With Snyk Infrastructure as Code, you can scan both your static configuration files and Terraform Plan output using the CLI.
| | Terraform configuration files | Terraform Plan file |
|---|---|---|
| Identify configuration issues | Yes | Yes |
| Scan Terraform Modules | No | Yes |
Terraform Configuration Files
You can scan the configuration files themselves, e.g. `main.tf`, using the CLI.
When scanning static files, the values assigned to declared variables and the contents of any referenced external modules are not taken into account; only what is written in the files being scanned is evaluated.
To scan configuration files, specify either a single file name or a whole directory:

```shell
snyk iac test main.tf
snyk iac test .
```
Terraform Plan is the step that runs between writing your configuration files and deploying those changes. `$ terraform plan` identifies the changes that need to be made to your target environment in order to match your desired state.
As part of this planning stage, variable values are resolved and any referenced Terraform Modules are expanded.
This means the Terraform plan output provides a complete artefact to be scanned from a security perspective.
You can scan this artefact using the Snyk IaC CLI as of version `1.511.0`.
Scanning of this artefact is only available behind the `--experimental` flag whilst it is in beta. Execution happens locally: the plan file is not sent to Snyk to be processed.
To scan Terraform Plan output, you must provide the `--experimental` flag, and the file must be named `tf-plan.json`:

```shell
snyk iac test tf-plan.json --experimental
```

If you do not already have your Terraform plan output saved as a JSON file, generate it from a saved plan first:

```shell
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tf-plan.json
```

Both the binary plan and the JSON plan are considered sensitive (they carry the resolved values of your variables and the planned resource attributes), so committing them to source control is not recommended.
Results from scanning the static files and from scanning the plan output can differ.
This can be due to the following:
- Variables - Terraform Plan output takes into account the values stored in variables; the static scan does not
- Terraform Modules - Terraform Plan output will include any configuration issues found in Terraform Modules that you may be using; the static scan does not look inside modules
- Delta - By default, scanning the Terraform Plan output only reports configuration issues in the resources the plan will change, not in the whole deployment, whereas the static scan looks at all of the files
If you have found a discrepancy that you cannot explain with the above, please raise a support ticket.
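The three sources of discrepancy above can be checked directly in the `tf-plan.json` file before raising a ticket. The following is an added example, not code from the page or from Snyk: it parses the plan JSON written by `terraform show -json` and reports which resources the plan changes, which it leaves untouched, which come from modules, and which variable values it carries. The sample plan is constructed for this example, and the assumption that a delta-only scan covers exactly the resources whose action is not `no-op` is an interpretation of the page's "Delta" point, not a description of Snyk's internals.

```python
import json
from collections import defaultdict

# Constructed, trimmed stand-in for `terraform show -json` output (the file the
# page calls tf-plan.json). Addresses, attribute values and variable values are
# made up for this example; they are not from Snyk or from any real plan.
SAMPLE_PLAN_JSON = """
{
  "format_version": "1.0",
  "variables": {"db_password": {"value": "hunter2"}, "bucket_name": {"value": "example-logs"}},
  "resource_changes": [
    {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket", "name": "logs",
     "change": {"actions": ["create"], "before": null,
                "after": {"bucket": "example-logs", "acl": "public-read"}}},
    {"address": "module.db.aws_db_instance.main", "module_address": "module.db", "mode": "managed",
     "type": "aws_db_instance", "name": "main",
     "change": {"actions": ["update"], "before": {"publicly_accessible": false},
                "after": {"publicly_accessible": true}}},
    {"address": "aws_security_group.web", "mode": "managed", "type": "aws_security_group", "name": "web",
     "change": {"actions": ["no-op"], "before": {"cidr_blocks": ["0.0.0.0/0"]},
                "after": {"cidr_blocks": ["0.0.0.0/0"]}}},
    {"address": "aws_instance.old", "mode": "managed", "type": "aws_instance", "name": "old",
     "change": {"actions": ["delete", "create"], "before": {"ami": "ami-0000"},
                "after": {"ami": "ami-1111"}}}
  ]
}
"""


def load_plan(text):
    """Parse a plan JSON document as written by `terraform show -json`."""
    return json.loads(text)


def action_of(resource_change):
    """Collapse Terraform's `actions` list into a single label.

    Terraform emits ["no-op"], ["create"], ["read"], ["update"], ["delete"],
    or a two-element list for a replacement (["delete", "create"] or
    ["create", "delete"]).
    """
    actions = resource_change["change"]["actions"]
    if len(actions) == 2 and set(actions) == {"create", "delete"}:
        return "replace"
    return actions[0]


def summarize_changes(plan):
    """Group resource addresses by the action the plan will take on them."""
    by_action = defaultdict(list)
    for rc in plan.get("resource_changes", []):
        by_action[action_of(rc)].append(rc["address"])
    return dict(by_action)


def changed_resources(plan):
    """Resources the plan will actually touch.

    Assumption for this example: these are what a delta-only scan of the plan
    reports on, since an unchanged resource carries no change to evaluate.
    """
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if action_of(rc) != "no-op"]


def unchanged_resources(plan):
    """Resources the plan leaves as they are (action no-op).

    A misconfiguration here, such as the open security group in the sample,
    is still present in the .tf files, so only the static scan would see it.
    """
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if action_of(rc) == "no-op"]


def module_resources(plan):
    """Resources that come from a Terraform module (they carry module_address).

    They are in the plan, which is why the plan scan can report on them while
    a static scan of the root files cannot.
    """
    return [rc["address"] for rc in plan.get("resource_changes", [])
            if rc.get("module_address")]


def resolved_variables(plan):
    """Names of the variables whose concrete values the plan file carries.

    These values (a database password in the sample) are why tf-plan.json is
    sensitive and should not be committed to source control.
    """
    return sorted(plan.get("variables", {}))


if __name__ == "__main__":
    plan = load_plan(SAMPLE_PLAN_JSON)
    for action, addresses in summarize_changes(plan).items():
        print(f"{action:8} {', '.join(addresses)}")
    print("changed (delta scope):", changed_resources(plan))
    print("unchanged (static only):", unchanged_resources(plan))
    print("from modules:", module_resources(plan))
    print("variables with values:", resolved_variables(plan))
```

To run this against a real plan, replace `SAMPLE_PLAN_JSON` with the contents of your own `tf-plan.json` (for example `load_plan(open("tf-plan.json").read())`); every function works on the generic `resource_changes` and `variables` sections of the plan format, not on the sample's specific resources.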