IaC Scanning Security
Overview
Infrastructure as Code (IaC) scanning in CI/CD pipelines involves automatically checking the code that defines your infrastructure for security vulnerabilities, misconfigurations, and policy violations before it's deployed. This process is essential for ensuring that your infrastructure is secure, compliant, and follows best practices from the moment it's written to the time it's deployed.
Key Concepts in IaC Scanning
Infrastructure as Code (IaC):
Definition: IaC is the practice of managing and provisioning computing infrastructure through machine-readable code, rather than through physical hardware configuration or interactive configuration tools.
Examples: Tools like Terraform, AWS CloudFormation, Ansible, and Kubernetes YAML files are commonly used for IaC.
CI/CD Pipelines:
Continuous Integration (CI): The practice of automatically integrating code changes from multiple contributors into a shared repository several times a day. CI aims to detect and fix integration issues early.
Continuous Delivery/Deployment (CD): Automates the deployment of validated code to a staging or production environment.
IaC Scanning:
Purpose: Automatically check IaC code for issues before it is merged, deployed, or run. This prevents misconfigurations, vulnerabilities, or non-compliance from being introduced into your infrastructure.
Tools: Various tools can be integrated into CI/CD pipelines to perform IaC scanning.
Steps for Implementing IaC Scanning in CI/CD
Choose IaC Scanning Tools:
Examples:
Terraform: Tools like tfsec, Checkov, Terrascan, and Snyk IaC.
CloudFormation: cfn-lint, Checkov, Snyk IaC.
Kubernetes YAML: kubeval, Polaris, Checkov, Kubescape.
Ansible: ansible-lint, Checkov.
Features: Look for tools that integrate with your version control system (VCS) and CI/CD platform and that can produce reports or alerts based on findings.
Integrate IaC Scanning into the CI Pipeline:
Triggering Scans: Set up your CI pipeline to automatically trigger IaC scans when changes are pushed to the repository (e.g., during a pull request or commit).
Failing Builds: Configure the pipeline to fail the build if critical issues are found, ensuring that problematic code doesn't proceed to deployment.
Feedback Loop: Provide feedback directly in the pull request or CI pipeline logs, helping developers fix issues quickly.
Define Security and Compliance Policies:
Policies: Define policies that align with your organization's security, compliance, and operational standards (e.g., ensuring encryption is enabled, no hardcoded secrets).
Rule Customization: Customize the scanning rules based on your specific infrastructure and compliance requirements.
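The three steps above (triggered scan, build gating on severity, customizable policy rules) in one minimal policy-as-code gate. This is an added example, not code from the page or from Checkov; the CloudFormation JSON template, rule names and severities are constructed for illustration.

```python
import json
import re

# Constructed sample CloudFormation JSON template (not from the page): one bucket
# without encryption, one encrypted bucket, and a DB instance with a literal password.
TEMPLATE = json.loads("""
{"Resources": {
  "Logs": {"Type": "AWS::S3::Bucket", "Properties": {"BucketName": "app-logs"}},
  "Data": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
     "ServerSideEncryptionConfiguration": [{"ServerSideEncryptionByDefault":
     {"SSEAlgorithm": "aws:kms"}}]}}},
  "Db": {"Type": "AWS::RDS::DBInstance", "Properties": {
     "MasterUsername": "admin", "MasterUserPassword": "Sup3rSecret!"}}
}}""")

SECRET_KEY = re.compile(r"password|secret|token", re.IGNORECASE)

def check_s3_encryption(name, res):
    """Policy: every S3 bucket must declare default server-side encryption."""
    if res["Type"] == "AWS::S3::Bucket" and "BucketEncryption" not in res.get("Properties", {}):
        yield {"rule": "S3_SSE_MISSING", "severity": "HIGH", "resource": name}

def check_hardcoded_secrets(name, res):
    """Policy: secret-like properties must not be literal strings.
    A {"Ref": ...} to a NoEcho parameter or a {{resolve:secretsmanager:...}}
    dynamic reference is acceptable; a plain string is a hardcoded secret."""
    for key, value in res.get("Properties", {}).items():
        if SECRET_KEY.search(key) and isinstance(value, str) and not value.startswith("{{resolve:"):
            yield {"rule": "HARDCODED_SECRET", "severity": "CRITICAL", "resource": name}

RULES = [check_s3_encryption, check_hardcoded_secrets]  # customize per organization

def scan(template, rules=RULES):
    """Run every rule over every resource and collect findings."""
    return [f for name, res in template.get("Resources", {}).items()
            for rule in rules for f in rule(name, res)]

def build_should_fail(findings, fail_on=("CRITICAL", "HIGH")):
    """CI gate: fail the build when any finding meets the configured severity."""
    return any(f["severity"] in fail_on for f in findings)

if __name__ == "__main__":
    results = scan(TEMPLATE)
    for f in results:
        print(f"{f['severity']:8} {f['rule']:18} {f['resource']}")  # feedback in CI log / PR
    raise SystemExit(1 if build_should_fail(results) else 0)
```

Run it as a pipeline step; a non-zero exit status is what makes the CI job fail and blocks the merge.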
By ChatGPT
It seems that Checkov supports most of these environments, and it can also be integrated with GitHub, Jenkins, and others.
The Nephio SIG Security team has just started investigating Checkov.
Since both ONAP and Nephio (and also O-RAN SC SMO) are under LFN, maybe handling IaC scanning at the LFN level could be beneficial.
Tool evaluations
Checkov
ONAP Investigation
Working with LFN
TBD
Nephio Input
The Nephio SIG Security team is also investigating Checkov for its IaC scanning.
More to come...