SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Implementing Snyk in your teams
Getting started
Snyk Web UI
Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Infrastructure as Code
Getting started with Snyk Infrastructure as Code (IaC)
Using Snyk IaC via web
Scan Terraform files
Scan CloudFormation files
Scan Kubernetes configuration files
Scan ARM configuration files
Snyk Infrastructure as code for self-hosted git (with Broker)
Snyk CLI for Infrastructure as Code
Test your configuration files
IaC ignores using the .snyk policy file
Test your Terraform files with Snyk CLI
Test your CloudFormation files with Snyk CLI
Test your AWS CDK files with Snyk CLI
Test your Kubernetes files with Snyk CLI
Test your ARM files with Snyk CLI
Test your Kustomize files with Snyk CLI
Testing Helm charts with Snyk CLI
Understanding the IaC CLI test results
Jira Integration
View Infrastructure as Code issue reports
Build your own custom rules
Detect drift and manually created resources
Share CLI results with the Snyk Web UI
Disable IaC Scans
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Reports
Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
Snyk Partner workshops
Powered By GitBook
Test your Terraform files with Snyk CLI
With Snyk Infrastructure as Code, you can scan both your static configuration files and Terraform plan output using the CLI.
​
Terraform configuration files
Terraform plan file
Identify configuration issues
Yes
Yes
Process variables
Yes
Yes
Scan Terraform modules
No
Yes - public and private

Terraform configuration files

You can scan the configuration files, for example main.tf, using the CLI.
External modules are currently not supported.
For more information about variable processing see Terraform variables support.

Scan configuration files

You can specify either a file name or a whole directory:
1
snyk iac test main.tf
2
snyk iac test .
Copied!

Terraform plan

Terraform plan is the step run between writing your configuration files and deploying those changes.
$ terraform plan identifies the changes that need to be made to your target environment in order to match your desired state.
As part of this planning stage, all variables and Terraform modules that are used in your targeted Terraform deployment are taken into consideration.
If you have written a custom Terraform module and are referencing it in your deployment, then it is included in the Terraform plan output and scanned accordingly. This means the Terraform plan output provides a complete artifact to be scanned from a security perspective.
As of Snyk CLI version 1.594.0 you can scan this artifact using the Snyk IaC CLI .
This file is not sent to Snyk to be processed; it is scanned locally with the CLI and does not leave your machine.

Scan Terraform plan output

Provide the path to your Terraform plan output which must be stored as a valid JSON file.
1
snyk iac test tf-plan.json
Copied!
By default, Snyk scans the changes that will be made to your infrastructure, not the full infrastructure.
You can change this behavior by using the --scan= option.
  • --scan=resource-changes is the default behavior. This scans only the changes that would be made to your infrastructure if you ran $ terraform apply.
  • --scan=planned-values scans the full planned state, providing results of the existing infrastructure plus changes that will be made.
If you do not already have your Terraform plan output saved as a JSON file, you may need to follow these steps:
1
terraform plan -out=tfplan.binary
2
terraform show -json tfplan.binary > tf-plan.json
Copied!
You can name the tf-plan.json file according to your needs.
These files are considered sensitive and it is not recommended to commit them to source control.

Troubleshooting

There are differences between scanning the static files and plan output. This may be due to the following:
  • Variables - Terraform plan output considers the values stored in variables.
  • Terraform modules - Terraform plan output includes any configuration issues found from Terraform modules that you may be using.
  • Delta - By default, scanning the Terraform plan output scans only for configuration issues on the changes that will be made, not the whole deployment. In contrast, the static scan looks at all of the files. Try re-running the scan with the --scan=planned-values option.
Note: The option --experimental is not required anymore when testing your Terraform projects.
If you have found a discrepancy that you cannot explain based on this information, submit a request to Support.
Previous
IaC ignores using the .snyk policy file
Next
Test your CloudFormation files with Snyk CLI
Last modified 8d ago
Export as PDF
Copy link
Edit on GitHub
Contents
Terraform configuration files
Scan configuration files
Terraform plan
Scan Terraform plan output
Troubleshooting