# Infrastructure as Code (IaC)

Security scanning for infrastructure configuration files, including Terraform, Kubernetes, CloudFormation and ARM templates, plus drift detection for managing infrastructure security posture.

## Capabilities

### IaC Testing

Command-line interface for scanning infrastructure configuration files for security misconfigurations.

```bash { .api }
# Basic IaC testing
snyk iac test                                     # Test current directory
snyk iac test <path>                              # Test specific path
snyk iac test ./terraform/                        # Test Terraform files
snyk iac test ./k8s/                              # Test Kubernetes manifests

# Testing with options
snyk iac test <path> --org=<org-id>               # Test with organization
snyk iac test <path> --json                       # JSON output format
snyk iac test <path> --sarif                      # SARIF format output
snyk iac test <path> --severity-threshold=high    # Report only issues at or above this severity

# Recursive scanning
snyk iac test <path> --detection-depth=5          # Control recursion depth
snyk iac test . --exclude="**/node_modules/**"    # Exclude patterns

# Rule and policy options
snyk iac test <path> --rules=<custom-rules>       # Custom rule files
snyk iac test <path> --var-file=<vars>            # Variable files for templates

# Output options
snyk iac test <path> --json-file-output=results.json    # Save JSON results
snyk iac test <path> --sarif-file-output=results.sarif  # Save SARIF results
```

### Supported IaC Formats

Infrastructure as Code formats and frameworks supported by Snyk.

```bash { .api }
# Terraform
snyk iac test ./terraform/                               # .tf files
snyk iac test ./terraform/ --var-file=terraform.tfvars   # With variables

# Kubernetes
snyk iac test ./k8s/                      # .yaml/.yml manifests
snyk iac test ./k8s/deployment.yaml       # Single manifest file

# CloudFormation
snyk iac test ./cloudformation/           # .yaml/.json templates
snyk iac test template.yaml               # Single template

# Azure Resource Manager
snyk iac test ./arm/                      # .json ARM templates
snyk iac test azuredeploy.json            # Single ARM template

# Google Cloud Deployment Manager
snyk iac test ./deployment-manager/       # .yaml templates

# Docker Compose
snyk iac test docker-compose.yml          # Docker Compose files

# Helm Charts
snyk iac test ./helm-chart/               # Helm chart directories
```

### Infrastructure Drift Detection

Detecting and analyzing infrastructure drift, i.e. differences between the intended state declared in IaC and the actual state of deployed resources.

```bash { .api }
# Basic drift detection
snyk iac describe                              # Describe current infrastructure state
snyk iac describe --only-managed               # Show only managed resources
snyk iac describe --only-unmanaged             # Show only unmanaged resources

# Drift analysis with filtering
snyk iac describe --filter='Type=="aws_s3_bucket"'   # Filter by resource type
snyk iac describe --filter='Name~="prod"'            # Filter by name pattern

# State comparison
snyk iac describe --to=./terraform.tfstate     # Compare to specific state
snyk iac describe --from=terraform             # Specify IaC source type

# Output formats
snyk iac describe --json                                   # JSON output
snyk iac describe --html                                   # HTML report
snyk iac describe --html-file-output=drift-report.html     # Save HTML report

# Advanced options
snyk iac describe --driftignore=.driftignore               # Use drift ignore file
snyk iac describe --strict                                 # Strict mode
snyk iac describe --tf-lockfile=.terraform.lock.hcl        # Terraform lock file
```

### Cloud Provider Integration

Integration with major cloud providers for state analysis and drift detection.

```bash { .api }
# AWS integration
snyk iac describe --from=tfstate+s3://my-bucket/terraform.tfstate
snyk iac describe --service=aws                # AWS resource analysis
export AWS_PROFILE=production                  # Use AWS profile

# Terraform Cloud integration
snyk iac describe --tfc-token=<token>          # Terraform Cloud token
snyk iac describe --tfc-endpoint=<url>         # Custom TFC endpoint

# Custom headers for remote state
snyk iac describe --fetch-tfstate-headers="Authorization: Bearer <token>"
```

## IaC Security Rules

### Security Misconfigurations

Common security issues detected in infrastructure configurations.

```bash { .api }
# Security rule categories:
# - Access Control (IAM policies, security groups)
# - Encryption (data at rest, in transit)
# - Network Security (open ports, public access)
# - Logging and Monitoring (audit trails, CloudTrail)
# - Resource Configuration (default passwords, insecure settings)
# - Compliance (CIS benchmarks, SOC 2, PCI DSS)

# Example security issues detected:
# - S3 buckets with public read/write access
# - Security groups allowing 0.0.0.0/0 access
# - Unencrypted EBS volumes
# - RDS instances without backup enabled
# - IAM policies with overly broad permissions
```

### Custom Rules and Policies

Configuration of custom security rules and organizational policies.

```bash { .api }
# Custom rule files
snyk iac test <path> --rules=./custom-rules/   # Directory of custom rules
snyk iac test <path> --rules=policy.yaml       # Single rule file

# Policy as Code integration
# .snyk policy file for IaC
version: v1.0.0
iac:
  ignore:
    SNYK-CC-TF-1:                              # Ignore specific rule
      - "*":
          reason: "Accepted risk for development environment"
          expires: "2024-12-31T23:59:59.999Z"
```

### Compliance Frameworks

Built-in compliance framework checks and reporting.

```bash { .api }
# Supported compliance frameworks:
# - CIS (Center for Internet Security) benchmarks
# - AWS Well-Architected Framework
# - Azure Security Benchmark
# - Google Cloud Security Command Center
# - SOC 2 Type II requirements
# - PCI DSS requirements
# - HIPAA compliance checks
# - GDPR data protection requirements

# Framework-specific scanning
snyk iac test <path> --policy=cis-aws            # CIS AWS benchmark
snyk iac test <path> --policy=well-architected   # AWS Well-Architected
```

## Integration Patterns

### CI/CD Pipeline Integration

```bash { .api }
# GitHub Actions example
- name: IaC Security Scan
  run: |
    snyk iac test ./terraform/ --severity-threshold=medium
    snyk iac test ./k8s/ --json > iac-results.json

# GitLab CI example
iac-security-scan:
  script:
    - snyk iac test ./infrastructure/ --sarif-file-output=iac-results.sarif
  artifacts:
    reports:
      sast: iac-results.sarif

# Jenkins pipeline
stage('IaC Security') {
  steps {
    sh 'snyk iac test ./terraform/ --json > iac-scan-results.json'
    publishHTML([
      allowMissing: false,
      alwaysLinkToLastBuild: true,
      keepAll: true,
      reportDir: '.',
      reportFiles: 'iac-results.html',
      reportName: 'IaC Security Report'
    ])
  }
}
```

### Terraform Integration

```bash { .api }
# Terraform workflow integration
terraform init                         # Initialize Terraform
terraform plan -out=plan.tfplan        # Create execution plan
snyk iac test .                        # Scan configuration files
terraform apply plan.tfplan            # Apply approved changes
snyk iac describe --only-managed       # Verify managed resources

# Pre-commit hooks
# .pre-commit-config.yaml
repos:
  - repo: local
    hooks:
      - id: snyk-iac
        name: Snyk IaC Security Scan
        entry: snyk iac test
        language: system
        files: \.(tf|yaml|yml)$
```

### Kubernetes Integration

```bash { .api }
# Kubernetes manifest scanning
snyk iac test ./k8s-manifests/                      # Scan all manifests
kubectl apply --dry-run=client -f deployment.yaml   # Validate manifest
snyk iac test deployment.yaml                       # Security scan
kubectl apply -f deployment.yaml                    # Deploy to cluster

# Helm chart scanning
helm template my-chart ./chart/ > rendered-manifests.yaml
snyk iac test rendered-manifests.yaml               # Scan rendered templates
helm install my-release ./chart/                    # Install chart

# Admission controller integration
# Snyk can integrate with admission controllers to:
# - Block deployments with critical security issues
# - Add security annotations to resources
# - Validate policies before deployment
```

## Advanced IaC Features

### Variable File Support

Support for template variables and environment-specific configurations.

```bash { .api }
# Terraform variable files
snyk iac test . --var-file=production.tfvars   # Production variables
snyk iac test . --var-file=staging.tfvars      # Staging variables
snyk iac test . --var-file=terraform.tfvars    # Default variables

# Multiple variable files
snyk iac test . --var-file=common.tfvars --var-file=env-specific.tfvars

# Environment variable support
export TF_VAR_environment=production
snyk iac test .                                # Uses environment variables
```

### Configuration Directories

Scanning of complex directory structures and multi-environment setups.

```bash { .api }
# Multi-environment scanning
snyk iac test ./environments/dev/              # Development environment
snyk iac test ./environments/staging/          # Staging environment
snyk iac test ./environments/prod/             # Production environment

# Module scanning
snyk iac test ./modules/vpc/                   # Terraform modules
snyk iac test ./modules/security-groups/       # Security-focused modules

# Recursive scanning with depth control
snyk iac test . --detection-depth=3            # Limit recursion depth
snyk iac test . --exclude="**/examples/**"     # Exclude example directories
```

### State File Analysis

Analysis of Terraform state files for drift detection and security assessment.

```bash { .api }
# Local state file analysis
snyk iac describe --to=./terraform.tfstate

# Remote state analysis
snyk iac describe --to=s3://bucket/path/terraform.tfstate
snyk iac describe --to=gcs://bucket/path/terraform.tfstate

# State comparison
snyk iac describe --from=terraform --to=./current.tfstate
```

## Types

### IaC Types

```typescript { .api }
interface IacTestResult {
  /** Infrastructure security issues */
  infrastructureAsCodeIssues: IacIssue[];
  /** Scan summary */
  summary: IacSummary;
  /** File path scanned */
  targetFile: string;
  /** Project name */
  projectName: string;
  /** Organization ID */
  org: string;
}

interface IacIssue {
  /** Issue identifier */
  id: string;
  /** Issue title */
  title: string;
  /** Issue description */
  description: string;
  /** Severity level */
  severity: 'critical' | 'high' | 'medium' | 'low';
  /** Rule that detected the issue */
  rule: string;
  /** File path where issue was found */
  path: string[];
  /** Line number in file */
  lineNumber: number;
  /** Impact description */
  impact: string;
  /** Remediation guidance */
  resolve: string;
  /** References and links */
  references: string[];
  /** Compliance frameworks affected */
  compliance?: ComplianceFramework[];
}

interface IacSummary {
  /** Total issues found */
  total: number;
  /** Issues by severity */
  bySeverity: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  /** Files scanned */
  filesScanned: number;
  /** Issues by file type */
  byFileType: Record<string, number>;
}

interface DriftAnalysis {
  /** Analysis summary */
  summary: DriftSummary;
  /** Managed resources */
  managed?: DriftResource[];
  /** Unmanaged resources */
  unmanaged?: DriftResource[];
  /** Missing resources */
  missing?: DriftResource[];
  /** Analysis alerts */
  alerts?: DriftAlert[];
  /** Coverage percentage */
  coverage: number;
  /** Scan duration */
  scanDuration: number;
  /** Provider information */
  providerName: string;
  /** Provider version */
  providerVersion: string;
}

interface DriftResource {
  /** Resource identifier */
  id: string;
  /** Resource type */
  type: string;
  /** Human-readable attributes */
  humanReadableAttributes?: Record<string, unknown>;
  /** Resource source */
  source?: DriftSource;
}

interface DriftSource {
  /** Source file/location */
  source: string;
  /** Namespace */
  namespace: string;
  /** Internal name */
  internalName: string;
}

interface DriftSummary {
  /** Total resources */
  totalResources: number;
  /** Unmanaged resources */
  totalUnmanaged: number;
  /** Missing resources */
  totalMissing: number;
  /** Managed resources */
  totalManaged: number;
  /** IaC source count */
  totalIacSourceCount: number;
}

interface ComplianceFramework {
  /** Framework name */
  name: string;
  /** Framework version */
  version: string;
  /** Control identifier */
  controlId: string;
  /** Control description */
  controlDescription: string;
}
```
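As an added example (not Snyk's own code), a TypeScript gate that consumes saved `snyk iac test --json-file-output` results shaped like the `IacTestResult` and `IacIssue` types above and fails the stage the way `--severity-threshold` does in the CI/CD examples. The sample results and rule ids are constructed placeholders, not real scanner output.

```typescript
// Added example, not Snyk's own code: read saved `snyk iac test` JSON results,
// apply the same cut-off as --severity-threshold, and report what a reviewer needs.
type Severity = 'critical' | 'high' | 'medium' | 'low';
// Subset of the page's IacIssue / IacTestResult types that the gate needs.
interface IacIssue {
  id: string; title: string; severity: Severity;
  path: string[]; lineNumber: number; resolve: string;
}
interface IacTestResult { targetFile: string; infrastructureAsCodeIssues: IacIssue[]; }
// Ordering used for the threshold comparison: low < medium < high < critical.
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Issues at or above the threshold, highest severity first, then by file and line.
function issuesAtOrAbove(results: IacTestResult[], threshold: Severity): Array<IacIssue & { file: string }> {
  const min = SEVERITY_RANK[threshold];
  const found: Array<IacIssue & { file: string }> = [];
  for (const r of results) {
    for (const i of r.infrastructureAsCodeIssues) {
      if (SEVERITY_RANK[i.severity] >= min) found.push({ ...i, file: r.targetFile });
    }
  }
  return found.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
    || a.file.localeCompare(b.file) || a.lineNumber - b.lineNumber);
}
// Totals per severity across all scanned files (what IacSummary.bySeverity carries).
function countBySeverity(results: IacTestResult[]): Record<Severity, number> {
  const counts: Record<Severity, number> = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const r of results) for (const i of r.infrastructureAsCodeIssues) counts[i.severity] += 1;
  return counts;
}
// Exit code 1 when any issue at or above the threshold remains, so the CI stage fails.
function gate(results: IacTestResult[], threshold: Severity): { exitCode: number; report: string[] } {
  const blocking = issuesAtOrAbove(results, threshold);
  const report = blocking.map(i =>
    `${i.severity.toUpperCase()} ${i.id} ${i.file}:${i.lineNumber} [${i.path.join('.')}] ${i.title} -> ${i.resolve}`);
  return { exitCode: blocking.length > 0 ? 1 : 0, report };
}

// Constructed sample results (not real scanner output); rule ids are placeholders.
const SAMPLE: IacTestResult[] = [
  { targetFile: 'terraform/s3.tf', infrastructureAsCodeIssues: [
    { id: 'RULE-PLACEHOLDER-1', title: 'S3 bucket allows public read', severity: 'high',
      path: ['resource', 'aws_s3_bucket', 'logs'], lineNumber: 12, resolve: 'Set acl to private' },
    { id: 'RULE-PLACEHOLDER-2', title: 'Bucket versioning disabled', severity: 'low',
      path: ['resource', 'aws_s3_bucket', 'logs'], lineNumber: 15, resolve: 'Enable versioning' } ] },
  { targetFile: 'k8s/deployment.yaml', infrastructureAsCodeIssues: [
    { id: 'RULE-PLACEHOLDER-3', title: 'Container runs as root', severity: 'medium',
      path: ['spec', 'template', 'spec', 'containers[0]'], lineNumber: 23, resolve: 'Set runAsNonRoot: true' } ] },
];
const outcome = gate(SAMPLE, 'medium');
outcome.report.forEach(line => console.log(line));
console.log(`exit code: ${outcome.exitCode}`);
```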