SupportSnyk LearnAPI referenceProduct updatesSign up for free

Getting started with Snyk IaC

You can use Snyk IaC (Infrastructure as Code) in the Snyk Web UI to find, view, and fix issues in configuration files. You can also use Snyk IaC in the Snyk CLI. For details, see Snyk CLI for Infrastructure as Code.

On this page, you will find steps to find, view, and fix issues in configuration files for the supported environments: Terraform, AWS CloudFormation, Kubernetes, including Helm, and Azure Resource Manager (ARM). These steps are specific to the current IaC.

Prerequisites for Snyk IaC

Before using Snyk IaC, be sure you have the prerequisites as follows:

  • A Snyk account. For details, see Getting started.

  • An existing Terraform, CloudFormation, Kubernetes, or ARM environment to work in.

  • A Git repository you have integrated with Snyk in the same way as for other Snyk products. For details, see Git repository (SCM).

For more information about IaC and supported environments, see the following pages:

You must use the Snyk CLI to scan ARM configuration files. See Scan ARM configuration files.

Import IaC Projects

You will start by importing Projects you want to scan with Snyk. In these steps, you choose repositories for Snyk to test and re-test:

  1. Log in to Snyk and on your dashboard, select Projects from the navigation.

  2. On the Projects page, from the Add projects dropdown, select the SCM where the repositories and projects that you want to scan are; for example, select GitHub.

  3. From the list of Personal and Organization repositories, select the Git repositories and projects you want to import for scanning. You can select one or more repositories or projects in a repository.

  4. Click Add selected repositories to import the selected SCM projects and repositories into Snyk.

  5. Select View import Log to see the results on the import log. You can scan multiple types of configuration files simultaneously. The import completes and the Projects page displays the Snyk Project imported.

After you have imported an IaC Project, Snyk re-tests your Project once a week by default. You can de-activate recurring tests on the Settings tab of the Projects page; Set Test & Automated Pull Request Frequency to Test never.

View configuration file issues in IaC

On the Projects page, you can view the results for configuration files in the imported Projects.

  • If Group by targets is selected, a list of Targets is displayed. These are the repositories with the Projects you imported. Select a Target to expand its list of Projects.

  • If Group by none is selected: A list of all Projects is displayed.

In your Projects listing, select the Project to open to display detailed information about that Project.

A list of Snyk IaC Projects
List of Snyk Projects

Each Project detail page has a snapshot showing when the Project was last tested, the name of the user who imported the Project, and, on the Issues tab, the number of critical, high, medium, and low-severity issues found and issue cards for each scanned configuration file. You can also select the Overview, History, and Settings options. Choose History to see previous snapshots of the Project.

Snyk Project issue card
Snyk Project issue card

Issue card details for Snyk IaC

Each issue card shows information about the resource and the path by which it was introduced.

Issue card details
Issue card details

The information on the issue cards includes the following:

  • The severity level, for example, H for high, and the name of the issue, for example, Non-encrypted S3 Bucket

  • The ID of the security rule, for example, SNYK-CC-TF-99. Click the link to view more information on the Snyk Security Rules.

  • A snippet of your code showing the exact area that is vulnerable

  • The exact path of the issue

  • More details, such as:

    • brief description of the issue

    • impact of the issue

    • remediation advice to resolve the issue

Click Full details to see a preview of the full code:

Preview of the full code
Preview of the full code

Click Ignore to ignore this vulnerability. For details, see Ignore Issues.

Fix configuration files in IaC

The steps to act on recommendations produced by Snyk IaC follow.

  1. On a Project detail page, select an issue to see the details for that issue and specific recommendations from Snyk IaC.

  2. Based on the recommendations, edit the configuration file to fix the issue identified and then commit the change. Snyk automatically rescans the changed file.

  3. View the change reflected in the issue display.

Example of an IaC issues that has been fixed
Example of an IaC issues that has been fixed

Examples of IaC results

Examples follow of results displayed for current IaC.

Terraform Cloud and Helm examples

Terraform Cloud and Helm do not show a code snippet, only the path details. There is no Full details button to show the preview of the full code.

Details for Helm
Details for Helm
Details for Terraform Cloud
Details for Terraform Cloud

Example showing the code preview is not available

If Snyk can not identify the exact line of the vulnerable path in the file, Snyk does not show a code snippet, only a message and the path details. If possible, Snyk shows the Full details button so you can see a preview of the full code.

Issue card without code snippet
Issue card without code snippet
Full code display
Full code display
PreviousSupported Google resources for cloud contextNextScan your IaC source code

Last updated

Was this helpful?