# IaC Scanner

## Table of Contents

1. [Purpose](#purpose)
2. [Handling Results](#handling_results)
3. [Quick Start](#quick_start)
4. [Usage](#usage)
5. [Configuration](https://docs.xygeni.io/xygeni-products/iac-security/iac-scanner/iac-scanner-configuration)
6. [Detectors](https://docs.xygeni.io/xygeni-products/iac-security/iac-scanner-configuration#detectors)

### Purpose <a href="#purpose" id="purpose"></a>

*Infrastructure-as-Code* or **IaC** is a method to provision and manage IT/Cloud infrastructure through the use of source code (IaC templates) under version control, rather than through operating procedures and manual processes.

An **IaC Flaw** represents a "flaw" or "defect" (a non-compliance) for a certain policy, found in an Infrastructure-as-Code (IaC) template. Most flaws represent a security-related issue that adds significant risk.

### Handling results <a href="#handling_results" id="handling_results"></a>

The flaws reported typically suggest a direct change in the template to fix it, documented in `Mitigation / Fix` section for the detector describing the recommended action.

### Quick Start <a href="#quick_start" id="quick_start"></a>

To detect security flaws in the Infrastructure-as-Code (IaC) templates found in the current directory and upload the results to the Xygeni platform, run the command shown below.

```bash
xygeni iac -n MyProject --upload
```

{% hint style="info" %}
The IaC scanner can be launched in two different ways:

1. By its own specific command (`xygeni iac [options]`)

2. By the general scan command (`xygeni scan --run="iac" [options]`)
{% endhint %}

To export only the most important IaC flaws to CSV, for review or for importing the findings into another tool:

```bash
xygeni iac -n MyProject --detectors critical \
            --format csv --output MyProject.iac_flaws.csv
```

### Usage <a href="#usage" id="usage"></a>

The IaC Scanner is launched using the `xygeni iac [options]` command.

For a full reference of all the available options, you can issue:

```bash
xygeni iac --help
```

The most important properties are:

* Name of the project, `-n` or `--name`.
* Input, either a directory (`-d|--dir`) or a repository (`-repo|--repository`). If none given, the local current directory is assumed.
* Upload results to the service, `--upload`. By default, results are not uploaded.
* Output file (`-o` or `--output`) and format (`-f` or `--format`). If no output file is given (or `stdout` / `-` is used), results are written to the standard output. Use `--format=none` for no output.
* The detectors to run can be tailored with the `--detectors` / `--skip-detectors`, `--framework` / `--skip-framework` and `--cloud` / `--skip-cloud` options. A common use case is to consider only issues with high or critical severity, with `--detectors=high`.

```text
Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.iac.yml).
      --[no-]conf-download   Download scanner config? (default: true)
  -b, --baseline=<baseline>  Baseline file (default: .xygeni.iac.baseline.
                               json). If empty, no baseline.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run,
                               PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to
                               ignore, or PRIORITY
      --framework=<frameworks>
                             IaC framework to scan (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --skip-framework=<skipFrameworks>
                             IaC framework to ignore (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --cloud=<cloudProviders>
                             Cloud provider to include (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
      --skip-cloud=<skipCloudProviders>
                             Cloud provider to exclude (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
```
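The Quick Start and Usage sections describe exporting the high- or critical-severity flaws to CSV and feeding them to another tool. A common "other tool" is the CI pipeline itself: fail the build when the export is not empty. The script below is an added example, not part of the Xygeni documentation or CLI. It assumes `xygeni` is on `PATH` (the scan step is skipped when it is not, so the gate can be exercised on a constructed CSV), and it assumes the CSV export has a header row with a column named `severity`; the column name and the detector IDs in the sample file are assumptions, not values taken from the product.

```shell
#!/bin/sh
# Added example (not Xygeni's own code): run `xygeni iac` as a CI gate on
# high/critical IaC flaws, using the CSV export described in the docs.

# Count rows whose severity is "critical" or "high".
# $1: path to the CSV export. The header row is read to locate the column
# named "severity" (assumed column name); the rest are one flaw per line.
count_high_or_critical() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) if (tolower($i) == "severity") col = i; next }
    col && (tolower($col) == "critical" || tolower($col) == "high") { n++ }
    END { print n + 0 }' "$1"
}

# Scan a directory and fail (non-zero exit) if any high/critical flaw remains.
# $1: project name (-n), $2: directory to scan (-d, default "."), $3: CSV output path.
scan_and_gate() {
  project="$1"; dir="${2:-.}"; out="$3"
  if command -v xygeni >/dev/null 2>&1; then
    # Options as documented on the page: name, directory, priority filter, CSV export.
    xygeni iac -n "$project" -d "$dir" --detectors high \
               --format csv --output "$out" || return 2
  fi
  n=$(count_high_or_critical "$out")
  echo "high/critical IaC flaws in $project: $n"
  [ "$n" -eq 0 ]
}

# Constructed sample export, used to exercise the gate without the CLI installed.
# Detector IDs, file names and the column layout are all made up for this example.
make_sample_csv() {
  cat > "$1" <<'EOF'
detector,severity,file,line
example_s3_public_read,critical,terraform/bucket.tf,12
example_missing_tags,low,terraform/bucket.tf,3
example_open_ssh_ingress,high,terraform/sg.tf,20
EOF
}

# Usage in a pipeline step (exit status drives the build result):
#   scan_and_gate MyProject . MyProject.iac_flaws.csv
```

Keeping the gate as a separate function lets the same CSV be archived as a build artifact for review while still blocking the merge; when the detector filter in `--detectors` changes (for example to `critical` only), the `awk` match in `count_high_or_critical` should be narrowed to match.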
