Once your integration is set up, Snyk scans Terraform plans for each run triggered in your workspace.
View Terraform plan scanning results
For each run triggered in the Terraform Cloud workspace, the result of Snyk Terraform plan scanning appears under the
run tasksstep, which triggers after the
The scan results in either a
failedstatus. If Snyk finds issues in your Terraform plan file, the scan results in a failure.
Click on the Details link of the run task results in Terraform Cloud to view further details in Snyk.
You can also find the results under the Projects tab in Snyk by searching for terraform-plan.json which will be under a Target named by
You can also use the filter in the left pane to show only Terraform Cloud projects
A single project in Snyk (
terraform-plan.json) is created for each workspace which uses the Snyk integration. Every project page shows the latest scanning results.
To see historical scan results, navigate into the History tab under the relevant project and choose the historic snapshot you wish to view.
Customize Terraform plan scanning
Snyk Terraform Cloud integration provides the following levels of customization:
Severity Threshold: Set the minimum level of severity for failure. This can be set on the integration page in Snyk.
Custom Severities: Set custom severities for issues that overwrite the defaults (for example, SNYK-CC-00172).
Enforcement Level: Determine whether a failure blocks the apply or not. This setting is controlled via Terraform Cloud. For example, the
Advisorylevel does not block the apply even if Snyk finds issues within the minimum severity threshold.
Notes and limitations
Snyk receives an event from Terraform Cloud for each
planstage finished within the latest run in Terraform Cloud.
The only way to trigger a scan is through Terraform Cloud by triggering a new run.
You cannot trigger a re-scan of the Terraform plan file through the Snyk Web UI.
If you customize the Snyk integration (for example, change severity threshold or customize policy severities), you must trigger a new run in Terraform Cloud for the changes to take effect in Snyk.