IaC Scanner
Purpose
Infrastructure-as-Code or IaC is a method to provision and manage IT/Cloud infrastructure through the use of source code (IaC templates) under version control, rather than through operating procedures and manual processes.
An IaC flaw is a defect (a non-compliance with a given policy) found in an Infrastructure-as-Code (IaC) template. Most flaws are security-related issues that add significant risk.
Handling results
Each reported flaw typically suggests a direct change to the template that fixes it; the recommended action is documented in the Mitigation / Fix section of the corresponding detector.
Quick Start
To detect security flaws in Infrastructure-as-Code (IaC) templates found in the current directory and upload the results to the Xygeni platform, use the command shown below.
The IaC scanner can be launched in two different ways:
1.- By its own specific command (xygeni iac [options])
2.- By the general command (xygeni scan --run="iac" [options])
To export the most important IaC flaws to CSV for review, or to import the findings into another tool:
Usage
The IaC Scanner is launched using the xygeni iac [options] command.
For a full reference of all the available options, you can issue:
The most important properties are:
- Name of the project: -n or --name.
- Input: either a directory (-d | --dir) or a repository (-repo | --repository). If none is given, the local current directory is assumed.
- Upload results to the service: --upload. By default, results are not uploaded.
- Output file (-o or --output) and format (-f or --format). If no output file is given (or stdout / - is used), the standard output is used. Use --format=none for no output.
- The detectors to run can be tailored with the --detectors / --skip-detectors, --framework / --skip-framework and --cloud / --skip-cloud options. A common use case is to consider only issues with high or critical severity, with --detectors=high.