New Features
  1. Docs Library | Snyk
  2. Infrastructure as code
  3. Snyk CLI for Infrastructure as Code

Articles in this section

Test your Kubernetes files with our CLI tool

With Snyk Infrastructure as Code, you can test your configuration files directly from the CLI.

You can scan both your Kubernetes and Terraform files using the CLI.

Snyk Infrastructure as Code supports:

  • Deployments, Pods and Services.
  • CronJobs, Jobs, StatefulSet, ReplicaSet, DaemonSet, and ReplicationController.

You can use the CLI as follows:

To test for an issue on specified files:

snyk iac test <my-kubernetes-filepath>

For example, from the CLI enter the following:

snyk iac test deploy.yaml

You can also specify multiple files by appending the file names after each other, such as:

snyk iac test file-1.yaml file-2.yaml

the CLI also supports .json formatted files such as snyk iac test deploy.json

To test for an issue on a directory of files:

You can scan a directory of files recursively upto three levels deep.

For example, to scan all directories relative to your current path

snyk iac test

Or you can specify a specific folder to scan and recurse through

snyk iac test my-folder

To output the test format as JSON:

snyk iac test <my-configuration-filepath> --json

This can be helpful if you want to store a snapshot of the results locally, or process the results in another tool for reporting and further analysis. 

For example, from the CLI enter the following:

snyk iac test deploy.yaml --json

To output the test format as SARIF:

SARIF is an open-standard for the output of static analysis tools.

You can view and save the results of your tests as a SARIF file for analysis in another tool.

snyk iac test deploy.yaml --sarif

Or to save this to a file output, you can run

snyk iac test deploy.yaml --sarif-file-output=snyk.sarif

To only display issues above a specific severity level:

snyk iac test <my-configuration-filepath> --severity-threshold=<low|medium|high>

For example, from the CLI enter the following:

snyk iac test deploy.yaml --severity-threshold=medium

This will only display to the terminal results that have a severity value of medium or higher.

To scan a Helm chart using the CLI

You scan a Helm chart by converting the template to a rendered Kuberenetes manifest file and then scanning this using the Snyk IaC CLI. 

helm template ./iac-helm > helm.yaml
snyk iac test helm.yaml

change `iac-helm` for your Helm chart name.