
Snowflake

Snowflake security scanning focuses on identity governance, data access control, and platform configuration. The auditor identifies risky role assignments and potential data exfiltration vectors.

Authentication

Snowflake supports several methods for programmatic access. Choose the method that best fits your security policy.

Basic Auth: traditional username and password authentication.

export SNOWFLAKE_ACCOUNT="your-account"
export SNOWFLAKE_USER="your-user"
export SNOWFLAKE_PASSWORD="your-password"

Key Pair (JWT): uses a private key to sign a JWT for authentication.

export SNOWFLAKE_ACCOUNT="your-account"
export SNOWFLAKE_USER="your-user"
export SNOWFLAKE_PRIVATE_KEY_PATH="/path/to/key.p8"

OAuth: uses an OAuth token generated by your identity provider.

export SNOWFLAKE_ACCOUNT="your-account"
export SNOWFLAKE_USER="your-user"
export SNOWFLAKE_TOKEN="your-oauth-token"

PAT: uses a persistent Programmatic Access Token for authentication.

export SNOWFLAKE_ACCOUNT="your-account"
export SNOWFLAKE_USER="your-user"
export SNOWFLAKE_PAT="your-pat-token"

Auth Priority

The scanner uses the following order to determine which authentication method to use:

| Priority | Method | Required Variables |
|---|---|---|
| 1 | Key Pair (JWT) | SNOWFLAKE_USER + SNOWFLAKE_PRIVATE_KEY_PATH |
| 2 | PAT | SNOWFLAKE_USER + SNOWFLAKE_PAT |
| 3 | OAuth | SNOWFLAKE_TOKEN |
| 4 | Basic Auth | SNOWFLAKE_USER + SNOWFLAKE_PASSWORD |

Environment Variables

The following variables configure the connection and audit scope.

| Variable | Description | Default |
|---|---|---|
| SNOWFLAKE_ACCOUNT | Account identifier (e.g., xy12345.us-east-1) | |
| SNOWFLAKE_USER | The login name for the auditor | |
| SNOWFLAKE_PASSWORD | The user password (Basic Auth) | |
| SNOWFLAKE_PRIVATE_KEY_PATH | Path to RSA private key PEM file | |
| SNOWFLAKE_TOKEN | OAuth access token | |
| SNOWFLAKE_PAT | Programmatic Access Token | |
| SNOWFLAKE_ROLE | The role to assume during the audit | SECURITYADMIN |
| SNOWFLAKE_WAREHOUSE | The virtual warehouse to use | COMPUTE_WH |
| SNOWFLAKE_DATABASE | Database for ACCOUNT_USAGE views | SNOWFLAKE |
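The following is an added example, not the scanner's own code, that applies the Auth Priority and Environment Variables tables above to a given environment: it reports which method the scanner would pick, fills in the documented defaults, and warns about credentials that are set but ignored because a higher-priority method wins (for instance a password left next to a key pair). The `select_auth` function and `AuthSelection` type are assumptions for this example.

```python
import os
from dataclasses import dataclass, field
from typing import Optional

# Priority order and required variables, as in the "Auth Priority" table.
# The last variable in each tuple is the secret for that method.
AUTH_PRIORITY = [
    ("Key Pair (JWT)", ("SNOWFLAKE_USER", "SNOWFLAKE_PRIVATE_KEY_PATH")),
    ("PAT", ("SNOWFLAKE_USER", "SNOWFLAKE_PAT")),
    ("OAuth", ("SNOWFLAKE_TOKEN",)),
    ("Basic Auth", ("SNOWFLAKE_USER", "SNOWFLAKE_PASSWORD")),
]

# Defaults from the "Environment Variables" table.
DEFAULTS = {
    "SNOWFLAKE_ROLE": "SECURITYADMIN",
    "SNOWFLAKE_WAREHOUSE": "COMPUTE_WH",
    "SNOWFLAKE_DATABASE": "SNOWFLAKE",
}


@dataclass
class AuthSelection:            # hypothetical result type for this example
    method: Optional[str]       # name from the priority table, or None
    settings: dict              # role/warehouse/database after defaults
    warnings: list = field(default_factory=list)


def select_auth(env=None) -> AuthSelection:
    """Pick the first method whose required variables are all non-empty."""
    env = os.environ if env is None else env
    settings = {k: env.get(k) or v for k, v in DEFAULTS.items()}
    sel = AuthSelection(method=None, settings=settings)
    if not env.get("SNOWFLAKE_ACCOUNT"):
        sel.warnings.append("SNOWFLAKE_ACCOUNT is not set; no connection can be made")
    for name, required in AUTH_PRIORITY:
        if all(env.get(v) for v in required):
            sel.method = name
            break
    if sel.method is None:
        sel.warnings.append("no authentication method has all of its required variables")
        return sel
    if sel.method == "Basic Auth":
        sel.warnings.append("password-only auth is itself an IAM finding; prefer key pair or OAuth")
    # Secrets present for lower-priority methods are silently ignored; surface them.
    for name, required in AUTH_PRIORITY:
        secret = required[-1]
        if name != sel.method and env.get(secret):
            sel.warnings.append(f"{secret} is set but ignored because {sel.method} takes priority")
    return sel
```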

Security Checks

Snowflake audits include 55 security checks covering access control and data protection.

| Category | Count | Examples |
|---|---|---|
| IAM | 8 | MFA not enabled, ACCOUNTADMIN default role, password-only auth |
| ACL | 8 | ACCOUNTADMIN/SECURITYADMIN/SYSADMIN grants, MANAGE GRANTS |
| Network | 3 | Missing network policies, no blocked IP list |
| Config | 22 | Unencrypted copy, data exfiltration controls, session policies |
| Data Sharing | 1 | Outbound share review |
| Audit | 3 | Failed logins, logins without MFA |
| SAST | 10 | AWS keys in procedures, SQL injection |