iac test command, you can ignore issues that are not relevant for you by using the .snyk policy file. Snyk recommends that you store and version the .snyk file in the root of the working directory where you store your IaC configuration files.

.snyk file are ignored.

.snyk file and ignores created in the Snyk UI are not synchronized.

.snyk file semantics

.snyk file has some limitations for IaC projects. (See The .snyk file for standard functionality.)

snyk iac test against a directory, either by passing in one or more directories or using the default argument of the current working directory, the Snyk CLI looks for a file named .snyk in each of those directories.

snyk ignore command. For details see Ignore vulnerabilities using Snyk CLI.

* object key causes the CLI to ignore all instances of the SNYK-CC-K8S-1 vulnerability. You can add multiple entries, keyed by the IaC issue ID, to ignore multiple vulnerabilities.

* to the path of that single file relative to the directory being tested that contains the .snyk policy file.

ignore command in the Snyk CLI or manually modifying the .snyk file.

SNYK-CC-K8S-1 ID in two specific files:

staging/deployment.yaml
staging/cronjob.yaml

.snyk policy file as follows:

snyk iac test, and add it to the file path.

.snyk policy file for each test. For example, the command snyk iac test dir1/ dir2/ loads dir1/.snyk and dir2/.snyk, but if the file dir1/foo/bar/.snyk exists, the CLI does not load it.

snyk iac test, the CLI loads $PWD/.snyk. One common pattern is to use a single .snyk policy file per repository, in the root of that repository.

--policy-path=..., which overrides the location of .snyk policy files. The path can either be a directory containing a file named .snyk or the path to a file named .snyk. The name of the policy file must be .snyk.

snyk iac test is a file rather than a directory. In this case, --policy-path must be specified in order to load policies.

--ignore-policy, which causes any found .snyk policy files to be ignored.