IaC test

Usage

snyk iac test [<OPTIONS>] [<PATH>]

Description

The snyk iac test command tests for any known security issue.

For a list of related commands see the snyk iac help; iac --help

For more information see Snyk CLI for IaC

Exit codes

Possible exit codes and their meaning:

0: success (scan completed), no vulnerabilities found 1: action_needed (scan completed), vulnerabilities found 2: failure, try to re-run the command. Use -d to output the debug logs. 3: failure, no supported projects detected

Configure the Snyk CLI

You can use environment variables to configure the Snyk CLI and set variables for connecting with the Snyk API. See Configure the Snyk CLI

Debug

Use the -d option to output the debug logs.

Options

--detection-depth=<DEPTH>

Indicate how many subdirectories to search. DEPTH must be a number, 1 or greater; zero (0) is the current directory.

Default: no limit.

Example: --detection-depth=3 limits search to the specified directory (or the current directory if no <PATH> is specified) plus three levels of subdirectories; zero (0) is the current directory.

--org=<ORG_ID>

Specify the <ORG_ID> to run Snyk commands tied to a specific Snyk Organization. The <ORG_ID> influences private test limits.

If you have multiple Organizations, you can set a default from the CLI using:

$ snyk config set org=<ORG_ID>

Set a default to ensure all newly tested projects are tested under your default Organization. If you need to override the default, use the --org=<ORG_ID> option.

Default: <ORG_ID> that is the current preferred Organization in your Account settings

Note that you can also use --org=<orgslugname>. The ORG_ID works in both the CLI and the API. The Organization slug name works in the CLI, but not in the API.

--ignore-policy

Ignore all set policies, the current policy in the .snyk file, rg level ignores, and the project policy on snyk.io.

--policy-path=<PATH_TO_POLICY_FILE>

Manually pass a path to a .snyk policy file.

--json

Print results on the console as a JSON data structure.

Example: $ snyk iac test --json

--json-file-output=<OUTPUT_FILE_PATH>

Save test output as a JSON data structure directly to the specified file, regardless of whether or not you use the --json option.

Use to display the human-readable test output using stdout and at the same time save the JSON data structure output to a file.

Example: $ snyk iac test --json-file-output=vuln.json

--sarif

Return results in SARIF format.

--sarif-file-output=<OUTPUT_FILE_PATH>

Save test output in SARIF format directly to the <OUTPUT_FILE_PATH> file, regardless of whether or not you use the --sarif option.

This is especially useful if you want to display the human-readable test output using stdout and at the same time save the SARIF format output to a file.

Note: If you use an option that sets project attributes and your role lacks permission to edit project attributes the iac test command fails. For instructions on how to proceed see Editing project attributes from the Snyk CLI

--project-business-criticality=<BUSINESS_CRITICALITY>[,<BUSINESS_CRITICALITY>]...>

This can be used in combination with the --report option.

Set the project business criticality project attribute to one or more values (comma-separated). To clear the project business criticality set --project-business-criticality=

Allowed values: critical, high, medium, low

For more information see Project attributes

This option is not supported for IaC+.

--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>

This can be used in combination with the --report option.

Set the project environment project attribute to one or more values (comma-separated). To clear the project environment set --project-environment=

Allowed values: frontend, backend, internal, external, mobile, saas, onprem, hosted, distributed

For more information see Project attributes

This option is not supported for IaC+.

--project-lifecycle=<LIFECYCLE>[,<LIFECYCLE>]...>

This can be used in combination with the --report option.

Set the project lifecycle project attribute to one or more values (comma-separated). To clear the project lifecycle set --project-lifecycle=

Allowed values: production, development, sandbox

For more information see Project attributes

This option is not supported for IaC+.

--project-tags=<TAG>[,<TAG>]...>

This can be used in combination with the --report option.

Set the project tags to one or more values (comma-separated key value pairs with an "=" separator).

Example: --project-tags=department=finance,team=alpha

To clear the project tags set --project-tags=

This option is not supported for IaC+.

For more information including allowable characters see Project tags

--remote-repo-url=<URL>

Set or override the remote URL for the repository.

Groups all Projects found under a single Target.

Can be used in combination with the --report option.

--report

NEW option: Share results with the Snyk Web UI.

This creates a project in your Snyk account with a snapshot of the current configuration issues or appends the snapshot to an existing project.

After using this option, log in to the Snyk website and view your projects to see the snapshot.

Example: $ snyk iac test --report

Note: This option cannot be used in combination with the --rules option.

--rules=<PATH_TO_CUSTOM_RULES_BUNDLE>

Use this dedicated option for Custom Rules scanning to enable the IaC scans to use a custom rules bundle generated with the snyk-iac-rules SDK. See snyk-iac-rules SDK

This option cannot be used if the custom rules settings were configured with the Snyk UI. Default: If the --rules option is not specified, scan the configuration files using the internal Snyk rules only.

Example: Scan the configuration files using custom rules and internal Snyk rules.

--rules=bundle.tar.gz

Note: This option can not be used in combination with the --report option.

This option is not supported for IaC+.

--severity-threshold=<low|medium|high|critical>

Report only vulnerabilities at the specified level or higher.

--scan=<TERRAFORM_PLAN_SCAN_MODE>

Use this dedicated option for Terraform plan scanning modes to control whether the scan analyzes the full final state (for example, planned-values), or the proposed changes only (for example, resource-changes).

Default: If the --scan option is not specified, scan the proposed changes only by default. Example 1: --scan=planned-values (full state scan) Example 2: --scan=resource-changes (proposed changes scan)

--target-name=<TARGET_NAME>

This can be used in combination with the --report option.

Set or override the project name for the repository.

Note: This option supersedes--remote-repo-url, if both options are used together.

--target-reference=<TARGET_REFERENCE>

This can be used in combination with the --report option.

Specify a reference that differentiates this project, for example, a branch name or version. Projects having the same reference can be grouped based on that reference.

Example, setting to the current Git branch:

snyk iac test myproject/ --report --target-reference="$(git branch --show-current)"

Example, setting to the latest Git tag:

snyk iac test myproject/ --report --target-reference="$(git describe --tags --abbrev=0)"

--var-file=<PATH_TO_VARIABLE_FILE>

Load a terraform variable definitions file that is located in a different directory from the scanned one.

Example:

$ snyk iac test myproject/staging/networking --var-file=myproject/vars.tf

--snyk-cloud-environment=<ENVIRONMENT_ID>

Use the last scan from your Snyk Cloud Environment to suppress issues. For more information, see Adding cloud context to your IaC test

This option is only supported for IaC+.

Example:

$ snyk iac test --snyk-cloud-environment=0d19dc1a-c2aa-4719-89ee-5f281dd92a20

Examples for snyk iac test command

For more information see Snyk CLI for Infrastructure as Code

Test a CloudFormation file

$ snyk iac test /path/to/cloudformation_file.yaml

Test a Kubernetes file

$ snyk iac test /path/to/kubernetes_file.yaml

Test a Terraform file

$ snyk iac test /path/to/terraform_file.tf

Test a Terraform plan file

$ terraform plan -out=tfplan.binary
$ terraform show -json tfplan.binary > tf-plan.json
$ snyk iac test tf-plan.json

Test an ARM file

$ snyk iac test /path/to/arm_file.json

Test matching files in a directory

$ snyk iac test /path/to/directory

Test matching files in a directory using a local custom rules bundle

$ snyk iac test /path/to/directory --rules=bundle.tar.gz

Last updated

More information

Snyk privacy policy

© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.