Viewing Scan Results

How to View and Interpret IaC Security Scan Results

This section of the documentation outlines viewing and interpreting IaC Security scan results, which are provided as a color-coded HTML report. Scans are available under "Security → Infrastructure as Code → Scan List".

Scan List

This page lists the previous scans including summary information about the type of scan, the status, the date, and the duration of the scan.

The summary widgets provide details on the total scans broken out by type.

  • Error: Applies to issues with data prior to scanning and as a result a scan was never completed.
  • Failed: Applies to issues that have been scanned, with results that include noncompliant resources.
14031403

IaC Security Scan List Results

  • Click the hyperlink in the "Summary" column to open the results report (the Scan Results - Summary)
  • Use the search or pagination features at the top of the page to quickly navigate through the list of configurations
  • Click "Filters" and adjust the configuration, Insight pack, date, status etc. settings as necessary to refine the list of scans.
    • *Note for the Scan summaries, the only Filter that dynamically updates the displayed data is the "Scan Date" filter.

Scan Results (Summary)

As soon as a scan has finished, it will be recorded within the Scan List interface. Clicking on an summary or individual status(for failed) opens a scan summary. Scans have two possible statuses, success or failure. If any of the resources found in the IaC template failed a check against an Insight, the scan will be marked as a failure (failed scan). Both successful and failed scans can contain warnings, however. An example failed scan might look like this:

14401440

Example - Failed IaC Security Scan

Scan Statistics and Information

Below the page heading is the following information

  • Configuration ("AWS" in our example) - If selected, this linked text will take you to the "Edit Configuration" page for the selected configuration , which enables you to view and modify any configuration settings.
  • Insight Pack ("Center for Internet Security (CIS) - AWS 1.3.0" in our example) - If selected, this linked text will take you to view the details for the Insight Pack you selected
  • Duration - The duration (in milliseconds) the scan took to complete.
  • Driver - The driver (e.g., the template format - CFT, Terraform, etc.) for the IaC template; review the IaC Security Overview for a full list of supported drivers.
  • Download report (HTML) - Enables you to download a copy of the template that was scanned as HTML.

Scan Results - Summary

This section provides an at-a-glance color-coded bar graph illustrating the total resources scanned and their individual statuses as well as a donut chart. The colors for the bar graph are aligned as follows:

  • Green = Passed
  • Orange = Warned
  • Red = Failed
  • Grey = Skipped

Donut Chart Summary

The donut chart provides a color-coded visual of the total resources scanned based on their resource type. In this example, it includes the total number of compute, network, and storage resources.

The details below the donut chart provide summary scan results color-coded for their respective scan statuses (pass, warn, fail).

13951395

Scan Summary - Donut Chart

Scan Results - Details

This section of the report shows the scan results for each individual Insight from the selected Insight pack and the resources that apply.

  • Users can click on the tabs in the details pane to view resources in groups based on scan results, including All (default), Failed, Warnings, Passed, and Skipped resources. (Each tab includes a total number of resources for each category.)
  • Within each tab (except "Skipped" because it's not appicable), a green box and a red box next to each Insight indicates the number of resources that passed or failed the check respectively.
979979

Scan Results - Details

  • Selecting the “Show more info” option next to an individual Insight opens a page with the additional details for the resources. (This page includes the resource name, the source, and the resource ID.)
994994

Show More Info (Individual Insight Details)

📘

Insight Exemptions

IaC Security scans and results do not take Exemptions (Insights) into account.

Viewing HTML Reports

We produce a JSON blob that is described in our API documentation. We also produce an HTML report that's designed to be shared via your CI/CD pipeline and is optimized for your DevOps users.

An example of that report is below. You also can download one for local viewing here.

946946

Example IaC Security HTML Report

Dynamic Analysis

An additional feature of the IaC Analyzer is the “dynamic analysis” capability. Let’s start with an example — imagine you are deploying your first payment application (Application B). This application has a new set of more stringent standards than what you have typically applied to your existing infrastructure.

Your existing infrastructure (let’s call it Application A) has been evaluated in InsightCloudSec using an existing Insight Pack. This new payment application (Application B) will include some pieces of Application A. It’s not uncommon for deployments or applications to include existing resources, and it’s important to note that all of the infrastructure included in Application A passes all of the existing Insight Pack checks.

The critical part is that for Application B, you will have a new set of more strict requirements. Using IaC’s dynamic analysis functionality will enable you to scan and analyze the infrastructure that exists already (from Application A), and all of the new components being added for Application B, to ensure that all of the parts both old and new meet the compliance and security requirements as you have them defined, before launching this new application and potentially introducing security issues.

Functionally this means that within the IaC Analyzer, we can scan a template of resources that include resources that are both conceptual (e.g., they don’t exist yet and have not been created) and those that may already exist within your existing InsightCloudSec platform.

This means that:

  • In whatever template you provided for analysis, we refer to new resources abstractly. For example, this instance has “x” network interface (the name of this interface is defined abstractly).
  • We also have the ability to refer to specified resources that already exist in InsightCloudSec (by ID). When able, we will look up resources by resource ID. (Here, when we say "resource ID", we mean the cloud-issued resource ID. In AWS, for example, we will use the ARN when we can reference that [ARNs are not available for every resource in AWS].)
14401440

Example - Scan result with Dynamic Analysis


Did this page help you?