snyk-iac
Safeguard articles tagged "snyk-iac" — guides, analysis, and best practices for software supply chain and application security.
10 articles
Comparing Terraform security scanners: Snyk IaC, Checkov, tfsec
Snyk IaC, Checkov, and tfsec take different approaches to Terraform scanning — and one of them stopped getting new checks in 2023. Here's how they actually compare.
How Snyk IaC scans Kubernetes manifests and Helm charts f...
A technical walkthrough of how Snyk IaC parses Kubernetes manifests, renders Helm charts, and checks them against CIS benchmarks before deployment.
How to write a custom Snyk IaC rule in Rego using the Rul...
A technical walkthrough of Snyk's IaC Rules SDK: scaffolding, writing Rego deny rules, local testing, bundling, and org-wide enforcement via OCI registries.
How Snyk IaC's Terraform Cloud run tasks gate infrastruct...
How Snyk IaC uses Terraform Cloud's run tasks to scan plan output and block infrastructure changes before apply — the mechanics, enforcement levels, and limits.
How Snyk IaC correlates code-level misconfigurations with...
How Snyk's Cloud Context feature joins Terraform and CloudFormation misconfigurations to live AWS, Azure, and GCP resources — and where that correlation model breaks down.
How Snyk IaC's severity scoring weighs the exploitability...
A mechanical look at how Snyk IaC assigns Critical-to-Low severity to misconfigurations, and how exploitability factors like exposure and privilege requirements shape the rating.
How an organization's custom policy set overrides Snyk Ia...
How Snyk IaC's Rego-based custom rules layer onto, disable, or supplement default policies — and what that means for enforcing org-specific IaC standards.
How Snyk IaC detects overly permissive IAM policies in Te...
A mechanical walkthrough of how Snyk IaC parses Terraform and CloudFormation, normalizes IAM policies into one model, and flags wildcard actions, resources, and principals before deploy.
How Snyk IaC identifies unencrypted storage resources acr...
Snyk IaC flags unencrypted S3 buckets, Azure Storage, and GCP disks by parsing Terraform and CloudFormation for missing encryption attributes before deployment.
How Snyk IaC's admission-time Kubernetes scanning differs...
How Snyk IaC's static manifest scanning, the Snyk Controller's in-cluster monitoring, and true Kubernetes admission control mechanically differ — and why the gap between them matters.