IaC Scanner

Purpose

Infrastructure-as-Code or IaC is a method to provision and manage IT/Cloud infrastructure through the use of source code (IaC templates) under version control, rather than through operating procedures and manual processes.

An IaC Flaw represents a "flaw" or "defect" (a non-compliance) for a certain policy, found in an Infrastructure-as-Code (IaC) template. Most flaws represent a security-related issue that adds significant risk.

Handling results

Each reported flaw typically suggests a direct change to the template that fixes it; the recommended action is documented in the Mitigation / Fix section of the corresponding detector.

Quick Start

To detect security flaws in Infrastructure-as-Code (IaC) templates found in the current directory and upload the results to the Xygeni platform, run the command shown below.

xygeni iac -n MyProject --upload

The IaC scanner can be launched in two different ways:

1. By its own specific command (xygeni iac [options])

2. By the general command (xygeni scan --run="iac" [options])

To export the most important IaC flaws to CSV for review, or to import the findings into another tool:

xygeni iac -n MyProject --detectors critical \
            --format csv --output MyProject.iac_flaws.csv

Usage

The IaC Scanner is launched using the xygeni iac [options] command.

For a full reference of all the available options, run:

xygeni iac --help

The most important properties are:

  • Name of the project, -n or --name.

  • Input, either a directory (-d|--dir) or a repository (-repo|--repository). If none given, the local current directory is assumed.

  • Upload results to the service, --upload. By default, results are not uploaded.

  • Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), results go to standard output. Use --format=none for no output.

  • The detectors to run can be tailored with the --detectors / --skip-detectors, --framework / --skip-framework and --cloud / --skip-cloud options. A common use case is to consider only issues with high or critical severity, with --detectors=high.
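The Quick Start CSV export and the --detectors priority filter above combine naturally into a CI gate: scan, export the critical flaws to CSV, and fail the job when the count exceeds a threshold. The script below is an added example written for this page, not part of the Xygeni documentation or CLI. It assumes the xygeni binary is on PATH and that the CSV report has one header row followed by one row per flaw; it makes no assumption about the column layout, since the page does not document it. PROJECT, REPORT and MAX_FLAWS are names chosen here, not scanner options.

```shell
#!/bin/sh
# Added example, not part of the Xygeni documentation: gate a CI job on the
# number of critical IaC flaws that `xygeni iac` exports to CSV.
# Assumptions (not stated on the page): the xygeni CLI is on PATH, and the CSV
# has one header row followed by one row per flaw; no column layout is assumed.

PROJECT="${PROJECT:-MyProject}"             # project name passed with -n
REPORT="${REPORT:-$PROJECT.iac_flaws.csv}"  # CSV file written with --output
MAX_FLAWS="${MAX_FLAWS:-0}"                 # how many critical flaws to tolerate

# Scan the current directory with the critical-priority detectors only and
# write the findings as CSV. Returns the scanner's own exit status.
run_iac_scan() {
  xygeni iac -n "$PROJECT" --detectors critical \
             --format csv --output "$REPORT"
}

# Print the number of data rows in a CSV file (lines after the header).
# A missing or empty file counts as zero flaws; a final line without a
# trailing newline is still counted, which `wc -l` would miss.
count_flaws() {
  file="$1"
  [ -f "$file" ] || { echo 0; return 0; }
  awk 'NR > 1 { n++ } END { print n + 0 }' "$file"
}

# Pass (return 0) when the flaw count is within the limit, fail (return 1) otherwise.
gate() {
  flaws="$1"
  limit="$2"
  if [ "$flaws" -gt "$limit" ]; then
    echo "FAIL: $flaws critical IaC flaw(s), limit is $limit" >&2
    return 1
  fi
  echo "OK: $flaws critical IaC flaw(s), limit is $limit"
  return 0
}

# Full pipeline: a scanner failure is reported separately (exit 2) so it is
# not confused with "no flaws found".
main() {
  run_iac_scan || { echo "xygeni iac failed" >&2; return 2; }
  gate "$(count_flaws "$REPORT")" "$MAX_FLAWS"
}

# Run the pipeline only when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Invoke it from the CI step as `sh iac_gate.sh --run`; raise MAX_FLAWS temporarily only when a baseline file (see -b / --baseline above) is not yet available, since the baseline is the intended way to suppress known findings rather than loosening the gate.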

Configuration options:
  -c, --conf=<config>        Configuration file (default: xygeni.iac.yml).
      --[no-]conf-download   Download scanner config? (default: true}
  -b, --baseline=<baseline>  Baseline file (default: .xygeni.iac.baseline.
                               json). If empty, no baseline.
      --custom-detectors-dir=<customDetectorsDir>
                             Directory with custom detectors.
      --detectors=<detectors>
                             Comma-separated list of IDs for detectors to run,
                               PRIORITY or 'all'
      --skip-detectors=<skipDetectors>
                             Comma-separated list of IDs for detectors to
                               ignore, or PRIORITY
      --framework=<frameworks>
                             IaC framework to scan (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --skip-framework=<skipFrameworks>
                             IaC framework to ignore (arm, bicep,
                               aws_cloudformation, gcp_deployment_manager,
                               dockerfile, github_config, github_action,
                               gitlab_config, bitbucket_config, helm, json,
                               yaml, kubernetes, kustomize, serverless,
                               terraform, terraform_plan, unknown, all).
      --cloud=<cloudProviders>
                             Cloud provider to include (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
      --skip-cloud=<skipCloudProviders>
                             Cloud provider to exclude (aws, azure, gcp,
                               kubernetes, alibaba_cloud, ibm_cloud,
                               oracle_cloud, cloudstack, digitalocean,
                               openstack, docker, podman, other).
