails an automated security review, additional manual review of the application code might be conducted to confirm the fail status or override it to approve the application.

This manual review may take up to five business days.

Caution

It is your responsibility to ensure that no personal data, sensitive data, export-controlled data, or other regulated data is entered into any files included in your application package.

About the Native Apps Framework Security Requirements

All Native Apps Framework applications that meet the conditions described in About the Automated Security Scan must conform to the security requirements outlined in the following sections:

Security Requirements for Application Code

Application code included within an application package must conform to the following security requirements:

  1. Your application must not load or execute any code from anywhere outside the application package except Snowflake-provided libraries. All the application code, including all library dependencies and setup code, must be included in the application version defined in the application package.

  2. All application code must be un-obfuscated, meaning that the code must be human readable. This requirement includes minified JavaScript code.

    Note

    If an application needs to use minified JavaScript code, it must include a corresponding source map file that can be used to recover the un-minified code.

  3. All dependencies or libraries with critical or high common vulnerabilities and exposures (CVE) must be updated to a secure version, if available.

Security Requirements for Application Functionality

The following security requirements apply to the functionality of your application:

  1. All applications must provide the following information to customers as part of a listing:

    1. All application functionality and features.

    2. All Internet endpoints and URLs that the application connects to.

    3. All external functions in the application.

    4. Any consumer data logged, collected, or stored by the application.

  2. Applications should function as advertised in the application listing.

  3. All application installation and setup instructions must be included in the application listing.

  4. Applications must not store or require any customer secrets to be in plain text.

  5. Any communication between the application and the Internet should be over an HTTPS connection with a valid TLS certificate.

  6. Applications must not have any functionality that could result in harm to Snowflake, its customers, or third parties. Harm includes but is not limited to:

    1. Data leakage and/or loss.

    2. Restricting consumer access to their data unless explicitly designed as part of the application functionality, for example, data masking for data access policies.

    3. Excessive resource consumption.

    4. Arbitrary code injection/execution.
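A local pre-submission check for two of the requirements above (minified JavaScript must ship with a source map, and Internet traffic must use HTTPS), added here as an example; it is not Snowflake's scanner or code from the Native Apps Framework. The minification heuristic, the function names and the sample files are assumptions constructed for illustration.

```python
import posixpath
import re

# Heuristic (assumption): a script counts as minified when it is named
# *.min.js or its average line length exceeds this many characters.
MINIFIED_AVG_LINE_LEN = 200
SOURCE_MAP_RE = re.compile(r"//[#@]\s*sourceMappingURL=(\S+)")
PLAIN_HTTP_RE = re.compile(r"\bhttp://[^\s'\"<>)]+", re.IGNORECASE)

def looks_minified(path, text):
    lines = text.splitlines() or [""]
    avg = sum(len(line) for line in lines) / len(lines)
    return path.endswith(".min.js") or avg > MINIFIED_AVG_LINE_LEN

def has_source_map(path, text, files):
    """True when the map needed to recover the source ships in the package."""
    if path + ".map" in files:
        return True
    m = SOURCE_MAP_RE.search(text)
    if m is None:
        return False
    ref = m.group(1)
    if ref.startswith("data:"):  # map embedded inline in the script itself
        return True
    # A relative reference must resolve to a file inside the package.
    return posixpath.normpath(posixpath.join(posixpath.dirname(path), ref)) in files

def precheck(files):
    """files maps package-relative path -> text; returns sorted findings."""
    findings = []
    for path, text in files.items():
        if (path.endswith(".js") and looks_minified(path, text)
                and not has_source_map(path, text, files)):
            findings.append((path, "minified JS without a packaged source map"))
        for url in PLAIN_HTTP_RE.findall(text):
            findings.append((path, "non-HTTPS URL: " + url))
    return sorted(findings)

# Constructed sample package contents, not taken from any real application.
SAMPLE = {
    "ui/app.min.js": "var a=1;function b(){return a}",
    "ui/chart.min.js": "var c=2;\n//# sourceMappingURL=chart.min.js.map",
    "ui/chart.min.js.map": '{"version":3,"sources":["chart.js"]}',
    "src/client.py": 'API = "http://api.example.com/v1"\nDOCS = "https://docs.example.com"\n',
}

if __name__ == "__main__":
    for path, finding in precheck(SAMPLE):
        print(f"{path}: {finding}")
```

The plain-HTTP match is textual, so strings such as XML namespace URIs will also be reported and need triage by hand.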

Security Requirements for Application Permissions

The following security requirements apply to the privileges set by your application:

  1. All applications must provide the following information in the manifest file:

    1. All privileges required by the application on all objects.

    2. All API integrations.

  2. Applications should only ask for the minimum set of privileges needed for the application to function.

About the Automated Security Scan

The automated security scan is initiated when any of the following occur:

  • A provider adds a version to an application package with the DISTRIBUTION parameter set to EXTERNAL. The new version is scanned automatically.

  • A provider sets DISTRIBUTION=EXTERNAL on an application package that already has a version defined. All versions of the application package are scanned automatically.

Use the ALTER APPLICATION PACKAGE command to set the DISTRIBUTION property for an application package as shown in the following example:

ALTER APPLICATION PACKAGE HelloSnowflakePackage
  SET DISTRIBUTION = EXTERNAL;

Viewing the Status of an Automated Security Review

Use the SHOW VERSIONS command to view the status of an automated security review as shown in the following example:

SHOW VERSIONS IN APPLICATION PACKAGE HelloSnowflakePackage;

The review_status column displays one of the following statuses of the automated security review:

  • NOT_REVIEWED

  • IN_PROGRESS

  • APPROVED

  • REJECTED

Note

If an application passes the automated security scan, its status is updated to APPROVED. When an application fails the automated security scan, it is manually reviewed by Snowflake. After manual review, the application's status is updated to APPROVED or REJECTED.

Scanning Regions

When configuring a Snowflake Native App to be shared externally, providers automatically share the code in the app with Snowflake for scanning. The following table maps the NAAAPS scanning regions to the corresponding provider regions:

| Cloud provider | Provider region | Scanning region |
|---|---|---|
| AWS | US West (Oregon) | US West (Oregon) |
| AWS | US East (Ohio) | US East (Ohio) |
| AWS | US East (N. Virginia) | US East (N. Virginia) |
| AWS | Canada (Central) | Canada (Central) |
| AWS | South America (São Paulo) | South America (São Paulo) |
| AWS | EU (Ireland) | EU (Ireland) |
| AWS | Europe (London) | Europe (London) |
| AWS | EU (Paris) | EU (Paris) |
| AWS | EU (Frankfurt) | EU (Frankfurt) |
| AWS | EU (Zurich) | EU (Zurich) |
| AWS | EU (Stockholm) | EU (Stockholm) |
| AWS | Asia Pacific (Tokyo) | Asia Pacific (Tokyo) |
| AWS | Asia Pacific (Osaka) | Asia Pacific (Osaka) |
| AWS | Asia Pacific (Seoul) | Asia Pacific (Seoul) |
| AWS | Asia Pacific (Mumbai) | Asia Pacific (Mumbai) |
| AWS | Asia Pacific (Singapore) | Asia Pacific (Singapore) |
| AWS | Asia Pacific (Sydney) | Asia Pacific (Sydney) |
| AWS | Asia Pacific (Jakarta) | Asia Pacific (Jakarta) |
| Azure | West US 2 (Washington), Central US (Iowa), South Central US (Texas), East US 2 (Virginia), Canada Central (Toronto) | Azure East US 2 (Virginia) |
| Azure | UK South (London), North Europe (Ireland), West Europe (Netherlands), Switzerland North (Zurich), UAE North (Dubai) | Azure West Europe (Netherlands) |
| Azure | Central India (Pune), Japan East (Tokyo), Southeast Asia (Singapore), Australia East (New South Wales) | Azure Australia East (New South Wales) |
| GCP | US Central1 (Iowa), US East4 (N. Virginia), Europe West2 (London), Europe West4 (Netherlands) | AWS US West (Oregon) |