This repo contains example custom rules for Snyk IaC. They were generated with the `snyk-iac-rules` SDK and written in the OPA policy language (Rego). To learn more about custom rules, read through the public documentation.
The prerequisites for using the rules in this repo are:
- Installing `snyk-iac-rules`
- Installing `snyk`
- Having Custom Rules enabled (for this, contact our team)
The example rules in this repo include:
- `./rules/CUSTOM-RULE-1`: A simple boolean rule that checks if a Terraform `aws_redshift_cluster` has an `owner` tag
- `./rules/CUSTOM-RULE-2`: A rule using logical AND that checks if a Terraform `aws_redshift_cluster` has both an `owner` tag and a `description` tag
- `./rules/CUSTOM-RULE-3`: A rule using logical OR that checks if a Terraform `aws_redshift_cluster` has at least an `owner` tag or a `description` tag
- `./rules/CUSTOM-RULE-4`: A rule using strings that checks if a Terraform `aws_redshift_cluster` has at least an `owner` tag or a `description` tag and the `owner` tag does not belong to the `@corp-domain.com` domain
- `./rules/CUSTOM-RULE-5`: A rule using XOR that checks if a Terraform `aws_redshift_cluster` has either an `owner` tag or a `serviceDescription` tag, depending on the `type`
- `./rules/CUSTOM-RULE-6`: A rule using grouped resources that checks if a Kubernetes RoleBinding configuration was defined on a set of namespaces configured in a denylist
- `./rules/CUSTOM-RULE-7`: A rule using grouped resources that checks if a Kubernetes ConfigMap configuration contains keys located in a denylist
- `./rules/CUSTOM-RULE-8`: A rule that flags up if an IAM Role is missing one of the required tags: `owner`, `description` or `type`
- `./rules/CUSTOM-RULE-9`: A rule that flags up if a Vendor or Service does not have at least an `owneralternate` or a `ticketgroup` tag
- `./rules/CUSTOM-RULE-10`: A rule that flags up if an IAM user is missing one of the required tags: `owner`, `description` or `type`
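As an added illustration (not one of the rules shipped in `./rules`), the Rego below shows how the logical-OR and string-check patterns described for CUSTOM-RULE-3 and CUSTOM-RULE-4 fit into the `deny` shape that Snyk IaC custom rules use, together with OPA unit tests on constructed inputs of the kind `snyk-iac-rules test` runs. It assumes the Terraform input layout `input.resource.<type>[<name>]` from the public custom-rules documentation and the classic Rego syntax (no `if`/`contains` keywords); the `publicId`, the corporate domain and the sample cluster are placeholders.

```rego
package rules

# Added example, not one of the rules in ./rules. Assumptions: Snyk IaC exposes
# Terraform resources as input.resource.<type>[<name>] (per the public docs),
# and classic Rego syntax. The publicId and domain below are placeholders.

corp_domain := "@corp-domain.com"

# True when the resource carries neither ownership tag.
# `not resource.tags.owner` also holds when the tags block is absent entirely.
lacks_ownership_tags(resource) {
	not resource.tags.owner
	not resource.tags.description
}

# True when an owner tag is present but is not a corp-domain address.
owner_outside_corp_domain(resource) {
	owner := resource.tags.owner
	not endswith(owner, corp_domain)
}

# Two bodies for the same `deny` set act as a logical OR: a cluster is
# reported when either condition holds.
deny[msg] {
	resource := input.resource.aws_redshift_cluster[name]
	lacks_ownership_tags(resource)
	msg := {
		# Mandatory fields
		"publicId": "CUSTOM-RULE-EXAMPLE",
		"title": "Redshift cluster has neither an owner nor a description tag",
		"severity": "medium",
		"msg": sprintf("input.resource.aws_redshift_cluster[%s].tags", [name]),
		# Optional fields
		"issue": "An untagged cluster cannot be traced to a team during an incident.",
		"impact": "Ownership of the data held in the cluster is unclear.",
		"remediation": "Add an `owner` or a `description` tag to the cluster.",
		"references": []
	}
}

deny[msg] {
	resource := input.resource.aws_redshift_cluster[name]
	owner_outside_corp_domain(resource)
	msg := {
		"publicId": "CUSTOM-RULE-EXAMPLE",
		"title": "Redshift cluster owner is outside the corporate domain",
		"severity": "medium",
		"msg": sprintf("input.resource.aws_redshift_cluster[%s].tags.owner", [name]),
		"issue": "",
		"impact": "",
		"remediation": sprintf("Set the `owner` tag to an address ending in %s.", [corp_domain]),
		"references": []
	}
}

# Unit tests over constructed inputs; only the first deny body can fire when
# no owner tag exists, and only the second when an owner tag is present.
test_untagged_cluster_is_denied {
	count(deny) == 1 with input as {"resource": {"aws_redshift_cluster": {
		"warehouse": {"cluster_identifier": "warehouse"}
	}}}
}

test_external_owner_is_denied {
	count(deny) == 1 with input as {"resource": {"aws_redshift_cluster": {
		"warehouse": {"tags": {"owner": "someone@example.net"}}
	}}}
}

test_corp_owner_is_allowed {
	count(deny) == 0 with input as {"resource": {"aws_redshift_cluster": {
		"warehouse": {"tags": {"owner": "data-team@corp-domain.com"}}
	}}}
}
```

Splitting the conditions into named helper rules keeps each `deny` body to one readable predicate, and the `with input as` tests let you check both the deny and the allow paths without writing fixture files first.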
The existing rules can be:
- tested using `snyk-iac-rules test`
- built into a bundle using `snyk-iac-rules build`
- verified locally using `snyk iac test --rules`
- pushed to an OCI registry using `snyk-iac-rules push`
An example workflow for adding a new rule would involve:
- Templating the rule using `snyk-iac-rules template`
- Filling in the rule logic using Policy Language
- Testing the rules locally using `snyk-iac-rules test`
- Building the rules locally and testing them with `snyk iac test --rules=bundle.tar.gz`
- Opening a PR for a rule and letting the CI/CD run the tests, which block the PR from being merged if they fail
- Merging the PR once the PR check passes
- Waiting for the bundle to be published to an OCI registry
- Configuring a separate repo to use `snyk` together with the custom rules in this repo by setting the following environment variables:

```
export SNYK_CFG_OCI_REGISTRY_URL=<OCI registry url without a protocol>
export SNYK_CFG_OCI_REGISTRY_USERNAME=<OCI registry username>
export SNYK_CFG_OCI_REGISTRY_PASSWORD=<OCI registry password>
```
There are two GitHub Actions configured for this repo:
- One that tests the rules when PRs are opened
- One that publishes the rules to an OCI registry when PRs are merged
The rules get published to a private DockerHub repository.