Getting started with current IaC
The information on this page applies to current IaC. If you are using IaC+, see Getting started with IaC+ and cloud scans.
You can use Snyk IaC (Infrastructure as Code) in the Snyk Web UI to find, view, and fix issues in configuration files. You can also use Snyk IaC in the Snyk CLI. For details, see Snyk CLI for Infrastructure as Code.
On this page, you will find steps to find, view, and fix issues in configuration files for the supported environments: Terraform, AWS CloudFormation, Kubernetes, including Helm, and Azure Resource Manager (ARM). These steps are specific to the current IaC. See also Getting started with IaC and cloud scans.
Prerequisites for Snyk IaC
Before using Snyk IaC, be sure you have the prerequisites as follows:
A Snyk account. For details, see Getting started.
An existing Terraform, CloudFormation, Kubernetes, or ARM environment to work in.
A Git repository you have integrated with Snyk in the same way as for other Snyk products. For details, see Git repository (SCM).
For more information about IaC and supported environments, see the following pages:
You must use the Snyk CLI to scan ARM configuration files. See Scan ARM configuration files.
Import IaC Projects
You will start by importing Projects you want to scan with Snyk. In these steps, you choose repositories for Snyk to test and re-test:
Log in to Snyk and on your dashboard, select Projects from the navigation.
On the Projects page, from the Add projects dropdown, select the SCM where the repositories and projects that you want to scan are; for example, select GitHub.
From the list of Personal and Organization repositories, select the Git repositories and projects you want to import for scanning. You can select one or more repositories or projects in a repository.
Click Add selected repositories to import the selected SCM projects and repositories into Snyk.
Select View import Log to see the results on the import log. You can scan multiple types of configuration files simultaneously. The import completes and the Projects page displays the Snyk Project imported.
After you have imported an IaC Project, Snyk re-tests your Project once a week by default. You can deactivate recurring tests on the Settings tab of the Projects page: set Test & Automated Pull Request Frequency to Test never.
View configuration file issues in IaC
On the Projects page, you can view the results for configuration files in the imported Projects.
If Group by targets is selected, a list of Targets is displayed. These are the repositories with the Projects you imported. Select a Target to expand its list of Projects.
If Group by none is selected, a list of all Projects is displayed.
In your Projects listing, select a Project to open it and display detailed information about that Project.
Each Project detail page has a snapshot showing when the Project was last tested, the name of the user who imported the Project, and, on the Issues tab, the number of critical, high, medium, and low-severity issues found and issue cards for each scanned configuration file. You can also select the Overview, History, and Settings options. Choose History to see previous snapshots of the Project.
Issue card details for Snyk IaC
Each issue card shows information about the resource and the path by which it was introduced.
The information on the issue cards includes the following:
The severity level, for example, H for high, and the name of the issue, for example, Non-encrypted S3 Bucket
The ID of the security rule, for example, SNYK-CC-00172. Click the link to view more information on the Snyk Security Rules.
A snippet of your code showing the exact area that is vulnerable
The exact path of the issue
More details, such as:
brief description of the issue
impact of the issue
remediation advice to resolve the issue
Click Full details to see a preview of the full code.
Click Ignore to ignore this vulnerability. For details, see Ignore Issues.
Fix configuration files in IaC
The steps to act on recommendations produced by Snyk IaC follow.
On a Project detail page, select an issue to see the details for that issue and specific recommendations from Snyk IaC.
Based on the recommendations, edit the configuration file to fix the issue identified and then commit the change. Snyk automatically rescans the changed file.
View the change reflected in the issue display.
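As an added illustration of the edit step above (not taken from Snyk's documentation), this Terraform fragment shows what a fix for an issue such as the Non-encrypted S3 Bucket example could look like. The resource names, bucket name, and KMS key are constructed, and it assumes AWS provider version 4 or later, where bucket encryption is declared in its own resource.

```hcl
# Constructed example: all names below are placeholders, not values from Snyk.

# Before the fix, the file declared only the bucket, with no
# server-side encryption configuration attached to it:
#
#   resource "aws_s3_bucket" "logs" {
#     bucket = "example-app-logs"
#   }

# After the fix, the same bucket is paired with a KMS key and an
# explicit default-encryption rule.
resource "aws_s3_bucket" "logs" {
  bucket = "example-app-logs"
}

# Customer-managed key used for default encryption of the bucket.
resource "aws_kms_key" "logs" {
  description         = "Default encryption key for example-app-logs"
  enable_key_rotation = true
}

# Every new object written to the bucket is encrypted with the key above
# unless the request specifies otherwise.
resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.logs.arn
    }

    # Reduces KMS request volume by using a bucket-level data key.
    bucket_key_enabled = true
  }
}
```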
Examples of IaC results
The following are examples of results displayed for current IaC.
Terraform Cloud and Helm examples
Terraform Cloud and Helm do not show a code snippet, only the path details. There is no Full details button to show the preview of the full code.
Example showing the code preview is not available
If Snyk cannot identify the exact line of the vulnerable path in the file, Snyk does not show a code snippet, only a message and the path details. If possible, Snyk shows the Full details button so you can see a preview of the full code.