How to Use Snyk for Securing Your Azure Terraform

James Cook

What is Snyk IaC

Snyk IaC is a static analysis tool that identifies security misconfigurations in the way infrastructure code is written. Although this post covers its use with Terraform on Azure, it also supports other IaC tools, cloud platforms and programming languages.

Snyk integrates with DevOps platforms such as Azure DevOps and GitHub to scan repository code both on existing branches and on pull request branches as part of the review process. It can also catch misconfigurations before code is committed: installing the Snyk extension in your IDE gives developers inline messages stating why the code is vulnerable and how to fix it.

Snyk Signup

Visit https://snyk.io/ and click on the signup button. Snyk has a free version that allows unlimited contributors to the codebase you want to scan but limits the number of tests.

The free tier has a 300-test limit for IaC, which is enough for anyone starting out with IaC security to scan their codebase.

Snyk Extension on VS Code

You first need to install the Snyk extension in VS Code. You can do this by searching the extension marketplace for Snyk. The extension for Snyk is called Snyk Security and is verified with a checkmark like the one in the image below. Once found, select Install.

Once installed, you can select the Snyk icon from the side menu. You will be presented with a getting started window asking you to authenticate with Snyk. Select the Connect & Trust Workspace to start the login process.

Once you are authenticated, the browser shows the window below, from which you can switch back to VS Code.

You can then load a project containing Terraform and start a scan. Within the extension, select the play button to run a scan. I have demonstrated Terraform scan issues for this blog on some of my resources.

Within the configuration issues section, I can see the file that contains the issues with details.

When selecting the issue, you will be taken to the section of code that is misconfigured and a definition of the issue with a recommended fix.
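As an added illustration (not code from the post), the following constructed Terraform shows the kind of Azure misconfiguration a scan like the one above reports, with the weak settings beside the corrected block. It assumes azurerm provider 3.x attribute names and placeholder resource names; the lines marked `flagged` are the settings a misconfiguration scan is expected to highlight.

```hcl
# Constructed example: an Azure storage account written two ways.
# Attribute names assume azurerm provider 3.x; names are placeholders.

resource "azurerm_resource_group" "example" {
  name     = "rg-snyk-example" # placeholder
  location = "uksouth"
}

# Weak: plaintext HTTP allowed, old TLS accepted, containers can be made public.
resource "azurerm_storage_account" "weak" {
  name                     = "stexampleweak" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  enable_https_traffic_only       = false    # flagged: allows HTTP traffic
  min_tls_version                 = "TLS1_0" # flagged: deprecated TLS version
  allow_nested_items_to_be_public = true     # flagged: anonymous blob access possible
}

# Corrected: HTTPS only, TLS 1.2 minimum, no public containers, network restricted.
resource "azurerm_storage_account" "hardened" {
  name                     = "stexamplehardened" # placeholder
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "LRS"

  enable_https_traffic_only       = true
  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false
  public_network_access_enabled   = false

  network_rules {
    default_action = "Deny"
    bypass         = ["AzureServices"]
  }
}
```

Running the extension's scan over a file like this takes you to each flagged line in the first block, while the second block shows the shape of the recommended fix.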

Snyk Integrated with GitHub

On the initial load of your Snyk account, you are presented with the code scan window. Here, you can select the integration you want. For this post, we are using GitHub, so we are selecting this.

We are then asked to set permissions for public or private repos. As I want it to scan my private repositories, I have selected Private and public repositories.

Finally, in this window, I am asked to enable features. You can select Snyk Code for IaC-only scans or enable additional features within GitHub. Select Authenticate GitHub to start authenticating to GitHub.

Once you have authenticated to GitHub and authorised Snyk access to your repositories, you can import a repository from the list within the window it presents. Select a repository where you have Terraform code.

Once the import completes, you are presented with the configuration file's findings within a single pane. Any issues with the code will be highlighted here.


Written by

James Cook

Over 10 years of career experience in IT, currently focusing on improving my cloud and coding skills. I have set up this blog to share my knowledge and experience and, hopefully, to inspire others.