Static Analysis (Security scanner) for Terraform Code
in Cloud Computing , DevSecOps , DevOps
What is Terraform?
Terraform is an open-source infrastructure as code software tool that provides a consistent CLI workflow to manage hundreds of cloud services. Terraform codifies cloud APIs into declarative configuration files. (Source →Terraform.io)
Basically, we use terraform tool to provision cloud services from CLI using the code.
But can we check if our terrafrom code has some security flaws??
YES. We can. Using TFsec tool.
TFsec uses HCL parser to understand the terraform code and have many default checks in place already. They also give you freedom to write your own custom checks.
You can run this tool in you CI pipeline (also in github actions) and check your code before making changes to cloud. And the best thing it is supported in all the mostly used OS.. and they have a docker container as well (which I love btw).
You can download yourself one form here → https://www.tfsec.dev/docs/home/
And they are also Open Source. That means you can read the code and make changes to it that suits you best. And also you can help to make it better. Just like tons of people who are making it better everyday.
“Gettign Hands Dirty” Time
I already had some test code for Terraform and I intentionally added a default secret key variable (which I know is a bad idea from a security point of view).
variable file with default secret key
I am now expecting any security scanner to detect this type of behavior and report it.
After the code was ready… I pulled and created a container for tfsec and mounted my code repository in that to perform scanning.
docker run --rm -it -v $PWD:/src tfsec/tfsec /srcAnd as expected,
scan report from tfsec
It gave me a good human readable report with all the highlighted potential issues along with the time taken for everything. Since it is using HCL parser to parse every thing.. It also gives me warning/errors in my code.
Resources
- Official documentations (https://www.tfsec.dev/docs/home/)
- Github Link for project (https://github.com/tfsec/tfsec)
- Want to contribute ??— Most of the wiki pages are not complete at this point. So if you are beginner and have some understanding of terraform. You can start contributing here (https://github.com/tfsec/tfsec/wiki)
- Don’t have any idea on how to contribute to wiki of a project?? Read this →https://gist.github.com/omaraboumrad/35654da0a376c57a2e0ab4d92ad0c339
Share this story with your friends
Rishabh Umrao, Information Security Engineer @ Sophos
Another Computer Science and Engineering Graduate (B.Tech) from india with a strong interest in Devops, Security and Automation.
Published by
Another Computer Science and Engineering Graduate (B.Tech) from india with a strong interest in Devops, Security and Automation.
Reach Cloud Native Professionals Get in touch
A Quick Guide to Make the Most Out of Multicloud Architecture Free Download
Kubernetes security ebook - tips, tricks, best practices | StackRox Secure your software supply chain, running workloads & Kubernetes infrastructure
Top stories this week
Top 8 DevOps Trends for 2021
Getting Started as an SRE? Here are 3 Things You Need to Know.
4 Things you Need to Know about Writing Better Production Readiness Checklists
Avoid the 5 most common Amazon Web Services misconfigurations in build-time
Graphite Dropping Metrics: MetricFire can Help!
