Ever wondered how secure the apps you install from the Snap Store are? A new website from Ubuntu alumnus Alan Pope makes it easy to find out.

The Snapscope website uses the open-source security tool Grype to scan Snap packages for CVEs and security vulnerabilities (critical, high, medium, low, actively exploited) which might affect those using them.

You can “search for any snap package, see its security posture, and dig into the CVEs”, with its maker noting that the site presents “no judgement, just facts”.

Snapscope’s features include:

  • Search by package name or organisation/developer
  • Recently Scanned and Highest Vulnerabilities charts
  • Links to learn more about any vulnerabilities listed
  • Ability to queue Snap packages for re-scanning

Alan shares a video walkthrough of how his vibe-coded website functions so that anyone struggling to figure it out (or, more likely, simply wanting to hear Alan’s dulcet tones) can follow along:

A walkthrough of Snapscope by the guy who made it

However scary the results may look, it’s worth maintaining perspective.

Firstly, most of the vulnerabilities in the snaps I looked up were not issues related to the Snap format, but in libraries (many outdated) that are bundled inside to allow them to work.

Snap maintainers can ship libraries rather than rely on system‑wide ones. This is a strength of the format (it helps newer apps run on older distros, or older apps run on newer ones) but also a weakness: if a bundled library in a snap has a vulnerability, a fix to the distro’s system copy does nothing for the snap; it can only be patched when the maintainer rebuilds and republishes.

Secondly, most of the vulnerabilities listed will affect the same version of whatever library, tool or app is concerned, irrespective of its packaging format. Configured appropriately, the same tool could just as easily flag the same issue in a DEB, an AppImage, etc.
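To make the two points above concrete, here is an added example (not code from the article or from Snapscope) of the kind of check a practitioner can run locally: it downloads a snap, unpacks its squashfs image and runs Grype over the unpacked tree, then summarises the report by severity and picks out the bundled components for which an upstream fix already exists, i.e. the ones only a rebuild by the snap maintainer can address. The tooling commands (`snap download`, `unsquashfs`, `grype ... -o json`) and the Grype JSON field names (`matches[].vulnerability.id/severity/fix`, `matches[].artifact.name/version/locations`) are assumptions about those tools, and the report embedded below is a constructed sample in that shape, so the summary part runs offline.

```python
import json
import subprocess
from collections import Counter
from pathlib import Path

# Severity buckets in the order Snapscope-style summaries present them.
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low", "Negligible", "Unknown")


def scan_snap(snap_name: str, workdir: Path) -> dict:
    """Download a snap, unpack it and scan the unpacked tree with Grype.

    Assumes `snap`, `unsquashfs` and `grype` are on PATH (assumption, not
    exercised offline). Returns Grype's JSON report parsed into a dict.
    """
    workdir.mkdir(parents=True, exist_ok=True)
    subprocess.run(["snap", "download", snap_name], cwd=workdir, check=True)
    snap_file = next(workdir.glob(f"{snap_name}_*.snap"))
    unpacked = workdir / "squashfs-root"
    subprocess.run(["unsquashfs", "-d", str(unpacked), str(snap_file)], check=True)
    proc = subprocess.run(["grype", f"dir:{unpacked}", "-o", "json"],
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def summarise(report: dict) -> dict:
    """Count matches per severity and list bundled components with an available fix.

    Field names follow Grype's JSON report as assumed above. A match whose
    fix state is "fixed" means upstream already shipped a patched version;
    inside a snap that patch only arrives when the maintainer rebuilds.
    """
    by_severity = Counter()
    fixable = []
    for match in report.get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        severity = vuln.get("severity") or "Unknown"
        by_severity[severity] += 1
        fix = vuln.get("fix", {})
        if fix.get("state") == "fixed":
            paths = [loc.get("path", "") for loc in artifact.get("locations", [])]
            fixable.append({
                "id": vuln.get("id", "?"),
                "severity": severity,
                "name": artifact.get("name", "?"),
                "bundled_version": artifact.get("version", "?"),
                "fixed_in": fix.get("versions", []),
                "paths": paths,
            })
    # Sort fixable items so the worst ones come first.
    fixable.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"])
                 if f["severity"] in SEVERITY_ORDER else len(SEVERITY_ORDER))
    return {
        "total": sum(by_severity.values()),
        "by_severity": {s: by_severity.get(s, 0) for s in SEVERITY_ORDER},
        "fixable": fixable,
    }


def render(summary: dict) -> str:
    """One-line-per-item text report, suitable for a terminal or a CI log."""
    lines = ["total: %d" % summary["total"]]
    lines += ["  %-10s %d" % (s, n) for s, n in summary["by_severity"].items() if n]
    for f in summary["fixable"]:
        lines.append("  fix available: %s %s %s -> %s" % (
            f["id"], f["name"], f["bundled_version"], ", ".join(f["fixed_in"])))
    return "\n".join(lines)


# Constructed sample report (placeholder CVE ids and library names, not real data).
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                           "fix": {"versions": ["2.0.5"], "state": "fixed"}},
         "artifact": {"name": "libalpha", "version": "2.0.1", "type": "deb",
                      "locations": [{"path": "/usr/lib/libalpha.so.2"}]}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                           "fix": {"versions": ["1.4.0"], "state": "fixed"}},
         "artifact": {"name": "libbeta", "version": "1.3.2", "type": "deb",
                      "locations": [{"path": "/usr/lib/libbeta.so.1"}]}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libgamma", "version": "0.9", "type": "deb",
                      "locations": [{"path": "/usr/lib/libgamma.so.0"}]}},
    ]
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; replace with
    # summarise(scan_snap("some-snap", Path("/tmp/snapscan"))) for a real scan.
    print(render(summarise(SAMPLE_REPORT)))
```

The split between `scan_snap` and `summarise` is deliberate: the same summary logic works on a Grype report produced from a DEB-based rootfs or an unpacked AppImage, which is the article’s point that the findings belong to the bundled library version rather than to the packaging format.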

Ubuntu provides base snaps to reduce duplication of key libraries and simplify the security surface, which assuages concerns like those raised in Darren Horrocks’ Snap Unsnapped article (and some of the reasons Linux Mint prevents snap installs by default).

Plus, Snap sandbox confinement limits the impact of any exploit, so even in a worst-case scenario the security measures – unless overridden, as with classic confinement – ensure things can’t ripple out beyond the sandboxed environment.

Transparency in the way Snaps are built and maintained is part of what makes a site like this possible. Despite the scare-factor it may induce, that transparency is a demonstrably good thing.

Finally, keep in mind that an awfully large number of packages on the Snap store have not been updated in years. Indeed, many are just test snaps from developers playing around with the format (creating a ‘hello world’ often ends with it published on the store for anyone to install).

Feedback isn’t (always) criticism

Snapscope’s website says that it presents “no judgement, just facts” and I want to loop back to that because it is important to emphasise.

Why?

Because people who love {$preferred_thing} often bristle at the suggestion (factual or otherwise) that it might not be perfect. This is true of almost anything: a K-Pop band, a football team, an operating system, or (bizarrely to me) a packaging format.

Snapscope doesn’t prove Snap is less secure than other formats – it shows why auditability matters

Emotional investment isn’t bad (enthusiasm drives communities forward), but sensitivity can lead to a militant defensiveness that is counterproductive.

Take the oft-repeated refrain that “Snaps are slower than other formats”. Long since solved, yes, but the perception lingers. Why?

Early feedback on Snap’s areas for improvement was ignored because ardent Snap cheerleaders viewed it as veiled criticism driven by ‘haters’.

It was only when the “no, really; they do launch slower” claims grew louder, with people less easily hand-waved away as moaners joining in, that the issue made it through the doors of the Snap engineering team’s bunker.

Turns out, Snaps were slower. Did acknowledging that fact kill the format off? No. But it did make it better – because feedback isn’t always criticism.

Snaps, speed-wise, are now on par with native formats, and the engineering and investigation that led to that led to other optimisations too. Had the feedback been taken on board sooner, the format might have found its footing faster.

Which is all to say, Snapscope doesn’t prove Snap is less secure than any other format, but it shows why this kind of auditability matters – and the ‘feedback’ it subtly provides may lead to snap maintainers updating their apps more often going forward.

If you want to check it, point your browser at snapscope.popey.com.