This section of the documentation outlines using the IaC Analyzer UI or On-Demand Scan to scan IaC templates on an as-needed basis. For a high-level overview of IaC Security (including prerequisites to get started) check out IaC Overview or take a look at the IaC Workflow.
An On-Demand Scan can be instructive if you're unfamiliar with the IaC Analyzer. If, however, you are familiar with the IaC Analyzer, we recommend using the IaC Analyzer via the API instead. The On-Demand Scan section of the InsightCloudSec IaC Security interface is available under "Security → Infrastructure as Code → On-Demand Scan".
- Note: Prior to running the IaC Analyzer through the InsightCloudSec UI, you will need to have JSON or YAML (AWS CloudFormation only) output for your IaC template.
CloudFormation Template Conversion Not Required
Since both native CloudFormation Template formats (JSON and YAML) are supported in the IaC Analyzer UI, conversion is not necessary.
If you use Terraform for IaC, you need to convert the plan to human-readable JSON before you can use the On-Demand Scan feature. A Terraform plan or .tf file describes infrastructure in abstract terms; Terraform itself can interpret that plan and render as much as it can determine about the resulting “state of the infrastructure”.
In layman’s terms, it is a translation from abstract to concrete. InsightCloudSec then analyzes that more “concrete” representation, the JSON output.
- To learn more about Terraform, we recommend you check out their documentation.
A simple example of the Terraform commands you need to run to create the JSON for the InsightCloudSec UI is as follows:
1. First, run terraform init to initialize your Terraform environment.
2. Next, run terraform plan -out <plan-name>.plan to create the Terraform plan.
3. Finally, run terraform show -json <plan-name>.plan to output this plan in readable JSON format.
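Before pasting the output of terraform show -json into the textbox, it is worth confirming that the file really is a plan (not a .tf file or a raw state export) and seeing which resource changes the scan will evaluate. The following is an added example, not InsightCloudSec or Terraform code; the embedded plan JSON is a constructed, abbreviated sample with the top-level keys a real plan carries.

```python
"""Sanity-check JSON produced by `terraform show -json <plan>.plan` before
pasting it into the On-Demand Scan textbox. Added example, not product code."""
import json
from collections import Counter

# Constructed, abbreviated sample of `terraform show -json` output; a real
# plan also carries keys such as "configuration" and "prior_state".
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "terraform_version": "1.5.0",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "name": "logs", "values": {"bucket": "example-logs"}}]}},
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "example-logs"}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["update"], "before": {}, "after": {}}},
        {"address": "aws_iam_user.legacy", "type": "aws_iam_user",
         "change": {"actions": ["delete"], "before": {}, "after": None}},
    ],
})

# Keys every `terraform show -json` plan document carries at the top level.
REQUIRED_KEYS = ("format_version", "terraform_version",
                 "planned_values", "resource_changes")


def validate_plan_json(text: str) -> dict:
    """Parse the text and confirm it is a Terraform plan document.
    Raises ValueError with a readable reason if it is not."""
    try:
        plan = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(plan, dict):
        raise ValueError("plan JSON must be a top-level object")
    missing = [k for k in REQUIRED_KEYS if k not in plan]
    if missing:
        raise ValueError(f"missing plan keys: {missing}")
    return plan


def summarize_changes(plan: dict) -> dict:
    """Count planned resource changes by action (create/update/delete/no-op),
    so you know what the IaC scan will actually evaluate."""
    counts = Counter()
    for rc in plan["resource_changes"]:
        counts.update(rc["change"]["actions"])
    return dict(counts)


if __name__ == "__main__":
    print(summarize_changes(validate_plan_json(SAMPLE_PLAN)))
```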
With a template in hand, return to the InsightCloudSec UI. From the On-Demand Scan page:
1. Select the “Configuration” you want to run in your IaC Security scan.
2. Select the desired driver. Review IaC Overview for the full list of supported drivers.
3. Paste your JSON or YAML (AWS CloudFormation only) into the textbox and click “Scan” to initialize a scan through the InsightCloudSec UI.
Once the scan completes successfully, check out our page on Viewing Scan Results to understand your output. If you run into issues or have questions, contact us through any of the options available under Getting Support.