IaC Scanner
Purpose
Infrastructure-as-Code (IaC) is a method to provision and manage IT and cloud infrastructure through source code (IaC templates) kept under version control, rather than through operating procedures and manual processes.
An IaC flaw is a "flaw" or "defect" (a non-compliance with a given policy) found in an Infrastructure-as-Code (IaC) template. Most flaws are security-related issues that add significant risk to the provisioned infrastructure.
Handling results
Each reported flaw typically suggests a direct change in the template that fixes it. The recommended action is documented in the Mitigation / Fix section of the corresponding detector.
Quick Start
To detect security flaws in the Infrastructure-as-Code (IaC) templates found in the current directory and upload the results to the Xygeni platform, run the command shown below:
xygeni iac -n MyProject --upload
To export the most important IaC flaws to CSV for review, or to import the findings into another tool:
xygeni iac -n MyProject --detectors critical \
--format csv --output MyProject.iac_flaws.csv
Usage
The IaC Scanner is launched using the xygeni iac [options] command.
For a full reference of all available options, run:
xygeni iac --help
The most important options are:
- Name of the project, -n or --name.
- Input, either a directory (-d|--dir) or a repository (-repo|--repository). If none is given, the current directory is assumed.
- Upload results to the service, --upload. By default, results are not uploaded.
- Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), the standard output is used. Use --format=none for no output.
- The detectors to run can be tailored with the --detectors / --skip-detectors, --framework / --skip-framework and --cloud / --skip-cloud options. A common use case is to consider only issues with high or critical severity, with --detectors=high.
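The following POSIX shell script is an added example for this page; it is not part of the Xygeni documentation or product. It composes a xygeni iac command line for a CI job from plain arguments using only the flags documented here, rejects framework and cloud names that are not in the documented --framework / --cloud lists before the scanner is invoked, and runs in dry-run mode unless XYGENI_EXECUTE=1 is set. The function names, the argument order and the XYGENI_EXECUTE variable are this script's own conventions, not scanner features.

```shell
#!/bin/sh
# Added example (not Xygeni's code): build and optionally run a `xygeni iac`
# invocation for CI. Only flags documented on this page are used; the
# function names, argument order and XYGENI_EXECUTE are this script's own.

# Documented values for --framework and --cloud (from `xygeni iac --help`).
IAC_FRAMEWORKS="arm bicep aws_cloudformation gcp_deployment_manager dockerfile \
github_config github_action gitlab_config bitbucket_config helm json yaml \
kubernetes kustomize serverless terraform terraform_plan unknown all"
IAC_CLOUDS="aws azure gcp kubernetes alibaba_cloud ibm_cloud oracle_cloud \
cloudstack digitalocean openstack docker podman other"

# in_list NEEDLE "WORD WORD ..." -> returns 0 if NEEDLE is one of the words.
in_list() {
    for _w in $2; do
        [ "$_w" = "$1" ] && return 0
    done
    return 1
}

# build_iac_args PROJECT DIR PRIORITY FRAMEWORK CLOUD OUTPUT UPLOAD
#   PRIORITY:  value for --detectors (detector IDs, a PRIORITY such as high
#              or critical, or 'all')
#   FRAMEWORK: one documented framework name ('all' scans every framework)
#   CLOUD:     one documented cloud name, or empty to not restrict by cloud
#   OUTPUT:    CSV file path, or 'none' to suppress the local report
#   UPLOAD:    yes|no; adds --upload (results are not uploaded by default)
# Prints the argument string for `xygeni iac`; returns 1 on a framework or
# cloud name the scanner does not document.
build_iac_args() {
    _project="$1"; _dir="$2"; _priority="$3"; _framework="$4"
    _cloud="$5"; _output="$6"; _upload="$7"

    in_list "$_framework" "$IAC_FRAMEWORKS" || {
        echo "unknown framework: $_framework" >&2; return 1; }
    if [ -n "$_cloud" ]; then
        in_list "$_cloud" "$IAC_CLOUDS" || {
            echo "unknown cloud: $_cloud" >&2; return 1; }
    fi

    _args="iac --name $_project --dir $_dir --detectors $_priority --framework $_framework"
    [ -n "$_cloud" ] && _args="$_args --cloud $_cloud"
    if [ "$_output" = "none" ]; then
        _args="$_args --format none"          # upload-only run, no local report
    else
        _args="$_args --format csv --output $_output"
    fi
    [ "$_upload" = "yes" ] && _args="$_args --upload"
    printf '%s\n' "$_args"
}

# run_iac_scan: same arguments as build_iac_args. Prints the command that
# would run; executes it only when XYGENI_EXECUTE=1 and xygeni is on PATH.
run_iac_scan() {
    _cmd_args=$(build_iac_args "$@") || return 1
    echo "xygeni $_cmd_args"
    if [ "${XYGENI_EXECUTE:-0}" = "1" ] && command -v xygeni >/dev/null 2>&1; then
        # shellcheck disable=SC2086  # intentional word splitting of the arg string
        xygeni $_cmd_args
    fi
}

# Dry run: critical findings in the Terraform under ./infra targeting AWS,
# exported to CSV and not uploaded.
run_iac_scan MyProject ./infra critical terraform aws MyProject.iac_flaws.csv no
```

The arguments are passed as a single space-separated string, so paths containing spaces are not supported by this script; rejecting an unknown --framework or --cloud value locally avoids a failed CI run that is only diagnosed after the scanner starts. Set XYGENI_EXECUTE=1 in the pipeline to turn the dry run into a real scan, and pass yes as the last argument when the results should reach the platform.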
Configuration options:
-c, --conf=<config>       Configuration file (default: xygeni.iac.yml).
--[no-]conf-download      Download scanner config? (default: true)
-b, --baseline=<baseline> Baseline file (default: .xygeni.iac.baseline.json).
                          If empty, no baseline.
--custom-detectors-dir=<customDetectorsDir>
Directory with custom detectors.
--detectors=<detectors>
Comma-separated list of IDs for detectors to run,
PRIORITY or 'all'
--skip-detectors=<skipDetectors>
Comma-separated list of IDs for detectors to
ignore, or PRIORITY
--framework=<frameworks>
IaC framework to scan (arm, bicep,
aws_cloudformation, gcp_deployment_manager,
dockerfile, github_config, github_action,
gitlab_config, bitbucket_config, helm, json,
yaml, kubernetes, kustomize, serverless,
terraform, terraform_plan, unknown, all).
--skip-framework=<skipFrameworks>
IaC framework to ignore (arm, bicep,
aws_cloudformation, gcp_deployment_manager,
dockerfile, github_config, github_action,
gitlab_config, bitbucket_config, helm, json,
yaml, kubernetes, kustomize, serverless,
terraform, terraform_plan, unknown, all).
--cloud=<cloudProviders>
Cloud provider to include (aws, azure, gcp,
kubernetes, alibaba_cloud, ibm_cloud,
oracle_cloud, cloudstack, digitalocean,
openstack, docker, podman, other).
--skip-cloud=<skipCloudProviders>
Cloud provider to exclude (aws, azure, gcp,
kubernetes, alibaba_cloud, ibm_cloud,
oracle_cloud, cloudstack, digitalocean,
openstack, docker, podman, other).