Viewing Scan Results

How to View and Interpret IaC Security Scan Results

This section of the documentation outlines viewing, interacting with, and interpreting IaC Security scan results. Scans are available under "Security → Infrastructure as Code → Scan List".

Scan List

This page lists the previous scans including summary information about scan drivers, date, duration, configuration info, and status/outcome. As soon as a scan has finished, it will be recorded within the Scan List interface.

  • Click "Add Filter" to use filters to narrow the list of scans to only the most critical or vulnerable
  • Click the link in the "Findings Summary" column to open the findings summary
    • If an error was encountered during the scan, no findings summary will be available in the column. Instead, click "Scan has encountered error" to open a window diagnosing the error and containing a download of the error stack trace
  • Click the "Edit Configuration" icon (pencil) to edit the configuration associated with a scan
  • Use the pagination features at the bottom of the page to quickly navigate through the list of configurations
IaC Security Scan List Results

Filters

Filtering allows for narrowing the scope of the resources list using properties like: cloud accounts, clusters, and resource groups. Click the “Add Filters” button to open the panel, and “Select a property” to get started. After choosing your desired filters, select “Apply” to update the page to display the results of your specified filters.

Filtering Behavior

  • Each selected Filter updates dynamically with options appropriate for the property selected.
  • Click “+ Add Filter” to add an additional filter and further narrow the scope.

Save Filters

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Note: Saved filters are feature-specific (since options vary between features), i.e., a filter saved in Feature "A" will only be available in Feature "A" and will not be available in Feature "B".

To save a filter:

1. Use the "Add Filter" option to create a filtered view of the page.

2. Expand the Filters section, and click the "Options" button (ellipsis).

Select "Save Filter"

3. Click "Save Filter" and provide a name and (optional) description.

4. If desired, select the checkboxes:

  • "Set as Default Filter" -- Designates this filter as your default when you return to the feature
  • "Make this a Public Filter" -- Makes this filter available to all users inside your InsightCloudSec organization

5. Click "OK". The filter is saved and can be edited from the "Saved Filters" page for this feature.

Findings Summary

Scans have two possible statuses: success or failure. If any of the resources found in the IaC template failed a check against an Insight, the scan will be marked as a failure (failed scan). Both successful and failed scans can contain warnings, however. An example failed scan might look like this:

Example - Failed IaC Security Scan

From top-to-bottom, here's a summary of the information available:

  • Scan Summary -- The name of the IaC configuration, the scan target, the date/time the scan was completed, and the duration for the scan
    • The scan target contains three things: {type|hostname}:{number of files}:{name of files|user-provided string}
  • Download -- Enables you to download a copy of the scan in JSON or HTML.
  • Graph -- This section provides an at-a-glance color-coded bar graph illustrating the total resources scanned and their individual statuses. The colors for the bar graph are aligned as follows:
    • Green = Passed
    • Orange = Warned
    • Red = Failed
    • Grey = Ignored
  • Details -- Details for each Insight that was evaluated during the scan

Total Insights

The Total Insights number is reflective of the resources scanned in the template, not the total number of Insights from a configuration's pack.

Results Details

This section of the report shows the scan results for each individual Insight from the selected Insight pack and the resources that apply.

  • Click the plus sign ("+") to expand each Insight and see the resource(s) that failed, warned, or passed
  • In the Action column, click "Inspect" to expose more information about the Insight as well as remediation details
Scan Results - Details

Insight Exemptions

IaC Security scans and results do not take Exemptions (Insights) into account.

Downloading Findings

IaC Scan findings summaries can be downloaded as JSON, SARIF, or HTML files. Below are example reports:

JSON Findings

Note: The notes and the list of Insights are abbreviated in the example below for a better reading experience.

{
  "complete_time": "2022-10-31T01:35:51.240937",
  "create_time": "2022-10-31T01:35:49.791230",
  "details": [
    {
      "description": "Identify database instances which are not encrypted",
      "findings": [
        {
          "location": null,
          "remediation": null,
          "resource_type": "RDS Database, Neptune, DocumentDB",
          "sink": "AppDB",
          "source": "AppDB"
        }
      ],
      "id": 23,
      "name": "Database Instance not Encrypted (AWS)",
      "notes": "## Overview\nDatabase instances store sensitive information...",
      "setting": "FAIL",
      "severity": 4,
      "source": "backoffice"
    },
    ...
  ],
  "drivers": [
    "cft"
  ],
  "html_report_uri": "/private/iac/scans/4/html",
  "iac_config": {
    "id": 8,
    "name": "AWS-CIS-1.4.0"
  },
  "id": 4,
  "sarif_report_uri": null,
  "scan_target": "cli:1:Scan on Push",
  "stats": {
    "failed_insights": 6,
    "passed_insights": 5,
    "skipped_insights": 38,
    "suppressed_findings": 0,
    "warned_insights": 0
  },
  "status": {
    "message": "Your insightCloudSec IaC Scan completed with 5 failed resources, 0 resource with warnings, 4 unanalyzed resources, and 0 error(s).",
    "stacktrace": null,
    "type_": "COMPLETED"
  }
}
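The JSON report above is the natural input for a CI gate. The following is an added example (not InsightCloudSec's own code) that parses the `scan_target` string described in the Scan Summary bullet, classifies each Insight in `details` as passed, warned, or failed, and decides whether a pipeline should block. It assumes that an Insight with no `findings` passed and that `setting` holds the configured outcome (`FAIL` or `WARN`) when findings exist; the second and third Insights in the sample are constructed.

```python
import json

# Constructed sample in the shape of the JSON findings report shown above
# (field names from the page; Insights 900 and 901 are made up for the example).
SAMPLE_REPORT = json.dumps({
    "details": [
        {"id": 23, "name": "Database Instance not Encrypted (AWS)", "setting": "FAIL",
         "severity": 4, "findings": [{"resource_type": "RDS Database, Neptune, DocumentDB",
                                      "source": "AppDB", "sink": "AppDB"}]},
        {"id": 900, "name": "Constructed warning Insight", "setting": "WARN",
         "severity": 2, "findings": [{"resource_type": "S3 Bucket",
                                      "source": "LogBucket", "sink": "LogBucket"}]},
        {"id": 901, "name": "Constructed passing Insight", "setting": "FAIL",
         "severity": 5, "findings": []},
    ],
    "scan_target": "cli:1:Scan on Push",
    "status": {"type_": "COMPLETED", "stacktrace": None},
})


def parse_scan_target(target):
    """Split '{type|hostname}:{number of files}:{name of files|user string}'.
    The trailing label may itself contain colons, so split at most twice."""
    source, count, label = target.split(":", 2)
    return {"source": source, "file_count": int(count), "label": label}


def summarize(report_text):
    """Classify each Insight: no findings = passed; otherwise the outcome is the
    Insight's 'setting' (assumed here to be FAIL or WARN, as in the page's sample)."""
    report = json.loads(report_text)
    summary = {"passed": [], "warned": [], "failed": []}
    for insight in report["details"]:
        if not insight["findings"]:
            summary["passed"].append(insight["id"])
        elif insight["setting"] == "FAIL":
            summary["failed"].append(insight["id"])
        else:
            summary["warned"].append(insight["id"])
    return summary


def should_block(report_text, min_severity):
    """CI gate: block when the scan did not complete, or when any FAIL-configured
    Insight with severity >= min_severity has at least one finding."""
    report = json.loads(report_text)
    if report["status"]["type_"] != "COMPLETED":
        return True  # an errored scan must never be treated as a pass
    return any(i["setting"] == "FAIL" and i["findings"] and i["severity"] >= min_severity
               for i in report["details"])
```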

SARIF Findings

The SARIF Findings report contains more verbose details about each finding and can be consumed by external tooling to visualize findings alongside the source code.

Note: The results and tool rules are abbreviated in the example below for a better reading experience.

{
  "runs": [
    {
      "invocations": [
        {
          "executionSuccessful": true
        }
      ],
      "properties": {},
      "results": [...],
      "tool": {
        "driver": {
          "name": "mimICS",
          "rules": [...],
          "version": "0.0.0-SNAPSHOT-45d197d"
        }
      },
      "versionControlProvenance": []
    }
  ],
  "schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0"
}

HTML Findings

The HTML Findings report contains a more stylized and expanded version of the findings within InsightCloudSec.

Example IaC Security HTML Report