Forem: VICTOR WILLIAMS CRUZ MAMANI

Securing Terraform Infrastructure with Snyk IaC: A Practical SAST Example

VICTOR WILLIAMS CRUZ MAMANI — Thu, 04 Dec 2025 18:56:15 +0000

https://github.com/Vlkair/terraform-snyk-iac-demo

Infrastructure as Code (IaC) allows teams to define and provision cloud resources using code, but that code can also contain security misconfigurations that put environments at risk. This article presents a simple example of how to use Snyk Infrastructure as Code (Snyk IaC) as a SAST tool to scan Terraform files, find issues, and fix them before deployment.

What is Snyk IaC and why use it?

Snyk IaC is a static analysis tool that scans IaC configuration files such as Terraform, CloudFormation, and ARM templates to detect security and compliance issues. It analyzes the code against security best practices and policies, and provides actionable guidance on how to harden infrastructure definitions.

According to the OWASP list of Source Code Analysis Tools, Snyk IaC is designed to reduce risk by automating IaC security checks and detecting misconfigurations early in the development workflow. Integrating this type of SAST tool into the development process helps teams apply DevSecOps and "shift-left" security principles for cloud infrastructure.

Sample Terraform project

A very small Terraform project is enough to demonstrate this workflow. A typical configuration may define basic cloud resources but introduce insecure settings, such as security groups allowing ingress from 0.0.0.0/0 or storage resources without encryption.

Although these configurations are convenient for quick tests, they can be dangerous in real environments because they expose services broadly and weaken data protection. Using Snyk IaC, these misconfigurations can be detected directly from the Terraform files before running terraform apply.

Installing and running Snyk IaC

A Snyk account and the Snyk CLI are required to execute IaC scans from the terminal. After installing the CLI and authenticating with a personal token, Snyk commands become available to analyze local projects.

Snyk Infrastructure as Code can scan Terraform configuration files such as main.tf directly. The basic command to analyze the current directory is:

snyk iac test .
This command recursively discovers Terraform .tf files in the folder and evaluates them for misconfigurations.

Snyk can also scan a Terraform plan output in JSON format, which represents the changes to be applied to the cloud environment. A common sequence is:

terraform plan -out=tfplan.binary terraform show -json tfplan.binary > tf-plan.json snyk iac test tf-plan.json

By examining the plan, Snyk gains visibility into the final state, including modules and variable resolution, before the changes are applied.

Interpreting the scan results

After running snyk iac test, the CLI outputs the detected issues grouped by severity, such as high, medium, or low. For each misconfiguration, Snyk displays a rule identifier, a description of the risk, and a recommendation on how to remediate it.

For example, an overly permissive security group that allows ingress from 0.0.0.0/0 on a specific port is typically flagged as a high-severity issue because it exposes the service to the entire internet. Storage resources may also be reported if encryption is disabled or if buckets are inadvertently exposed publicly.

These results highlight the exact Terraform resources and attributes that require modification before the infrastructure is provisioned.

Fixing the Terraform code

Once misconfigurations are identified, the Terraform code can be updated according to the recommendations. In the case of security groups, instead of using 0.0.0.0/0, ingress rules can be restricted to a known IP range, VPN network, or bastion host.

After applying these changes to the configuration, running snyk iac test again verifies whether the issues have been resolved. When the problematic rules disappear from the report, it indicates that the Terraform code now complies with the security policy enforced by Snyk IaC.

This iterative "scan → fix → re-scan" process illustrates how a SAST tool for IaC supports continuous improvement of infrastructure code security.

Integrating Snyk IaC into CI/CD

Local scans are useful, but integrating Snyk IaC into CI/CD pipelines makes security checks consistent and automated across the entire development team. Snyk can be connected to Git repositories so that every new commit or pull request triggers an IaC scan.

There is also integration with Terraform Cloud through run tasks, enabling Snyk to evaluate Terraform runs and optionally block those that introduce critical misconfigurations. Combining IaC scanning with continuous integration helps enforce security policies, reduce configuration drift, and prevent risky infrastructure changes from reaching production.

