snyk

# IAC test ## Usage `snyk iac test [<OPTIONS>] [<PATH>]` ## Description The `snyk iac test` command tests for any known security issue. See also the help for [`iac describe`](https://docs.snyk.io/snyk-cli/commands/iac-describe) and [`iac-gendriftignore`](https://docs.snyk.io/snyk-cli/commands/iac-gen-driftignore)`` For more information see [Snyk CLI for Infrastructure as Code](https://docs.snyk.io/products/snyk-infrastructure-as-code/snyk-cli-for-infrastructure-as-code). ## Exit codes Possible exit codes and their meaning: **0**: success, no vulnerabilities found\ **1**: action_needed, vulnerabilities found\ **2**: failure, try to re-run command\ **3**: failure, no supported projects detected ## Configure the Snyk CLI You can use environment variables to configure the Snyk CLI and also set variables to configure the Snyk CLI to connect with the Snyk API. See [Configure the Snyk CLI](https://docs.snyk.io/snyk-cli/configure-the-snyk-cli). ## Debug Use the `-d` option to output the debug logs. ## Options ### `--detection-depth=<DEPTH>` Use to indicate how many sub-directories to search. `DEPTH` must be a number. Default: no limit. Example: `--detection-depth=3` limits search to the specified directory (or the current directory if no `<PATH>` is specified) plus three levels of subdirectories. ### `--org=<ORG_ID>` Specify the `<ORG_ID>` to run Snyk commands tied to a specific organization. The `<ORG_ID>` influences private test limits. If you have multiple organizations, you can set a default from the CLI using: `$ snyk config set org=<ORG_ID>` Set a default to ensure all newly tested projects are tested under your default organization. If you need to override the default, use the `--org=<ORG_ID>` option. Default: `<ORG_ID>` that is the current preferred organization in your [Account settings](https://app.snyk.io/account). For more information see the article [How to select the organization to use in the CLI](https://support.snyk.io/hc/en-us/articles/360000920738-How-to-select-the-organization-to-use-in-the-CLI). ### `--ignore-policy` Ignore all set policies, the current policy in the `.snyk` file, Org level ignores, and the project policy on snyk.io. ### `--policy-path=<PATH_TO_POLICY_FILE>` Manually pass a path to a `.snyk` policy file. ### `--json` Print results in JSON format. Example: `$ snyk iac test --json-file-output=vuln.json` ### `--json-file-output=<OUTPUT_FILE_PATH>` Save test output in JSON format directly to the specified file, regardless of whether or not you use the `--json` option. This is especially useful if you want to display the human-readable test output using stdout and at the same time save the JSON format output to a file. ### `--sarif` Return results in SARIF format. ### `--sarif-file-output=<OUTPUT_FILE_PATH>` Save test output in SARIF format directly to the \<OUTPUT_FILE_PATH> file, regardless of whether or not you use the `--sarif` option. This is especially useful if you want to display the human-readable test output using stdout and at the same time save the SARIF format output to a file. ### `--project-business-criticality=<BUSINESS_CRITICALITY>[,<BUSINESS_CRITICALITY>]...>` This can be used in combination with the `--report` option. Set the project business criticality project attribute to one or more values (comma-separated). To clear the project business criticality set `--project-business-criticality=`. Allowed values: `critical, high, medium, low` For more information see [Project attributes](https://docs.snyk.io/getting-started/introduction-to-snyk-projects/view-project-information/project-attributes). ### `--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>` This can be used in combination with the `--report` command. Set the project environment project attribute to one or more values (comma-separated). To clear the project environment set `--project-environment=`. Allowed values: `frontend, backend, internal, external, mobile, saas, onprem, hosted, distributed` For more information see [Project attributes](https://docs.snyk.io/getting-started/introduction-to-snyk-projects/view-project-information/project-attributes). ### `--project-lifecycle=<LIFECYCLE>[,<LIFECYCLE>]...>` This can be used in combination with the `--report` command. Set the project lifecycle project attribute to one or more values (comma-separated). To clear the project lifecycle set `--project-lifecycle=`. Allowed values: `production, development, sandbox` For more information see [Project attributes](https://docs.snyk.io/getting-started/introduction-to-snyk-projects/view-project-information/project-attributes). ### `--project-tags=<TAG>[,<TAG>]...>` This can be used in combination with the `--report` command. Set the project tags to one or more values (comma-separated key value pairs with an "=" separator), for example, `--project-tags=department=finance,team=alpha`. To clear the project tags set `--project-tags=` ### `--report` Share results with the Snyk App. This creates a project in your Synk account with a snapshot of the current configuration issues. After running this command, log in to the Snyk website and view your projects to see the monitor. Example: `$ snyk iac test --report` Note: This option cannot be used in combination with the `--rules` option. ### `--rules=<PATH_TO_CUSTOM_RULES_BUNDLE>` Use this dedicated option for Custom Rules scanning to enable the IaC scans to use a custom rules bundle generated with the `snyk-iac-rules` SDK. See [`snyk-iac-rules` SDK](https://github.com/snyk/snyk-iac-rules#readme). This option cannot be used if the custom rules settings were configured with the Snyk UI. Default: If the `--rules` flag is not specified, scan the configuration files using the internal Snyk rules only. Example: `--rules=bundle.tar.gz` (Scan the configuration files using custom rules and internal Snyk rules.) Note: This option can not be used in combination with the `--report` option. ### `--severity-threshold=<low|medium|high|critical>` Report only vulnerabilities at the specified level or higher. ### `--scan=<TERRAFORM_PLAN_SCAN_MODE>` Use this dedicated option for Terraform plan scanning modes to control whether the scan analyzes the full final state (for example, `planned-values`), or the proposed changes only (for example, `resource-changes`). Default: If the `--scan` option is not specified, scan the proposed changes only by default. Example 1: `--scan=planned-values` (full state scan)\ Example 2: `--scan=resource-changes` (proposed changes scan) ### `--target-reference=<TARGET_REFERENCE>` This can be used in combination with the `--report` command. Specify a reference which differentiates this project, for example, a branch name or version. Projects having the same reference can be grouped based on that reference. Example setting to the current Git branch: `snyk iac test myproject/ --report --target-reference="$(git branch --show-current)"` \ Example setting to the latest Git tag : `snyk iac test myproject/ --report --target-reference="$(git describe --tags --abbrev=0)"` ## Examples for snyk iac test command For more information see Synk CLI for Infrastructure as Code. ### Test a CloudFormation file ``` $ snyk iac test /path/to/cloudformation_file.yaml ``` ### Test a Kubernetes file ``` $ snyk iac test /path/to/kubernetes_file.yaml ``` ### Test a Terraform file ``` $ snyk iac test /path/to/terraform_file.tf ``` ### Test a Terraform plan file ``` $ terraform plan -out=tfplan.binary $ terraform show -json tfplan.binary > tf-plan.json $ snyk iac test tf-plan.json ``` ### Test an ARM file ``` $ snyk iac test /path/to/arm_file.json ``` ### Test matching files in a directory ``` $ snyk iac test /path/to/directory ``` ### Test matching files in a directory using a local custom rules bundle ``` $ snyk iac test /path/to/directory --rules=bundle.tar.gz ```