Skip to content
GitLab
Next
Open
Issue created by Michael Friedrich@dnsmichi🌈Developer

IaC SAST should detect vulnerabilities in custom Terraform modules from a GitLab registry

Proposal

Vulnerabilities in Terraform modules outside of the official registry are not detected. The IaC security scanner kics only supports a limited set of Terraform modules: https://docs.kics.io/latest/platforms/#terraform_modules

Evaluated while writing this blog post: https://about.gitlab.com/blog/2022/02/17/fantastic-infrastructure-as-code-security-attacks-and-how-to-find-them/#terraform-module-dependency-scans and discussed in &6653 (comment 847160211)

Example use case

https://gitlab.com/gitlab-de/use-cases/iac-tf-vuln-module introduces a vulnerability demo with public AWS S3 buckets:

module "my_module_name" {
  source = "gitlab.com/gitlab-de/iac-tf-vuln-module/aws"
  version = "1.0.0"
}

For local tests, terraform init requires .terraformrc with credentials token for gitlab.com if not used in the same GitLab CI/CD permission scope.

$ vim $HOME/.terraformrc 

credentials "gitlab.com" {
  token = "XXX"
}

Demo project: https://gitlab.com/gitlab-de/use-cases/infrastructure-as-code-scanning/

Upstream issue

Feature proposal to track:

cc @theoretick