Last month, we announced our Infrastructure as Code (IaC) scanning capabilities in a press release. We are adding IaC scanning for security misconfigurations to our Internal Monitoring platform. This new release complements the current automated secrets detection and remediation capabilities. And in keeping with Shift Left security, we are enabling proactive IaC scanning through the popular open-source command-line interface (CLI) for developers, ggshield.

Why should you care about IaC scanning?

Infrastructure as Code (IaC) has become the de facto solution in development today.

While software-defined infrastructure has enabled engineering teams to deploy cloud resources more quickly and consistently, it comes with risks. Gartner predicts that through 2023, at least 99% of cloud security failures will be the user's fault, primarily due to misconfigurations.

Today, developers are under pressure to deliver new features while also managing all of the configurations required for the services on which their applications run. In this hustle, it is easy to overlook the manual checks required to secure their Infrastructure as Code. It might be as simple as forgetting to restrict network access, to set the correct permissions on resources, or to encrypt storage systems such as databases or AWS S3 buckets. It might also be as dangerous as leaving credentials hardcoded in Terraform configuration files. These errors spread from code into the different cloud-native environments it provisions, exposing crucial workloads and resources. So, IaC security scanning that does not cause developer friction is critical for your security posture.

Infrastructure code is not so different from application code that it cannot be tested. Developers should not waste time manually going through templates that were meant to save time. Even if you are ready to put in the time to comb through the code for misconfigurations, there is still the likelihood of human error. IaC scanning tools can automate the process and guarantee that every line of your infrastructure code is safe and secure.

How should you use ggshield to scan IaC misconfigurations?

ggshield, the GitGuardian CLI, is meant to run on local workstations as a pre-commit check that scans your IaC before each commit. It can also be integrated into your CI pipelines to stop serious misconfigurations from being deployed. We always encourage you to prevent security issues as early as possible in the software development life cycle, which minimizes the potential cost and impact of a security misconfiguration.

A layered detection strategy

IaC scanning was added to ggshield with one goal: to make it simple for Developers, Site Reliability Engineers, DevOps Engineers (or any Terraform author) to manage large-scale IaC misconfigurations from the comfort of the command line.

Let's take a closer look at how it works:

1. Create a token to authenticate your GitGuardian workspace

After installing ggshield, you can use the ggshield auth login command (see documentation) or manually create a personal access token in your dashboard with the scan permission.

2. Scan your local repositories

Once you have installed and set up the command-line interface, you can initiate scans with a simple ggshield command:

ggshield iac scan iac_repo

3. View scan results in the command line interface

You can quickly identify misconfigurations, read detailed information about them, and see which exact policies were violated all in one place. You may also export the results to a JSON file and save it somewhere else in your CI/CD for further analysis.

4. Set a minimum severity to prioritize issues

Unlike most IaC security scanning tools, ggshield IaC Scanning does not overwhelm the user with numerous alerts. The command line interface allows you to prioritize remediation. You can set a severity threshold to filter critical misconfigurations (thanks to rich context!) and address them before running a Terraform plan and generating the corresponding infrastructure.

ggshield iac scan --minimum-severity CRITICAL iac_repo

5. Achieve a broad scope of coverage

Before deployment, DevOps, Platform Engineering, and Site Reliability Engineering teams can find and fix over 70 security misconfigurations in their Terraform files managing AWS resources.

Application and Cloud Security teams can enforce and monitor ggshield IaC Scanning from the GitGuardian dashboard, thanks to our analytics and reporting features.
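The following POSIX shell wrapper is an added example of how steps 1 to 4 fit together in a CI job or a pre-commit hook; it is not code from ggshield or GitGuardian. It assumes the --minimum-severity flag shown above, a --json flag for the report export mentioned in step 3, the GITGUARDIAN_API_KEY environment variable for non-interactive authentication, and the scan-command exit-code convention (0 = clean, 1 = findings); GGSHIELD_BIN and scan_iac are names introduced here so a stub can stand in for the real binary.

```shell
#!/bin/sh
# Added example: CI / pre-commit wrapper around `ggshield iac scan`.
# Not part of ggshield. Assumed: --minimum-severity and --json flags,
# GITGUARDIAN_API_KEY for auth, exit code 0 = clean, 1 = findings.
# GGSHIELD_BIN (introduced here) lets a test substitute a stub binary.
: "${GGSHIELD_BIN:=ggshield}"

# scan_iac DIR [SEVERITY] [REPORT]
# Scans DIR, keeps the JSON report as a pipeline artifact and returns
# 0 only when no misconfiguration at or above SEVERITY was reported.
# Returns 2 for wrapper-level problems (bad path, missing credentials).
scan_iac() {
  dir="$1"
  severity="${2:-HIGH}"
  report="${3:-iac-report.json}"

  if [ ! -d "$dir" ]; then
    echo "scan_iac: '$dir' is not a directory" >&2
    return 2
  fi

  # Fail fast with a clear message instead of an authentication error
  # in the middle of the pipeline (step 1: token with scan permission).
  if [ -z "$GITGUARDIAN_API_KEY" ]; then
    echo "scan_iac: GITGUARDIAN_API_KEY is not set" >&2
    return 2
  fi

  # Run inside `if` so `set -e` in the calling job does not abort
  # before we can report where the findings were written.
  if "$GGSHIELD_BIN" iac scan --minimum-severity "$severity" --json "$dir" > "$report"; then
    rc=0
  else
    rc=$?
  fi

  case "$rc" in
    0) echo "scan_iac: no $severity or higher misconfigurations in $dir" ;;
    1) echo "scan_iac: misconfigurations found, see $report" >&2 ;;
    *) echo "scan_iac: ggshield failed (exit $rc)" >&2 ;;
  esac
  return "$rc"
}

# Typical CI invocation: gate the job on CRITICAL findings only and
# keep the report for later analysis (step 3).
# scan_iac ./terraform CRITICAL reports/iac.json || exit $?
```

In a pre-commit hook, call scan_iac on the repository root with a lower threshold than in CI, so developers see HIGH findings locally while the pipeline only blocks on CRITICAL ones; the report path argument can be omitted there.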

We're not going to stop at secrets detection and remediation

ggshield IaC Scanning is part of our vision to create a code security platform for the next generation of DevOps professionals. ggshield has already assisted thousands of enterprises in hardening the Source Control Management systems on which they rely to create and sell software. This time, we tried to explore a different use case that would benefit cloud security posture defenders.

See ggshield IaC Scanning in action

To get started with IaC Scanning, you only need a GitGuardian account! This feature is free for all GitGuardian customers at the moment.

Check out our public documentation for more information on IaC security scanning capabilities.

PS: also check the awesome IaC security cheat sheet!