SnykSec for Snyk, on DEV Community. Originally published at snyk.io.

Snyk Helps Secure the Golang Bento Project

Snyk is exploring using the open-source Golang project Bento to read data from Kafka streams and materialize intelligence to various outputs. We are pleased to share that we are proactively helping secure the Bento project by contributing dependency fix updates.

What is Bento?

Bento is an open-source streaming data processing tool designed for ease of use and reliability. It features declarative configuration, enabling connections to diverse data sources and sinks, and handles common data engineering tasks such as transformations, integrations, and multiplexing. Written in Go, Bento is extensible through plugins, making it adaptable to various data processing needs.

Following is an example Bento configuration file demonstrating pipeline data processing:

```yaml
input:
  gcp_pubsub:
    project: foo
    subscription: bar

pipeline:
  processors:
    - mapping: |
        root.message = this
        root.meta.link_count = this.links.length()
        root.user.age = this.user.age.number()

output:
  redis_streams:
    url: tcp://TODO:6379
    stream: baz
    max_in_flight: 20
```
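As an added illustration (not code from the post or from the Bento project), the following Python approximates what that mapping processor does to a few constructed Pub/Sub message bodies, including one that fails the mapping because `links` is absent. The field names match the config above; the error behaviour (a message whose mapping fails is flagged rather than silently passed on) is an assumption about Bento's semantics.

```python
import json
from typing import Any

# Constructed sample message bodies, not taken from the original post.
SAMPLE_MESSAGES = [
    '{"links": ["https://a.example", "https://b.example"], "user": {"age": "42"}}',
    '{"links": [], "user": {"age": 17}}',
    '{"user": {"age": "n/a"}}',  # no "links" field: length() has nothing to act on
]


def apply_mapping(raw: str) -> dict[str, Any]:
    """Emulate the three Bloblang assignments from the config:
        root.message = this
        root.meta.link_count = this.links.length()
        root.user.age = this.user.age.number()
    Raises ValueError when a method is applied to a missing or
    non-numeric value (assumed to mirror a failed Bento mapping).
    """
    this = json.loads(raw)
    links = this.get("links")
    if not isinstance(links, list):
        raise ValueError("links.length(): field missing or not an array")
    age_raw = this.get("user", {}).get("age")
    try:
        age = float(age_raw)  # number() coerces strings such as "42"
    except (TypeError, ValueError):
        raise ValueError(f"user.age.number(): cannot parse {age_raw!r}") from None
    return {
        "message": this,
        "meta": {"link_count": len(links)},
        "user": {"age": age},
    }


def run_pipeline(raws: list[str]) -> tuple[list[dict[str, Any]], list[tuple[str, str]]]:
    """Apply the mapping to each message; return (mapped, failed-with-reason)."""
    mapped, failed = [], []
    for raw in raws:
        try:
            mapped.append(apply_mapping(raw))
        except ValueError as exc:
            failed.append((raw, str(exc)))
    return mapped, failed


if __name__ == "__main__":
    ok, bad = run_pipeline(SAMPLE_MESSAGES)
    print(json.dumps(ok, indent=2))
    for raw, reason in bad:
        print("mapping failed:", reason, "for", raw)
```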

Snyk secures the Bento project

At Snyk, we like to ‘dogfood’ our products, and we use Snyk in our CI/CD pipelines as one example of leveraging Snyk’s developer-first security products.

During a container security scan of the Bento v1.5.0 binary, we detected a vulnerability in golang.org/x/crypto/ssh.

This vulnerability, tracked via CVE-2025-22869 in Snyk’s vulnerability database, is a denial-of-service issue that impacts Go projects depending on the x/crypto/ssh library.

Given that Bento is an open-source project, we contacted the maintainers over Discord and were pleased to find them happy for us to contribute some fixes. We created two PRs to fix the issue:

  • A Pull Request to update to Go 1.23
  • A follow-up Pull Request to bump Go’s crypto library to a safe version that does not introduce security vulnerabilities.

Both of our contributions have been merged into the main branch of the Bento project and will be part of future releases.

Snyk invitation to secure Open Source projects

Earlier this year, we launched Snyk’s Secure Developer Program, a new program that invites open source maintainers to connect their projects to Snyk and receive the full enterprise-grade, unlimited-scans experience from Snyk. This includes API access, Snyk’s own DeepCode AI Fix, Service Accounts, and many more features to help you address security vulnerabilities and produce secure software.
