Configure IaC scanning


Configure Infrastructure as Code (IaC) scanning to identify security misconfigurations, compliance violations, and best practice deviations in your infrastructure configuration files. IaC scanning analyzes infrastructure configuration files such as Terraform, Kubernetes manifests, CloudFormation templates, and Docker files to detect security risks before deployment. Before you begin, ensure you have IaC configuration files in your repositories and the necessary permissions to configure security scanning tools.

Choose your IaC scanning approach

CloudBees Unify supports both implicit scanning through application security posture management (ASPM) and explicit workflow scanning for Infrastructure as Code security analysis.

To choose the right approach:

  1. Determine your scanning needs:

    • Choose implicit scanning for automatic analysis of IaC files when code is committed to repositories.

    • Choose explicit scanning for targeted IaC analysis with specific configuration control and custom timing.

  2. Identify your IaC frameworks and file types:

    • Ensure IaC configuration files (such as Terraform .tf files, Kubernetes YAML, or CloudFormation templates) are available for analysis.

    • Consider scanning timing in your infrastructure deployment pipeline to catch issues before they reach production environments.

Your approach determines which configuration steps to follow in the subsequent sections.

Configure implicit IaC scanning

Implicit IaC scanning integrates with ASPM to provide automatic security analysis of infrastructure configuration files as they are committed and updated.

You must have ASPM enabled for your organization and the Manage security tools permission to configure implicit IaC scanning.

To configure implicit IaC scanning:

  1. Navigate to Security > Marketplace in your organization.

  2. Filter the available tools by IaC scanning category or search for infrastructure scanning tools.

  3. Select and activate the IaC scanner available as an implicit option:

    • Snyk IaC: Comprehensive Infrastructure as Code security analysis with support for multiple IaC frameworks and cloud providers.

      The system activates Snyk IaC for automatic analysis of infrastructure configuration files across your organization.

  4. Configure scanner-specific settings if required:

    • Access individual scanner configuration through the Marketplace interface.

    • Set severity thresholds and compliance policy requirements appropriate for your infrastructure standards.

    • Configure scanning scope and exclusion patterns for specific file types or directory structures.

      Implicit IaC scanning automatically triggers when infrastructure configuration files are committed to repositories linked to CloudBees Unify components.

Once configured, implicit scanning provides continuous infrastructure security monitoring across all linked repositories without requiring workflow modifications.

Configure explicit workflow IaC scanning

Explicit workflow IaC scanning provides granular control over when and how infrastructure security analysis runs within your CloudBees Unify workflows.

To configure explicit workflow IaC scanning:

  1. Add IaC scanning actions to your workflow YAML file in appropriate job steps. Available explicit IaC scanner:

    • Snyk IaC: Comprehensive infrastructure security analysis (also available as implicit scanner).

  2. Configure scanner authentication and file access:

    • Create the required secrets in your CloudBees Unify organization or component settings for Snyk API access.

    • Set up access to infrastructure configuration files, ensuring the scanner can read IaC files during workflow execution.

    • Configure organizational context and project identification parameters for proper result tracking.

      Common authentication requirements:

      • API key authentication: Snyk IaC requires API tokens stored as secrets for analysis and result reporting.

      • File system access: Scanner needs access to IaC configuration files within the workflow workspace.

      • Organizational context: Proper organization and project identification for result management.

  3. Customize scan parameters for your infrastructure:

    • Define file scanning scope and specify which IaC frameworks and file types to analyze.

    • Configure severity thresholds and compliance policy enforcement based on your infrastructure security requirements.

    • Set up custom rule sets and exclusion patterns for organization-specific infrastructure patterns.

      Example IaC scanning configuration:

      - name: Scan with Snyk IaC
        uses: https://github.com/cloudbees-io/snyk-iac-scan@v1
        with:
          orgname: "your_snyk_organization"
          token: ${{ secrets.SNYK_SECRET }}
          file-path: "infrastructure/"
          severity-threshold: "high"

IaC scanning should be integrated early in infrastructure development workflows to catch misconfigurations before deployment to production environments.

Manage IaC scanning and infrastructure workflows

IaC scanning requires integration with infrastructure development and deployment processes to ensure security analysis occurs at appropriate points in the infrastructure lifecycle.

To integrate IaC scanning effectively:

  1. Schedule IaC scans at appropriate infrastructure workflow stages:

    • Scan after infrastructure configuration changes but before deployment to any environment.

    • Consider scanning both during development and before production deployment approvals.

    • Use workflow dependencies to ensure infrastructure security validation occurs before deployment processes.

  2. Configure appropriate scanning scope and performance:

    • Set scanning scope to cover all relevant IaC files while avoiding unnecessary analysis of documentation or example files.

    • Account for scanning time in your infrastructure deployment pipeline timing.

    • Consider parallel scanning of different infrastructure components to optimize overall pipeline duration.

  3. Handle scan results and infrastructure deployment decisions:

    • Define misconfiguration severity thresholds that determine deployment approval requirements.

    • Configure notifications for infrastructure teams when critical security issues are discovered.

    • Implement automated remediation suggestions and infrastructure security best practice guidance.

Review and manage IaC findings

IaC security findings focus on infrastructure misconfigurations and require specialized knowledge of cloud security best practices and compliance requirements.

To review IaC findings:

  1. Access scan results through the CloudBees Unify Security Center:

    • Navigate to Security > Security Center in your organization.

    • Filter findings by scanner type and infrastructure-specific misconfiguration categories.

  2. Understand IaC-specific finding types and prioritization:

    • Security group and network access control misconfigurations that could expose infrastructure.

    • Identity and access management policy issues that may grant excessive permissions.

    • Encryption and data protection configuration problems in storage and database resources.

    • Compliance violations based on industry standards and organizational security policies.

  3. Coordinate with infrastructure and security teams for effective remediation:

    • Share findings with infrastructure teams for configuration updates and security improvements.

    • Work with security teams to validate remediation approaches and ensure compliance alignment.

    • Prioritize remediation based on infrastructure exposure, criticality, and potential security impact.

    • Track infrastructure security improvements and implement preventive measures for common misconfiguration patterns.
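The following is an added illustration, not CloudBees Unify or Snyk code, of what the finding categories above look like in practice and how the severity threshold and exclusion patterns described in the earlier sections turn findings into a deployment decision. It is a toy checker over Terraform JSON syntax (*.tf.json), which the Python standard library can parse without an HCL library; it flags a security group open to the internet, an S3 bucket without an encryption block, and an IAM policy with wildcard Action and Resource, skips paths matching exclusion globs, and blocks deployment when any finding meets the threshold. The file names, resource names, severities and the check rules themselves are constructed sample data and do not reflect how Snyk IaC classifies or reports issues.

```python
# Constructed illustration (not CloudBees or Snyk code): a toy IaC misconfiguration
# checker over Terraform JSON syntax, with exclusion globs and a severity gate.
import json
from dataclasses import dataclass
from fnmatch import fnmatch

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    severity: str
    resource: str
    message: str
    path: str = ""

def check_security_group(resource, body):
    # Network exposure: ingress rules reachable from the whole internet.
    findings = []
    for rule in body.get("ingress", []):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        # protocol "-1" means all ports; a management port ranks above a public web port.
        mgmt = str(rule.get("protocol")) == "-1" or any(lo <= p <= hi for p in (22, 3389))
        findings.append(Finding("critical" if mgmt else "high", resource,
                                f"ingress {lo}-{hi} open to 0.0.0.0/0 or ::/0"))
    return findings

def check_s3_bucket(resource, body):
    # Data protection: only the legacy inline encryption block is understood here;
    # newer AWS provider versions use a separate resource a real scanner would resolve.
    if "server_side_encryption_configuration" in body:
        return []
    return [Finding("medium", resource, "no server-side encryption configured")]

def check_iam_policy(resource, body):
    # Excessive permissions: Allow on every action against every resource.
    policy = json.loads(body.get("policy", "{}"))
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            return [Finding("high", resource, "wildcard Action and Resource")]
    return []

CHECKS = {"aws_security_group": check_security_group,
          "aws_s3_bucket": check_s3_bucket,
          "aws_iam_policy": check_iam_policy}

def scan_document(path, text):
    # Run every applicable check over one Terraform JSON document.
    findings = []
    for rtype, instances in json.loads(text).get("resource", {}).items():
        check = CHECKS.get(rtype)
        for name, body in (instances.items() if check else []):
            for finding in check(f"{rtype}.{name}", body):
                finding.path = path
                findings.append(finding)
    return findings

def scan_repo(files, exclude=()):
    # Scan a {path: content} map, skipping paths that match an exclusion glob.
    return [f for path, text in sorted(files.items())
            if not any(fnmatch(path, pattern) for pattern in exclude)
            for f in scan_document(path, text)]

def gate_passes(findings, threshold):
    # Deployment gate: block when any finding is at or above the threshold.
    bar = SEVERITY_RANK[threshold]
    return not any(SEVERITY_RANK[f.severity] >= bar for f in findings)

# Constructed sample repository: one infrastructure module plus an examples directory.
SAMPLE_FILES = {
    "infrastructure/network.tf.json": json.dumps({"resource": {
        "aws_security_group": {"bastion": {"ingress": [{"from_port": 22, "to_port": 22,
                               "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        "aws_s3_bucket": {"logs": {"bucket": "example-logs"}},
        "aws_iam_policy": {"ops": {"policy": json.dumps(
            {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}}}),
    "examples/demo.tf.json": json.dumps({"resource": {
        "aws_security_group": {"demo": {"ingress": [{"from_port": 80, "to_port": 80,
                               "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}}}),
}

if __name__ == "__main__":
    results = scan_repo(SAMPLE_FILES, exclude=("examples/*", "docs/*"))
    for f in results:
        print(f"{f.severity:8} {f.path} {f.resource}: {f.message}")
    print("deploy allowed:", gate_passes(results, "high"))
```

With the exclusion globs applied, the examples directory produces no findings, the infrastructure module yields one critical, one high and one medium finding, and a "high" threshold blocks deployment. Lowering the threshold or tightening the exclusions changes the decision, which is the trade-off the scope and threshold settings in the sections above control.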

For detailed guidance on findings management, refer to Triage security findings.