With Snyk Infrastructure as Code, you can test your configuration files directly from the CLI.
You can scan both your Kubernetes and Terraform files using the CLI.
Snyk Infrastructure as Code supports:
- Deployments, Pods and Services.
- CronJobs, Jobs, StatefulSet, ReplicaSet, DaemonSet, and ReplicationController.
You can use the CLI as follows:
To test for an issue on specified files:
snyk iac test <my-kubernetes-filepath>
For example, from the CLI enter the following:
snyk iac test deploy.yaml
You can also specify multiple files by appending the file names after each other, such as:
snyk iac test file-1.yaml file-2.yaml
The CLI also supports .json formatted files, for example:
snyk iac test deploy.json
To test for an issue on a directory of files:
You can scan a directory of files recursively, up to three levels deep.
For example, to scan all directories relative to your current path:
snyk iac test
Or you can specify a folder to scan and recurse through:
snyk iac test my-folder
To output the test format as JSON:
snyk iac test <my-configuration-filepath> --json
This can be helpful if you want to store a snapshot of the results locally, or process the results in another tool for reporting and further analysis.
For example, from the CLI enter the following:
snyk iac test deploy.yaml --json
To output the test format as SARIF:
SARIF is an open standard for the output of static analysis tools.
You can view and save the results of your tests as a SARIF file for analysis in another tool.
snyk iac test deploy.yaml --sarif
Or, to save the results to a file, run:
snyk iac test deploy.yaml --sarif-file-output=snyk.sarif
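One way to process a saved SARIF file in another tool, as an added example that is not Snyk's own code: it flattens the results of every run and returns a CI exit code when any finding reaches a chosen SARIF level. The sample report, the rule IDs and the function names `findings` and `gate` are constructed for illustration, and no particular mapping from Snyk severities to SARIF levels is assumed.

```python
import json
from collections import Counter

# Constructed SARIF 2.1.0 sample for illustration; not real Snyk output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "EXAMPLE-RULE-1", "defaultConfiguration": {"level": "error"}},
        {"id": "EXAMPLE-RULE-2"}]}},
    "results": [
        {"ruleId": "EXAMPLE-RULE-1", "message": {"text": "constructed finding A"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "deploy.yaml"}, "region": {"startLine": 12}}}]},
        {"ruleId": "EXAMPLE-RULE-2", "level": "note",
         "message": {"text": "constructed finding B"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "deploy.yaml"}}}]},
        {"ruleId": "EXAMPLE-RULE-2", "message": {"text": "constructed finding C"}},
    ]}]})

LEVEL_ORDER = {"none": 0, "note": 1, "warning": 2, "error": 3}

def findings(sarif_text):
    """Flatten all runs into (level, rule_id, uri, line, message) tuples."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        defaults = {r.get("id"): r.get("defaultConfiguration", {}).get("level")
                    for r in rules}
        for res in run.get("results") or []:
            rule_id = res.get("ruleId", "")
            # An absent result level falls back to the rule default, then "warning".
            level = res.get("level") or defaults.get(rule_id) or "warning"
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no location>")
            line = loc.get("region", {}).get("startLine")
            out.append((level, rule_id, uri, line, res.get("message", {}).get("text", "")))
    return out

def gate(sarif_text, fail_at="error"):
    """Return (exit_code, counts); exit_code is 1 if any finding is at or above fail_at."""
    counts = Counter(row[0] for row in findings(sarif_text))
    failed = any(LEVEL_ORDER.get(lv, 2) >= LEVEL_ORDER[fail_at] for lv in counts)
    return (1 if failed else 0), dict(counts)

if __name__ == "__main__":
    # Replace SAMPLE_SARIF with open("snyk.sarif").read() to read a saved report.
    for row in findings(SAMPLE_SARIF):
        print(*row, sep="\t")
    code, counts = gate(SAMPLE_SARIF)
    raise SystemExit(code)
```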
To only display issues above a specific severity level:
snyk iac test <my-configuration-filepath> --severity-threshold=<low|medium|high>
For example, from the CLI enter the following:
snyk iac test deploy.yaml --severity-threshold=medium
This displays only results with a severity of medium or higher in the terminal.
To scan a Helm chart using the CLI:
You scan a Helm chart by converting the template to a rendered Kubernetes manifest file and then scanning that file with the Snyk IaC CLI.
helm template ./iac-helm > helm.yaml
snyk iac test helm.yaml
Replace `iac-helm` with your Helm chart name.