Detecting CloudFormation configuration files using Snyk Broker (Custom)
CloudFormation in Snyk Broker
By default, some file types used by Infrastructure-as-Code (IaC) are not enabled. To grant the Broker access to IaC files in your repository, for example, CloudFormation, you can add an environment variable, ACCEPT_IAC, with any combination of tf,yaml,yml,json,tpl.
Otherwise, you can edit your accept.json, add the relevant IaC specific rules, and load the customized accept file into the container. Note that if a custom accept file (from a separate folder) is used (using ACCEPT environment variable), the ACCEPT_IAC mechanism cannot be used.
These are the instructions if you require a custom allow-list and want to add CloudFormation files into the files Snyk can scan for.
Writing the configuration
The CloudFormation scanning features require access to the YAML or JSON files in the repository. This requires specific API permissions. These API permissions are slightly different depending on the source control system.
Find the appropriate accept.json sample file for the correct source control system and download from the Broker repository.
Rename the file accept.json and add to the private array in the JSON file, add the rules that follow as appropriate to your SCM .
{
"//": "used to determine Infrastructure as Code issues",
"method": "GET",
"path": "/api/v4/projects/:project/repository/files*/*.yaml",
"origin": "https://${GITLAB}"
},
{
"//": "used to determine Infrastructure as Code issues",
"method": "GET",
"path": "/api/v4/projects/:project/repository/files*%2F*.yaml",
"origin": "https://${GITLAB}"
},
{
"//": "used to determine Infrastructure as Code issues",
"method": "GET",
"path": "/api/v4/projects/:project/repository/files*/*.yml",
"origin": "https://${GITLAB}"
},
{
"//": "used to determine Infrastructure as Code issues",
"method": "GET",
"path": "/api/v4/projects/:project/repository/files*%2F*.yml",
"origin": "https://${GITLAB}"
},
{
"//": "used to determine Infrastructure as Code issues",
"method": "GET",
"path": "/api/v4/projects/:project/repository/files*/*.json",
"origin": "https://${GITLAB}"
},
{
"//": "used to determine Infrastructure as Code issues",
"method": "GET",
"path": "/api/v4/projects/:project/repository/files*%2F*.json",
"origin": "https://${GITLAB}"
},
Configuring Broker
Broker takes the path to the accept.json file, with the applicable rules added, in the ACCEPT environment variable. The following provides an example of passing that variable to the GitHub Broker.
Note that this gives Snyk the ability to query for any .yaml, .yml, or .json files. If you would prefer to be stricter, you can alter the paths in the preceding examples to be more restrictive for certain projects or file layouts.