IaC Scan Workflow

Infrastructure as Code (IaC) scan is scanning your IaC configuration files for known vulnerabilities. Tenable Cloud Security supports IaC scan for Terraform, Terragrunt, CloudFormation, Kubernetes YAML, Kustomize YAML, Helm Chart, and Azure Resource Manager (ARM).

Before you begin:

To perform an IaC scan:

The IaC scan workflow consists of the following high-level steps:

  1. Integrate with Repositories.

  2. Analyze and Remediate IaC Scan Issues.

Integrate with Repositories

First integrate your IaC repository with Tenable Cloud Security. Tenable Cloud Security allows you to perform IaC scans for the following types of repositories:

  • Code repositories: You can scan your IaC files in your code repositories by connecting to your Source Code Management (SCM) providers. Tenable Cloud Security supports the IaC scans for Bitbucket, GitHub, GitLab, Azure DevOps, and AWS CodeCommit.

  • CI/CD applications: Tenable Cloud Security integrates with your CI/CD provider and scans your IaC files for violations in your build pipeline. Tenable Cloud Security supports integration with Terraform Cloud, Jenkins, Azure DevOps, and CircleCI.

  • On-premises code repositories: If your code repositories are behind the firewall, you can use Tenable Cloud Security on-premises code scanner to connect to the repository. The Tenable Cloud Security code scanner scans the repository within the firewall-bound network and sends the processed data to Tenable Cloud Security services for reporting in Tenable Cloud Security.

  • Local repositories: You can use the Tenable Cloud Security CLI to scan the code in your local machine.

The following table provides the steps for integrating repositories with Tenable Cloud Security.

Repository Integration Procedure
Code repositories
  1. Connect your repositories and grant Tenable Cloud Security access to your repository.

    Tenable Cloud Security supports the following SCM providers:

CI/CD applications
  1. If you do not want your CI/CD tool to deploy cloud resources in case Tenable Cloud Security detects violations in your IaC, create a policy with the Enforce mode. For more information, see Policy Modes.

  2. Generate an API token to authenticate your CI/CD application with Tenable Cloud Security.
  3. Integrate with the CI/CD tool. Tenable Cloud Security supports integration with the following tools:

On-premises repositories
  1. Deploy an On-Premises Code Scanner.

    Tenable Cloud Security also supports the on-premises scanning of the following enterprise IaCs:

Local repositories
  1. Install and set up the command-line interface.

    Set up Code Analysis Through CLI

Analyze and Remediate IaC Scan Issues

After you have integrated your repositories with Tenable Cloud Security, you can perform the following steps to monitor, analyze, and remediate your IaC scans.

  1. View the Tenable Cloud Security dashboard to see the analytics for all projects and timelines.

  2. Analyze the failing policies.

    Tenable Cloud Security displays failing policies when resources fail to comply with the configured policies.

  3. Perform workflow actions and remediate the impacted resources.

    Workflow actions allow organizational users to configure and manage alerting and ticketing. You can also generate pull requests with proposed fixes to remediate build-time issues.

  4. View code to cloud drifts.

    Tenable Cloud Security maps your IaC resources to the corresponding cloud resources in your cloud account. For mapped resources, your IaC code configuration may differ from that on the cloud, which raises a code to cloud drift.

  5. View compliance reports.

    The Tenable Cloud Security Reports page displays the compliance reports for all resources.