{"id":29253515,"url":"https://github.com/snowflake-labs/safe-app","last_synced_at":"2025-07-04T02:06:45.193Z","repository":{"id":302514606,"uuid":"1009730690","full_name":"Snowflake-Labs/safe-app","owner":"Snowflake-Labs","description":"Streamlit-based tool built by Snowflake’s SAFE team to help Admins audit and improve authentication methods across Snowflake accounts. Identifies weak auth patterns, flags policy violations, and recommends secure configurations.","archived":false,"fork":false,"pushed_at":"2025-07-02T19:18:06.000Z","size":91,"stargazers_count":7,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-02T20:28:22.585Z","etag":null,"topics":["safe","snowflake","streamlit"],"latest_commit_sha":null,"homepage":"https://github.com/snowflake-labs","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Snowflake-Labs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-27T16:02:04.000Z","updated_at":"2025-07-01T17:34:56.000Z","dependencies_parsed_at":"2025-07-02T20:40:17.057Z","dependency_job_id":null,"html_url":"https://github.com/Snowflake-Labs/safe-app","commit_stats":null,"previous_names":["snowflake-labs/safe-app"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Snowflake-Labs/safe-app","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Snowflake-Labs%2Fsafe-app","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Snowflake-Labs%2Fsafe-app/tags","releases_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Snowflake-Labs%2Fsafe-app/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Snowflake-Labs%2Fsafe-app/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Snowflake-Labs","download_url":"https://codeload.github.com/Snowflake-Labs/safe-app/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Snowflake-Labs%2Fsafe-app/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263432382,"owners_count":23465577,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["safe","snowflake","streamlit"],"created_at":"2025-07-04T02:03:16.490Z","updated_at":"2025-07-04T02:06:45.177Z","avatar_url":"https://github.com/Snowflake-Labs.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SAFE: Strong Authentication Flow Evaluator\n\n\n-----\n\n## Overview\n\nThe **Strong Authentication Flow Evaluator (SAFE)** is a Streamlit-based application designed to assist Snowflake Account Administrators in evaluating the authentication methods used within their Snowflake accounts. Developed and maintained by the Snowflake Security Applied Field Engineering (SAFE) team, this application helps administrators ensure their current account configurations comply with upcoming Snowflake policy changes. 
These changes deprecate single-factor password sign-ins and limit allowed authentication methods based on user **TYPE**.\n\nSAFE aggregates findings from `LOGIN_HISTORY`, configured authentication options, and other account metadata. This allows administrators to make informed decisions regarding a user's object **TYPE** and its required authentication methods. The **ACTIONS** section within the application empowers administrators to **SET** the appropriate **USER TYPE** and **UNSET PASSWORDS** where necessary, accelerating the creation of authentication policies and promoting adherence to best practices for user object management in Snowflake.\n\nThe tool acts as an interactive wrapper for the guidance outlined in:\n\n  * [Snowflake Perimeter Security Guidance](https://docs.snowflake.com/en/user-guide/admin-security-perimeter)\n  * [Password Eradication (SAFE app)](https://medium.com/snowflake/password-eradication-2094d4fc5a56)\n  * [Snowflake SAFE Medium List](https://medium.com/snowflake/tagged/safe)\n\n\n![image](.assets/main-ui-screenshot.png)\n\n-----\n\n## Features\n\nThe SAFE App UI enables discovery and seamless remediation by providing the following features:\n\n  * **Identifies static credentials** in Snowflake for eradication (unset) or enrollment in MFA (Passkeys, TOTP, Duo).\n  * **Discovers client authentication patterns** to help set the appropriate user type.\n  * **Highlights non-human identities** (machine-to-machine flows) that need to adopt OAuth, Workload Identity Federation, Key Pair, or Programmatic Access tokens for the **SERVICE** user type.\n  * **Provides a clear dashboard** of authentication factors across your Snowflake environment.\n  * **Lightweight and quick to deploy** using Streamlit.\n  * Low compute requirements: the application can run as a Streamlit in\n    Snowflake on an XS warehouse. 
