# IaC Scanner

## Table of Contents

1. [Purpose](#purpose)
2. [Handling Results](#handling_results)
3. [Quick Start](#quick_start)
4. [Usage](#usage)
5. [Configuration](https://docs.xygeni.io/xygeni-products/iac-security/iac-scanner/iac-scanner-configuration)
6. [Detectors](https://docs.xygeni.io/xygeni-products/iac-security/iac-scanner-configuration#detectors)

### Purpose <a href="#purpose" id="purpose"></a>

*Infrastructure-as-Code* or **IaC** is a method to provision and manage IT/Cloud infrastructure through source code (IaC templates) kept under version control, rather than through operating procedures and manual processes.

An **IaC Flaw** is a violation (a "flaw" or "defect", that is, a non-compliance) of a certain policy, found by a detector in an Infrastructure-as-Code (IaC) template. Most flaws are security-related misconfigurations that add significant risk to the infrastructure the template provisions.

### Handling results <a href="#handling_results" id="handling_results"></a>

Each reported flaw typically calls for a direct change in the template. The recommended change is documented in the `Mitigation / Fix` section of the corresponding detector.

### Quick Start <a href="#quick_start" id="quick_start"></a>

To detect security flaws in the Infrastructure-as-Code (IaC) templates found in the current directory and upload the results to the Xygeni platform, run:

```bash
xygeni iac -n MyProject --upload
```

{% hint style="info" %}
The IaC scanner can be launched in two different ways:

1. By its own specific command (`xygeni iac [options]`)

2. By the general scan command (`xygeni scan --run="iac" [options]`)
{% endhint %}

To export only the most important IaC flaws to CSV, for review or for importing the findings into another tool:

```bash
xygeni iac -n MyProject --detectors critical \
            --format csv --output MyProject.iac_flaws.csv
```

### Usage <a href="#usage" id="usage"></a>

The IaC Scanner is launched using the `xygeni iac [options]` command.

For a full reference of all available options, run:

```bash
xygeni iac --help
```

The most important options are:

* Project name, `-n` or `--name`.
* Input: either a directory (`-d|--dir`) or a repository (`-repo|--repository`). If neither is given, the current working directory is scanned.
* Upload results to the service, `--upload`. By default, results are not uploaded.
* Output file (`-o` or `--output`) and format (`-f` or `--format`). If no output file is given (or `stdout` / `-` is used), results go to standard output. Use `--format=none` to produce no output.
* The detectors to run can be tailored with the `--detectors` / `--skip-detectors`, `--framework` / `--skip-framework` and `--cloud` / `--skip-cloud` options. A common use case is to report only issues with high or critical severity, with `--detectors=high`.
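The following is an added example, not part of the Xygeni documentation or CLI, of how the options above are typically combined in a CI job: scan one directory, restrict the run to a single framework and to high-priority detectors, write a CSV artifact and upload the results. It composes the command line in a function so the argument set can be inspected (or checked) before anything runs, and it falls back gracefully when the `xygeni` binary is not on `PATH`. The project name `MyProject`, the directory `infra` and the output file name are illustrative assumptions; the page does not state whether `--framework` accepts a comma-separated list, so a single framework is passed.

```shell
#!/bin/sh
# Added example (not Xygeni's own code): compose and run an IaC scan for CI.
# Assumptions: project "MyProject", templates under ./infra, CSV output file
# name. Only options documented on this page are used.

# Build the `xygeni iac` command line from positional parameters:
#   $1 project name (-n), $2 directory (-d), $3 framework (--framework),
#   $4 detector priority (--detectors, e.g. high or critical),
#   $5 output file (--output). Format is fixed to CSV and results are uploaded.
# Printed as a single line so a caller (or a test) can inspect it.
iac_scan_cmd() {
    project="$1"
    dir="$2"
    framework="$3"
    priority="$4"
    out="$5"
    printf '%s' "xygeni iac -n $project -d $dir --framework $framework --detectors $priority --format csv --output $out --upload"
}

# Run the composed command. Returns 2 (without failing the shell) when the
# CLI is not installed, so the composed line can still be reviewed in the
# job log; otherwise returns the scanner's own exit status.
run_iac_scan() {
    cmd=$(iac_scan_cmd "$@")
    if ! command -v xygeni >/dev/null 2>&1; then
        echo "xygeni CLI not found on PATH; would run: $cmd" >&2
        return 2
    fi
    # All arguments are simple tokens, so word splitting is intended here.
    # shellcheck disable=SC2086
    $cmd
}

# Typical CI invocation: Terraform templates under ./infra, high/critical only.
run_iac_scan MyProject infra terraform high MyProject.iac_flaws.csv
```

The CSV written by `--output` is the artifact to archive in the CI job; the `--upload` flag sends the same findings to the platform so they are tracked there as well.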

```text
Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.iac.yml).
      --[no-]conf-download   Download scanner config? (default: true)
  -b, --baseline=<baseline>  Baseline file (default: .xygeni.iac.baseline.
                               json). If empty, no baseline.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run,
                               PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to
                               ignore, or PRIORITY
      --framework=<frameworks>
                             IaC framework to scan (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --skip-framework=<skipFrameworks>
                             IaC framework to ignore (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --cloud=<cloudProviders>
                             Cloud provider to include (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
      --skip-cloud=<skipCloudProviders>
                             Cloud provider to exclude (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
```
