IaC CLI Scanning Tool

Details on Using the CLI Scanning Tool to Perform Scans for IaC

The Infrastructure as Code CLI tool enables customers to use the command line interface to run scans with the Infrastructure as Code capability available within InsightCloudSec. The primary use case for this tool is to perform an IaC scan that identifies possible misconfigurations earlier in the development process, even before the code is pushed into the pipeline.

For a high-level overview of IaC Security (including prerequisites to get started) check out the IaC Security Overview or our IaC Security Workflow.

Prerequisites

Before getting started with the IaC CLI Scanning Tool we want to ensure you have the following:

  • A user in InsightCloudSec with the Editor entitlement or greater permissions
  • An API key for your user
  • An IaC Configuration created via UI

Download one of the following files, based on your environment:

If you have questions or issues, reach out to us through the Customer Support Portal.

Deployment Instructions

For Mac or Linux

1. From a terminal, change directory to the location of the executable script file.

2. Run the following command: chmod +x ./mimics.

3. Open/execute the file with ./mimics. This should display the help menu (see Using the CLI Tool for verification).

For Windows

1. From a terminal, change directory to the location of the executable script file.

2. Run the following command: mimics.exe. This should display the help menu (see Using the CLI Tool for verification).

Using the CLI Tool

After successful deployment, the first time you run the program it should output the help menu, which will look similar to this regardless of your deployment type:

(Screenshot: Command Output Summary)

To actually use the program, follow the pattern ./mimics [command] [flags]. For example:

./mimics --api-key {user_api_key} --base-url {environment_url} scan -a {author_name} -c {configure_name} -p {provider_type} -s {scan_name} {Where/the/Plan/you/want/to/scan} --report-formats {file_type} --report-name {Name} --report-path {where/you/want/report}

  • Use -h or --help for assistance with commands, e.g., ./mimics config -h or ./mimics scan -h.

Command List & Parameters

Required

Global flag:

  • --api-key - string, API key for InsightCloudSec

Scan:

  • -c or --config-name - string, IaC config to use for this scan

  • --report-formats - strings, formats of the scan result report artifacts (all, json, html, junitxml); if not provided, no artifacts will be saved

  • --report-name - string, name used for generated report artifact files (default "scan_output")

  • --report-path - string, directory path to store report artifacts, defaults to the current directory

Optional

Global flag:

  • --base-url - string, URL where the InsightCloudSec API resides (default http://localhost:8001/)

  • --ca-certificate - string, sets the trusted authorities for SSL verification using a CA bundle file (.pem)

  • --no-color - disables color output

  • --no-verify - disables SSL verification for all API calls to InsightCloudSec (superseded by --ca-certificate)

Scan:

  • -a or --author - string, custom author for scan

  • -c or --config-name - string, IaC config to use for this scan

  • -h or --help - help for scan

  • --no-fail - suppresses error code returned by scans containing failures

  • --no-progress - disables progress console animations

  • -p or --provider - string, IaC provider to use for the scan {cft|terraform}

  • -s or --scan-name - string, custom name for scan

  • --parameters - string, path to a CloudFormation Template (CFT) parameters file, defaults to none

    • CFT-only. Takes a JSON file to specify values for any user-defined parameters.
    • The existing parameter JSON file that you would normally pass to AWS is supported. Review AWS' CFT parameters documentation for more information.
  • --overrides - string, path to a JSON file

    • CFT-only. Takes a JSON file to specify values for pseudo-parameters and to override values for user-defined parameters. These values take precedence over those specified via --parameters.
    • This file should be formatted as a JSON object with pseudo-parameter or parameter names as keys.
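As an added example (not Rapid7's code and not part of the original page), the following Python wrapper assembles a CFT scan from the flags listed above: it sources the API key from an environment variable instead of a hardcoded string, trusts a CA bundle via --ca-certificate rather than disabling verification with --no-verify, and models the documented rule that --overrides values take precedence over --parameters. The variable name ICS_API_KEY, the config name, the template and file names, and the sample parameter/override contents are assumptions.

```python
import json
import os
import subprocess
from pathlib import Path

# Constructed sample inputs: a CFT parameters file as you would pass it to AWS,
# and an overrides file keyed by pseudo-parameter/parameter name.
SAMPLE_PARAMETERS = [
    {"ParameterKey": "InstanceType", "ParameterValue": "t3.micro"},
    {"ParameterKey": "Environment", "ParameterValue": "dev"},
]
SAMPLE_OVERRIDES = {"AWS::Region": "us-east-1", "Environment": "prod"}

def effective_parameters(parameters, overrides):
    """Values the scan ends up with: --overrides take precedence over --parameters."""
    merged = {p["ParameterKey"]: p["ParameterValue"] for p in parameters}
    merged.update(overrides)
    return merged

def build_scan_argv(api_key, base_url, config_name, template, report_path,
                    params_file=None, overrides_file=None, ca_bundle=None,
                    fail_on_findings=True):
    """Assemble the mimics invocation: global flags first, then the scan subcommand."""
    argv = ["./mimics", "--api-key", api_key, "--base-url", base_url]
    if ca_bundle:  # trust a CA bundle instead of disabling SSL verification with --no-verify
        argv += ["--ca-certificate", ca_bundle]
    argv += ["scan", "-c", config_name, "-p", "cft", "-s", Path(template).stem,
             str(template), "--report-formats", "all", "--report-name", "scan_output",
             "--report-path", report_path, "--no-progress"]
    if params_file:
        argv += ["--parameters", params_file]
    if overrides_file:
        argv += ["--overrides", overrides_file]
    if not fail_on_findings:
        argv.append("--no-fail")  # suppress the non-zero exit code for scans with failures
    return argv

def run_scan(argv):
    """Run the scan; without --no-fail a non-zero exit code means the scan found failures."""
    return subprocess.run(argv, check=False).returncode == 0

if __name__ == "__main__":
    key = os.environ.get("ICS_API_KEY")  # assumed variable name; keeps the key out of the script
    if not key:
        raise SystemExit("set ICS_API_KEY to your InsightCloudSec API key")
    Path("overrides.json").write_text(json.dumps(SAMPLE_OVERRIDES))
    argv = build_scan_argv(key, "http://localhost:8001/", "my-iac-config", "template.yaml",
                           ".", overrides_file="overrides.json")
    raise SystemExit(0 if run_scan(argv) else 1)
```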

Viewing CLI Scan Details in the UI

After performing a scan using the CLI tool you can view scan details through the InsightCloudSec UI. All CLI Scans will be included in the IaC Scan list and can be viewed in the same way as API or On-Demand Scans.

Check out the Viewing Scan Results page for details on viewing your scan results within the UI, including summary details.

(Screenshot: IaC UI - CLI Scans)