Conclusion

Snyk IaC, used as a SAST tool for Terraform, provides an effective way to detect misconfigurations such as open security groups or unencrypted storage directly in IaC definitions. Incorporating these checks into the development and CI/CD workflow strengthens cloud security, supports DevSecOps practices, and contributes to maintaining secure and compliant infrastructure over time.

Snyk Infrastructure as Code can scan Terraform configuration files such as main.tf directly. The basic command to analyze the current directory is:

Catching .NET Vulnerabilities Early: A Hands-On Guide with Puma Scan

VICTOR WILLIAMS CRUZ MAMANI — Thu, 04 Dec 2025 18:50:22 +0000

Catching .NET Vulnerabilities Early: A Hands-On SAST Demo with Puma Scan

Static Application Security Testing (SAST) helps developers find security flaws directly in source code—before they reach production. In this article, I demonstrate how to use Puma Scan, a .NET-focused SAST tool listed by OWASP, to detect real vulnerabilities in a minimal C# application. The entire workflow—including code, automation script, and scan results—is publicly available on GitHub.

🔗 GitHub Demo Repository:

https://github.com/Vlkair/dotnet-sast-pumascan-demo

Why Puma Scan?

From the official OWASP Source Code Analysis Tools list, many SAST tools exist—but this assignment excluded Sonar, Snyk, Semgrep, and Veracode. Among the remaining options for C#/.NET, Puma Scan stood out because:

It’s designed specifically for .NET and C#
It integrates with Visual Studio, VS Code, and the command line
It detects common OWASP Top 10 issues like SQL Injection and Cross-Site Scripting (XSS)
A Community Edition is available for free learning and testing

The Vulnerable Code Sample

To keep the demo simple and reproducible, I created a minimal C# class with a classic SQL injection vulnerability:

// TestVuln.cs
using System;
using System.Data.SqlClient;

public class VulnerableClass
{
    public void UnsafeQuery(string userInput)
    {
        // ⚠️ SQL Injection: user input concatenated directly into query
        string query = "SELECT * FROM Users WHERE Id = " + userInput;
        SqlCommand cmd = new SqlCommand(query);
    }
}

If an attacker inputs 1 OR 1=1, the query becomes:

SELECT * FROM Users WHERE Id = 1 OR 1=1

→ All user records are exposed.

This matches CWE-89 and OWASP Top 10: A03:2021 – Injection.

Automated Detection with Puma Scan
Step 1: Add Puma Scan to your project
dotnet add package Puma.Security.Rules

I created a simple PowerShell script (scan.ps1):

# scan.ps1 - PumaScan SAST Analysis Script
Write-Host "======================================" -ForegroundColor Cyan
Write-Host " PumaScan - SAST Security Analysis" -ForegroundColor Cyan
Write-Host "======================================" -ForegroundColor Cyan
Write-Host ""

# Build the project with PumaScan analysis
Set-Location PumaScanner
dotnet clean | Out-Null
dotnet build

Write-Host ""
Write-Host "======================================" -ForegroundColor Green
Write-Host " Analysis Complete!" -ForegroundColor Green
Write-Host "======================================" -ForegroundColor Green
Write-Host ""
Write-Host "Look for security warnings above:" -ForegroundColor Yellow
Write-Host "  - SEC0107: SQL Injection vulnerability" -ForegroundColor Yellow
Write-Host ""
Set-Location ..

Step 3: See the result
When you run powershell -ExecutionPolicy Bypass -File .\scan.ps1, you get this clear warning:

this is insane

VICTOR WILLIAMS CRUZ MAMANI — Wed, 03 Dec 2025 22:05:53 +0000

🚀 Building Your First MCP Server: A Step-by-Step Guide

Sebastian Nicolas Fuentes Avalos ・ Dec 1

#mcp #python

interesting!!

VICTOR WILLIAMS CRUZ MAMANI — Wed, 03 Dec 2025 22:03:53 +0000

Building and Deploying a Remote MCP Server to Google Cloud Run in Under 10 Minutes

ANDY MICHAEL CALIZAYA LADERA ・ Nov 28

#google #serverless #tutorial #mcp