Test your configuration files
With Snyk Infrastructure as Code, you can test your configuration files with the CLI. For information on how to use the snyk iac test command, see the information on this page. For details about testing the various configuration files see the following pages:
As of CLI version 1.594.0 all configuration files are processed locally, ensuring that they do not leave your machine. Earlier versions by default send the configuration files to Snyk to be processed. Snyk recommends that you upgrade to the latest version of the CLI.
In the examples that follow, you can replace the sample file names with the names of your own files, like deployment.yaml.

Test for an issue on specified files

When you provide no arguments, the command recursively traverses the current working directory and scans every file it finds:
snyk iac test
You can scan specific files under the current working directory. If you provide one or more file paths, the command scans only those files:
snyk iac test file-1.tf dir/file-2.tf
The command returns with an error if you provide file paths outside the current working directory. For example, this is not a valid invocation of the command:
snyk iac test ../main.tf

Test for an issue on a directory of files

When you provide no arguments, the command recursively traverses the current working directory, and scans every file it finds:
snyk iac test
You can restrict the scan to a specific directory:
snyk iac test my-folder
You can limit the depth of the directory traversal. The current working directory has a depth of one, directories under the current working directory have a depth of two, and so on. For example, if you want to restrict the search to the current working directory and two more levels of directories, you can invoke the command like this:
snyk iac test --detection-depth=3
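A depth limit also decides which files are never scanned, so it is worth checking before relying on it. The following is an added example, not part of the original page or of Snyk's tooling: a POSIX shell sketch that applies the depth rule described above to list candidate files lying deeper than a given --detection-depth value, and reports the smallest value that reaches all of them. The function names, the file-extension list and the sample tree are assumptions made for illustration.

```shell
# Added example. Depth rule as described above: the scan root is depth 1,
# its subdirectories are depth 2, and so on.

# dir_depth ROOT FILE: depth of the directory that holds FILE.
dir_depth() (
  rel=${2#"${1%/}"/}                    # path relative to the scan root
  depth=1
  while [ "$rel" != "${rel#*/}" ]; do   # one level per remaining "/"
    rel=${rel#*/}
    depth=$((depth + 1))
  done
  echo "$depth"
)

# beyond_depth ROOT LIMIT: prints "<depth><TAB><path>" for each candidate
# file that a traversal capped at LIMIT would not reach. The extension list
# is an assumption for this sketch, not Snyk's own file detection.
beyond_depth() (
  root=${1%/}
  find "$root" -type f \( -name '*.tf' -o -name '*.yaml' \
      -o -name '*.yml' -o -name '*.json' \) | sort |
  while IFS= read -r f; do
    d=$(dir_depth "$root" "$f")
    if [ "$d" -gt "$2" ]; then printf '%s\t%s\n' "$d" "${f#"$root"/}"; fi
  done
)

# required_depth ROOT: smallest cap that still reaches every candidate file.
required_depth() (
  max=1
  for d in $(beyond_depth "$1" 0 | cut -f1); do
    if [ "$d" -gt "$max" ]; then max=$d; fi
  done
  echo "$max"
)

# Constructed sample tree so the functions can be exercised offline.
make_sample_tree() (
  t=$(mktemp -d)
  mkdir -p "$t/k8s" "$t/modules/network/vpc"
  : > "$t/main.tf"; : > "$t/k8s/deployment.yaml"
  : > "$t/modules/network/sg.tf"; : > "$t/modules/network/vpc/main.tf"
  echo "$t"
)

tree=$(make_sample_tree)
echo "detection depth needed: $(required_depth "$tree")"
beyond_depth "$tree" 3    # files a scan with --detection-depth=3 would miss
rm -rf "$tree"
```

On a real repository, call the functions from the directory you intend to scan and pass . as ROOT, so the depths line up with what the command traverses.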
The command returns with an error if you provide directory paths outside the current working directory. For example, this is not a valid invocation of the command:
snyk iac test ../my-folder

Output the test format as JSON

Usage:
snyk iac test --json
This can be helpful if you want to store a snapshot of the results locally, or process the results in another tool for reporting and further analysis.
Example:
snyk iac test main.tf --json

Output the test format as SARIF

SARIF is an open standard for the output of static analysis tools. You can view and save the results of your tests as a SARIF file for analysis in another tool.
Usage:
snyk iac test main.tf --sarif
To save the SARIF output to a file, run:
snyk iac test main.tf --sarif-file-output=snyk.sarif

Display issues only above a specific severity level

Usage:
snyk iac test --severity-threshold=medium
Example:
snyk iac test main.tf --severity-threshold=medium
This displays only results that have a severity value of medium or higher.

Target a specific Snyk organization

You can control the severity settings of your security rules at the organization level in the Snyk UI. By targeting a specific organization in your CLI tests, you determine which rules are run and their severity.
Usage:
snyk iac test --org=infrastructure
Example:
snyk iac test main.tf --org=infrastructure
You can also set the org flag in snyk config, so you do not need to use the --org option each time you want to specify the organization.
snyk config set org=infrastructure