Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
9bacb09
commit ab0e6fe
Showing
2 changed files
with
69 additions
and
126 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,194 +1,137 @@ | ||
| # snyk iac -- Find security issues in your Infrastructure as Code files | ||
| # snyk iac -- find security issues in Infrastructure as Code files | ||
|
|
||
| ## Usage | ||
|
|
||
| `snyk iac <COMMAND> [<OPTIONS>] [<PATH>]` | ||
|
|
||
| ## Description | ||
|
|
||
| Find security issues in your Infrastructure as Code files. | ||
| The `snyk iac` command finds security issues in Infrastructure as Code files. | ||
|
|
||
| [For more information see the help page](https://docs.snyk.io/products/snyk-infrastructure-as-code) | ||
| For more information see [Synk CLI for Infrastructure as Code](https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code). | ||
|
|
||
| ## Commands | ||
|
|
||
| ### `test` | ||
| ## Command: `test` | ||
|
|
||
| Test for any known issue. | ||
|
|
||
| ## Options | ||
| ## Exit codes | ||
|
|
||
| ### `--detection-depth=<DEPTH>` | ||
| Possible exit codes and their meaning: | ||
|
|
||
| (only in `test` command) | ||
| Indicate the maximum depth of sub-directories to search. `<DEPTH>` must be a number. | ||
| **0**: success, no vulnerabilities found<br /> | ||
| **1**: action_needed, vulnerabilities found<br /> | ||
| **2**: failure, try to re-run command<br /> | ||
| **3**: failure, no supported projects detected<br /> | ||
|
|
||
| Default: No Limit | ||
| Example: `--detection-depth=3` | ||
| Will limit search to provided directory (or current directory if no `<PATH>` provided) plus two levels of subdirectories. | ||
| ## Configure the Snyk CLI | ||
|
|
||
| ### `--severity-threshold=low|medium|high|critical` | ||
| You can use environment variables to configure the Snyk CLI and also set variables to configure the Snyk CLI to connect with the Snyk API. See [Configure the Snyk CLI](https://docs.snyk.io/features/snyk-cli/configure-the-snyk-cli). | ||
|
|
||
| Only report configuration issues with the provided severity level or higher. Please note that the Snyk Infrastructure as Code configuration issues do not currently use the `critical` severity level. | ||
| ## Debug | ||
|
|
||
| ### `--ignore-policy` | ||
| Use the `-d` option to output the debug logs. | ||
|
|
||
| Ignores all set policies. The current policy in `.snyk` file, Org level ignores and the project policy on snyk.io. | ||
| ## Options | ||
|
|
||
| ### `--json` | ||
| ### `--detection-depth=<DEPTH>` | ||
|
|
||
| Prints results in JSON format. | ||
| Use with options as documented to indicate how many sub-directories to search. `DEPTH` must be a number. | ||
|
|
||
| ### `--json-file-output=<OUTPUT_FILE_PATH>` | ||
| Default: no limit. | ||
|
|
||
| (only in `test` command) | ||
| Save test output in JSON format directly to the specified file, regardless of whether or not you use the `--json` option. | ||
| This is especially useful if you want to display the human-readable test output via stdout and at the same time save the JSON format output to a file. | ||
| Example: `--detection-depth=3` limits search to the specified directory (or the current directory if no `<PATH>` is specified) plus three levels of subdirectories. | ||
|
|
||
| ### `--org=<ORG_NAME>` | ||
|
|
||
| Specify the `<ORG_NAME>` to run Snyk commands tied to a specific organization. This will influence private tests limits. | ||
| Specify the `<ORG_NAME>` to run Snyk commands tied to a specific organization. The <ORG_NAME> influences private test limits. | ||
|
|
||
| If you have multiple organizations, you can set a default from the CLI using: | ||
|
|
||
| `$ snyk config set org=<ORG_NAME>` | ||
|
|
||
| Setting a default will ensure all newly tested projects will be tested | ||
| under your default organization. If you need to override the default, you can use the `--org=<ORG_NAME>` argument. | ||
| Default: uses `<ORG_NAME>` that sets as default in your [Account settings](https://app.snyk.io/account) | ||
|
|
||
| ### `--policy-path=<PATH_TO_POLICY_FILE>` | ||
|
|
||
| Manually pass a path to a snyk policy file. | ||
|
|
||
| ### `--sarif` | ||
|
|
||
| Return results in SARIF format. | ||
|
|
||
| ### `--sarif-file-output=<OUTPUT_FILE_PATH>` | ||
|
|
||
| (only in `test` command) | ||
| Save test output in SARIF format directly to the `<OUTPUT_FILE_PATH>` file, regardless of whether or not you use the `--sarif` option. | ||
