Start using Snyk IaC

The information on this page applies to the original IaC and to IaC+, with some exceptions. If you are using the original IaC, follow the steps on this page. If you are using IaC+, see Getting started with IaC+.
You can use Snyk IaC (Infrastructure as Code) in the Snyk Web UI to find, view, and fix issues in configuration files. You can also use Snyk IaC in the Snyk CLI. For details, see Snyk CLI for Infrastructure as Code.
On this page, you will find steps to find, view, and fix issues in configuration files for the supported environments: Terraform, AWS CloudFormation, Kubernetes, including Helm, and Azure Resource Manager (ARM). These steps are specific to the original IaC. See also Getting started with IaC+.

Prerequisites for Snyk IaC

Before using Snyk IaC, be sure you have the prerequisites as follows:
  • A Snyk account. For details, see Create a Snyk account.
  • An existing Terraform, CloudFormation, Kubernetes, or ARM environment to work in.
  • A Git repository you have integrated with Snyk in the same way as for other Snyk products. For details, see Git repository (SCM).
For more information about IaC and supported environments, see the following pages:
You must use the Snyk CLI to scan ARM configuration files. See Scan ARM configuration files.

Import IaC Projects

You will start by importing Projects you want to scan with Snyk. In these steps, you choose repositories for Snyk to test and re-test:
  1. Log in to Snyk and on your dashboard, select Projects from the navigation.
  2. On the Projects page, from the Add projects dropdown, select the SCM where the repositories and projects you want to scan are located, for example, GitHub.
  3. From the list of Personal and Organization repositories, select the Git repositories and projects you want to import for scanning. You can select one or more repositories, or one or more projects within a repository.
  4. Click Add selected repositories to import the selected SCM projects and repositories into Snyk.
  5. Select View import Log to see the results on the import log. You can scan multiple types of configuration files simultaneously. When the import completes, the Projects page displays the imported Snyk Project.
After you have imported an IaC Project, Snyk re-tests your Project once a week by default. You can deactivate recurring tests on the Settings tab of the Projects page: set Test & Automated Pull Request Frequency to Test never.

View configuration file issues in IaC

On the Projects page, you can view the results for configuration files in the imported Projects.
  • If Group by targets is selected, a list of Targets is displayed. These are the repositories with the Projects you imported. Select a Target to expand its list of Projects.
  • If Group by none is selected, a list of all Projects is displayed.
In your Projects listing, select a Project to open it and display detailed information about that Project.
A list of Snyk IaC Projects
Each Project detail page has a snapshot showing when the Project was last tested, the name of the user who imported the Project, and, on the Issues tab, the number of critical, high, medium, and low-severity issues found and issue cards for each scanned configuration file. You can also select the Overview, History, and Settings options. Choose History to see previous snapshots of the Project.
Snyk Project issue card
If you encounter any errors during import, see the Importing Projects information in the support articles.

Issue card details for Snyk IaC

Each issue card shows information about the resource and the path by which it was introduced.
Issue card details
The information on the issue cards includes the following:
  • The severity level, for example, H for high, and the name of the issue, for example, Non-encrypted S3 Bucket
  • The ID of the security rule, for example, SNYK-CC-00172. Click the link to view more information on the Snyk Security Rules.
  • A snippet of your code showing the exact area that is vulnerable
  • The exact path of the issue
  • More details, such as:
    • brief description of the issue
    • impact of the issue
    • remediation advice to resolve the issue
Click Full details to see a preview of the full code:
Preview of the full code
Click Ignore to ignore this vulnerability. For details, see Ignore Issues.

Fix configuration files in IaC

Follow these steps to act on the recommendations produced by Snyk IaC:
  1. On a Project detail page, select an issue to see the details for that issue and the specific recommendations from Snyk IaC.
  2. Based on the recommendations, edit the configuration file to fix the identified issue, then commit the change. Snyk automatically rescans the changed file.
  3. View the change reflected in the issue display.
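As an added illustration of what such an edit looks like for the Non-encrypted S3 Bucket issue used as the example on the issue card above, the following Terraform fragment shows an S3 bucket before and after applying that kind of remediation advice. This is example code written for this page, not Snyk's own sample or rule content; the resource names, bucket name and the choice of AES256 server-side encryption are placeholders, and it assumes the AWS provider at version 4 or later, where bucket encryption is configured as a separate resource.

```hcl
# Added example, not from the Snyk documentation: an S3 bucket before and after
# remediating a "Non-encrypted S3 Bucket" finding. Names are placeholders and
# the AWS provider is assumed to be v4 or later.

# BEFORE: the bucket is declared with no server-side encryption configuration.
# Objects written here are stored unencrypted at rest, which is what the
# issue card flags and what the code snippet on the card points at.
resource "aws_s3_bucket" "logs_before" {
  bucket = "example-logs-bucket-placeholder-before"
}

# AFTER: the same bucket with default server-side encryption enforced.
# Committing this change is step 2 above; Snyk rescans the file and the
# issue card for this resource moves to the fixed state.
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs-bucket-placeholder"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id

  rule {
    apply_server_side_encryption_by_default {
      # AES256 (SSE-S3) is the simplest choice; use "aws:kms" with a
      # kms_master_key_id if your organization requires customer-managed keys.
      sse_algorithm = "AES256"
    }
  }
}
```

Before committing, you can run the same check locally with the Snyk CLI (`snyk iac test` against the directory holding the file, as described on the Snyk CLI for Infrastructure as Code page) to confirm the finding is gone, rather than waiting for the automatic rescan.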
Example of an IaC issue that has been fixed