IaC Scan Workflow
An Infrastructure as Code (IaC) scan checks your IaC configuration files for known vulnerabilities. Tenable Cloud Security supports IaC scans for Terraform, Terragrunt, CloudFormation, Kubernetes YAML, Kustomize YAML, Helm Chart, and Azure Resource Manager (ARM).
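To make concrete what such a scan evaluates, the following is an added example (not Tenable Cloud Security code): a miniature policy checker run over a constructed CloudFormation template in JSON form. The two policies (SSH open to any source address, S3 bucket without server-side encryption) and the template contents are assumptions chosen for illustration; the non-compliant template is shown beside the corrected one so the output of each is visible.

```python
"""What an IaC scan does, in miniature: evaluate declarative infrastructure
files against policies before anything is deployed. This is an added example,
not Tenable Cloud Security code; the two policy checks and the template
contents are assumptions constructed for illustration."""
import json

# Constructed sample (CloudFormation in JSON form): an SSH rule open to the
# whole Internet and an S3 bucket with no server-side encryption block.
NONCOMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "0.0.0.0/0"},
                ],
            },
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"BucketName": "example-logs"},
        },
    },
})

# The same template after the fixes a scanner would ask for: SSH limited to a
# private range and SSE-S3 encryption declared on the bucket.
COMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "AdminSG": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "admin access",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                     "CidrIp": "10.0.0.0/8"},
                ],
            },
        },
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketName": "example-logs",
                "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                    {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                ]},
            },
        },
    },
})


def check_open_ssh(name, props):
    """Flag ingress rules that expose TCP/22 to any source address."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        if rule.get("IpProtocol") == "-1":        # "-1" means every port
            lo, hi = 0, 65535
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if lo <= 22 <= hi:
            findings.append(f"{name}: SSH (22) reachable from {cidr}")
    return findings


def check_bucket_encryption(name, props):
    """Flag S3 buckets that declare no server-side encryption."""
    if "BucketEncryption" not in props:
        return [f"{name}: no server-side encryption configured"]
    return []


# Policy registry: resource type -> checks to run on its Properties.
POLICIES = {
    "AWS::EC2::SecurityGroup": [check_open_ssh],
    "AWS::S3::Bucket": [check_bucket_encryption],
}


def scan_template(template_json):
    """Return every policy finding for a template, in resource order."""
    template = json.loads(template_json)
    findings = []
    for name, resource in template.get("Resources", {}).items():
        for check in POLICIES.get(resource.get("Type"), []):
            findings.extend(check(name, resource.get("Properties", {})))
    return findings


if __name__ == "__main__":
    for label, tpl in (("before", NONCOMPLIANT_TEMPLATE), ("after", COMPLIANT_TEMPLATE)):
        print(label, scan_template(tpl) or "no findings")
```

The policy registry is the part that scales: a real scanner carries hundreds of such checks keyed by resource type and runs them against every file format listed above, but each check still reduces to "find a resource of this type and test its declared properties."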
Before you begin:
- Perform the steps in Getting Started with Tenable Cloud Security.
To perform an IaC scan, follow these high-level steps:
First, integrate your IaC repository with Tenable Cloud Security. Tenable Cloud Security can run IaC scans on the following types of repositories:
- Code repositories: You can scan the IaC files in your code repositories by connecting to your Source Code Management (SCM) providers. Tenable Cloud Security supports IaC scans for Bitbucket, GitHub, GitLab, Azure DevOps, and AWS CodeCommit.
- CI/CD applications: Tenable Cloud Security integrates with your CI/CD provider and scans your IaC files for violations in your build pipeline. Tenable Cloud Security supports integration with Terraform Cloud, Jenkins, Azure DevOps, and CircleCI.
- On-premises code repositories: If your code repositories are behind a firewall, you can use the Tenable Cloud Security on-premises code scanner to connect to the repository. The code scanner scans the repository inside the firewall-bound network and sends only the processed results to the Tenable Cloud Security services for reporting in Tenable Cloud Security.
- Local repositories: You can use the Tenable Cloud Security CLI to scan code on your local machine.
The following table lists the integration procedure for each repository type.
Repository | Integration Procedure |
---|---|
Code repositories | |
CI/CD applications | |
On-premises repositories | |
Local repositories | |
Analyze and Remediate IaC Scan Issues
After you have integrated your repositories with Tenable Cloud Security, you can perform the following steps to monitor, analyze, and remediate the results of your IaC scans.
- View the Tenable Cloud Security dashboard to see the analytics for all projects and timelines.
- Tenable Cloud Security displays failing policies when resources fail to comply with the configured policies.
- Perform workflow actions and remediate the impacted resources. Workflow actions allow organizational users to configure and manage alerting and ticketing. You can also generate pull requests with proposed fixes to remediate build-time issues.
- Tenable Cloud Security maps your IaC resources to the corresponding cloud resources in your cloud account. For a mapped resource, the configuration in your IaC code may differ from the configuration on the cloud; Tenable Cloud Security reports this difference as code-to-cloud drift.
- The Tenable Cloud Security Reports page displays the compliance reports for all resources.
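The code-to-cloud drift step above is the one most often misunderstood, so here is an added example of the comparison it describes (not Tenable Cloud Security code). It uses constructed data: a declared state taken from IaC files and an observed state taken from a cloud inventory, both keyed by a cloud resource identifier. The attribute names and the identifier used to map code to cloud are assumptions chosen for illustration.

```python
"""Code-to-cloud drift: an IaC resource has been mapped to a live cloud
resource, and the live configuration no longer matches what the code declares.
Added example with constructed data; it is not Tenable Cloud Security code, and
the attribute names and the identifier used to map code to cloud are
assumptions chosen for illustration."""

# Constructed: the state the IaC files declare, keyed by cloud resource id.
DECLARED = {
    "sg-0a1b2c": {
        "ingress_cidrs": ["10.0.0.0/8"],
        "ssh_from_anywhere": False,
    },
    "bucket/example-logs": {
        "sse_enabled": True,
        "public_access_blocked": True,
        "versioning": True,
    },
}

# Constructed: what an inventory of the cloud account currently reports.
# The security group gained a world-open rule by hand, the bucket lost its
# public-access block, and a bucket exists that no code declares at all.
OBSERVED = {
    "sg-0a1b2c": {
        "ingress_cidrs": ["10.0.0.0/8", "0.0.0.0/0"],
        "ssh_from_anywhere": True,
    },
    "bucket/example-logs": {
        "sse_enabled": True,
        "public_access_blocked": False,
        "versioning": True,
    },
    "bucket/manual-scratch": {
        "sse_enabled": False,
        "public_access_blocked": False,
        "versioning": False,
    },
}


def detect_drift(declared, observed):
    """Compare declared and observed state for every mapped resource.

    Returns a dict with three keys:
      drifted   -> {resource_id: {attribute: (declared, observed)}}
      unmanaged -> cloud resources with no IaC counterpart (sorted ids)
      missing   -> declared resources not found in the cloud (sorted ids)
    """
    drifted = {}
    missing = []
    for rid, want in declared.items():
        have = observed.get(rid)
        if have is None:
            missing.append(rid)
            continue
        diffs = {k: (v, have.get(k)) for k, v in want.items() if have.get(k) != v}
        if diffs:
            drifted[rid] = diffs
    unmanaged = sorted(set(observed) - set(declared))
    return {"drifted": drifted, "unmanaged": unmanaged, "missing": sorted(missing)}


def summarize(report):
    """One line per finding, the shape a dashboard or ticket would carry."""
    lines = []
    for rid, diffs in report["drifted"].items():
        for attr, (want, have) in diffs.items():
            lines.append(f"DRIFT {rid}.{attr}: code={want!r} cloud={have!r}")
    lines += [f"UNMANAGED {rid}: exists in cloud, absent from code"
              for rid in report["unmanaged"]]
    lines += [f"MISSING {rid}: declared in code, not found in cloud"
              for rid in report["missing"]]
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(detect_drift(DECLARED, OBSERVED))))
```

Two of the three result categories matter for remediation in different ways: a drifted attribute is fixed either by re-applying the code or by changing the code to match an intentional console change, while an unmanaged resource is the case the IaC scan alone can never see, which is why the drift check only becomes possible after the repository has been mapped to a cloud account.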