InsightCloudSec Docs


Viewing Scan Results

How to View and Interpret IaC Security Scan Results

Overview

This section of the documentation outlines viewing and interpreting IaC Security scan results, which are provided as a color-coded HTML report. Scans are available under "Security → Infrastructure as Code → Scan List". This page lists the previous scans including summary information about the type of scan, the status, the date, and the duration of the scan.

  • Click the hyperlink in the "Summary" column to open the results report.
  • Use the search or pagination features at the top of the page to quickly navigate through the list of scans.
  • Click "Filters" and adjust the configuration, Insight Pack, date, status, and other settings as necessary to refine the list of scans.

IaC Security Scan Results

Instant Scan Results

As soon as a scan has finished, it will be recorded within the Scan List interface. Scans have two possible statuses, success or failure. If any of the resources found in the IaC template failed a check against an Insight, the scan will be marked as a failure (failed scan). Both successful and failed scans can contain warnings, however. An example failed scan might look like this:


Example - Failed IaC Security Scan

Scan Statistics and Information

Below the page heading is the following information:

  • Configuration ("AWS" in our example) - If selected, this linked text will take you to the "Edit Configuration" page for the selected configuration, which enables you to view and modify any configuration settings.
  • Insight Pack ("Center for Internet Security (CIS) - AWS 1.3.0" in our example) - If selected, this linked text will take you to the details for the selected Insight Pack.
  • Duration - The duration (in milliseconds) the scan took to complete.
  • Driver - The driver (e.g., the template format - CFT, Terraform, etc.) for the IaC template; review the IaC Security Overview for a full list of supported drivers.
  • Download report (HTML) - Enables you to download a copy of the scan results report as an HTML file (see "Viewing HTML Reports" below).

Scan Results - Summary

This section provides an at-a-glance color-coded bar graph illustrating the total resources scanned and their individual statuses as well as a donut chart. The colors for the bar graph are aligned as follows:

  • Green = Passed
  • Orange = Warned
  • Red = Failed
  • Grey = Skipped

Donut Chart Summary

The donut chart provides a color-coded visual of the total resources scanned based on their resource type. In this example, it includes the total number of compute, network, and storage resources.

The details below the donut chart provide summary scan results color-coded for their respective scan statuses (pass, warn, fail).


Scan Summary - Donut Chart

Scan Results - Details

This section of the report shows the scan results for each individual Insight from the selected Insight pack and the resources that apply.

  • Users can click on the tabs in the details pane to view resources in groups based on scan results, including All (default), Failed, Warnings, Passed, and Skipped resources. (Each tab includes a total number of resources for each category.)
  • Within each tab (except "Skipped", because pass/fail counts are not applicable there), a green box and a red box next to each Insight indicate the number of resources that passed or failed the check, respectively.

Scan Results - Details

  • Selecting the “Show more info” option next to an individual Insight opens a page with the additional details for the resources. (This page includes the resource name, the source, and the resource ID.)

Show More Info (Individual Insight Details)


Insight Exemptions

IaC Security scans and results do not take Exemptions (Insights) into account.

Viewing HTML Reports

We produce a JSON blob that is described in our API documentation. We also produce an HTML report that's designed to be shared via your CI/CD pipeline and is optimized for your DevOps users.

An example of that report is below. You can also download one for local viewing.


Example IaC Security HTML Report
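The status rule stated earlier (a single failed check marks the scan as a failure, while warnings alone never do) and the counts the report draws (per status, per resource type, and the green/red boxes per Insight) are exactly what a pipeline step must reproduce if it is to gate a deploy on this output instead of on a human reading the HTML. The following is an added example, not code from InsightCloudSec or its API: a small Python gate over a scan result. The JSON layout, field names and Insight names are assumptions constructed for the example; the real result schema is the one described in the product's API documentation. The `fail_on_warnings` switch is likewise a local policy added for illustration, not a product setting.

```python
"""CI gate over an IaC Security scan result.

Added example, not InsightCloudSec code.  The docs say each scan yields a JSON
blob (schema in the product's API docs) plus an HTML report, and give the
rules the report visualises: a scan is a failure if any resource fails an
Insight check, warnings never fail a scan on their own, and results are summed
per status, per resource type and per Insight.  The JSON layout, field names
and Insight names below are ASSUMPTIONS constructed for this example.
"""
import json
import sys
from collections import Counter, defaultdict

PASSED, WARNED, FAILED, SKIPPED = "passed", "warned", "failed", "skipped"
ALL_STATUSES = (PASSED, WARNED, FAILED, SKIPPED)

# Constructed sample: one row per (Insight, resource) check.  Insight names
# are illustrative, not names taken from any real Insight Pack.
SAMPLE_JSON = json.dumps({
    "configuration": "AWS",
    "insight_pack": "Center for Internet Security (CIS) - AWS 1.3.0",
    "driver": "cloudformation",
    "results": [
        {"insight": "Bucket Without Encryption", "resource": "LogsBucket",
         "resource_type": "storage", "status": FAILED},
        {"insight": "Bucket Without Encryption", "resource": "DataBucket",
         "resource_type": "storage", "status": PASSED},
        {"insight": "Security Group Open To World", "resource": "WebSg",
         "resource_type": "network", "status": WARNED},
        {"insight": "Instance Without IMDSv2", "resource": "WebServer",
         "resource_type": "compute", "status": PASSED},
        {"insight": "Instance Without IMDSv2", "resource": "BastionHost",
         "resource_type": "compute", "status": SKIPPED},
    ],
})


def load_report(text):
    """Parse the (assumed) JSON result and reject unknown status values."""
    report = json.loads(text)
    for row in report["results"]:
        if row["status"] not in ALL_STATUSES:
            raise ValueError(f"unknown status {row['status']!r} for {row['resource']}")
    return report


def status_counts(report):
    """Numbers behind the colour-coded bar: green/orange/red/grey."""
    counts = Counter({s: 0 for s in ALL_STATUSES})
    counts.update(row["status"] for row in report["results"])
    return dict(counts)


def type_counts(report):
    """Numbers behind the donut chart: distinct resources per resource type
    (a resource checked by several Insights is counted once)."""
    distinct = {(row["resource"], row["resource_type"]) for row in report["results"]}
    return dict(Counter(rtype for _, rtype in distinct))


def per_insight(report):
    """The green/red boxes next to each Insight: passed and failed counts."""
    boxes = defaultdict(lambda: {PASSED: 0, FAILED: 0})
    for row in report["results"]:
        box = boxes[row["insight"]]  # create the entry even if only warned/skipped
        if row["status"] in (PASSED, FAILED):
            box[row["status"]] += 1
    return dict(boxes)


def scan_status(report):
    """Docs rule: one failed check fails the whole scan; warnings alone do not."""
    return "failure" if any(r["status"] == FAILED for r in report["results"]) else "success"


def gate(report, fail_on_warnings=False):
    """Exit code for a pipeline step: 0 continues, 1 blocks the deploy.
    fail_on_warnings is a stricter local policy assumed here, not a product setting."""
    if scan_status(report) == "failure":
        return 1
    if fail_on_warnings and status_counts(report)[WARNED] > 0:
        return 1
    return 0


def summary_lines(report):
    """Human-readable lines for the CI log, mirroring the report sections."""
    lines = [f"{report['configuration']} / {report['insight_pack']} / {report['driver']}: "
             f"{scan_status(report)}"]
    lines.append("by status: " + ", ".join(f"{s}={n}" for s, n in status_counts(report).items()))
    lines.append("by type:   " + ", ".join(f"{t}={n}" for t, n in sorted(type_counts(report).items())))
    for insight, box in per_insight(report).items():
        lines.append(f"  {insight}: passed={box[PASSED]} failed={box[FAILED]}")
    return lines


if __name__ == "__main__":
    # Usage: python gate.py [result.json] [--strict]; with no file, the sample runs.
    path = next((a for a in sys.argv[1:] if not a.startswith("--")), None)
    text = open(path, encoding="utf-8").read() if path else SAMPLE_JSON
    rep = load_report(text)
    print("\n".join(summary_lines(rep)))
    sys.exit(gate(rep, fail_on_warnings="--strict" in sys.argv))
```

Run against the built-in sample the gate exits 1 because `LogsBucket` fails its check; drop that row and the scan is a success with one warning, so the default gate passes and `--strict` blocks. Keep the default aligned with the product's own definition of a failed scan and reserve the strict mode for the more demanding pipelines the Dynamic Analysis section describes, so that a warning on shared infrastructure does not silently become a blocker for every team that reuses it.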

Dynamic Analysis

An additional feature of the IaC Analyzer is the “dynamic analysis” capability. Let’s start with an example — imagine you are deploying your first payment application (Application B). This application has a new set of more stringent standards than what you have typically applied to your existing infrastructure.

Your existing infrastructure (let’s call it Application A) has been evaluated in InsightCloudSec using an existing Insight Pack. This new payment application (Application B) will include some pieces of Application A. It’s not uncommon for deployments or applications to include existing resources, and it’s important to note that all of the infrastructure included in Application A passes all of the existing Insight Pack checks.

The critical part is that Application B has a new, stricter set of requirements. IaC dynamic analysis lets you scan and analyze both the infrastructure that already exists (from Application A) and all of the new components being added for Application B, so that every part, old and new, meets the security and compliance requirements as you have defined them before the new application is launched and potentially introduces security issues.

Functionally this means that within the IaC Analyzer, we can scan a template of resources that include resources that are both conceptual (e.g., they don’t exist yet and have not been created) and those that may already exist within your existing InsightCloudSec platform.

This means that:

  • New resources in the template you provide for analysis are referred to abstractly. For example, the template may declare that an instance has some network interface "x", where the name of that interface exists only within the template because the resource has not been created yet.
  • Resources that already exist in InsightCloudSec can be referred to by ID, and where possible we look them up by that resource ID. Here "resource ID" means the cloud-issued identifier; in AWS, for example, the ARN is used where the resource type has one (ARNs are not available for every resource in AWS).

Example - Scan result with Dynamic Analysis
