SAST Scanning of IAC tools(Infrastructure as code like terraform or cloudformation)
We are looking for a way to perform SAST Scan(and other type scan suggested for this type of code) on our terraform(Majority of our workloads) and cloud-formation templates. There are some open source tools which can perform the sast scan for the tools,but integrating these into pipelines is an issue for us rite know .
Can you have support for these tools integrated into the product.
Potential tools
General
- https://github.com/bridgecrewio/checkov
- https://github.com/ansible/ansible-lint (security focused or general linter?)
- https://github.com/rodjek/puppet-lint (security focused or general linter?)
- https://github.com/returntocorp/semgrep/releases/tag/v0.44.0
Terraform
Cloudformation
- https://github.com/stelligent/cfn_nag (some security rules)
- https://github.com/aws-cloudformation/cfn-python-lint
Scanners Evaluated
| Name | License | Language | Output | JUnit | Examples |
|---|---|---|---|---|---|
| ansible-lint | MIT | Python | N | Simple w/ Log Based Results | |
| cfn_nag | MIT | Ruby | JSON | Simple w/ Log Based Results | |
| cfn-python-lint | MIT | Python | JSON | Simple w/ Log Based Results | |
| checkov | Apache 2.0 | Python | JSON | Y | - Simple w/ Log Based Results - With Report Collection, Includable Extension and AutoDevOps Compat, Used as an Extension in CloudFormation Deployer |
| hadolint | GPL3 | Haskell | JSON | Simple w/ Log Based Results | |
| kics | Apache 2.0 | Go/OPA | JSON, Sarif | ||
| kube-linter | Apache 2.0 | Haskell | JSON | Simple w/ Log Based Results | |
| puppet-lint | MIT | Ruby | JSON | Simple w/ Log Based Results | |
| terrascan | Apache 2.0 | Go | JSON | Simple w/ Log Based Results | |
| tfsec | MIT | Go | JSON | Simple w/ Log Based Results | |
| yamllint | GPL3 | Python | JSON | Simple w/ Log Based Results |
Edited by Lucas Charles