The application does not store any state.\n\n-----\n\n## Use Cases\n\nAs Snowflake continues to enforce modern authentication requirements, SAFE helps shorten the time to value by:\n\n  * Running checks against `login_history` and `users` views.\n  * Setting the appropriate user type (**HUMAN**, **SERVICE**, **LEGACY\\_SERVICE**).\n  * Flagging non-compliant authentication flows.\n  * Facilitating discovery to plan remediation or automation updates to authentication patterns.\n  * Eradicating static credentials where applicable.\n  \n  * A recent customer feedback summary.\n\n   ![image](https://github.com/user-attachments/assets/f8b0c88b-05ad-41f0-b7a1-7c035ee8ef2e)\n\n\n\n-----\n\n## Roadmap\n\n  * **CIDR discovery** for Account and User Level Network Policy discovery, enforcement, and least privilege measurement.\n\n-----\n\n## Contributions \u0026 Support\n\nFor contributions or support, please contact: [safe@snowflake.com](mailto:safe@snowflake.com).\n\n-----\n\n## Authors \u0026 Acknowledgements\n\nA special thank you to the maintainers:\n\n  * Vladimir Timofeenko\n  * Peter Horrigan\n\nAnd the Snowflake Security Applied Field Engineering Team - Americas:\n\n  * Ryan O’Connell\n  * Mike Mitrowski\n  * Eugene Choi\n  * Nick Nieves\n  * Amir Durrani\n  * Sean Cooper\n  * Jake Berkowsky\n  * Matt Barreiro\n\n-----\n\n## Requirements\n\nThe application can be run as a Streamlit in Snowflake or locally.\n\nTo run the application locally you will need:\n\n- **Python 3.8+**\n- **Snowflake account** with `ACCOUNTADMIN` or sufficient privileges to query `login_history` and `users`.\n- [**Snowflake Python Connector**](https://docs.snowflake.com/en/developer-guide/python-connector)\n- [**Streamlit**](https://streamlit.io/)\n- `toolz`\n- A Streamlit connection set up through [Streamlit secrets][streamlit-secret-setup].\n\n\n-----\n\n## Installation\n\n### Streamlit in Snowflake application (git integration)\n\nTo run the application and keep it up to date, you may use 
Snowflake git\nintegration:\n\n```sql\n\nUSE ROLE ACCOUNTADMIN;\nCREATE OR REPLACE API INTEGRATION gh_snowflake_labs\n    API_PROVIDER = GIT_HTTPS_API\n    API_ALLOWED_PREFIXES = ('https://github.com/Snowflake-Labs')\n    ENABLED = TRUE;\n\nUSE ROLE sysadmin;\nCREATE OR REPLACE DATABASE safe_app;\nCREATE OR REPLACE GIT REPOSITORY safe_app.public.safe_app_repo\n    API_INTEGRATION = GH_SNOWFLAKE_LABS\n    ORIGIN = 'https://github.com/Snowflake-Labs/safe-app/';\n\nUSE ROLE accountadmin;  -- or a privileged role\nCREATE OR REPLACE STREAMLIT safe_app.public.safe_app\n    ROOT_LOCATION = '@safe_app.public.safe_app_repo/branches/main'  -- Optional: pin to a specific tagged version by specifying `/tags/vX.Y.Z`\n    MAIN_FILE = '/streamlit_app.py'\n    QUERY_WAREHOUSE = <YOUR_WAREHOUSE>; -- Placeholder: replace with the name of your warehouse\n\n-- Optional: GRANT USAGE ON STREAMLIT safe_app.public.safe_app TO ROLE custom_role\n-- Optional: CREATE TASK that will keep the code up to date by running ALTER GIT REPOSITORY FETCH: https://docs.snowflake.com/en/developer-guide/git/git-operations#fetch-from-the-remote-git-repository\n```\n\n### Streamlit in Snowflake application (copy paste)\n\nThe application code is contained in [a single file](./streamlit_app.py).\n1. Using `ACCOUNTADMIN` or another account with privileges to operate on users,\n   create a blank Streamlit application\n2. Add `toolz` to the list of dependencies\n3. Copy and paste the code from the [`./streamlit_app.py` file](./streamlit_app.py)\n\n\n### Local Streamlit application\n\nThis project is designed to run as a **Streamlit Native App** inside your Snowflake account.\n1. Using your preferred Python package management tool, install the dependencies\n   from `pyproject.toml`\n2. Set up [Streamlit secrets][streamlit-secret-setup] so the application can\n   access Snowflake as a role with privileges to read from\n   `SNOWFLAKE.ACCOUNT_USAGE` views (e.g., `login_history`, `users`) and the\n   ability to operate on users.\n3. 
Run the application: `streamlit run streamlit_app.py`\n\n**Important Disclaimer:**\n\nCustomers should leverage internal policies and standards in addition to Snowflake guidance, including Snowflake’s Trust Center or the Cloud Security Posture Management (CSPM) tool of their choice, to guide any remediation effort. This resource is not a substitute for a thorough, services-led engagement, nor does it supersede any other obligations you may have to Snowflake, your organization, your outside regulators, or other bodies to which you owe compliance or conformance.\n\n-----\n\n## License\n\nThis project is licensed under the Apache-2.0 license.\n\n-----\n\n[streamlit-secret-setup]: https://docs.streamlit.io/develop/concepts/connections/secrets-management\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnowflake-labs%2Fsafe-app","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsnowflake-labs%2Fsafe-app","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsnowflake-labs%2Fsafe-app/lists"}