CLI Tool Commands and Parameters - Terraform and CloudFormation

CLI Tool Commands and Parameters Overview for Terraform and CloudFormation IaC

After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or local executable, you're ready to start using it with Terraform and/or AWS CloudFormation Template (CFT) infrastructure. If you have questions or issues, reach out to us using the Customer Support Portal.

Scanning Kubernetes

To scan Kubernetes infrastructure, the CLI IaC Scanning Tool utilizes different commands and parameters that are detailed on the CLI Commands and Parameters - Kubernetes IaC page.

Prerequisites

Before scanning Terraform or CFT files with the scanning tool, ensure you have the following:

Rename Executable

When you download the mimics executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples in our docs use a simplified executable name.

Command List & Parameters

The command list and parameters are the same regardless of whether you're using mimics via the local executable or Docker.

Global Flags and Parameters

Name              |    Type    |    Description
----              |    ----    |    -----------
--api-key         |    string  |    API key for InsightCloudSec. Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information
--base-url        |    string  |    URL where InsightCloudSec resides (default: "http://localhost:8001/"). Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information
--ca-certificate  |    string  |    Sets the trusted authorities for SSL verification using a CA bundle file (.pem)
--config          |    string  |    Filepath for the configuration file (default: $HOME/.mimics.yaml)
-h, --help        |    N/A     |    Displays the help menu. Contextual help for each command is also available as ./mimics help [command] or ./mimics [command] -h (or --help). Because each command may have sub-commands, the help menu is also available as ./mimics [command] [sub-command] -h (or --help)
--no-color        |    N/A     |    Disables color output
--no-verify       |    N/A     |    Disables SSL verification for all API calls to InsightCloudSec. This is superseded by the usage of --ca-certificate

Commands

Name         |    Description                                                                                                              |    Sub-Commands
----         |    -----------                                                                                                              |    ------------
completion   |    Generates the auto-completion script for the specified shell                                                             |    bash, fish, powershell, zsh (each generates the auto-completion script for that shell)
config       |    List and view scan configurations                                                                                        |    list (List scan configurations); show <config-name> (Detail a given scan configuration)
help         |    Displays the help menu for a given command, e.g., ./mimics help [command]                                                 |    N/A
scan         |    Scans IaC files. This command is always paired with an IaC file to scan, e.g., ./mimics scan file-name.json [flags and parameters]    |    See Flags and Parameters for scan for more information
version      |    Displays the mimics version                                                                                              |    N/A

Flags and Parameters for scan

Name                |    Type    |    Description
----                |    ----    |    -----------
-c, --config-name   |    string  |    IaC config to use for this scan
--report-formats    |    string  |    Format of scan result report artifacts (options: all, json, html, junitxml). If not provided, no artifacts will be saved
--report-name       |    string  |    Name used for generated report artifact files (default: "scan_output")
--report-path       |    string  |    Directory path to store report artifacts. Defaults to the current directory
-a, --author        |    string  |    Custom author for scan
--no-fail           |    N/A     |    Suppresses the error code returned by scans containing failures
--no-progress       |    N/A     |    Disables progress console animations
-p, --provider      |    string  |    IaC provider to use for the scan. Options are: terraform, cft
-s, --scan-name     |    string  |    Custom name for scan
--parameters        |    string  |    Path to a CloudFormation Template (CFT) parameters file. Defaults to none. CFT-only: takes a JSON file that specifies values for any user-defined parameters
--overrides         |    string  |    Path to a JSON file. Defaults to none. CFT-only: takes a JSON file that specifies values for pseudo-parameters and overrides values for user-defined parameters. These values take precedence over those specified via --parameters

Using mimics with Terraform/CFT

Use of the scanning tool depends on how you set it up. Below are examples using the scanning tool with each setup method.

Docker

Because the scanning tool is invoked using a public Docker image, the base command is more complicated than invoking the local executable:

docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest [mimics command] [mimics flags]

Important Docker Flags

InsightCloudSec recommends providing the following Docker flags with each invocation:

  • Use -v to establish a local volume that the Docker container can pull files from
  • Use -e to establish an environment variable the Docker container recognizes -- two variables will need to be passed into the image: the InsightCloudSec URL and API key (MIMICS_BASE_URL and MIMICS_API_KEY in the examples below)

Scan Example

docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan \
data/plan.json \
-p terraform \
-c "Azure Checks" \
-s "Github Actions Demo" \
--report-formats all \
--report-path "/data/reports" \
--no-progress

Zsh Completion Example

docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest completion zsh
#compdef _mimics mimics

# zsh completion for mimics                               -*- shell-script -*-

__mimics_debug()
{
    local file="$BASH_COMP_DEBUG_FILE"
    if [[ -n ${file} ]]; then
        echo "$*" >> "${file}"
    fi
}

_mimics()
{
...
}

# don't run the completion function when being source-ed or eval-ed
if [ "$funcstack[1]" = "_mimics" ]; then
    _mimics
fi

List IaC Configurations Example

docker run \
-v $(pwd):/data \
-e MIMICS_BASE_URL=$ICS_BASE_URL \
-e MIMICS_API_KEY=$ICS_API_KEY \
public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest config list \
--no-verify
Config name                                         |    Total scans    |    Last scan time
-----------                                         |    -----------    |    --------------
tests config1                                       |    132            |    2022-05-21T10:43:46Z
AWS Config                                          |    3              |    2021-04-09T13:07:50Z
test config 4                                       |    1              |    2019-11-15T15:20:24Z
HIPAA Custom                                        |    4              |    2020-07-08T19:55:10Z

Local Executable

To use the local executable, follow the pattern ./mimics [command] [flags] for Mac/Linux or mimics.exe [command] [flags] for Windows.

Scan Example

./mimics scan data/plan.json \
-p terraform \
-c "Azure Checks" \
-s "Github Actions Demo" \
--report-formats all \
--report-path "/data/reports" \
--no-progress \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify

Show IaC Configuration Example

./mimics config show "tests config1" \
--api-key "<my-api-key>" \
--base-url "http://localhost:8001/" \
--no-verify
Insight Name                                                          |    Description
------------                                                          |    -----------
Cloud Account without Global API Accounting Config (AWS)              |    Identify Accounts Without API Accounting Config, Such as AWS CloudTra...
Cloud Root Account API Access Key Present                             |    Identify Accounts With API Access Keys Present on the Root Account
Cloud User Account without MFA                                        |    Identify cloud user accounts which do not require two-factor authenti...
Cloud Account without Root Account MFA Protection                     |    Identify Accounts Which Still Have the Root Account Active Without Tw...
Network without Traffic Logging                                       |    Identify Networks, e.g., AWS VPCs, That Do Not Have Network Logging E...
API Key Unused For 90 Days                                            |    Identify API keys that have not been used within the past 90 days
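As an added example (not from the InsightCloudSec docs or the mimics project), the following POSIX shell function composes the scan command for either invocation style shown above from the constraints in the scan flag table: it rejects unknown providers and report formats, refuses the CFT-only --parameters/--overrides flags for Terraform scans, and in Docker mode routes credentials through the MIMICS_* environment variables rather than command-line flags. The function name, the MIMICS_ENFORCE variable and the assumption that the IaC file sits in the directory mounted at /data are the author's own.

```shell
#!/bin/sh
# Added example, not part of the InsightCloudSec docs or the mimics project:
# compose a `mimics scan` command line for CI from a few arguments, applying
# the constraints in the flag table. It prints the command; it does not run it.

# build_scan_cmd <docker|local> <provider> <iac-file> <report-format> [cft-params.json] [cft-overrides.json]
# Prints the command on stdout and returns 0; returns 1 with a reason on stderr.
build_scan_cmd() {
    mode=$1 provider=$2 file=$3 fmt=$4 params=$5 overrides=$6

    case "$provider" in
        terraform|cft) ;;
        *) echo "provider must be terraform or cft (got '$provider')" >&2; return 1 ;;
    esac
    case "$fmt" in
        all|json|html|junitxml) ;;
        *) echo "report format must be all, json, html or junitxml (got '$fmt')" >&2; return 1 ;;
    esac
    # --parameters and --overrides are CFT-only; reject them for Terraform rather
    # than letting a CI job silently pass flags that do not apply to the scan.
    if [ "$provider" = terraform ] && [ -n "$params$overrides" ]; then
        echo "--parameters/--overrides require -p cft" >&2; return 1
    fi

    if [ "$mode" = docker ]; then
        # Credentials go in as MIMICS_* environment variables (-e), as the docs
        # recommend, so the API key never appears as a command-line flag.
        # Assumption: the IaC file sits in the working directory mounted at /data.
        cmd="docker run -v \$(pwd):/data -e MIMICS_BASE_URL=\$ICS_BASE_URL -e MIMICS_API_KEY=\$ICS_API_KEY"
        cmd="$cmd public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan /data/$file"
    else
        cmd="./mimics scan $file"
    fi
    cmd="$cmd -p $provider --report-formats $fmt --no-progress"
    if [ -n "$params" ]; then cmd="$cmd --parameters $params"; fi
    if [ -n "$overrides" ]; then cmd="$cmd --overrides $overrides"; fi
    # By default a scan with failures exits non-zero and fails the CI job;
    # MIMICS_ENFORCE=0 (assumed variable name) adds --no-fail for informational scans.
    if [ "${MIMICS_ENFORCE:-1}" = 0 ]; then cmd="$cmd --no-fail"; fi
    printf '%s\n' "$cmd"
}
```

The printed line is meant to be pasted into a CI step, where that shell expands $(pwd) and the ICS_* variables; leave MIMICS_ENFORCE unset so scans containing failures fail the job.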

Viewing CLI Scan Details in the UI

After performing a scan using the CLI tool you can view scan details through the InsightCloudSec UI. All CLI Scans will be included in the IaC Scan list and can be viewed in the same way as API or On-Demand Scans.

Check out the Viewing Scan Results page for details on viewing your scan results within the UI, including summary details.

[Image: IaC UI - CLI Scans]

