This section of the documentation outlines viewing and interpreting IaC Security scan results, which are provided as a color-coded HTML report. Scans are available under "Security → Infrastructure as Code → Scan List". This page lists the previous scans including summary information about the type of scan, the status, the date, and the duration of the scan.
- Click the hyperlink in the "Summary" column to open the results report.
- Use the search or pagination features at the top of the page to quickly navigate through the list of configurations
- Click "Filters" and adjust the configuration, Insight pack, date, status etc. settings as necessary to refine the list of scans.
As soon as a scan has finished, it will be recorded within the Scan List interface. Scans have two possible statuses, success or failure. If any of the resources found in the IaC template failed a check against an Insight, the scan will be marked as a failure (failed scan). Both successful and failed scans can contain warnings, however. An example failed scan might look like this:
Below the page heading is the following information
- Configuration ("AWS" in our example) - If selected, this linked text will take you to the "Edit Configuration" page for the selected configuration , which enables you to view and modify any configuration settings.
- Insight Pack ("Center for Internet Security (CIS) - AWS 1.3.0" in our example) - If selected, this linked text will take you to view the details for the Insight Pack you selected
- Duration - The duration (in milliseconds) the scan took to complete.
- Driver - The driver (e.g., the template format - CFT, Terraform, etc.) for the IaC template; review the IaC Security Overview for a full list of supported drivers.
- Download report (HTML) - Enables you to download a copy of the template that was scanned as HTML.
This section provides an at-a-glance color-coded bar graph illustrating the total resources scanned and their individual statuses as well as a donut chart. The colors for the bar graph are aligned as follows:
- Green = Passed
- Orange = Warned
- Red = Failed
- Grey = Skipped
The donut chart provides a color-coded visual of the total resources scanned based on their resource type. In this example, it includes the total number of compute, network, and storage resources.
The details below the donut chart provide summary scan results color-coded for their respective scan statuses (pass, warn, fail).
This section of the report shows the scan results for each individual Insight from the selected Insight pack and the resources that apply.
- Users can click on the tabs in the details pane to view resources in groups based on scan results, including All (default), Failed, Warnings, Passed, and Skipped resources. (Each tab includes a total number of resources for each category.)
- Within each tab (except "Skipped" because it's not appicable), a green box and a red box next to each Insight indicates the number of resources that passed or failed the check respectively.
- Selecting the “Show more info” option next to an individual Insight opens a page with the additional details for the resources. (This page includes the resource name, the source, and the resource ID.)
IaC Security scans and results do not take Exemptions (Insights) into account.
We produce a JSON blob that is described in our API documentation. We also produce an HTML report that's designed to be shared via your CI/CD pipeline and is optimized for your DevOps users.
An example of that report is below. You also can download one for local viewing here.
An additional feature of the IaC Analyzer is the “dynamic analysis” capability. Let’s start with an example — imagine you are deploying your first payment application (Application B). This application has a new set of more stringent standards than what you have typically applied to your existing infrastructure.
Your existing infrastructure (let’s call it Application A) has been evaluated in InsightCloudSec using an existing Insight Pack. This new payment application (Application B) will include some pieces of Application A. It’s not uncommon for deployments or applications to include existing resources, and it’s important to note that all of the infrastructure included in Application A passes all of the existing Insight Pack checks.
The critical part is that for Application B, you will have a new set of more strict requirements. Using IaC’s dynamic analysis functionality will enable you to scan and analyze the infrastructure that exists already (from Application A), and all of the new components being added for Application B, to ensure that all of the parts both old and new meet the compliance and security requirements as you have them defined, before launching this new application and potentially introducing security issues.
Functionally this means that within the IaC Analyzer, we can scan a template of resources that include resources that are both conceptual (e.g., they don’t exist yet and have not been created) and those that may already exist within your existing InsightCloudSec platform.
This means that:
- In whatever template you provided for analysis, we refer to new resources abstractly. For example, this instance has “x” network interface (the name of this interface is defined abstractly).
- We also have the ability to refer to specified resources that already exist in InsightCloudSec (by ID). When able, we will look up resources by resource ID. (Here, when we say "resource ID", we mean the cloud-issued resource ID. In AWS, for example, we will use the ARN when we can reference that [ARNs are not available for every resource in AWS].)
Updated about a month ago