feat: use SNYK_CFG for IaC OCI registry env vars [CFG-1165]

help/commands-docs/_EXAMPLES.md

@@ -30,6 +30,15 @@ See `snyk iac --help` for more details and examples:
     $ snyk iac test /path/to/tf-plan.json
     $ snyk iac test /path/to/arm_file.json
 
+To use your own custom rules to scan IaC configuration files, download the `snyk-iac-rules` SDK from https://github.com/snyk/snyk-iac-rules. Follow the
+instructions there to write, build, and push a custom rules bundle and then
+either use the Snyk UI to configure your custom rules settings or configure
+a remote OCI registry locally by running the following commands:
+
+    $ snyk config set oci-registry-url=https://registry-1.docker.io/username/repo:tag
+    $ snyk config set oci-registry-username=username
+    $ snyk config set oci-registry-password=password
+
 ### Static code analysis (SAST) scanning
 
 See `snyk code --help` for more details and examples:

help/commands-docs/config.md

@@ -36,3 +36,12 @@ This command does not manage the `.snyk` file that's part of your project. See `
 
 - `disable-analytics`:
   Turns off analytics reporting.
+
+- `oci-registry-url`:
+  Configures the OCI registry used in IaC scannings with custom rules.
+
+- `oci-registry-username`:
+  Configures the username for an OCI registry used in IaC scannings with custom rules.
+
+- `oci-registry-password`:
+  Configures the password for an OCI registry used in IaC scannings with custom rules.

help/commands-docs/iac-examples.md

@@ -19,3 +19,6 @@
 
 - `Test matching files in a directory`:
   \$ snyk iac test /path/to/directory
+
+- `Test matching files in a directory using a local custom rules bundle`:
+  \$ snyk iac test /path/to/directory --rules=bundle.tar.gz

help/commands-docs/iac.md

@@ -66,3 +66,11 @@ Find security issues in your Infrastructure as Code files.
   Default: If the `--scan` flag is not provided it would scan the proposed changes only by default.  
   Example #1: `--scan=planned-values` (full state scan)
   Example #2: `--scan=resource-changes` (proposed changes scan)
+
+- `--rules=`<PATH_TO_CUSTOM_RULES_BUNDLE>:
+  Dedicated flag for Custom Rules scanning.  
+  It enables the IaC scans to use a custom rules bundle generated via the `snyk-iac-rules` SDK. To download it and learn how to use it, go to
+  https://github.com/snyk/snyk-iac-rules.
+  This flag cannot be used if the custom rules settings were configured via the Snyk UI.
+  Default: If the `--rules` flag is not provided it would scan the configuration files using the internal Snyk rules only.  
+  Example: `--rules=bundle.tar.gz` (scans the configuration files using custom rules and internal Snyk rules)

help/commands-man/snyk-auth.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-AUTH" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-AUTH" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-auth\fR \- Authenticate Snyk CLI with a Snyk account
 .SH "SYNOPSIS"

help/commands-man/snyk-code.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-CODE" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-CODE" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-code\fR \- Find security issues using Static code analysis
 .SH "SYNOPSIS"

help/commands-man/snyk-config.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-CONFIG" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-CONFIG" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-config\fR \- Manage Snyk CLI configuration
 .SH "SYNOPSIS"
@@ -33,6 +33,15 @@ Defines the API endpoint to use\.
 .TP
 \fBdisable\-analytics\fR
 Turns off analytics reporting\.
+.TP
+\fBoci\-registry\-url\fR
+Configures the OCI registry used in IaC scannings with custom rules\.
+.TP
+\fBoci\-registry\-username\fR
+Configures the username for an OCI registry used in IaC scannings with custom rules\.
+.TP
+\fBoci\-registry\-password\fR
+Configures the password for an OCI registry used in IaC scannings with custom rules\.
 .SS "Flags available accross all commands"
 .TP
 \fB\-\-insecure\fR

help/commands-man/snyk-container.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-CONTAINER" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-CONTAINER" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-container\fR \- Test container images for vulnerabilities
 .SH "SYNOPSIS"

help/commands-man/snyk-help.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-HELP" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-HELP" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-help\fR \- Prints help topics
 .SH "SYNOPSIS"

help/commands-man/snyk-iac.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-IAC" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-IAC" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-iac\fR \- Find security issues in your Infrastructure as Code files
 .SH "SYNOPSIS"
@@ -62,6 +62,13 @@ It enables to control whether the scan should analyse the full final state (e\.g
 Default: If the \fB\-\-scan\fR flag is not provided it would scan the proposed changes only by default\.
 .br
 Example #1: \fB\-\-scan=planned\-values\fR (full state scan) Example #2: \fB\-\-scan=resource\-changes\fR (proposed changes scan)
+.TP
+\fB\-\-rules=\fR\fIPATH_TO_CUSTOM_RULES_BUNDLE\fR
+Dedicated flag for Custom Rules scanning\.
+.br
+It enables the IaC scans to use a custom rules bundle generated via the \fBsnyk\-iac\-rules\fR SDK\. To download it and learn how to use it, go to https://github\.com/snyk/snyk\-iac\-rules\. This flag cannot be used if the custom rules settings were configured via the Snyk UI\. Default: If the \fB\-\-rules\fR flag is not provided it would scan the configuration files using the internal Snyk rules only\.
+.br
+Example: \fB\-\-rules=bundle\.tar\.gz\fR (scans the configuration files using custom rules and internal Snyk rules)
 .SS "Flags available accross all commands"
 .TP
 \fB\-\-insecure\fR
@@ -98,6 +105,9 @@ $ snyk iac test /path/to/arm_file\.json
 .TP
 \fBTest matching files in a directory\fR
 $ snyk iac test /path/to/directory
+.TP
+\fBTest matching files in a directory using a local custom rules bundle\fR
+$ snyk iac test /path/to/directory \-\-rules=bundle\.tar\.gz
 .SH "EXIT CODES"
 Possible exit codes and their meaning:
 .P