| This is especially useful if you want to display the human-readable test output via stdout and at the same time save the SARIF format output to a file. | ||
|
|
||
| ### `--scan=<TERRAFORM_PLAN_SCAN_MODE>` | ||
|
|
||
| Dedicated flag for Terraform plan scanning modes. | ||
| It enables to control whether the scan should analyse the full final state (e.g. `planned-values`), or the proposed changes only (e.g. `resource-changes`). | ||
| Default: If the `--scan` flag is not provided it would scan the proposed changes only by default. | ||
| Example #1: `--scan=planned-values` (full state scan) | ||
| Example #2: `--scan=resource-changes` (proposed changes scan) | ||
| Set a default to ensure all newly tested projects are tested under your default organization. If you need to override the default, use the `--org=<ORG_NAME>` option. | ||
|
|
||
| ### `--rules=<PATH_TO_CUSTOM_RULES_BUNDLE>` | ||
|
|
||
| Dedicated flag for Custom Rules scanning. | ||
| It enables the IaC scans to use a custom rules bundle generated via the `snyk-iac-rules` SDK. To download it and learn how to use it, go to | ||
| https://github.com/snyk/snyk-iac-rules. | ||
| This flag cannot be used if the custom rules settings were configured via the Snyk UI. | ||
| Default: If the `--rules` flag is not provided it would scan the configuration files using the internal Snyk rules only. | ||
| Example: `--rules=bundle.tar.gz` (scans the configuration files using custom rules and internal Snyk rules) | ||
|
|
||
| ### Flags available accross all commands | ||
|
|
||
| #### `--insecure` | ||
|
|
||
| Ignore unknown certificate authorities. | ||
|
|
||
| #### `-d` | ||
|
|
||
| Output debug logs. | ||
| Default: `<ORG_NAME>` that is the current preferred organization in your [Account settings](https://app.snyk.io/account). | ||
|
|
||
| #### `--quiet`, `-q` | ||
|
|
||
| Silence all output. | ||
|
|
||
| #### `--version`, `-v` | ||
|
|
||
| Prints versions. | ||
|
|
||
| #### `--help [<COMMAND>]`, `[<COMMAND>] --help`, `-h` | ||
|
|
||
| Prints a help text. You may specify a `<COMMAND>` to get more details. | ||
|
|
||
| ## Examples | ||
| ### `--ignore-policy` | ||
|
|
||
| [For more information see IaC help page](https://snyk.co/ucT6Q) | ||
| Ignore all set policies, the current policy in the `.snyk` file, Org level ignores, and the project policy on snyk.io. | ||
|
|
||
| ### `Test a CloudFormation file` | ||
| ### `--policy-path=<PATH_TO_POLICY_FILE>` | ||
|
|
||
| \$ snyk iac test /path/to/cloudformation_file.yaml | ||
| Manually pass a path to a `.snyk` policy file. | ||
|
|
||
| ### `Test a Kubernetes file` | ||
| ### `--json` | ||
|
|
||
| \$ snyk iac test /path/to/kubernetes_file.yaml | ||
| Print results in JSON format. | ||
|
|
||
| ### `Test a Terraform file` | ||
| ### `--json-file-output=<OUTPUT_FILE_PATH>` | ||
|
|
||
| \$ snyk iac test /path/to/terraform_file.tf | ||
| Save test output in JSON format directly to the specified file, regardless of whether or not you use the `--json` option. | ||
|
|
||
| ### `Test a Terraform plan file` | ||
| This is especially useful if you want to display the human-readable test output using stdout and at the same time save the JSON format output to a file. | ||
|
|
||
| \$ terraform plan -out=tfplan.binary | ||
| \$ terraform show -json tfplan.binary > tf-plan.json | ||
| \$ snyk iac test tf-plan.json | ||
| ### `--sarif` | ||
|
|
||
| ### `Test an ARM file` | ||
| Return results in SARIF format. | ||
|
|
||
| \$ snyk iac test /path/to/arm_file.json | ||
| ### `--sarif-file-output=<OUTPUT_FILE_PATH>` | ||
|
|
||
| ### `Test matching files in a directory` | ||
| Save test output in SARIF format directly to the <OUTPUT_FILE_PATH> file, regardless of whether or not you use the `--sarif` option. | ||
|
|
||
| \$ snyk iac test /path/to/directory | ||
| This is especially useful if you want to display the human-readable test output using stdout and at the same time save the SARIF format output to a file. | ||
|
|
||
| ### `Test matching files in a directory using a local custom rules bundle` | ||
| ### `--severity-threshold=low|medium|high|critical` | ||
|
|
||
| \$ snyk iac test /path/to/directory --rules=bundle.tar.gz | ||
| Report only vulnerabilities at the specified level or higher. | ||
|
|
||
| ## Environment | ||
| ### `--scan=<TERRAFORM_PLAN_SCAN_MODE>` | ||
