tessl/npm-snyk
Developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities
—
Pending
infrastructure-as-code.mddocs/
Infrastructure as Code (IaC)
Security scanning for infrastructure configuration files including Terraform, Kubernetes, CloudFormation, ARM templates, and drift detection capabilities for managing infrastructure security posture.
Capabilities
IaC Testing
Command-line interface for scanning infrastructure configuration files for security misconfigurations.
# Basic IaC testing
snyk iac test # Test current directory
snyk iac test <path> # Test specific path
snyk iac test ./terraform/ # Test Terraform files
snyk iac test ./k8s/ # Test Kubernetes manifests
# Testing with options
snyk iac test <path> --org=<org-id> # Test with organization
snyk iac test <path> --json # JSON output format
snyk iac test <path> --sarif # SARIF format output
snyk iac test <path> --severity-threshold=high # Filter by severity
# Recursive scanning
snyk iac test <path> --detection-depth=5 # Control recursion depth
snyk iac test . --exclude="**/node_modules/**" # Exclude patterns
# Rule and policy options
snyk iac test <path> --rules=<custom-rules> # Custom rule files
snyk iac test <path> --var-file=<vars> # Variable files for templates
# Output options
snyk iac test <path> --json-file-output=results.json # Save JSON results
snyk iac test <path> --sarif-file-output=results.sarif # Save SARIF resultsSupported IaC Formats
Infrastructure as Code formats and frameworks supported by Snyk.
# Terraform
snyk iac test ./terraform/ # .tf files
snyk iac test ./terraform/ --var-file=terraform.tfvars # With variables
# Kubernetes
snyk iac test ./k8s/ # .yaml/.yml manifests
snyk iac test ./k8s/deployment.yaml # Single manifest file
# CloudFormation
snyk iac test ./cloudformation/ # .yaml/.json templates
snyk iac test template.yaml # Single template
# Azure Resource Manager
snyk iac test ./arm/ # .json ARM templates
snyk iac test azuredeploy.json # Single ARM template
# Google Cloud Deployment Manager
snyk iac test ./deployment-manager/ # .yaml templates
# Docker Compose
snyk iac test docker-compose.yml # Docker Compose files
# Helm Charts
snyk iac test ./helm-chart/ # Helm chart directoriesInfrastructure Drift Detection
Advanced capabilities for detecting and analyzing infrastructure drift between actual and intended state.
# Basic drift detection
snyk iac describe # Describe current infrastructure state
snyk iac describe --only-managed # Show only managed resources
snyk iac describe --only-unmanaged # Show only unmanaged resources
# Drift analysis with filtering
snyk iac describe --filter='Type=="aws_s3_bucket"' # Filter by resource type
snyk iac describe --filter='Name~="prod"' # Filter by name pattern
# State comparison
snyk iac describe --to=./terraform.tfstate # Compare to specific state
snyk iac describe --from=terraform # Specify IaC source type
# Output formats
snyk iac describe --json # JSON output
snyk iac describe --html # HTML report
snyk iac describe --html-file-output=drift-report.html # Save HTML report
# Advanced options
snyk iac describe --driftignore=.driftignore # Use drift ignore file
snyk iac describe --strict # Strict mode
snyk iac describe --tf-lockfile=.terraform.lock.hcl # Terraform lock fileCloud Provider Integration
Integration with major cloud providers for state analysis and drift detection.
# AWS integration
snyk iac describe --from=tfstate+s3://my-bucket/terraform.tfstate
snyk iac describe --service=aws # AWS resource analysis
export AWS_PROFILE=production # Use AWS profile
# Terraform Cloud integration
snyk iac describe --tfc-token=<token> # Terraform Cloud token
snyk iac describe --tfc-endpoint=<url> # Custom TFC endpoint
# Custom headers for remote state
snyk iac describe --fetch-tfstate-headers="Authorization: Bearer <token>"IaC Security Rules
Security Misconfigurations
Common security issues detected in infrastructure configurations.
# Security rule categories:
# - Access Control (IAM policies, security groups)
# - Encryption (data at rest, in transit)
# - Network Security (open ports, public access)
# - Logging and Monitoring (audit trails, CloudTrail)
# - Resource Configuration (default passwords, insecure settings)
# - Compliance (CIS benchmarks, SOC 2, PCI DSS)
# Example security issues detected:
# - S3 buckets with public read/write access
# - Security groups allowing 0.0.0.0/0 access
# - Unencrypted EBS volumes
# - RDS instances without backup enabled
# - IAM policies with overly broad permissionsCustom Rules and Policies
Configuration of custom security rules and organizational policies.
# Custom rule files
snyk iac test <path> --rules=./custom-rules/ # Directory of custom rules
snyk iac test <path> --rules=policy.yaml # Single rule file
# Policy as Code integration
# .snyk policy file for IaC
version: v1.0.0
iac:
ignore:
SNYK-CC-TF-1: # Ignore specific rule
- "*":
reason: "Accepted risk for development environment"
expires: "2024-12-31T23:59:59.999Z"Compliance Frameworks
Built-in compliance framework checks and reporting.
