Safeguard
Infrastructure Security

Snyk and HashiCorp Terraform Cloud partnership

Snyk's HashiCorp Terraform Cloud integration gates IaC risk at plan time — here's what it covers, what it misses, and how reachability closes the gap.

Michael
Cloud Security Architect
6 min read

SAN FRANCISCO — Infrastructure-as-code security reached another inflection point when Snyk deepened its integration with HashiCorp's Terraform Cloud (now HCP Terraform), embedding automated policy scanning directly into the Terraform run pipeline via Run Tasks. The partnership, which earned Snyk HashiCorp's "Partner of the Year for Collaboration Technology" recognition at HashiConf 2022, has since expanded to cover Terraform Enterprise's self-hosted distribution — pushing IaC security checks against more than 400 built-in policies covering AWS, Azure, GCP, and Kubernetes configurations before a single terraform apply ever touches production.

The move reflects a broader shift in how security and platform teams think about infrastructure risk: rather than auditing cloud environments after they're provisioned, the goal is to catch misconfigurations at the plan stage, inside the same workflow developers already use to ship infrastructure changes. For security teams evaluating Snyk Terraform Cloud integration options — or comparable tooling from Wiz, Aqua Security, and others — the announcement is a useful case study in where shift-left IaC scanning is heading, and where the approach still leaves gaps that matter for real-world defense.

What Actually Changed

The core mechanic is HashiCorp's Run Task framework, a webhook-based extension point that lets third-party tools inject checks into a Terraform Cloud or Terraform Enterprise run lifecycle. When a Run Task is configured, Terraform Cloud sends the generated Terraform Plan JSON — the machine-readable preview of every resource that would be created, modified, or destroyed — to Snyk's IaC scanning engine before the apply stage executes.

Snyk evaluates that plan against its policy library, which spans:

  • Cloud provider misconfigurations — overly permissive IAM policies, public S3 buckets, unencrypted storage volumes, open security groups, and similar patterns across AWS, Azure, and GCP.
  • Kubernetes manifest risk — privileged containers, missing resource limits, and insecure pod security contexts when Terraform is used to provision K8s objects.
  • Compliance mapping — policy violations tied to frameworks like CIS Benchmarks, NIST, and SOC 2 control families, which platform teams increasingly need to report on regardless of whether the underlying infrastructure change was security-motivated.

If the scan finds violations above a configured severity threshold, the Run Task can block the apply outright, forcing a human decision point before infrastructure ships. That's a meaningful architectural choice: it moves the enforcement boundary from "post-deployment audit" to "pre-provisioning gate," which is the same philosophy driving policy-as-code tools like Open Policy Agent and Sentinel.

Why the Timing Matters

Terraform's adoption curve has made this integration point unusually high-leverage. HashiCorp has reported Terraform downloads well into the hundreds of millions, and Terraform Cloud/HCP Terraform has become the default control plane for organizations managing multi-account, multi-cloud estates. Every misconfiguration that reaches production through Terraform is, by definition, a misconfiguration that was defined in code and reviewed — at least nominally — before it shipped. That makes the plan stage one of the highest-value places to intervene in the entire cloud security lifecycle, and it's why IaC scanning has become table stakes for the CNAPP category rather than a niche add-on.

Industry misconfiguration data backs up why this matters. Cloud security incident reports have consistently pointed to misconfiguration — not novel exploits — as the leading root cause of cloud breaches for several years running, with identity and access misconfigurations and publicly exposed storage among the most recurring findings in incident post-mortems. An integration that intercepts these patterns at the Terraform plan stage, before they become live resources, directly targets the most common failure mode in the data.

The Competitive Backdrop

Snyk's HashiCorp partnership doesn't exist in isolation. Wiz has built out its own Terraform and IaC scanning capabilities tied into its agentless cloud graph, emphasizing runtime context over pure plan-time policy checks. Aqua Security's Trivy and cloud-native security posture management tooling similarly scan Terraform and CloudFormation templates, often bundled with broader container and Kubernetes runtime protection. HashiCorp itself ships Sentinel as a native policy-as-code framework for Terraform Cloud/Enterprise customers who want enforcement without a third-party dependency at all.

The practical differentiator among these approaches is less "does it scan Terraform" — most mature platforms do — and more where the scan result gets its risk score from. A plan-time scan that flags every public security group or every IAM wildcard as high severity, without visibility into whether that resource is internet-facing in practice, whether the workload it attaches to actually runs exploitable code, or whether a compensating control already exists downstream, tends to generate the alert volume that erodes trust in the tool. Terraform Cloud Run Tasks and comparable IaC gates are good at catching policy violations; they are not, by themselves, designed to tell a security team which of those violations represents exploitable exposure once the infrastructure is live and interacting with running workloads.

What This Means for Security Teams Evaluating IaC Tooling

For teams researching Snyk's Terraform Cloud integration specifically, a few practical takeaways stand out:

  1. Plan-time gating reduces — but doesn't eliminate — drift risk. Terraform Cloud enforces the Run Task at apply time for changes made through Terraform itself, but infrastructure modified out-of-band (console changes, other IaC tools, manual kubectl edits) can still drift out of policy compliance without triggering a re-scan until the next plan.
  2. Policy count is not the same as risk prioritization. A library of 400+ policies is useful for coverage, but coverage breadth doesn't tell a security team which of the dozens of findings on a given plan actually matter most for their specific environment and threat model.
  3. IaC scanning is one layer of a much longer pipeline. The Terraform plan is upstream of the actual runtime environment — container images, application dependencies, and the code paths that make a misconfigured resource actually reachable by an attacker all sit downstream of the Terraform apply, in territory that plan-time IaC scanners don't cover.

How Safeguard Helps

Safeguard approaches this same problem from the other end of the pipeline: instead of stopping at policy conformance for a Terraform plan, Safeguard's reachability analysis correlates infrastructure findings with the application code and dependencies actually deployed onto that infrastructure, so security teams can tell which misconfigurations sit in front of exploitable, reachable code paths versus which are theoretical. Griffin AI, Safeguard's autonomous triage engine, ingests IaC scan output alongside SBOM and vulnerability data to cut through alert volume and rank exposures by real-world exploitability rather than raw policy-violation counts. Safeguard generates and ingests SBOMs across the software supply chain — including artifacts produced or consumed by Terraform-provisioned workloads — to maintain a continuously accurate inventory tying infrastructure to the software actually running on it. When a fixable misconfiguration or vulnerable dependency is confirmed reachable, Safeguard can open an auto-fix pull request directly against the offending Terraform or application code, closing the loop from detection to remediation without waiting on a manual backlog. Together, these capabilities extend the shift-left IaC gate that partnerships like Snyk-HashiCorp popularized into a full-lifecycle defense that follows infrastructure from plan to production.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.