|
|
||
| You can set these environment variables to change CLI settings. | ||
| Use this dedicated option for Terraform plan scanning modes to control whether the scan analyze the full final state (for example, `planned-values`), or the proposed changes only (for example, `resource-changes`). | ||
|
|
||
| ### `SNYK_TOKEN` | ||
| Default: If the `--scan` option is not specified, scan the proposed changes only by default. | ||
| Example 1: `--scan=planned-values` (full state scan) | ||
| Example 2: `--scan=resource-changes` (proposed changes scan) | ||
|
|
||
| Snyk authorization token. Setting this envvar will override the token that may be available in your `snyk config` settings. | ||
| ### `--rules=<PATH_TO_CUSTOM_RULES_BUNDLE>` | ||
|
|
||
| [How to get your account token](https://snyk.co/ucT6J)<br /> | ||
| [How to use Service Accounts](https://snyk.co/ucT6L)<br /> | ||
| Use this dedicated option for Custom Rules scanning to enable the IaC scans to use a custom rules bundle generated with the `snyk-iac-rules` SDK. See [Download learn how to use the SDK](https://github.com/snyk/snyk-iac-rules). | ||
|
|
||
| ### `SNYK_CFG_KEY` | ||
| This option cannot be used if the custom rules settings were configured with the Snyk UI. | ||
| Default: If the `--rules` flag is not specified, scan the configuration files using the internal Snyk rules only. | ||
|
|
||
| Allows you to override any key that's also available as `snyk config` option. | ||
| Example: `--rules=bundle.tar.gz` (Scan the configuration files using custom rules and internal Snyk rules.) | ||
|
|
||
| E.g. `SNYK_CFG_ORG=myorg` will override default org option in `config` with "myorg". | ||
| ## Examples for the iac test command | ||
|
|
||
| ### `SNYK_REGISTRY_USERNAME` | ||
| [For more information see [Synk CLI for Infrastructure as Code](https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code). | ||
|
|
||
| Specify a username to use when connecting to a container registry. Note that using the `--username` flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. | ||
| ### Test a CloudFormation file | ||
|
|
||
| ### `SNYK_REGISTRY_PASSWORD` | ||
| `$ snyk iac test /path/to/cloudformation_file.yaml` | ||
|
|
||
| Specify a password to use when connecting to a container registry. Note that using the `--password` flag will override this value. This will be ignored in favour of local Docker binary credentials when Docker is present. | ||
| ### Test a Kubernetes file | ||
|
|
||
| ### Connecting to Snyk API | ||
| `$ snyk iac test /path/to/kubernetes_file.yaml` | ||
|
|
||
| By default Snyk CLI will connect to `https://snyk.io/api/v1`. | ||
| ### Test a Terraform file | ||
|
|
||
| #### `SNYK_API` | ||
| `$ snyk iac test /path/to/terraform_file.tf` | ||
|
|
||
| Sets API host to use for Snyk requests. Useful for on-premise instances and configuring proxies. If set with `http` protocol CLI will upgrade the requests to `https`. Unless `SNYK_HTTP_PROTOCOL_UPGRADE` is set to `0`. | ||
| ### Test a Terraform plan file | ||
|
|
||
| #### `SNYK_HTTP_PROTOCOL_UPGRADE=0` | ||
| `$ terraform plan -out=tfplan.binary` | ||
| `$ terraform show -json tfplan.binary > tf-plan.json` | ||
| `$ snyk iac test tf-plan.json` | ||
|
|
||
| If set to the value of `0`, API requests aimed at `http` URLs will not be upgraded to `https`. If not set, the default behavior will be to upgrade these requests from `http` to `https`. Useful e.g., for reverse proxies. | ||
| ### Test an ARM file | ||
|
|
||
| #### `HTTPS_PROXY` and `HTTP_PROXY` | ||
| `$ snyk iac test /path/to/arm_file.json` | ||
|
|
||
| Allows you to specify a proxy to use for `https` and `http` calls. The `https` in the `HTTPS_PROXY` means that _requests using `https` protocol_ will use this proxy. The proxy itself doesn't need to use `https`. | ||
| ### Test matching files in a directory | ||
|
|
||
| ## Exit codes | ||
| `$ snyk iac test /path/to/directory` | ||
|
|
||
| Possible exit codes and their meaning: | ||
| ### Test matching files in a directory using a local custom rules bundle | ||
|
|
||
| **0**: success, no vulns found<br /> | ||
| **1**: action_needed, vulns found<br /> | ||
| **2**: failure, try to re-run command<br /> | ||
| **3**: failure, no supported projects detected<br /> | ||
| `$ snyk iac test /path/to/directory --rules=bundle.tar.gz` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters