As Terraform and OpenTofu continue to grow in popularity within the DevOps community, the same growth is seen with developer security platforms that scan IaC code.
There are many tools that you can choose from; some of the most popular are Open Policy Agent (by Styra), Sentinel (by HashiCorp), Checkov (by Palo Alto), Terrascan (by Tenable), and Snyk. Some of these tools are specifically for static code analysis and can be plugged into your code review using something such as GitHub Actions. Others, like Open Policy Agent, review the Terraform code during the actual deployment, because the Terraform plan output is required to do that.
In this blog post, we will focus on Snyk, a unique tool that can scan the static code in your VCS repository as well as the Terraform plan files, giving you two phases in which you can catch security issues. We’ll also walk through a Snyk integration in Scalr, which can be used with a simple script and Scalr custom hooks.
Snyk is a developer-first security platform that helps you find and fix security vulnerabilities in your application code, dependencies, containers, and infrastructure as code. It supports various IaC tools, including Terraform and OpenTofu.
Snyk helps you identify security issues early in the development process, before they make it to production, by scanning your Terraform files in VCS repositories such as GitHub or GitLab. This dramatically improves the developer experience by catching security issues early on rather than going through a deployment before seeing them.
That being said, not everything will always be caught in the static code, so it is crucial to scan for vulnerabilities in the Terraform plan output before the Terraform apply is run, which Snyk can also do.
The difference between Snyk and some other tools, like OPA, is that Snyk has a predefined list of vulnerabilities it scans for, whereas OPA is built more for custom policies that match your organization's requirements.
First, you must sign up for a free account with Snyk, where you can get an API token and import repositories that you want to be scanned.
To enable static code scanning, you simply grant Snyk access to your VCS provider and then select the repositories that you want to scan. As Snyk imports the repositories containing the Terraform configuration files, they are turned into Snyk projects where you see the vulnerability reports. In this example, Snyk imports the Terraform configuration files, reviews the main.tf file that has code to create an AWS EC2 instance, and identifies a few vulnerabilities:
The following use case is to catch vulnerabilities in the Terraform plan. Some organizations might do early development locally before pushing code into a VCS repository, so the Snyk CLI can be introduced in this scenario to avoid pushing vulnerable code into repos.
The Terraform CLI can be used from any laptop, CI/CD tool, automation pipeline, or Terraform automation and collaboration platform, such as Scalr or HashiCorp Terraform Cloud. In these scenarios, having a VCS repository linked to the tools is recommended, but not required, which is why the extra step of enforcing the Snyk CLI is helpful.
Getting started with the Snyk CLI is easy; there are many ways to install it, depending on where you are installing it. For example, you can use npm or Homebrew (official docs):
Using npm:
npm install -g snyk
Or using Homebrew on macOS:
brew tap snyk/tap
brew install snyk
Once installed, authenticate to the Snyk SaaS service with the following command:
snyk auth
This will open a browser window where you can log in or sign up for a Snyk account.
At this point, you have two different options regarding what to scan. First, you can scan the Terraform files in your working directory by simply running the following command in the working directory:
snyk iac test
If you don’t have the Terraform files locally, maybe in a CI/CD tool or automation pipeline, you can scan the Terraform plan output by executing the following:
terraform init
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
Once you have the JSON, run snyk iac test against that file:
snyk iac test tfplan.json
Snyk Infrastructure as Code
✔ Test completed.
Issues
No vulnerable paths were found!
-------------------------------------------------------
Test Summary
Organization: ryan-6ddqf2tX8PJz3m5NrARnnm
Project name: snyk
✔ Files without issues: 1
✗ Files with issues: 0
Ignored issues: 0
Total issues: 0 [ 0 critical, 0 high, 0 medium, 0 low ]
Integrating Snyk with Scalr follows the same steps outlined in the CLI section above, but requires Scalr custom hooks to install the CLI and then run the test since all runs are executed remotely.
First, create the following script in a VCS repository or working directory that is linked to your Scalr workspace:
#!/usr/bin/env bash
# Abort the hook if any step fails (a non-zero exit stops the Scalr run before apply)
set -euo pipefail
# Download the pinned Snyk CLI release into the run container
wget -O /tmp/snyk https://github.com/snyk/cli/releases/download/v1.1292.2/snyk-linux && chmod +x /tmp/snyk
# Convert the plan Scalr produced into JSON for Snyk to inspect
terraform show -json /opt/data/terraform.tfplan.bin > /tmp/tfplan.json
cd /tmp
./snyk iac test tfplan.json
Note: To use with OpenTofu, change terraform show to tofu show.
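The CLI scan above and the Scalr post-plan hook both rely on the exit code of snyk iac test to stop the run. The following added example (not Snyk's or Scalr's code) shows the same gate made explicit over the CLI's --json report, so the hook can print a per-severity summary into the run log and block only on issues at or above a chosen threshold. It assumes the report shape is one object per scanned file with an infrastructureAsCodeIssues list (severity, isIgnored, publicId, title, path); the embedded sample report and its rule ids are constructed placeholders.

```python
"""Severity gate for `snyk iac test --json` output (added example, not Snyk's or Scalr's code)."""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample in the shape this example assumes for the Snyk CLI report:
# one object per scanned file. Rule ids and titles are placeholders, not real Snyk rules.
SAMPLE_REPORT = [{
    "targetFile": "tfplan.json",
    "infrastructureAsCodeIssues": [
        {"publicId": "EXAMPLE-RULE-1", "title": "Instance has a public IP", "severity": "medium",
         "isIgnored": False, "path": ["resource", "aws_instance[web]", "associate_public_ip_address"]},
        {"publicId": "EXAMPLE-RULE-2", "title": "Root volume not encrypted", "severity": "high",
         "isIgnored": False, "path": ["resource", "aws_instance[web]", "root_block_device", "encrypted"]},
        {"publicId": "EXAMPLE-RULE-3", "title": "IMDSv2 not enforced", "severity": "high",
         "isIgnored": True, "path": ["resource", "aws_instance[web]", "metadata_options"]},
    ],
}]


def collect_issues(report):
    """Flatten a single-file object or a multi-file list into (file, issue) pairs."""
    for result in (report if isinstance(report, list) else [report]):
        for issue in result.get("infrastructureAsCodeIssues", []):
            yield result.get("targetFile", "?"), issue


def gate(report, threshold="high"):
    """Return (blocking, counts): non-ignored issues per severity, and those at/above threshold."""
    blocking, counts = [], {level: 0 for level in SEVERITY_RANK}
    for target, issue in collect_issues(report):
        if issue.get("isIgnored"):          # ignores are decided in Snyk; honour them here
            continue
        sev = issue.get("severity", "low")
        counts[sev] = counts.get(sev, 0) + 1
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[threshold]:
            blocking.append(f"{target}: [{sev}] {issue['publicId']} {issue['title']} "
                            f"at {'.'.join(issue.get('path', []))}")
    return blocking, counts


if __name__ == "__main__":
    # Usage: ./snyk iac test --json tfplan.json > report.json; python gate.py report.json
    # (the constructed sample is used when no report path is given). Exit 1 blocks the run.
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking, counts = gate(report, threshold="high")
    print("non-ignored issues by severity:", counts)
    for line in blocking:
        print("BLOCKING:", line)
    sys.exit(1 if blocking else 0)
```

The Snyk CLI's own --severity-threshold flag gives the same exit-code behaviour without a script; this version is for teams that want the summary visible in the Scalr run output or want to adapt the blocking rule.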
In Scalr, link the repository to the workspace that you are using and reference the script in a post-plan custom hook:
Next, click on the variables tab and add the Snyk API token as a sensitive shell variable (SNYK_TOKEN) so the Scalr container will be able to authenticate:
That’s it! Now you can execute a run and see the Snyk results directly in the Scalr UI:
Integrating Snyk with Terraform is a powerful way to enhance the security of your infrastructure as code. By catching and fixing security vulnerabilities early, you can significantly reduce the risk of security breaches and improve your developer experience. Regardless of your IaC process, Snyk gives you tools at critical steps, whether static code testing or using the CLI in a workflow to catch critical vulnerabilities. Make sure to check out the Snyk Provider on library.tf.