search
SupportSnyk LearnAPI referenceProduct updatesSign up for free
githubEdit

IaC describe

hashtag
Usage

Note: This feature is available in Snyk CLI version v1.876.0 or greater.

snyk iac describe [<OPTIONS>]

hashtag
Description

The snyk iac describe command detects unmanaged infrastructure resources. It compares resources in your Terraform state file against actual resources in your cloud provider and outputs a report.

  • Resources in your Terraform state files are managed resources.

  • Resources that exist but are not in your Terraform state file are unmanaged resources.

For detailed information and examples, see IaC describe command examplesarrow-up-right

For a list of related commands see the snyk iac help; iac --help

hashtag
Exit codes

Possible exit codes and their meaning:

0: success, no unmanaged resources found 1: unmanaged resources found 2: failure

hashtag
Configure the Snyk CLI

You can use environment variables and set variables for connecting with the Snyk API; see Configure the Snyk CLIarrow-up-right

hashtag
Configure the Terraform provider

You can set environment variables to configure the Terraform provider used by the describe command; see Configure cloud providersarrow-up-right

hashtag
Debug

Use the -d option to output the debug logs.

hashtag
Optional arguments

hashtag
--org=<ORG_ID>

Specify the <ORG_ID> to run Snyk commands tied to a specific Snyk Organization. Overrides the default <ORG_ID> that is the current preferred Organization in your Account settingsarrow-up-right

Note that you can also use --org=<orgslugname>. The ORG_ID works in both the CLI and the API. The Organization slug name works in the CLI, but not in the API.

For more information, see the article How to select the Organization to use in the CLIarrow-up-right

hashtag
--from=<STATE>[,<STATE>...]

Specify multiple Terraform state files to be read. Glob patterns are supported.

For more information, including a list of supported IaC sources and how to use them, see IAC Sources usagearrow-up-right

hashtag
--to=<PROVIDER+TYPE>

Specify the cloud provider to scan (default: AWS with Terraform).

Supported providers:

  • github+tf (GitHub with Terraform)

  • aws+tf (Amazon Web Services with Terraform)

  • gcp+tf (Google Cloud Platform with Terraform)

  • azure+tf (Azure with Terraform)

hashtag
--tf-provider-version

Specify a Terraform provider version to use. If none is specified, default versions are used as follows:

hashtag
--tf-lockfile

Read the Terraform lock file (.terraform.lock.hcl) from a custom path (default: current directory).

If parsing the lockfile fails, errors are logged and scan continues.

Note: When you are using both the --tf-lockfile and --tf-provider-version options together, --tf-provider-version takes precedence.

hashtag
--fetch-tfstate-headers

Use a specific HTTP header or headers for the HTTP backend when fetching Terraform state.

hashtag
--tfc-token

Specify an API token to authenticate to the Terraform Cloud or Enterprise API.

hashtag
--tfc-endpoint

Read the current state for a given workspace from Terraform Enterprise by passing the tfc-endpoint value that is specific to your org's Terraform Enterprise installation.

hashtag
--config-dir

Change the directory path used for iac describe configuration (default $HOME). This can be useful, for example, if you want to invoke this command in an AWS Lambda function where you can only use the /tmp folder.

hashtag
Options for including and excluding resources

hashtag
--service=<SERVICE>[,<SERVICE>...]

Specify the services to inspect for unmanaged resources.

This option cannot be used with a .snyk unmanaged resource ignore rule; the content in .snyk will be ignored.

Supported services: aws_s3, aws_ec2, aws_lambda, aws_rds, aws_route53, aws_iam , aws_vpc, aws_api_gateway, aws_apigatewayv2, aws_sqs, aws_sns, aws_ecr, aws_cloudfront, aws_kms, aws_dynamodb, azure_base, azure_compute, azure_storage, azure_network, azure_container, azure_database, azure_loadbalancer, azure_private_dns, google_cloud_platform, google_cloud_storage, google_compute_engine, google_cloud_dns, google_cloud_bigtable, google_cloud_bigquery, google_cloud_functions, google_cloud_sql, google_cloud_run

hashtag
--filter

Use filter rules.

Filter rules allow you to build a JMESPath expression to include or exclude a set of resources from the report.

For more information, see Filter resultsarrow-up-right

hashtag
--strict

Enable strict mode.

The iac describe command ignores service-linked resources by default (like service-linked AWS IAM roles, their policies, and policy attachments). To include those resources in the report you can enable strict mode. Note that this can create noise when used with an AWS account.

hashtag
Options for policies

hashtag
--ignore-policy

Ignore all set policies, the current policy in the .snyk file, org level ignores, and the project policy in the Snyk Web UI.

hashtag
--policy-path=<PATH_TO_POLICY_FILE>

Manually pass a path to a .snyk policy file.

hashtag
Options for output

hashtag
--quiet

Output only the scan result to stdout.

hashtag
--json

Output the report as a JSON data structure to stdout.

hashtag
--html

Output the report as html to stdout.

hashtag
--html-file-output=<OUTPUT_FILE_PATH>

Output the report as html into a file.

hashtag
Examples for snyk iac describe command

For more examples, see IaC describe command examplesarrow-up-right

hashtag
Detect unmanaged resources on AWS with a single local Terraform state

hashtag
Specify AWS credentials

hashtag
Use an AWS named profile

hashtag
Use a single Terraform state stored on an S3 backend

hashtag
Aggregate multiple Terraform states

hashtag
Aggregate many Terraform states using glob pattern

PreviousIaC testNextIaC update-exclude-policy

Last updated

Was this helpful?