iac-scan-runner: scans your Infrastructure as Code for common vulnerabilities
IaC Scan Runner
The IaC Scanner is an inspection service that scans IaC (Infrastructure as Code) to find problems and security vulnerabilities so that users can improve their code.
The IaC Scanner follows this model: one IaC scan consists of one or more IaC checks, each check being the result of a tool that analyzes IaC and detects common IaC vulnerabilities. These tools range from linters and static code analysis tools (like Pylint) to remote service checks (such as Snyk).
IaC Scanner currently includes the following tools and services:
- IaC Scan Runner: an IaC scan runner component that serves as an IaC inspector
- IaC Scanner SaaS: the Software as a Service edition that supports IaC scanning along with a multi-tenant, multi-user experience
Purpose and description
The IaC Scan Runner is a REST API service used to scan an IaC (Infrastructure as Code) package and run various code checks on it in order to find possible vulnerabilities and improvements. Explore the docs for more info.
Scanner and check reference
The scanner is the main component of the IaC Scan Runner; it initiates the scanning process, which runs the supplied IaC through multiple checks.
IaC Scan Runner currently supports the following IaC checks that can be executed as part of one IaC scan:
| IaC Check | Target IaC entity | Enabled (by default) | Needs configuration |
|---|---|---|---|
| xOpera TOSCA parser | TOSCA | yes | no |
| Ansible Lint | Ansible | yes | no |
| Steampunk Scanner | Ansible | no | yes |
| TFLint | Terraform | yes | no |
| tfsec | Terraform | yes | no |
| Terrascan | Terraform | yes | no |
| yamllint | YAML | yes | no |
| Pylint | Python | yes | no |
| Bandit | Python | yes | no |
| Safety | Python packages | yes | no |
| Gitleaks | Git repositories | yes | no |
| git-secrets | Git repositories | yes | no |
| Markdown lint | Markdown files | yes | no |
| hadolint | Docker | yes | no |
| Gixy | Nginx configuration | yes | no |
| ShellCheck | Shell scripts | yes | no |
| ESLint | JavaScript | yes | no |
| TypeScript ESLint | TypeScript | yes | no |
| HTMLHint | HTML | yes | no |
| stylelint | CSS and other styles | yes | no |
| Checkstyle | Java | yes | no |
| cloc | Multiple components | yes | no |
| Snyk | Multiple components | no | yes |
| SonarScanner | Multiple components | no | yes |
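The table has a practical consequence: the checks that need configuration (Steampunk Scanner, Snyk, SonarScanner) are off by default, so a scan silently has less coverage until they are enabled and configured. The sketch below, added here as an illustration and not the project's own code, models the "one scan = many checks" dispatch from a subset of the table and reports which checks were skipped and why; the file-suffix-to-entity mapping and the check keys are constructed for this example.

```python
import os

# Subset of the check table above: name -> (target IaC entity, enabled by default, needs configuration)
CHECKS = {
    "ansible-lint": ("Ansible", True, False),
    "steampunk-scanner": ("Ansible", False, True),
    "tflint": ("Terraform", True, False),
    "tfsec": ("Terraform", True, False),
    "terrascan": ("Terraform", True, False),
    "yamllint": ("YAML", True, False),
    "bandit": ("Python", True, False),
    "snyk": ("Multiple components", False, True),
}

# Constructed mapping from file suffix to the IaC entities a file may belong to.
TARGETS = {
    ".tf": {"Terraform"},
    ".yml": {"Ansible", "YAML"},
    ".yaml": {"Ansible", "YAML"},
    ".py": {"Python"},
}


def plan_scan(files, enable=(), config=None):
    """Decide which checks run on which files for one scan.

    Returns (plan, skipped): plan maps each file to the ordered list of checks
    that apply to it; skipped maps every check that will NOT run to the reason,
    so a report can show coverage gaps instead of hiding them.
    """
    config = config or {}
    plan, skipped = {}, {}
    for name, (target, default_on, needs_cfg) in CHECKS.items():
        # A disabled-by-default check runs only if the caller enables it explicitly.
        if not (default_on or name in enable):
            skipped[name] = "disabled"
            continue
        # A check that needs configuration (e.g. a service token) cannot run without it.
        if needs_cfg and name not in config:
            skipped[name] = "missing configuration"
            continue
        for path in files:
            suffix = os.path.splitext(path)[1]
            # "Multiple components" checks apply to every file in the package.
            if target == "Multiple components" or target in TARGETS.get(suffix, set()):
                plan.setdefault(path, []).append(name)
    return plan, skipped
```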
Install & Use
Copyright (C) 2023 xlab-si