
As Terraform and OpenTofu have grown more popular with DevOps teams, so have the security platforms that scan IaC code for problems.
You have plenty of tools to choose from. Some of the most popular are Open Policy Agent (by Styra), Sentinel (by HashiCorp), Checkov (by Palo Alto), Terrascan (by Tenable), and Snyk. A few are built only for static code analysis and plug into your code review through something like GitHub Actions. Others, like Open Policy Agent, review the Terraform code during the actual deployment, since they need the Terraform plan output to do their work.
This post focuses on Snyk. It can scan the static code in your VCS repository and also the Terraform plan files, which gives you two phases in which to catch security issues. We'll also walk through a Snyk integration in Scalr, which runs from a short script and Scalr custom hooks.
Snyk is a developer-first security platform that helps you find and fix security vulnerabilities in your application code, dependencies, containers, and infrastructure as code. It supports various IaC tools, including Terraform and OpenTofu.
Snyk scans your Terraform files in VCS repositories such as GitHub or GitLab, so you catch security issues early in development, before they reach production. That helps the developer experience: you see the problem at code-review time instead of after a deployment.
Static code won't catch everything, though. You also want to scan the Terraform plan output for vulnerabilities before the Terraform apply runs, and Snyk can do that too.
The difference between Snyk and some other tools, like OPA, is that Snyk ships with a predefined list of vulnerabilities it scans for, whereas OPA is built more for custom policies that match your organization's requirements.
First, you must sign up for a free account with Snyk, where you can get an API token and import repositories that you want to be scanned.
To enable static code scanning, you simply grant Snyk access to your VCS provider and then select the repositories that you want to scan. As Snyk imports the repositories containing the Terraform configuration files, they are turned into Snyk projects where you see the vulnerability reports. In this example, Snyk imports the Terraform configuration files, reviews the main.tf file that creates an AWS EC2 instance, and identifies a few vulnerabilities:

Enabling Snyk in your VCS provider
The next use case is catching vulnerabilities in the Terraform plan. Some organizations do early development locally before pushing code into a VCS repository, so the Snyk CLI can be introduced in this scenario to avoid pushing vulnerable code into repos.
The Snyk CLI can be used from any laptop, CI/CD tool, automation pipeline, or Terraform automation and collaboration platform, such as Scalr or HashiCorp Terraform Cloud. In these scenarios, having a VCS repository linked to the tools is recommended, but not required, which is why the extra step of enforcing the Snyk CLI is helpful.
Getting started with the Snyk CLI is easy; there are many ways to install it, depending on where you are installing it. For example, you can use npm or Homebrew (see the official docs):
Using npm:
Or using Homebrew on macOS:
Once installed, authenticate to the Snyk SaaS service with the following command:
This will open a browser window where you can log in or sign up for a Snyk account.
At this point, you have two different options regarding what to scan. First, you can scan the Terraform files in your working directory by simply running the following command in the working directory:
If you don't have the Terraform files locally, maybe in a CI/CD tool or automation pipeline, you can scan the Terraform plan output by executing the following:
Once you have the JSON plan file, run snyk iac test against it:
Integrating Snyk with Scalr follows the same steps outlined in the CLI section above, but requires Scalr custom hooks to install the CLI and then run the test since all runs are executed remotely.
First, create the following script in a VCS repository or working directory that is linked to your Scalr workspace:
Note: To use with OpenTofu, change terraform show to tofu show
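The post does not reproduce the hook script itself, so here is an added example of one (not the post's or Scalr's own code) that ties the CLI steps above together: it installs the CLI with npm if it is missing, renders the plan to JSON, runs snyk iac test on it, and turns the CLI's exit code into a verdict for the run log. It assumes SNYK_TOKEN is exported into the run (the sensitive shell variable the post sets up), that the hook runs in the workspace's working directory after the plan, and that a TF_BIN variable selects terraform (the default) or tofu; the tf-plan.json and tfplan file names and the medium severity threshold are choices made for this example.

```shell
#!/bin/sh
# Added example, not the post's own hook script: a Scalr post-plan custom hook
# that renders the Terraform plan to JSON and runs `snyk iac test` against it.
# Assumptions: SNYK_TOKEN is exported by Scalr, the hook runs in the working
# directory after the plan, and TF_BIN is "terraform" (default) or "tofu".
set -eu

# Resolve which CLI renders the plan; only terraform or tofu are accepted.
iac_bin() {
  bin="${TF_BIN:-terraform}"
  case "$bin" in
    terraform|tofu) printf '%s\n' "$bin" ;;
    *) printf 'unsupported TF_BIN: %s\n' "$bin" >&2; return 1 ;;
  esac
}

# Fail early if the hook cannot authenticate: SNYK_TOKEN must be non-empty.
require_snyk_token() {
  if [ -z "${SNYK_TOKEN:-}" ]; then
    printf 'SNYK_TOKEN is not set; add it as a sensitive shell variable in Scalr\n' >&2
    return 1
  fi
}

# Map the Snyk CLI's documented exit codes to a verdict for the run log:
# 0 = no issues, 1 = issues found (action needed), 2 = scan failed,
# 3 = no supported IaC files detected.
snyk_verdict() {
  case "$1" in
    0) printf 'clean\n' ;;
    1) printf 'issues-found\n' ;;
    2) printf 'scan-failed\n' ;;
    3) printf 'no-iac-files\n' ;;
    *) printf 'unknown\n' ;;
  esac
}

# Decide whether the run should stop before apply. A failed scan blocks too,
# so an outage at Snyk never silently lets unscanned changes through.
should_block() {
  case "$(snyk_verdict "$1")" in
    clean|no-iac-files) return 1 ;;
    *) return 0 ;;
  esac
}

# Install the CLI with npm (one of the install paths the post mentions) if the
# Scalr container does not already have it.
ensure_snyk() {
  command -v snyk >/dev/null 2>&1 || npm install -g snyk
}

# Render the plan to JSON and scan it. $1 is the binary plan file; when it is
# absent the script produces one itself so the hook also works locally.
scan_plan() {
  plan_file="${1:-tfplan}"
  plan_json="tf-plan.json"
  rc=0
  bin="$(iac_bin)"
  [ -f "$plan_file" ] || "$bin" plan -out="$plan_file"
  "$bin" show -json "$plan_file" > "$plan_json"
  # --severity-threshold reports only medium and above; drop it to see everything.
  snyk iac test "$plan_json" --severity-threshold=medium || rc=$?
  printf 'snyk verdict: %s (exit %d)\n' "$(snyk_verdict "$rc")" "$rc"
  if should_block "$rc"; then return 1; fi
}

main() {
  require_snyk_token
  ensure_snyk
  scan_plan "${1:-}"
}

# The hook invokes the script as `sh snyk-scan.sh run [planfile]`; without the
# `run` argument the file only defines functions, so it can be sourced and tested.
if [ "${1:-}" = run ]; then
  shift
  main "$@"
fi
```

In the Scalr post-plan hook, reference the script as sh snyk-scan.sh run (or with the plan file path as a second argument if your setup writes one). Switching to OpenTofu is a matter of setting TF_BIN=tofu rather than editing the script, which mirrors the terraform show to tofu show change the note above describes.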
In Scalr, link the repository to the workspace that you are using and reference the script in a post-plan custom hook:

Scalr Custom Hooks setup
Next, click on the variables tab and add the Snyk API token as a sensitive shell variable (SNYK_TOKEN) so the Scalr container will be able to authenticate:

Scalr Variable Creation
That's it! Now you can execute a run and see the Snyk results directly in the Scalr UI:

Scalr Run Dashboard
Running Snyk against your Terraform code helps you find and fix vulnerabilities before they ship, which lowers the chance of a security problem reaching production. Whatever your IaC process looks like, Snyk gives you a place to check: static code in the repo, plan output in a pipeline, or both. For a Terraform-native option, check out the Snyk Provider on library.tf.