# Supported compliance frameworks:
# - CIS (Center for Internet Security) benchmarks
# - AWS Well-Architected Framework
# - Azure Security Benchmark
# - Google Cloud Security Command Center
# - SOC 2 Type II requirements
# - PCI DSS requirements
# - HIPAA compliance checks
# - GDPR data protection requirements
# Framework-specific scanning
snyk iac test <path> --policy=cis-aws # CIS AWS benchmark
snyk iac test <path> --policy=well-architected # AWS Well-ArchitectedIntegration Patterns
CI/CD Pipeline Integration
# GitHub Actions example
- name: IaC Security Scan
run: |
snyk iac test ./terraform/ --severity-threshold=medium
snyk iac test ./k8s/ --json > iac-results.json
# GitLab CI example
iac-security-scan:
script:
- snyk iac test ./infrastructure/ --sarif-file-output=iac-results.sarif
artifacts:
reports:
sast: iac-results.sarif
# Jenkins pipeline
stage('IaC Security') {
steps {
sh 'snyk iac test ./terraform/ --json > iac-scan-results.json'
publishHTML([
allowMissing: false,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: '.',
reportFiles: 'iac-results.html',
reportName: 'IaC Security Report'
])
}
}Terraform Integration
# Terraform workflow integration
terraform init # Initialize Terraform
terraform plan -out=plan.tfplan # Create execution plan
snyk iac test . # Scan configuration files
terraform apply plan.tfplan # Apply approved changes
snyk iac describe --only-managed # Verify managed resources
# Pre-commit hooks
# .pre-commit-config.yaml
repos:
- repo: local
hooks:
- id: snyk-iac
name: Snyk IaC Security Scan
entry: snyk iac test
language: system
files: \.(tf|yaml|yml)$Kubernetes Integration
# Kubernetes manifest scanning
snyk iac test ./k8s-manifests/ # Scan all manifests
kubectl apply --dry-run=client -f deployment.yaml # Validate manifest
snyk iac test deployment.yaml # Security scan
kubectl apply -f deployment.yaml # Deploy to cluster
# Helm chart scanning
helm template my-chart ./chart/ > rendered-manifests.yaml
snyk iac test rendered-manifests.yaml # Scan rendered templates
helm install my-release ./chart/ # Install chart
# Admission controller integration
# Snyk can integrate with admission controllers to:
# - Block deployments with critical security issues
# - Add security annotations to resources
# - Validate policies before deploymentAdvanced IaC Features
Variable File Support
Support for template variables and environment-specific configurations.
# Terraform variable files
snyk iac test . --var-file=production.tfvars # Production variables
snyk iac test . --var-file=staging.tfvars # Staging variables
snyk iac test . --var-file=terraform.tfvars # Default variables
# Multiple variable files
snyk iac test . --var-file=common.tfvars --var-file=env-specific.tfvars
# Environment variable support
export TF_VAR_environment=production
snyk iac test . # Uses environment variablesConfiguration Directories
Scanning of complex directory structures and multi-environment setups.
# Multi-environment scanning
snyk iac test ./environments/dev/ # Development environment
snyk iac test ./environments/staging/ # Staging environment
snyk iac test ./environments/prod/ # Production environment
# Module scanning
snyk iac test ./modules/vpc/ # Terraform modules
snyk iac test ./modules/security-groups/ # Security-focused modules
# Recursive scanning with depth control
snyk iac test . --detection-depth=3 # Limit recursion depth
snyk iac test . --exclude="**/examples/**" # Exclude example directoriesState File Analysis
Analysis of Terraform state files for drift detection and security assessment.
# Local state file analysis
snyk iac describe --to=./terraform.tfstate
# Remote state analysis
snyk iac describe --to=s3://bucket/path/terraform.tfstate
snyk iac describe --to=gcs://bucket/path/terraform.tfstate
# State comparison
snyk iac describe --from=terraform --to=./current.tfstateTypes
IaC Types
interface IacTestResult {
/** Infrastructure security issues */
infrastructureAsCodeIssues: IacIssue[];
/** Scan summary */
summary: IacSummary;
/** File path scanned */
targetFile: string;
/** Project name */
projectName: string;
/** Organization ID */
org: string;
}
interface IacIssue {
/** Issue identifier */
id: string;
/** Issue title */
title: string;
/** Issue description */
description: string;
/** Severity level */
severity: 'critical' | 'high' | 'medium' | 'low';
/** Rule that detected the issue */
rule: string;
/** File path where issue was found */
path: string[];
/** Line number in file */
lineNumber: number;
/** Impact description */
impact: string;
/** Remediation guidance */
resolve: string;
/** References and links */
references: string[];
/** Compliance frameworks affected */
compliance?: ComplianceFramework[];
}
interface IacSummary {
/** Total issues found */
total: number;
/** Issues by severity */
bySeverity: {
critical: number;
high: number;
medium: number;
low: number;
};
/** Files scanned */
filesScanned: number;
/** Issues by file type */
byFileType: Record<string, number>;
}
interface DriftAnalysis {
/** Analysis summary */
summary: DriftSummary;
/** Managed resources */
managed?: DriftResource[];
/** Unmanaged resources */
unmanaged?: DriftResource[];
/** Missing resources */
missing?: DriftResource[];
/** Analysis alerts */
alerts?: DriftAlert[];
/** Coverage percentage */
coverage: number;
/** Scan duration */
scanDuration: number;
/** Provider information */
providerName: string;
/** Provider version */
providerVersion: string;
}
interface DriftResource {
/** Resource identifier */
id: string;
/** Resource type */
type: string;
/** Human-readable attributes */
humanReadableAttributes?: Record<string, unknown>;
/** Resource source */
source?: DriftSource;
}
interface DriftSource {
/** Source file/location */
source: string;
/** Namespace */
namespace: string;
/** Internal name */
internalName: string;
}
interface DriftSummary {
/** Total resources */
totalResources: number;
/** Unmanaged resources */
totalUnmanaged: number;
/** Missing resources */
totalMissing: number;
/** Managed resources */
totalManaged: number;
/** IaC source count */
totalIacSourceCount: number;
}
interface ComplianceFramework {
/** Framework name */
name: string;
/** Framework version */
version: string;
/** Control identifier */
controlId: string;
/** Control description */
controlDescription: string;
}Install with Tessl CLI
npx tessl i tessl/npm-snyk