When scanning your IaC configuration files with the Snyk CLI using snyk iac test, you can ignore issues that are not relevant to you.
You do this with the .snyk policy file, which we recommend storing and versioning in the root of the working directory that holds your IaC configuration files.
For test runs using the Snyk CLI, only issues defined in the .snyk file are ignored.
For test runs from imported git repositories, issues can be ignored in the Snyk UI; note that these ignores apply only to scans conducted through the Snyk UI.
Important: these two sources of ignores are not synchronized, so an issue ignored in the UI is still reported by the CLI, and vice versa.
.snyk file semantics
The .snyk file has some limitations for IaC projects (see The .snyk file for standard functionality):
The patches section is not yet supported for IaC and is ignored.
There are no IaC-supported language settings; the language-settings section is ignored.
When running snyk iac test against a directory, either by passing in one or more directories or using the default argument of the current working directory, the Snyk CLI looks for a file named .snyk in each of those directories.
Only one policy file is loaded per directory under test: the .snyk located directly in that directory. For example, snyk iac test dir1/ dir2/ loads dir1/.snyk and dir2/.snyk, but if the file dir1/foo/bar/.snyk exists, the CLI does not load it.
When running snyk iac test with no directory argument, the CLI loads $PWD/.snyk. One common pattern is to use a single policy file per repository, stored in the root of that repository.
The CLI accepts a flag --policy-path=..., which overrides the location of policy files. The path can either be a directory containing a file named .snyk, or the path to a file named .snyk. The policy file’s actual name must be .snyk.
Policies are not loaded automatically when the argument to snyk iac test is a file rather than a directory. In this case, --policy-path must be specified for any policy to be loaded.
The CLI accepts a flag --ignore-policy, which causes every .snyk policy file that would otherwise be found to be ignored, so all issues are reported.
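The following is an added example, not Snyk's own code: a small Python model of the policy lookup rules described above (directory arguments, file arguments, --policy-path and --ignore-policy) together with the IaC-specific handling of the .snyk sections (patch and language-settings are dropped, expired ignore entries no longer suppress findings). It builds a constructed directory tree in a temporary location so the rules can be checked offline. The rule IDs, resource paths and the dict layout of the parsed policy are assumptions made for illustration and are not real Snyk rule identifiers.

```python
"""Added example modelling the .snyk lookup rules for `snyk iac test`.

This is not Snyk's implementation; it reproduces the documented behaviour so
that the effect of directory/file arguments and of --policy-path and
--ignore-policy can be verified against a constructed sample tree.
"""
import os
import tempfile
from datetime import datetime

# Sections of .snyk that the page says are ignored for IaC projects.
UNSUPPORTED_SECTIONS = ("patch", "language-settings")

# Constructed policy as it would look after YAML parsing. The rule IDs and
# resource paths are placeholders, not real Snyk identifiers.
SAMPLE_POLICY = {
    "version": "v1.0.0",
    "ignore": {
        "SNYK-CC-EXAMPLE-1": [
            {"main.tf > resource > aws_s3_bucket[logs]": {
                "reason": "logging bucket, reviewed by platform team",
                "expires": "2099-01-01T00:00:00.000Z"}},
        ],
        "SNYK-CC-EXAMPLE-2": [
            {"*": {"reason": "temporary exception",
                   "expires": "2000-01-01T00:00:00.000Z"}},  # already expired
        ],
    },
    "patch": {"SNYK-JS-EXAMPLE-1": []},          # dropped for IaC
    "language-settings": {"python": "3.11"},     # dropped for IaC
}


def resolve_policy_files(targets, cwd, policy_path=None, ignore_policy=False):
    """Return the .snyk files the CLI would load for the given arguments.

    targets: directory or file arguments; empty means the current directory.
    policy_path: value of --policy-path, either a directory holding .snyk or
                 the path of a file named .snyk.
    ignore_policy: True when --ignore-policy is given.
    """
    if ignore_policy:
        return []  # --ignore-policy: no policy file is used at all
    if policy_path is not None:
        path = os.path.join(policy_path, ".snyk") if os.path.isdir(policy_path) else policy_path
        if os.path.basename(path) != ".snyk":
            raise ValueError("policy file must be named .snyk: %s" % path)
        return [path] if os.path.isfile(path) else []
    found = []
    for target in targets or [cwd]:
        if not os.path.isdir(target):
            continue  # file arguments never trigger automatic policy loading
        candidate = os.path.join(target, ".snyk")
        if os.path.isfile(candidate):  # nested dirs like dir1/foo/bar are not searched
            found.append(candidate)
    return found


def _parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def active_ignores(policy, now):
    """Return {rule_id: [paths]} for ignore entries that are still in force.

    `policy` is the parsed .snyk dict; `now` is an ISO-8601 timestamp string.
    The ignore layout assumed here (rule id -> list of {path: {reason,
    expires}}) follows the standard .snyk format and is an assumption.
    """
    result = {}
    for section in UNSUPPORTED_SECTIONS:
        if section in policy:
            pass  # present in the file but has no effect on IaC scans
    for rule_id, entries in policy.get("ignore", {}).items():
        paths = []
        for entry in entries:
            for path, meta in entry.items():
                expires = meta.get("expires")
                if expires and _parse_ts(expires) <= _parse_ts(now):
                    continue  # expired ignores no longer suppress findings
                paths.append(path)
        if paths:
            result[rule_id] = paths
    return result


def build_sample_tree():
    """Create a constructed repository layout in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="snyk-iac-")
    for rel in (".snyk", "dir1/.snyk", "dir2/.snyk", "dir1/foo/bar/.snyk"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("version: v1.0.0\nignore: {}\n")
    open(os.path.join(root, "dir1", "main.tf"), "w").close()
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    d1 = os.path.join(root, "dir1")
    print("dirs:", resolve_policy_files([d1, os.path.join(root, "dir2")], root))
    print("file only:", resolve_policy_files([os.path.join(d1, "main.tf")], root))
    print("file + --policy-path:", resolve_policy_files([os.path.join(d1, "main.tf")], root, policy_path=d1))
    print("active ignores:", active_ignores(SAMPLE_POLICY, "2030-01-01T00:00:00Z"))
```

Running the script shows that dir1/foo/bar/.snyk is never picked up, that a file argument yields no policy unless --policy-path points at one, and that only the unexpired placeholder rule survives in the active ignore set; auditing a repository's .snyk files this way helps spot ignores that silently lapsed or were never loaded.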