Add the Snyk Orb to your CircleCI Config

In the CircleCI Academy Orbs module you learned about Orbs, packages of configuration that simplify your builds. Snyk's Orb exposes the Snyk CLI, allowing you to find and fix known vulnerabilities in app dependencies, container images, and infrastructure as code.

Add the Snyk Orb to your CircleCI configuration YML

In your fork of the learn-iac repo, open the .circleci/config.yml file. Add the Snyk Orb under the orbs key at the top of the file, replacing @x.y.z with the latest version of the Snyk Orb from the Orb Registry.
version: 2.1
orbs:
  snyk: snyk/snyk@x.y.z
Adding the Orb exposes the snyk commands and jobs to your workflow. Consider your requirements when choosing where in the workflow to add them.

Add the Scan IAC Job to the Workflow

For this example, add the snyk/scan-iac job before the gke_create_cluster job so that the Terraform files are checked for misconfigurations before any cloud infrastructure is created. The args parameter specifies which files to check and can also be used to pass other Snyk CLI arguments. Listing snyk/scan-iac under requires for gke_create_cluster means a failed scan blocks the cluster job from running.
      - run_tests
      - build_docker_image
      - snyk/scan-iac:
          args: part03/iac_gke_cluster/
      - gke_create_cluster:
          requires:
            - run_tests
            - build_docker_image
            - snyk/scan-iac
Snyk Infrastructure as Code can also check Kubernetes and AWS CloudFormation files for misconfigurations. Learn more in the Snyk IAC documentation.
When ready, commit and merge your changes to trigger the workflow run.
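To show how the orb declaration and the workflow change fit together, here is a complete config.yml as an added example; it is not taken from the learn-iac repo or the CircleCI course. The run_tests, build_docker_image and gke_create_cluster jobs are placeholders standing in for the repo's own job definitions, and the Orb is assumed to read the API token from a SNYK_TOKEN project environment variable.

```yaml
version: 2.1

orbs:
  # Replace x.y.z with the current Snyk Orb version from the Orb Registry.
  snyk: snyk/snyk@x.y.z

jobs:
  # Placeholder jobs standing in for the learn-iac repo's own definitions,
  # which are not shown on this page. Each only echoes what it would do.
  run_tests:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: echo "project tests run here"
  build_docker_image:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: echo "container image build runs here"
  gke_create_cluster:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - run: echo "terraform apply for the GKE cluster runs here"

workflows:
  build_and_deploy:
    jobs:
      - run_tests
      - build_docker_image
      # Runs `snyk iac test` against the Terraform directory. Assumes the
      # token is provided through the SNYK_TOKEN project environment variable.
      - snyk/scan-iac:
          args: part03/iac_gke_cluster/
      # The cluster job starts only after all three upstream jobs succeed,
      # so misconfigurations found by the scan stop infrastructure creation.
      - gke_create_cluster:
          requires:
            - run_tests
            - build_docker_image
            - snyk/scan-iac
```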

Working with results

When the workflow runs, the output is displayed in your CircleCI project run. The job fails because issues are found in the files scanned.
Snyk Orb output in the CircleCI UI
Visit Understanding configuration scan issues in the Snyk Docs to learn more about interpreting the output of the Snyk IAC CLI powering the Snyk Orb.

Viewing results in the Snyk UI

Import your fork of the learn-iac repo to the Snyk UI using the GitHub integration. Visit the Snyk IAC documentation to learn how. Once imported, you'll see the manifest files in the Snyk UI.
Clicking on the file will show you an in-line view of the issues found, with additional information such as the impact of the configuration and how to fix it.
In the next section we'll show how you can tune this analysis to adjust the test's pass/fail criteria.