IaC Security Scanning
A practical guide to integrating automated security scanning into your Infrastructure as Code (IaC) workflows to prevent vulnerabilities before deployment.
Prerequisites
- Basic knowledge of an IaC tool (Terraform or CloudFormation)
- Access to a CI/CD system (examples use GitHub Actions)
- Python and pip installed (for Checkov examples)
- Familiarity with the command line
What You'll Learn
- The importance of "shifting left" to find security issues earlier
- How to compare and choose an open-source IaC scanner
- Integrating a scanner into your local development workflow
- Automating IaC security checks in a GitHub Actions pipeline
- Customizing policies and managing findings (suppressions)
- How to interpret scan results and prioritize fixes
Infrastructure as Code Security Scanning: Essential DevSecOps Practice Guide
Infrastructure as Code (IaC) allows us to define and manage infrastructure with code, but it also means that misconfigurations can be codified and replicated just as easily. IaC security scanning analyzes these definition files (e.g., .tf or .yaml) for security flaws before they are ever deployed. This is a core tenet of DevSecOps and "shifting left": finding and fixing problems at the earliest, cheapest stage.
Checkov
A widely used, Python-based scanner by Bridgecrew (Palo Alto Networks) with a massive library of built-in policies.
tfsec
A fast, Go-based scanner by Aqua Security focused specifically on Terraform, known for its speed and developer-friendly output.
Terrascan
A flexible, Go-based scanner from Tenable that supports a wide range of IaC tools and can be run as a server for API-based scanning.
Checkov Security Scanner Tutorial: Local Infrastructure Code Vulnerability Detection
Let's walk through a practical example using Checkov. First, install it using pip.
pip install checkov
Now, create a file named main.tf with a deliberately insecure S3 bucket configuration.
resource "aws_s3_bucket" "insecure_bucket" {
  bucket = "my-super-insecure-app-bucket-12345"

  # This makes the bucket public!
  acl = "public-read"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "insecure_bucket_sse" {
  bucket = aws_s3_bucket.insecure_bucket.id

  # Server-side encryption IS configured here (SSE-S3 / AES256), so the basic
  # encryption check passes. The public ACL above is still flagged, and checks
  # such as versioning and access logging fail because nothing enables them.
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
Run Checkov against your directory. It will automatically discover and scan the Terraform files.
checkov -d .
Checkov will produce a detailed report in your terminal, highlighting the failed checks, providing remediation guidance, and linking to more information.
GitHub Actions Security Automation: IaC Scanning Pipeline with Checkov Integration
The real power of IaC scanning comes from automation. Let's integrate Checkov into a GitHub Actions workflow to scan every pull request.
name: IaC Security Scan
on:
  pull_request:
    paths:
      - '**.tf'
      - '**.tfvars'
# upload-sarif needs security-events: write to publish results to the Security tab
permissions:
  contents: read
  security-events: write
jobs:
  checkov-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'
      - name: Install Checkov
        run: pip install checkov
      - name: Run Checkov scan
        id: scan
        run: |
          checkov -d . --output sarif > results.sarif
        continue-on-error: true # Don't fail the job yet, just capture the results
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
      - name: Fail job if the scan reported findings
        if: steps.scan.outcome == 'failure'
        run: |
          echo "Checkov scan failed with vulnerabilities."
          exit 1
This workflow runs on every pull request that changes a Terraform file. It runs the scan, uploads the results to GitHub's "Security" tab for easy viewing within the PR, and fails the check if any issues are found. The `security-events: write` permission is what allows the upload step to publish the SARIF file.
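As an added example (not part of the original guide), the following script can stand in for the final `exit 1` step as a policy-driven gate: it reads the `results.sarif` file the workflow already produces and fails only when a finding belongs to a set of must-fix check IDs, while formally accepted IDs (the same kind of list a `.checkov.yaml` skip-check would carry) are counted but do not block. The SARIF layout used is the standard 2.1.0 structure; the sample report and the choice of blocking IDs are constructed for this example.

```python
import json
import sys
from collections import Counter

# Policy for this example: rule IDs that block a merge, and IDs accepted
# globally (mirrors the skip-check list in .checkov.yaml). Which IDs block
# is our own choice; CKV_AWS_20 is Checkov's public-READ ACL check.
BLOCKING_RULES = {"CKV_AWS_20"}
ACCEPTED_RULES = {"CKV_AWS_21", "CKV_AWS_144"}

def _result(rule_id, level, uri, line):
    """One SARIF result object (only used to build the constructed sample)."""
    return {"ruleId": rule_id, "level": level, "message": {"text": f"{rule_id} failed"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                                "region": {"startLine": line, "endLine": line + 4}}}]}

# Constructed stand-in for results.sarif: three failed checks on main.tf.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "checkov"}},
    "results": [_result("CKV_AWS_20", "error", "main.tf", 1),
                _result("CKV_AWS_21", "warning", "main.tf", 1),
                _result("CKV_AWS_18", "warning", "main.tf", 1)]}]})

def findings(sarif_text):
    """Yield (rule_id, level, file, line) for every result in every run."""
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            yield (res.get("ruleId", "UNKNOWN"), res.get("level", "warning"),
                   phys.get("artifactLocation", {}).get("uri", "?"),
                   phys.get("region", {}).get("startLine", 0))

def evaluate(sarif_text, blocking=BLOCKING_RULES, accepted=ACCEPTED_RULES):
    """Return (exit_code, summary): 1 only when a blocking rule fires."""
    counts, hits = Counter(), []
    for rule_id, level, path, line in findings(sarif_text):
        if rule_id in accepted:  # formally accepted risk: report it, don't fail
            counts["accepted"] += 1
            continue
        counts[level] += 1
        if rule_id in blocking:
            hits.append(f"{path}:{line} {rule_id}")
    return (1 if hits else 0), {"counts": dict(counts), "blocking": hits}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    code, summary = evaluate(text)
    print(json.dumps(summary, indent=2))
    sys.exit(code)
```

Run it as `python iac_gate.py results.sarif` in the workflow step; its exit status then decides whether the job fails.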
Infrastructure Security Scanner Configuration: Custom Rules and Vulnerability Management
Sometimes you need to accept a risk or a check is a false positive for your specific use case. You can suppress findings with inline comments or a central configuration file.
Suppressing a Finding
To skip a specific check on a specific resource, add a checkov:skip comment inside the resource block, naming the check ID and giving a justification.
resource "aws_s3_bucket" "insecure_bucket" {
  # checkov:skip=CKV_AWS_20:This bucket is for public website assets and must be public
  bucket = "my-super-insecure-app-bucket-12345"
  acl    = "public-read"
}
Using a Configuration File
For broader customizations, create a .checkov.yaml file in your repository's root.
# Skip these checks globally
skip-check:
  - CKV_AWS_21   # Ensure all data stored in the S3 bucket have versioning enabled
  - CKV_AWS_144  # Ensure that S3 bucket has cross-region replication enabled
# Only run checks with these severity levels
# (severity names are resolved through the Prisma Cloud platform and need an API key;
#  without one, list check IDs here instead)
check:
  - HIGH
  - CRITICAL
# Set a soft-fail threshold. The build will pass if only LOW and MEDIUM findings are present.
soft-fail-on:
  - LOW
  - MEDIUM
# Specify directory to scan
directory:
  - terraform/
Infrastructure Security Scanning Best Practices: Enterprise DevSecOps Strategy
Scan Early, Scan Often
Integrate scanning into pre-commit hooks for developers and into every pull request in your CI/CD pipeline.
Block the Build
Configure your CI/CD pipeline to fail if high or critical severity vulnerabilities are detected. Don't let insecure code merge.
Establish a Triage Process
Have a clear process for reviewing, prioritizing, and either fixing or formally suppressing findings.
Customize Your Baseline
Use configuration files to tune the scanner to your organization's specific security policies and risk appetite.
Combine with Other Tools
IaC scanning is one layer. Combine it with runtime security monitoring (e.g., AWS Security Hub) and software composition analysis (SCA).
Educate Developers
Use the scanner's output as a tool to educate developers on secure coding practices for infrastructure.
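To give the triage process teeth, here is an added example (not from the original guide) that audits the inline checkov:skip comments shown earlier: every suppression must carry a justification of a minimum length, and a small set of check IDs may never be suppressed at all. The minimum-words policy, the never-suppress set and the sample .tf text are this example's own assumptions.

```python
import re

# Checkov's inline suppression syntax is "# checkov:skip=<CHECK_ID>:<reason>";
# the reason part is optional to Checkov, which is exactly what we police here.
SKIP_RE = re.compile(r"#\s*checkov:skip=(?P<id>[A-Z0-9_]+)(?::(?P<reason>.*))?")
MIN_REASON_WORDS = 4             # policy value chosen for this example
NEVER_SUPPRESS = {"CKV_AWS_20"}  # public READ ACL: must be fixed, not skipped

# Constructed sample .tf content with a good, a bare and a forbidden skip.
SAMPLE_TF = """\
resource "aws_s3_bucket" "site" {
  # checkov:skip=CKV_AWS_18:Static site assets; access logs handled by CloudFront
  bucket = "example-site-assets"
}
resource "aws_s3_bucket" "logs" {
  # checkov:skip=CKV_AWS_21
  bucket = "example-logs"
}
resource "aws_s3_bucket" "public" {
  # checkov:skip=CKV_AWS_20:needs public
  bucket = "example-public"
  acl    = "public-read"
}
"""

def suppressions(tf_text):
    """Return [(line_no, check_id, reason)] for every inline skip comment."""
    found = []
    for n, line in enumerate(tf_text.splitlines(), 1):
        m = SKIP_RE.search(line)
        if m:
            found.append((n, m.group("id"), (m.group("reason") or "").strip()))
    return found

def audit(tf_text, path="main.tf"):
    """Return problems as 'path:line message'; an empty list means every skip passes."""
    problems = []
    for n, check_id, reason in suppressions(tf_text):
        if check_id in NEVER_SUPPRESS:
            problems.append(f"{path}:{n} {check_id} may not be suppressed")
        elif len(reason.split()) < MIN_REASON_WORDS:
            problems.append(f"{path}:{n} {check_id} skip needs a justification "
                            f"of at least {MIN_REASON_WORDS} words")
    return problems

if __name__ == "__main__":
    for problem in audit(SAMPLE_TF):
        print(problem)
```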
Next Steps
Congratulations!
You now know how to build a foundational DevSecOps practice by integrating security into your IaC lifecycle. You have learned to:
- Scan IaC files for security issues locally.
- Automate security scanning within a CI/CD pipeline.
- Upload results for easy review in pull requests.
- Customize scanner behavior and manage findings.