help/commands-man/snyk-ignore.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-IGNORE" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-IGNORE" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-ignore\fR \- Modifies the \.snyk policy to ignore stated issues
 .SH "SYNOPSIS"

help/commands-man/snyk-monitor.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-MONITOR" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-MONITOR" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-monitor\fR \- Snapshot and continuously monitor your project
 .SH "SYNOPSIS"

help/commands-man/snyk-policy.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-POLICY" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-POLICY" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-policy\fR \- Display the \.snyk policy for a package
 .SH "SYNOPSIS"

help/commands-man/snyk-protect.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-PROTECT" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-PROTECT" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-protect\fR \- Applies the patches specified in your \.snyk file to the local file system
 .SH "SYNOPSIS"

help/commands-man/snyk-test.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-TEST" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-TEST" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-test\fR \- test local project for vulnerabilities
 .SH "SYNOPSIS"

help/commands-man/snyk-wizard.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-WIZARD" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-WIZARD" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-wizard\fR \- Configure your policy file to update, auto patch and ignore vulnerabilities
 .SH "SYNOPSIS"

help/commands-man/snyk-woof.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK\-WOOF" "1" "October 2021" "Snyk.io"
+.TH "SNYK\-WOOF" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\-woof\fR \- W00f
 .SH "SYNOPSIS"

help/commands-man/snyk.1

@@ -1,6 +1,6 @@
 .\" generated with Ronn-NG/v0.9.1
 .\" http://github.com/apjanke/ronn-ng/tree/0.9.1
-.TH "SNYK" "1" "October 2021" "Snyk.io"
+.TH "SNYK" "1" "November 2021" "Snyk.io"
 .SH "NAME"
 \fBsnyk\fR \- CLI and build\-time tool to find & fix known vulnerabilities in open\-source dependencies
 .SH "SYNOPSIS"
@@ -282,6 +282,15 @@ $ snyk iac test /path/to/tf\-plan\.json
 $ snyk iac test /path/to/arm_file\.json
 .fi
 .IP "" 0
+.P
+To use your own custom rules to scan IaC configuration files, download the \fBsnyk\-iac\-rules\fR SDK from https://github\.com/snyk/snyk\-iac\-rules\. Follow the instructions there to write, build, and push a custom rules bundle and then either use the Snyk UI to configure your custom rules settings or configure a remote OCI registry locally by running the following commands:
+.IP "" 4
+.nf
+$ snyk config set oci\-registry\-url=https://registry\-1\.docker\.io/username/repo:tag
+$ snyk config set oci\-registry\-username=username
+$ snyk config set oci\-registry\-password=password
+.fi
+.IP "" 0
 .SS "Static code analysis (SAST) scanning"
 See \fBsnyk code \-\-help\fR for more details and examples:
 .IP "" 4

help/commands-md/snyk-config.md

@@ -37,6 +37,15 @@ This command does not manage the `.snyk` file that's part of your project. See `
 - `disable-analytics`:
   Turns off analytics reporting.
 
+- `oci-registry-url`:
+  Configures the OCI registry used in IaC scannings with custom rules.
+
+- `oci-registry-username`:
+  Configures the username for an OCI registry used in IaC scannings with custom rules.
+
+- `oci-registry-password`:
+  Configures the password for an OCI registry used in IaC scannings with custom rules.
+
 
 
 

help/commands-md/snyk-iac.md

@@ -67,6 +67,14 @@ Find security issues in your Infrastructure as Code files.
   Example #1: `--scan=planned-values` (full state scan)
   Example #2: `--scan=resource-changes` (proposed changes scan)
 
+- `--rules=`<PATH_TO_CUSTOM_RULES_BUNDLE>:
+  Dedicated flag for Custom Rules scanning.  
+  It enables the IaC scans to use a custom rules bundle generated via the `snyk-iac-rules` SDK. To download it and learn how to use it, go to
+  https://github.com/snyk/snyk-iac-rules.
+  This flag cannot be used if the custom rules settings were configured via the Snyk UI.
+  Default: If the `--rules` flag is not provided it would scan the configuration files using the internal Snyk rules only.  
+  Example: `--rules=bundle.tar.gz` (scans the configuration files using custom rules and internal Snyk rules)
+
 
 
 
@@ -110,6 +118,9 @@ Find security issues in your Infrastructure as Code files.
 - `Test matching files in a directory`:
   \$ snyk iac test /path/to/directory
 
+- `Test matching files in a directory using a local custom rules bundle`:
+  \$ snyk iac test /path/to/directory --rules=bundle.tar.gz
+
 
 ## EXIT CODES
 

help/commands-md/snyk.md

@@ -324,6 +324,15 @@ See `snyk iac --help` for more details and examples:
     $ snyk iac test /path/to/tf-plan.json
     $ snyk iac test /path/to/arm_file.json
 
+To use your own custom rules to scan IaC configuration files, download the `snyk-iac-rules` SDK from https://github.com/snyk/snyk-iac-rules. Follow the
+instructions there to write, build, and push a custom rules bundle and then
+either use the Snyk UI to configure your custom rules settings or configure
+a remote OCI registry locally by running the following commands:
+
+    $ snyk config set oci-registry-url=https://registry-1.docker.io/username/repo:tag
+    $ snyk config set oci-registry-username=username
+    $ snyk config set oci-registry-password=password
+
 ### Static code analysis (SAST) scanning
 
 See `snyk code --help` for more details and examples: