IaC Security Scanner
Overview
Note: Infrastructure as Code (IaC) is the creation, provisioning and configuration of software-defined compute (SDC), network and storage infrastructure through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools. IaC automates the manual tasks usually associated with computing infrastructure configuration and implementation.
Checkmarx's IaC Security scanner (based on the KICS open source project, powered by Checkmarx) examines the configuration definitions and scripts used to instantiate infrastructure to ensure the resulting resources are secure. The scanner consumes configuration files and scripts in the relevant formats and then applies tests to check conformance with common configuration hardening standards (e.g., the Center for Internet Security Benchmarks and many others), identifies security issues associated with specific operational environments, identifies embedded secrets, and performs other tests supporting organization-specific standards and compliance requirements.
IaC Security Configuration Options
Parameter | Values | Notes | CLI | API |
---|---|---|---|---|
Folder/file filter | Allows users to select specific folders or files to include in or exclude from the code-scanning process. | | | scan.config.kics.filter |
platforms | | Notice: Configure one or more platforms, separated by a comma. The parameter means that you only want to run scans (queries) for those platforms. For example: Ansible, CloudFormation, Dockerfile. Warning: Any mistake in the platform characters will cause an error. | | scan.config.kics.platforms |