Snyk brings infrastructure as code security to HashiCorp Terraform Cloud

Marco Morales and Sarah Conway, May 4, 2022

In our mission to make Terraform Cloud workflows more streamlined and secure, we’re excited to announce our new native integration into HashiCorp Terraform Cloud. This integration embeds the security expertise and developer-friendly fixes of Snyk Infrastructure as Code (Snyk IaC) directly into Terraform Cloud, making the Terraform Cloud workflow one of the safest ways to provision and manage public cloud infrastructure.

In this blog post, we’ll cover why we built this, what a workflow in Terraform Cloud with the Snyk IaC run task looks like, and offer resources to quickly get started with improving your IaC security in every Terraform run task.

Why integrate with Terraform Cloud?

As the use of infrastructure as code continues to grow, development teams are increasingly tasked with writing and maintaining more configurations. But with growing usage comes increased risk. Developers are increasingly responsible for the security and compliance of their cloud deployments as well.

The problem is that knowing how to provision infrastructure securely is a major hurdle for development teams. The Snyk State of Cloud Native Application Security Report found that 69% of respondents had a misconfiguration or known unpatched vulnerability in their cloud native applications.

We built the Snyk Terraform run task integration to help developers more easily find and fix IaC misconfigurations and noncompliant security issues while they’re coding, reducing the risk of insecure infrastructure well before it’s deployed. This developer-first approach helps Terraform Cloud users securely define and manage cloud infrastructure across all major cloud providers, including AWS, Azure, and Google Cloud.

Snyk integrates into run tasks, automating security and compliance for developers.

How does Snyk IaC automate security and compliance in a run?

Snyk IaC scans configuration files for Terraform and provides immediate feedback related to security and compliance. This helps developers prevent cloud misconfigurations early on — and throughout the delivery process — so they can ship more secure configurations in less time.

Snyk scanning uses static analysis to compare IaC files against its predefined set of security rules, which are based on industry standards, cloud provider best practices, and threat modeling of new and emerging threats by Snyk security engineers.

Along with these rules, Snyk takes custom policies into account when scanning for potential misconfigurations in Terraform files.

What does a Snyk run task in Terraform Cloud look like?

The Snyk integration for Terraform Cloud enables development teams to scan Terraform Plan JSON files — which are previews of potential infrastructure changes — and compare the output against best practice security policies for all major public cloud providers and Kubernetes. Compatibility with Terraform Plan files also enables Snyk to improve security for other tools that output these files, such as Terragrunt and Atlantis.

More importantly, scanning Terraform Plan files, rather than individual files, allows developers to take a collective look at proposed changes to the infrastructure and minimize the risk of post-deployment surprises. The Terraform Plan file incorporates all modules and variables, offering a comprehensive picture of what the infrastructure will look like rather than relying solely on the resources specified in the individual configuration files.

In short, by using the Snyk run task in Terraform Cloud as a gate in your run, misconfigurations are automatically discovered before proposed changes are applied to the existing cloud infrastructure. This enables developers to shift IaC security left and make Terraform security an integral part of the development process.

A failed snyk-run-task prevents a publicly accessible resource from being deployed.

You can additionally customize the level of enforcement of your Snyk run task by choosing between Advisory — pausing and informing the user of failure — or Mandatory — which halts a run until a fix has been applied.

Customize enforcement level of policies to pause or prevent an Apply.
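To make the gate described above concrete, here is an added example (not Snyk's scanner or any Snyk code) that reads the `resource_changes` section of a `terraform show -json` plan, applies two hypothetical rules (world-open security group ingress and a public bucket ACL), and maps the findings to the advisory or mandatory run-task outcome. The plan excerpt is constructed for the example.

```python
import json

# Constructed plan excerpt (not real infrastructure): a security group that
# opens SSH to the world and a bucket that stays private.
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"acl": "private"}}},
]})

WORLD = {"0.0.0.0/0", "::/0"}

def check_public_ingress(after):
    """Hypothetical rule: an ingress rule reachable from any address."""
    for rule in after.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if cidrs & WORLD:
            yield f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"

def check_public_acl(after):
    """Hypothetical rule: a bucket ACL that grants public access."""
    if after.get("acl") in ("public-read", "public-read-write"):
        yield f"bucket ACL {after['acl']} is public"

RULES = {"aws_security_group": check_public_ingress, "aws_s3_bucket": check_public_acl}

def scan_plan(plan_json):
    """Return (resource address, message) findings for resources the plan creates or updates."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] == ["delete"] or change.get("after") is None:
            continue  # nothing new is provisioned, so there is nothing to gate on
        rule = RULES.get(rc["type"])
        for msg in (rule(change["after"]) if rule else []):
            findings.append((rc["address"], msg))
    return findings

def run_task_outcome(findings, enforcement="advisory"):
    """Map findings to the run-task result: 'passed', 'pause' (advisory) or 'halt' (mandatory)."""
    if not findings:
        return "passed"
    return "halt" if enforcement == "mandatory" else "pause"

if __name__ == "__main__":
    found = scan_plan(PLAN_JSON)
    for address, msg in found:
        print(f"{address}: {msg}")
    print("run task:", run_task_outcome(found, "mandatory"))  # halt: apply is blocked
```

Because the plan already has modules and variables resolved, the rules see the final attribute values rather than the raw HCL, which is the point made above about scanning plan files instead of individual configuration files.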

For every misconfiguration or noncompliance issue, Snyk provides structured security context and fix guidance geared towards the developer: the issue, its impact, and a suggested fix, shown in line with the Terraform code in question.

Security context and fix guidance in code shown in Snyk.

Resources for getting started with Snyk in Terraform Cloud

As part of Snyk’s effort to help developers solve configuration security issues, Snyk and HashiCorp created the 5 Best Practices for Securing Terraform Configurations cheat sheet to enable organizations to improve their IaC security and leverage policy as code with the Snyk run task for Terraform Cloud.

To get started, use our Streamline your IaC Security with Snyk and HashiCorp quick start guide to help your development teams quickly implement the Snyk and Terraform Cloud integration for detecting security vulnerabilities and enforcing security policies in minutes.
