Usage

snyk iac describe [<OPTIONS>]

Description

The snyk iac describe command detects, tracks, and alerts on infrastructure drift and unmanaged resources.

Debug

Use the -d option to output the debug logs.

Required options

To use the describe command, you must use one of these options:

--only-unmanaged
Report resources not found in any Terraform states.

--only-managed or --drift
Scan managed resources found in Terraform states for changes.

--all
Scan both managed and unmanaged resources.

Optional arguments

--from=<STATE>[,<STATE>...]
The snyk iac describe command supports reading Terraform states. Use --from= followed by a comma-separated list of states. You can also use glob patterns to match multiple state files at once.

  $ snyk iac describe --all --from="tfstate+s3://statebucket/states"
  $ snyk iac describe --all --from="tfstate://directory/*.tfstate"

You can also use terraform to pipe your state into a file and then read from that file:

  $ terraform state pull > state.tfstate
  $ snyk iac describe --all --from="tfstate://state.tfstate"

--to=<PROVIDER+TYPE>
The iac describe command supports multiple cloud providers. By default the describe command scans AWS, but you can change this using the --to option.

  $ snyk iac describe --to="PROVIDER+TYPE"
  $ snyk iac describe --to="aws+tf"

Supported providers:
  github+tf (GitHub with Terraform)
  aws+tf (Amazon Web Services with Terraform)
  gcp+tf (Google Cloud Platform with Terraform)
  azure+tf (Azure with Terraform)

--service=<SERVICE>[,<SERVICE>...]
Filter the scan to the listed services (comma-separated).

  $ snyk iac describe --all --service="aws_s3,aws_ec2"

When this option is used together with a .snyk drift ignore rule, the content in .snyk will be ignored.

Supported services:
  aws_s3, aws_ec2, aws_lambda, aws_rds, aws_route53, aws_iam, aws_vpc, aws_api_gateway, aws_apigatewayv2, aws_sqs, aws_sns, aws_ecr, aws_cloudfront, aws_kms, aws_dynamodb
  azure_base, azure_compute, azure_storage, azure_network, azure_container, azure_database, azure_loadbalancer, azure_private_dns
  google_cloud_platform, google_cloud_storage, google_compute_engine, google_cloud_dns, google_cloud_bigtable, google_cloud_bigquery, google_cloud_functions, google_cloud_sql, google_cloud_run

--quiet

--filter

--json
Output the report as JSON, for example to a file for later processing:

  $ snyk iac describe --json > report.json
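A saved JSON report is what you would feed into a CI gate. The following Python is an added example, not part of the Snyk CLI or its documentation: it counts unmanaged resources per type and flags drift that touches security-sensitive attributes. The report field names it reads ("unmanaged", "differences", "res", "changelog", "path") and the SENSITIVE_PATHS list are assumptions modeled on the driftctl-style layout; check them against a real report before relying on them.

```python
import json
from collections import Counter

# Attribute paths whose drift usually means a security-relevant change.
# Assumed list for this example; extend it to match your environment.
SENSITIVE_PATHS = ("policy", "acl", "public", "ingress", "cidr", "encrypt")

# Constructed sample report; the field layout is an assumption modeled on
# the driftctl-style JSON that snyk iac describe --json emits.
SAMPLE_REPORT = json.dumps({
    "unmanaged": [
        {"id": "bucket-logs-backup", "type": "aws_s3_bucket"},
        {"id": "sg-0deadbeef", "type": "aws_security_group"},
    ],
    "differences": [{
        "res": {"id": "sg-0abc1234", "type": "aws_security_group"},
        "changelog": [{
            "path": ["ingress", 0, "cidr_blocks", 0],
            "from": "10.0.0.0/8",
            "to": "0.0.0.0/0",
        }],
    }],
})


def triage(report_json: str) -> dict:
    """Count unmanaged resources per type and flag drift on sensitive paths."""
    report = json.loads(report_json)
    unmanaged = Counter(r["type"] for r in report.get("unmanaged", []))
    high_risk = []
    for diff in report.get("differences", []):
        res = diff["res"]
        for change in diff.get("changelog", []):
            path = "/".join(str(p) for p in change.get("path", []))
            if any(token in path for token in SENSITIVE_PATHS):
                high_risk.append(f"{res['type']}.{res['id']}:{path}")
    return {
        "unmanaged_by_type": dict(unmanaged),
        "drifted": len(report.get("differences", [])),
        "high_risk": high_risk,
    }


def exit_code(result: dict) -> int:
    """CI gate: 2 for sensitive drift, 1 for any other finding, else 0."""
    if result["high_risk"]:
        return 2
    if result["unmanaged_by_type"] or result["drifted"]:
        return 1
    return 0
```

In a pipeline, replace SAMPLE_REPORT with the contents of report.json and exit with exit_code(triage(...)) so a widened ingress rule fails the build distinctly from ordinary unmanaged resources.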
--html

--html-file-output=<OUTPUT_FILE_PATH>

--fetch-tfstate-headers

--tfc-token

--tfc-endpoint
Pass the tfc-endpoint value that is specific to your org's Terraform Enterprise installation.

--tf-provider-version
Select the Terraform provider version to use, for example:

  $ DCTL_TF_PROVIDER_VERSION=3.43.0 snyk iac describe --only-unmanaged
  $ DCTL_TF_PROVIDER_VERSION=4.10.1 snyk iac describe --all --to="github+tf"

--strict
The iac describe command ignores service-linked resources by default (such as service-linked AWS IAM roles, their policies and policy attachments). To include those resources in the report, enable strict mode:

  $ snyk iac describe --all --strict

--deep
Use together with --all:

  $ snyk iac describe --all --deep

--tf-lockfile
By default, snyk iac describe reads the Terraform lock file (.terraform.lock.hcl) from the current directory, so it can automatically detect which provider to use, according to the --to flag. You can specify a custom path for that file using the --tf-lockfile option. If you use the --tf-lockfile and --tf-provider-version options together, --tf-provider-version takes precedence overall.

  $ snyk iac describe --all --to="aws+tf" --tf-lockfile="/path/to/.terraform.lock.hcl"

--org=<ORG_ID>
Specify the <ORG_ID> to run Snyk commands tied to a specific organization. The <ORG_ID> influences some features availability and private test limits. You can set a default organization with:

  $ snyk config set org=<ORG_ID>

To override the default for a single run, use the --org=<ORG_ID> option.

--config-dir
Default location: the $HOME directory (or the /tmp folder).

--ignore-policy
Ignore the current policy in the .snyk file, org level ignores, and the project policy on snyk.io.

--policy-path=<PATH_TO_POLICY_FILE>
Manually pass a path to a .snyk policy file.