Introducing Snyk developer-first security into the Terraform Cloud workflow
October 6, 2021
With the rise in popularity of technologies such as HashiCorp Terraform, Docker, and Kubernetes, developers are writing and maintaining more and more configurations in addition to building the application itself. The growing use of infrastructure as code presents security complexity and the potential for risk that developers often struggle with as their workloads increase and more advanced skills are required.
We are excited to announce a new partnership with HashiCorp and the availability of a Snyk integration to HashiCorp Terraform Cloud to help developers solve major configuration security challenges that arise when delivering infrastructure as code. Terraform Cloud enables organizations to better collaborate on infrastructure as code. Terraform Cloud users can now integrate third-party tools into the Terraform workflow using a feature called run tasks. Snyk Infrastructure as Code (Snyk IaC) now offers one of the first integrations into this workflow, to detect configuration issues directly in code and reduce risk to infrastructure deployments. To enable this functionality, available via an invite-only beta, sign up for access to the Terraform Cloud beta here: https://hashi.co/tfc-beta.
Knowing how to provision infrastructure securely with Terraform can be challenging. In the recent State of Cloud Native Application security report, Snyk research found that more than half of respondents suffered from a misconfiguration or known unpatched vulnerabilities in their cloud native applications. Another industry report found that misconfigurations are now the #1 error leading to security breaches. This is clear evidence that configuration files can lead to security problems if not handled correctly.
The solution: infrastructure security built for developers that provides instant feedback early in the software application development lifecycle.
“With misconfigurations and known vulnerabilities being the top concern and incident driver, we need to rethink how developer teams should prioritize security work. With Snyk IaC for Terraform Cloud, developers can quickly and easily eliminate misconfigurations at the beginning of the development lifecycle,” said Jill Wilkins, Senior Director, Global Technical Alliances, at Snyk.
Bringing developer-first security to HashiCorp users
HashiCorp Terraform OSS is an open source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. Terraform provides an automated provisioning tool that can be used to provision and manage infrastructure across a wide variety of platforms and products. The vast HashiCorp Terraform provider ecosystem allows interaction with more than 1,000 products/tools. HashiCorp’s Terraform Cloud is Terraform offered as a managed service to provide everything practitioners, teams, and global businesses need to create and collaborate on infrastructure and manage risks for security, compliance, and operational constraints.
HashiCorp is partnering with Snyk to bring our hallmark developer-first security, which addresses vulnerabilities early in development, to infrastructure as code. The new partnership will make it as easy as possible for organizations to adopt IaC and eliminate misconfigurations.
The new Snyk integration provides high-level Snyk IaC configuration fixes and security advice in the terraform plan stage to detect potentially risky configurations before submitting code for review. This enables developers to fix issues before they are deployed to their production environments. For greater IaC security insights and context on misconfigurations presented in the Terraform Cloud UI, developers are directed back to Snyk to quickly fix insecure configurations and continue coding. Snyk not only makes developers aware of issues, it also helps them take action with context and advice around remediation.
“We’re excited to have Snyk as a technology partner,” said Asvin Ramesh, Senior Director, Alliances at HashiCorp. “Snyk provides a simple and free way to proactively ensure applications and infrastructure specifications are safe for organizations using Terraform across their development teams.”
Snyk documentation on integrating Snyk with Terraform Cloud can be found here.
For more information on Snyk’s IaC security, check out these resources:
View and report on all of your Snyk Infrastructure as Code configuration issues
Snyk IaC scanning enhancements include Azure and AWS infrastructure as code
In addition to providing a view into configuration issues in Terraform files, a free Snyk IaC account allows developers to automatically find, fix, and monitor vulnerabilities in code, open source, and containers, giving them a complete view of application security.
To get started, simply create a free Snyk account and follow the instructions to create a project from your repository. Within minutes you’ll have actionable fix advice for any issues that it finds. In order to use Snyk with Terraform Cloud, talk to the HashiCorp Sales team.