Skip to main content

Snyk IaC public beta introduces Terraform plan analysis

Written by:
Ron Tal
Ron Tal
wordpress-sync/Blog-iac-header-1

April 22, 2021

0 mins read

We’re happy to share new beta features of Snyk Infrastructure as Code (Snyk IaC) inside the Snyk CLI, adding support for Terraform plan scanning, plus performance and security improvements.

Adding support for scanning Terraform plans

The Snyk CLI already allows users to scan Terraform and Kubernetes files locally or in CI/CD, so you can get instant feedback as you write and commit your configurations. That works well for individual changes, but if you want to get a collective look at all the changes you’re about to apply to your existing infrastructure, taking into account variables, etc., scanning the Terraform plan file is the way to go.

This CLI beta for Snyk IaC can now be provided with a terraform plan JSON file to detect if the proposed changes will introduce any new security vulnerabilities to your current cloud infrastructure. In the example below, you can see a simple workflow where I’ve created a tfplan file, converted it to JSON format, and then run Snyk IaC against the JSON. Notice the --experimental flag in the Snyk command—that’s all you need to do to try out this feature if you have the latest version of the Snyk CLI.

1$ snyk -v
21.563.0
3
4$ terraform plan -out=tfplan
5$ terraform show --json tfplan > tfplan.json
6
7$ snyk iac test tfplan.json --experimental 
8Testing tfplan.json...
9
10Infrastructure as code issues:
11  ✗ S3 Bucket is publicly readable and writable [High Severity] [SNYK-CC-TF-19] in S3
12    introduced by resource > aws_s3_bucket[pictures-of-snyky-dogs] > acl
13
14  ✗ S3 bucket MFA delete control disabled [Low Severity] [SNYK-CC-TF-127] in S3
15    introduced by aws_s3_bucket[pictures-of-snyky-dogs] > versioning > mfa_delete
16
17  ✗ S3 bucket versioning disabled [Low Severity] [SNYK-CC-TF-124] in S3
18    introduced by aws_s3_bucket[pictures-of-snyky-dogs] > versioning > enabled
19
20Organization:      purple-dobie
21Type:              Terraform
22Target file:       tfplan.json
23Project name:      iac-tfplan-demo
24Open source:       no
25Project path:      tfplan.json
26
27Tested tfplan.json for known issues, found 3 issues

Another benefit of being able to scan the Terraform plan is that tools in the Terraform ecosystem can easily work with Snyk IaC, too. We have several customers using tools like Terragrunt and Atlantis, and since both of them can output a Terraform plan, we can scan them with Snyk IaC. If you’re using tools like these from the Terraform ecosystem, we’d love to hear if scanning the plan output helps in your workflows.

Keeping your IaC configuration and secrets confidential

Scanning a Terraform plan is great for visibility across the larger configuration changes, and for incorporating modules and variables. But in most cases, this stage also involves handling sensitive infrastructure data and secrets and we know it’s critical that this information is handled securely. Scans you run using the --experimental flag    are now run locally, ensuring your sensitive configuration data never leaves your environment. This applies to any IaC scan you run with the CLI, including Terraform or Kubernetes file scanning or when using Snyk IaC in your CI pipelines and will become the default behavior when the beta period wraps up. The change in how we scan also boosts our scanning performance, so if you have directories with 100s of individual Terraform files (or Kubernetes definitions, for that matter), we’d love to have you run tests with this beta and hear your feedback.

Latest IaC security rules and custom severities

Our static analysis detection mechanism will scan the proposed resource changes in the provided terraform execution plan, and will assert them against our ever-growing set of security rules, which are publicly documented on Snyk’s website (another new Snyk IaC feature from our security research team!). These rules are based on the latest security standards from all modern cloud providers such as AWS, GCP, and Azure. Upon running snyk iac test --experimental, the Snyk CLI automatically consumes the latest set of security rules from our servers, including any custom severities you may have configured, without compromising security of your sensitive infrastructure as code files, having all static analysis and processing happen locally on your machine.

How to get started with the Snyk IaC beta

The beta features are available to everyone to try, including users on free plans. Getting started is simple:

  1. If you don’t already have a Snyk account, sign up for free.

  2. Install the Snyk CLI. If you already have the Snyk CLI installed, verify you have CLI 1.563.0 or newer to get the latest beta features.

  3. Scan your Terraform and Kubernetes files!

    1. The main command for scanning IaC with the new beta features is:snyk iac test --experimental <path-to-file-or-folder>You can learn more about the various scanning options we support in our Snyk IaC docs or via the CLI docs by running:snyk iac --help

    2. To scan Terraform plans, you’ll need to generate a JSON formatted output which you can get via terraform show, as shown in the examples above and documented by Terraform.

In addition to local CLI scans, you can use Snyk IaC for more use cases like:

  • SCM integration for recurring auto-scanning of your Git repositories, in order to detect Terraform and Kubernetes misconfigurations in your source control.

  • Incorporating Snyk IaC in your CI/CD pipelines for shifting left security and making it a part of your ongoing SDLC.

We’d love to hear your feedback! If you’re already a Snyk customer your customer success team is a great route for product feedback, but we welcome comments in our Snyk Community forum from all.

Posted in: