{% hint style="info" %} The information on this page applies to current IaC. If you are using IaC+, see Getting started with IaC+ and cloud scans. {% endhint %}
You can use Snyk IaC (Infrastructure as Code) in the Snyk Web UI to find, view, and fix issues in configuration files. You can also use Snyk IaC in the Snyk CLI. For details, see Snyk CLI for Infrastructure as Code.
On this page, you will find steps to find, view, and fix issues in configuration files for the supported environments: Terraform, AWS CloudFormation, Kubernetes, including Helm, and Azure Resource Manager (ARM). These steps are specific to the current IaC. See also Getting started with IaC and cloud scans.
Before using Snyk IaC, be sure you have the prerequisites as follows:
- A Snyk account. For details, see Create a Snyk account.
- An existing Terraform, CloudFormation, Kubernetes, or ARM environment to work in.
- A Git repository you have integrated with Snyk in the same way as for other Snyk products. For details, see Git repository (SCM).
For more information about IaC and supported environments, see the following pages:
- Configure your integration to find security issues in your Terraform files
- Configure your integration to find security issues in your CloudFormation files
- Configure your integration to find security issues in your Kubernetes configuration files
{% hint style="info" %} You must use the Snyk CLI to scan ARM configuration files. See Scan ARM configuration files. {% endhint %}
You will start by importing Projects you want to scan with Snyk. In these steps, you choose repositories for Snyk to test and re-test:
- Log in to Snyk and on your dashboard, select Projects from the navigation.
- On the Projects page, from the Add projects dropdown, select the SCM where the repositories and projects that you want to scan are; for example, select GitHub.
- From the list of Personal and Organization repositories, select the Git repositories and projects you want to import for scanning.
You can select one or more repositories or projects in a repository.
- Click Add selected repositories to import the selected SCM projects and repositories into Snyk.
- Select View import Log to see the results on the import log.
You can scan multiple types of configuration files simultaneously.
The import completes and the Projects page displays the Snyk Project imported.
{% hint style="info" %} After you have imported an IaC Project, Snyk re-tests your Project once a week by default. You can deactivate recurring tests on the Settings tab of the Projects page: set Test & Automated Pull Request Frequency to Test never. {% endhint %}
On the Projects page, you can view the results for configuration files in the imported Projects.
- If Group by targets is selected, a list of Targets is displayed. These are the repositories with the Projects you imported. Select a Target to expand its list of Projects.
- If Group by none is selected, a list of all Projects is displayed.
In your Projects listing, select the Project to open to display detailed information about that Project.
List of Snyk Projects
Each Project detail page has a snapshot showing when the Project was last tested, the name of the user who imported the Project, and, on the Issues tab, the number of critical, high, medium, and low-severity issues found and issue cards for each scanned configuration file. You can also select the Overview, History, and Settings options. Choose History to see previous snapshots of the Project.
Snyk Project issue card
{% hint style="info" %} If you encounter any errors during import, see the Importing Projects information in the support articles. {% endhint %}
Each issue card shows information about the resource and the path by which it was introduced.
Issue card details
The information on the issue cards includes the following:
- The severity level, for example, H for high, and the name of the issue, for example, Non-encrypted S3 Bucket
- The ID of the security rule, for example, SNYK-CC-00172.
Click the link to view more information on the Snyk Security Rules.
- A snippet of your code showing the exact area that is vulnerable
- The exact path of the issue
- More details, such as:
  - a brief description of the issue
  - the impact of the issue
  - remediation advice to resolve the issue
Click Full details to see a preview of the full code:
Preview of the full code
Click Ignore to ignore this vulnerability. For details, see Ignore Issues.
The steps to act on recommendations produced by Snyk IaC follow.
- On a Project detail page, select an issue to see the details for that issue and specific recommendations from Snyk IaC.
- Based on the recommendations, edit the configuration file to fix the issue identified and then commit the change.
Snyk automatically rescans the changed file.
- View the change reflected in the issue display.
Example of an IaC issue that has been fixed
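To make the "edit the configuration file and commit" step concrete, here is an added Terraform example that is not part of the Snyk documentation or Snyk's own code. It ties together the issue card example above (severity H, Non-encrypted S3 Bucket, rule SNYK-CC-00172) and the fix workflow: the first resource is the kind of definition such a card would point at, and the remaining resources show one remediation, a default server-side encryption rule backed by a customer-managed KMS key. The resource labels, bucket names and KMS key settings are constructed for illustration, and the exact condition the rule evaluates is an assumption drawn from the issue name only.

```hcl
# Added example (not Snyk's own code). Resource labels, bucket names and
# KMS key settings are constructed for illustration.

# BEFORE: a bucket with no server-side encryption configured. A resource
# like this is what an issue card titled "Non-encrypted S3 Bucket"
# (SNYK-CC-00172 in the example above) would identify; the card's path
# would lead to this resource block. (Assumption: the rule checks for a
# missing default encryption configuration.)
resource "aws_s3_bucket" "audit_logs_unencrypted" {
  bucket = "example-audit-logs-unencrypted"
}

# AFTER: the same bucket with a default encryption rule attached. With the
# AWS provider v4 and later, encryption is declared in a separate resource
# that references the bucket, rather than as a block inside aws_s3_bucket.
resource "aws_kms_key" "audit_logs" {
  description         = "CMK for the audit log bucket (example)"
  enable_key_rotation = true
}

resource "aws_s3_bucket" "audit_logs" {
  bucket = "example-audit-logs"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "audit_logs" {
  bucket = aws_s3_bucket.audit_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.audit_logs.arn
    }
    # S3 Bucket Keys cut the number of KMS requests for buckets that
    # receive many objects; optional, but cheap to enable.
    bucket_key_enabled = true
  }
}
```

In a real repository you would change the flagged bucket in place rather than keep both definitions; they are side by side here only for comparison. After the edit is committed, Snyk rescans the changed file, as described in the steps above, and the issue card for that resource should no longer appear on the Project detail page. If the fix does not clear the card, compare the path shown on the card with the resource you changed, since the rule may be pointing at a different bucket definition in the same file.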
Examples follow of results displayed for current IaC.
Terraform Cloud and Helm do not show a code snippet, only the path details. There is no Full details button to show the preview of the full code.
Details for Helm
Details for Terraform Cloud
If Snyk cannot identify the exact line of the vulnerable path in the file, Snyk does not show a code snippet, only a message and the path details. If possible, Snyk shows the Full details button so you can see a preview of the full code.
Issue card without code snippet
Full code display