Test your IaC files with the Snyk CLI
To use the latest IaC+, install Snyk CLI v1.1022.0 or later.
You can test your IaC files by using the Snyk CLI. There are some differences between IaC+ and the current IaC, which are summarized in the following table.
| | Current IaC support | IaC+ support |
|---|---|---|
| Terraform (single file) | Yes | Yes |
| Terraform (modules) | No | Yes |
| Terraform (plan) | Yes | Yes |
| CloudFormation | Yes | Yes |
| AWS CDK | Yes | Yes |
| Azure Resource Manager | Yes | Yes |
| Kubernetes | Yes | Coming soon |
Although IaC+ provides better support for Terraform than the current IaC, line number information is not provided in scan results for the current IaC.
Snyk Infrastructure as Code allows you to test your configuration files with the CLI. For information on how to use the `snyk iac test` command, see the `snyk iac test` command help. An example of the output follows.
```
Snyk Infrastructure as Code
✔ Test completed.
Issues
Low Severity Issues: 1
[Low] API Gateway access logging disabled
Info: Amazon Api Gateway access logging is not enabled. Audit records may not be available during investigation
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-118
Path: resource > aws_api_gateway_stage[denied] > access_log_settings
File: aws_api_gateway_stage_logging.tf
Resolve: Set `access_log_settings` attribute
-------------------------------------------------------
Test Summary
Organization: demo-org
✔ Files without issues: 0
✗ Files with issues: 1
Invalid files: 0
Ignored issues: 0
Total issues: 1 [ 0 critical, 0 high, 0 medium, 1 low ]
```
The CLI for IaC can also scan Terraform modules, regardless of whether they are public or private. Run `terraform init` before running the `snyk iac test` command, and the CLI will read the generated .terraform files.
To see these issues displayed in the Snyk Web UI, run the following CLI command:
```
snyk iac test myproject --report
```
An example of the output follows.
```
> snyk iac test myproject --report
Testing arm-file.tf...
Infrastructure as code issues:
✗ VM Agent is not provisioned automatically for Windows [Low Severity] [SNYK-CC-AZURE-667] in Compute
introduced by resource > azurerm_virtual_machine[my_terraformvm] > os_profile_windows_config > provision_vm_agent
Organization: my.org
Type: Terraform
Target file: arm-file.tf
Project name: myproject
Open source: no
Project path: myproject
Tested arm-file.tf for known issues, found 1 issues
Your test results are available at: https://snyk.io/org/my.org/cloud/issues?environment_name=my.org
```
Follow the link in the CLI output to see your issues in the Snyk Web UI. To learn more about the cloud issues view, see View Cloud and IaC+ issues in the Snyk Web UI.
Act on the recommendations generated by Snyk IaC+.
1. After you have run a test, review the details about where each issue exists and the advice on how to remediate it.
2. Fix the issue based on the remediation advice.
3. Run another test to see if the issue has been resolved.
4. Optional: View a list of all IaC+ and cloud context rules and adjust rule severity as needed. For more information, see Managing Cloud and IaC+ rules.
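
One way to automate step 3 is shown below as an added example; it is not part of the original page and is not Snyk code. It assumes the re-scan output was saved as plain text in the Test Summary layout shown earlier; the function names and sample strings are constructed for illustration. A rule missing from the output only counts as fixed if the scan completed and no file was reported invalid.

```sh
#!/bin/sh
# Added example, not Snyk code. Assumes scan output saved as plain text in the
# "Test Summary" layout shown on this page (no colour codes).

# Constructed sample outputs, modelled on the summary above.
BEFORE='  Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-118
Invalid files: 0
Total issues: 1 [ 0 critical, 0 high, 0 medium, 1 low ]'
AFTER='Invalid files: 0
Total issues: 0 [ 0 critical, 0 high, 0 medium, 0 low ]'
UNPARSED='Invalid files: 1
Total issues: 0 [ 0 critical, 0 high, 0 medium, 0 low ]'

# issues_at_or_above THRESHOLD   (scan output on stdin)
# Prints the number of issues at or above THRESHOLD; exits 2 without a summary.
issues_at_or_above() (
  re='Total issues: [0-9]+ \[ ([0-9]+) critical, ([0-9]+) high, ([0-9]+) medium, ([0-9]+) low \]'
  counts=$(sed -nE "s/.*$re.*/\1 \2 \3 \4/p" | tail -n 1)
  [ -n "$counts" ] || exit 2
  set -- "$1" $counts            # $2..$5 = critical, high, medium, low
  case $1 in
    critical) echo "$2" ;;
    high)     echo $(( $2 + $3 )) ;;
    medium)   echo $(( $2 + $3 + $4 )) ;;
    low)      echo $(( $2 + $3 + $4 + $5 )) ;;
    *)        exit 2 ;;
  esac
)

# fix_verified RULE_ID THRESHOLD   (re-scan output on stdin)
# 0 = rule gone and nothing at or above THRESHOLD remains
# 1 = rule still reported, or other issues remain
# 2 = scan cannot be trusted (no summary, or a file failed to parse)
fix_verified() (
  out=$(cat)
  # A file that failed to parse was never evaluated, so a missing finding
  # there is not evidence of a fix.
  printf '%s\n' "$out" | grep -Eq 'Invalid files: 0[[:space:]]*$' || exit 2
  n=$(printf '%s\n' "$out" | issues_at_or_above "$2") || exit 2
  if printf '%s\n' "$out" | grep -qwF -- "$1"; then exit 1; fi
  [ "$n" -eq 0 ]
)

# Demo on the constructed samples.
printf '%s\n' "$AFTER" | fix_verified SNYK-CC-TF-118 low && echo "fix verified"
```

In a pipeline, redirect the re-scan to a file (for example `snyk iac test > scan.txt`) and feed that file to `fix_verified` on stdin.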