IaC Scanner


Purpose

Infrastructure-as-Code (IaC) is a method of provisioning and managing IT/cloud infrastructure through source code (IaC templates) kept under version control, rather than through manual operating procedures and processes.

An IaC flaw is a defect (a non-compliance with a given policy) found in an Infrastructure-as-Code (IaC) template. Most flaws are security-related issues that add significant risk.

Handling results

Each reported flaw typically suggests a direct change to the template that fixes it; the recommended action is documented in the Mitigation / Fix section of the corresponding detector.

Quick Start

To detect security flaws in Infrastructure-as-Code (IaC) templates found in the current directory, the command shown below uploads the results to the Xygeni platform.

The IaC scanner can be launched in two different ways:

1.- By its own specific command (xygeni iac [options])

2.- By the general scan command (xygeni scan --run="iac" [options])

To export the most important IaC flaws to CSV, either for review or for import into another tool:

Usage

The IaC Scanner is launched using the xygeni iac [options] command.

For a full reference of all available options, issue:

The most important properties are:

  • Name of the project, -n or --name.

  • Input, either a directory (-d|--dir) or a repository (-repo|--repository). If neither is given, the current local directory is assumed.

  • Upload results to the service, --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout or - is used), results are written to standard output. Use --format=none to produce no output.

  • The detectors to run can be tailored with the --detectors / --skip-detectors, --framework / --skip-framework and --cloud / --skip-cloud options. A common use-case is to consider only issues with high or critical severity, with --detectors=high.
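The following wrapper is an added example, not a script from Xygeni's documentation or product. It combines the Quick Start invocation with the options listed above into a single POSIX sh function suitable for a CI job: it picks --dir or --repository from the shape of the target, runs only high/critical detectors, exports to CSV when a file name is given and otherwise suppresses local output, and uploads only when explicitly asked. The XYGENI and XYGENI_UPLOAD variables and the remote-target heuristic are assumptions of this example, not scanner features; the option names themselves are the ones documented on this page.

```shell
#!/bin/sh
# Added example, not Xygeni's own script: a POSIX sh wrapper around the
# `xygeni iac` command built only from the options documented on this page.
# The XYGENI and XYGENI_UPLOAD variables and the remote-target heuristic are
# this example's assumptions, not scanner features.

# Usage: iac_scan NAME TARGET [CSV_FILE]
#   NAME     project name passed with --name
#   TARGET   local directory (--dir) or remote repository (--repository)
#   CSV_FILE optional; when given, flaws are exported with --format=csv
iac_scan() {
  name=$1
  target=$2
  csv=$3

  # Base invocation: only high/critical detectors, the common CI use-case.
  set -- iac --name "$name" --detectors=high

  # Assumption: anything with a URL scheme or a git@ prefix is a remote repository.
  case "$target" in
    *://*|git@*) set -- "$@" --repository "$target" ;;
    *)           set -- "$@" --dir "$target" ;;
  esac

  if [ -n "$csv" ]; then
    set -- "$@" --format=csv --output "$csv"   # export for review or another tool
  else
    set -- "$@" --format=none                  # no local output, e.g. upload-only runs
  fi

  # Results are not uploaded by default; opt in explicitly from the pipeline.
  if [ "${XYGENI_UPLOAD:-0}" = 1 ]; then
    set -- "$@" --upload
  fi

  # XYGENI (assumed variable) lets a pipeline point at a specific executable.
  "${XYGENI:-xygeni}" "$@"
}
```

A pipeline step would call, for example, `XYGENI_UPLOAD=1 iac_scan my-project .` to scan the checkout and upload, or `iac_scan my-project . flaws.csv` to keep a CSV artifact for review without uploading.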
