# How to Use Snyk for Securing Your Azure Terraform

# What is Snyk IaC

Snyk is a misconfiguration IaC tool that identifies vulnerabilities in how people write their code. Though I am writing about its use with Terraform on Azure, it supports other IaC tools, Cloud platforms, and various coding languages.

Snyk can integrate with DevOps platforms such as Azure DevOps and GitHub to scan repositories as static code in static branches and on branches as part of the Pull Request process. It can also scan misconfiguration before code commits by installing the Snyk extension onto your IDE and giving developers inline messages stating why the code is vulnerable and how to fix the issue.

# Snyk Signup

Visit [https://snyk.io/](https://snyk.io/) and click on the signup button. Snyk has a free version that allows unlimited contributors to the codebase you want to scan but is limited to the number of tests.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742573362528/a9642bbb-4d90-412c-b2c7-d2929dc886d7.png align="center")

There is a 300-test limit for IaC, enough for anyone starting out with IaC security to scan their codebase.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742573595109/d4220c93-9133-41c6-9b7e-11d3b6183e13.png align="center")

# Snyk Extension on VS Code

You first need to install the Snyk extension in VS Code. You can do this by searching the extension marketplace for **Snyk**. The extension for Snyk is called **Snyk Security** and is verified with a checkmark like the one in the image below. Once found, select **Install**.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1743441194690/73dec55c-d4f4-4b68-bac5-8fa514ed3ea0.png align="center")

Once installed, you can select the Snyk icon from the side menu. You will be presented with a getting started window asking you to authenticate with Snyk. Select the **Connect & Trust Workspace** to start the login process.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1743441203349/0438f306-8af3-4c1a-9c10-6f43e874fac7.png align="center")

Once you are authenticated, you are presented with the below window where you can switch from the browser to VS Code again.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1743441210306/6ea8d7e6-c805-4604-921e-bcfea81c9294.png align="center")

You can then load a project containing Terraform and start a scan. Within the extension, select the play button to run a scan. I have demonstrated Terraform scan issues for this blog on some of my resources.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1743444221984/3b598197-6007-43cc-98ac-f2d2f8aaf4de.png align="center")

Within the **configuration issues** section, I can see the file that contains the issues with details.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1743444232245/f3fc3b11-7e57-4de0-90f3-cf8771ca2232.png align="center")

When selecting the issue, you will be taken to the section of code that is misconfigured and a definition of the issue with a recommended fix.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1743444242138/a21f966f-76be-40ec-9ae6-45344872d7e6.png align="center")

# Snyk Integrated with GitHub

When on the initial load of your Snyk account, you are presented with the code scan window. Here, you can select the integration you want. For this post, we are using **GitHub,** so we are selecting this.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1744012424611/7190d370-cb86-45cc-a589-fcdd9bdde7a7.png align="center")

We are then asked to set permissions for public or private repos. As I want it to scan my private repositories, I have selected **Private and public repositories.**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1744012466465/7a016330-1151-4a82-939d-568f8ede09f6.png align="center")

Finally, in this window, I am asked to enable features. You can select **Snyk Code** for IaC-only scans or enable additional features within GitHub. Select **Authenticate GitHub** to start authenticating to GitHub

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1744012474502/511cf090-bb4b-4163-a039-527aaeb553ee.png align="center")

Once you have authenticated to GitHub and authorised Snyk access to your repositories, you can import a repository from the list within the window it presents. Select a repository where you have Terraform code.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1744012480771/f9c0552d-4f13-4b3f-b61c-4471be0fb712.png align="center")

Once the import completes, you are presented with the configuration file's findings within a single pain. Any issues with the code will be highlighted here.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1744012487586/a99d1e99-e336-4379-83e1-7e2fa9350f9c.png align="center")

%%[buymeacoffe-butyellow]
