Infrastructure code security scanning, also known as Infrastructure as Code (IaC) security scanning, is the process of evaluating the security of the code used to define and configure an organization's infrastructure. Infrastructure code refers to the scripts, templates, or configuration files that are used to automate the deployment and management of infrastructure resources such as servers, networks, and storage.
With the rise of DevOps practices and cloud computing, Infrastructure as Code has become increasingly popular. It allows organizations to define and manage their infrastructure using code, which offers advantages such as version control, automation, and reproducibility. However, like any code, infrastructure code can contain security vulnerabilities that may be exploited by attackers.
Infrastructure code security scanning involves analyzing the code used to define infrastructure resources and identifying potential security risks, misconfigurations, or vulnerabilities. The scanning process typically focuses on the following aspects:
Security Best Practices: The scanning tool examines the infrastructure code against established security best practices and guidelines. It checks for adherence to secure coding principles, such as using encryption, avoiding hard-coded credentials, and implementing access controls.
Vulnerability Detection: The tool analyzes the code for known vulnerabilities, insecure configurations, or potential weaknesses. It may compare the code against a database of known vulnerabilities or utilize static code analysis techniques to identify security flaws.
Secrets Management: Infrastructure code often includes sensitive information such as access keys, passwords, or API tokens. The scanning tool verifies if these secrets are properly managed, such as not being exposed in the code repository or stored insecurely.
Compliance Requirements: Depending on the organization's industry or regulatory obligations, the scanning tool may check if the infrastructure code meets specific compliance requirements. This could include adherence to standards like HIPAA, PCI DSS, or GDPR.
Integration with CI/CD Pipelines: To ensure continuous security, infrastructure code security scanning is often integrated into the organization's CI/CD (Continuous Integration/Continuous Deployment) pipelines. This enables automatic scanning and validation of infrastructure code with every code commit or deployment, allowing for early detection and remediation of security issues.
Infrastructure code security scanning helps organizations identify and address security vulnerabilities and misconfigurations early in the development and deployment process. By ensuring the security of infrastructure code, organizations can reduce the risk of security breaches, ensure compliance, and improve the overall security posture of their infrastructure.
In Cryeye, infrastructure security scanning is performed by the Audits system, where users can upload their infrastructure code as an asset and create an audit project to manually select and run infrastructure audits.
Infrastructure code security scanning of Docker files refers to the process of evaluating the security of Dockerfiles, which are used to build Docker images. Docker is a popular containerization technology that allows applications to be packaged along with their dependencies and executed in isolated environments called containers.
Dockerfiles are text files that contain instructions for building Docker images. They specify the base image, define the application's dependencies, configure environment variables, and set up the runtime environment. Infrastructure code security scanning of Docker files involves analyzing these files for potential security vulnerabilities, misconfigurations, or best practice violations.
Vulnerability scanning of local Docker images allows developers and development teams to review the security state of their container images and fix the issues identified during the scan, resulting in more secure deployments. The Docker scan is built on several underlying tools, giving users visibility into the security posture of their local Dockerfiles and local images.
By conducting infrastructure code security scanning of Docker files, organizations can identify potential security risks and vulnerabilities in the containerization process. This allows them to address these issues early on, ensuring that Docker images are built securely and minimizing the risk of container-based attacks or compromises. It is recommended to incorporate Dockerfile scanning as part of the CI/CD pipeline or during the container image build process to maintain a strong security posture.
Here is an example of one of the Docker infrastructure audits at work:
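As an added illustration (not Cryeye's own code or audit output), the following Python script implements a few of the Dockerfile checks described above: an unpinned base image, a credential-looking ENV/ARG key, ADD from a remote URL, and a missing non-root USER. The sample Dockerfile, the rule identifiers and the key-name pattern are constructed for this example.

```python
import re

# Constructed sample Dockerfile for this example (not from the page); it triggers one finding per rule.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV AWS_SECRET_ACCESS_KEY=EXAMPLE_PLACEHOLDER_VALUE
ADD https://example.invalid/setup.sh /tmp/setup.sh
RUN chmod +x /tmp/setup.sh && \\
    /tmp/setup.sh
CMD ["python", "/app/main.py"]
"""

SECRET_KEY_RE = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|ACCESS_KEY)", re.I)  # credential-like key names

def parse_instructions(text):
    """Yield (line_no, INSTRUCTION, argument), joining backslash continuations and skipping comments."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        yield start, parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""
        buf, start = "", 0

def scan_dockerfile(text):
    """Return (line_no, rule_id, message) findings; rule ids are constructed for this example."""
    findings = []
    runs_as_root = True
    for no, instr, arg in parse_instructions(text):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # skip e.g. --platform=
            image = tokens[0] if tokens else ""
            if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
                findings.append((no, "DKR001", "base image is not pinned to a tag or digest"))
        elif instr in ("ENV", "ARG"):
            key = arg.split("=")[0].split()
            if key and SECRET_KEY_RE.search(key[0]):
                findings.append((no, "DKR002", f"{instr} {key[0]} looks like a hard-coded credential"))
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append((no, "DKR003", "ADD downloads from a URL; prefer COPY of a verified artifact"))
        elif instr == "USER":
            runs_as_root = arg.split(":")[0].strip() in ("root", "0")  # last USER wins
    if runs_as_root:
        findings.append((0, "DKR004", "no non-root USER instruction; container runs as root"))
    return findings
```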
Infrastructure code security scanning of Terraform code refers to the process of evaluating the security of Terraform configuration files. Terraform is an infrastructure as code tool used to define and manage infrastructure resources across various cloud providers, including AWS, Azure, and Google Cloud.
Terraform configuration files, written in HashiCorp Configuration Language (HCL), describe the desired state of the infrastructure. Infrastructure code security scanning of Terraform code involves analyzing these configuration files to identify potential security vulnerabilities, misconfigurations, or compliance issues.
Cryeye scans your Terraform code for misconfigurations and security issues as well. For configuration files, once scanned, Cryeye reports on any misconfigurations based on the settings your administrator has implemented, and makes recommendations for fixing accordingly.
Infrastructure code security scanning of Terraform code helps organizations identify and address security issues in their infrastructure deployments. By conducting these scans, organizations can reduce the risk of misconfigurations, vulnerabilities, or non-compliance, ultimately strengthening the security of their infrastructure provisioned with Terraform. Integrating scanning into the CI/CD pipeline or performing regular assessments ensures ongoing security and adherence to security best practices.
Here is an example of one of the Terraform infrastructure audits at work:
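As an added example (not Cryeye's code and not Cryeye's report format), this Python script shows the kind of misconfiguration check a Terraform scan performs on HCL: a public S3 bucket ACL and a security group ingress rule that exposes an administrative port to the whole internet. The HCL snippet, the resource names and the rule identifiers are constructed; the block extraction is a minimal brace matcher, not a full HCL parser.

```python
import re

# Constructed Terraform snippet for this example (not from the page): two misconfigurations, one clean resource.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  acl    = "public-read"
}

resource "aws_security_group" "admin" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "private_data" {
  bucket = "example-private"
  acl    = "private"
}
"""

RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')

def iter_resources(text):
    """Yield (type, name, body, line_no) per top-level resource block by matching braces."""
    for m in RESOURCE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), m.group(2), text[m.end():i - 1], text.count("\n", 0, m.start()) + 1

def scan_terraform(text):
    """Return (line_no, rule_id, message) findings; rule ids are constructed for this example."""
    findings = []
    for rtype, name, body, line in iter_resources(text):
        if rtype == "aws_s3_bucket" and re.search(r'acl\s*=\s*"public-read(-write)?"', body):
            findings.append((line, "TF001", f"S3 bucket '{name}' has a public ACL"))
        if rtype == "aws_security_group":
            for ing in re.finditer(r"ingress\s*\{([^}]*)\}", body):
                block = ing.group(1)
                open_world = '"0.0.0.0/0"' in block or '"::/0"' in block
                port = re.search(r"from_port\s*=\s*(\d+)", block)
                if open_world and port and int(port.group(1)) in (22, 3389, 0):  # SSH, RDP, or all ports
                    findings.append((line, "TF002", f"security group '{name}' exposes port {port.group(1)} to the internet"))
    return findings
```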
Infrastructure code security scanning of AWS CloudFormation code refers to the process of evaluating the security of AWS CloudFormation templates. AWS CloudFormation is a service that allows users to define and provision AWS infrastructure resources using JSON or YAML templates.
Infrastructure code security scanning of AWS CloudFormation code involves analyzing these templates to identify potential security vulnerabilities, misconfigurations, or compliance issues specific to AWS services and resources.
AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable fashion.
Infrastructure code security scanning of AWS CloudFormation code helps organizations identify and address security issues in their AWS infrastructure deployments. By conducting these scans, organizations can ensure that their CloudFormation templates are configured securely, reduce the risk of misconfigurations or vulnerabilities, and align with best security practices. Regular scanning and adherence to security recommendations help maintain a robust security posture in AWS environments.
Here is an example of one of the AWS CloudFormation infrastructure audits at work:
Ansible is the simplest way to automate apps and IT infrastructure, covering application deployment, configuration management, and continuous delivery.
Ansible can be used to provision the underlying infrastructure of your environment, virtualized hosts and hypervisors, network devices, and bare metal servers. It can also install services, add compute hosts, and provision resources, services, and applications inside of your cloud.
Infrastructure code security scanning of Ansible code refers to the process of evaluating the security of Ansible playbooks and configuration files. Ansible is an open-source automation tool that allows organizations to automate the provisioning, configuration, and management of infrastructure resources.
Infrastructure code security scanning of Ansible code involves analyzing playbooks and configuration files to identify potential security vulnerabilities, misconfigurations, or compliance issues.
By conducting infrastructure code security scanning of Ansible code, organizations can identify and address security issues in their infrastructure automation processes. This helps ensure that Ansible playbooks and configuration files are built securely, minimizing the risk of misconfigurations, vulnerabilities, or non-compliance. Regular scanning and adherence to security best practices contribute to maintaining a strong security posture in Ansible-based infrastructure automation.
Here is an example of one of the Ansible infrastructure audits at work:
Infrastructure code security scanning of Helm code refers to the process of evaluating the security of Helm charts. Helm is a package manager for Kubernetes that simplifies the deployment and management of applications in Kubernetes clusters.
Helm charts are packages that contain the necessary files and configurations to deploy and configure applications on Kubernetes. Infrastructure code security scanning of Helm code involves analyzing these charts to identify potential security vulnerabilities, misconfigurations, or compliance issues specific to Kubernetes deployments.
Infrastructure code security scanning of Helm code helps organizations identify and address security issues in their Kubernetes deployments. By conducting these scans, organizations can ensure that their Helm charts are configured securely, reduce the risk of misconfigurations or vulnerabilities, and align with best security practices. Regular scanning and adherence to security recommendations help maintain a robust security posture in Kubernetes environments managed with Helm.
Here is an example of one of the Helm infrastructure audits at work:
Kubernetes automates operational tasks of container management and includes built-in commands for deploying applications, rolling out changes to your applications, scaling your applications up and down to fit changing needs, monitoring your applications, and more—making it easier to manage applications.
Infrastructure code security scanning of Kubernetes code refers to the process of evaluating the security of Kubernetes configuration files, also known as Kubernetes manifests or YAML files. Kubernetes is an open-source container orchestration platform used to deploy, scale, and manage containerized applications.
Infrastructure code security scanning of Kubernetes code involves analyzing these configuration files to identify potential security vulnerabilities, misconfigurations, or compliance issues specific to Kubernetes deployments.
Infrastructure code security scanning of Kubernetes code helps organizations identify and address security issues in their Kubernetes deployments. By conducting these scans, organizations can ensure that their Kubernetes manifests are configured securely, reduce the risk of misconfigurations or vulnerabilities, and align with best security practices. Regular scanning and adherence to security recommendations help maintain a strong security posture in Kubernetes environments.
Here is an example of one of the Kubernetes infrastructure audits at work:
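As an added example (not Cryeye's code or output), this Python script checks a Pod manifest for the settings a Kubernetes scan typically flags: host namespace sharing, privileged containers, missing runAsNonRoot, privilege escalation left enabled, and unpinned images. The manifest is constructed and given in JSON (which Kubernetes accepts alongside YAML) so the example runs with the standard library only; the rule identifiers and the sha256 digest placeholder are constructed too.

```python
import json

# Constructed Pod manifest for this example (not from the page). The "app" container is
# misconfigured; the "sidecar" container shows the hardened settings.
SAMPLE_POD = json.loads("""{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "web"},
  "spec": {
    "hostNetwork": true,
    "containers": [
      {"name": "app", "image": "example/app:latest",
       "securityContext": {"privileged": true}},
      {"name": "sidecar", "image": "example/sidecar@sha256:PLACEHOLDER_DIGEST",
       "securityContext": {"runAsNonRoot": true, "allowPrivilegeEscalation": false,
                           "readOnlyRootFilesystem": true}}
    ]
  }
}""")

def scan_pod_spec(manifest):
    """Return (container_or_pod, rule_id, message) findings; rule ids are constructed for this example."""
    findings = []
    if manifest.get("kind") != "Pod":  # Deployments etc. nest the pod spec deeper; kept out of scope here
        return findings
    spec = manifest.get("spec", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key) is True:
            findings.append(("pod", "K8S001", f"{key} is enabled"))
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged") is True:
            findings.append((name, "K8S002", "container runs privileged"))
        # container-level setting overrides the pod-level one
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append((name, "K8S003", "runAsNonRoot is not enforced"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append((name, "K8S004", "allowPrivilegeEscalation is not explicitly false"))
        image = c.get("image", "")
        if "@sha256:" not in image and (":" not in image or image.endswith(":latest")):
            findings.append((name, "K8S005", "image is not pinned to a tag or digest"))
    return findings
```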
Azure Resource Manager is the deployment and management service for Azure. It provides a management layer that enables you to create, update, and delete resources in your Azure account. You use management features, like access control, locks, and tags, to secure and organize your resources after deployment.
Infrastructure code security scanning of Azure Resource Manager (ARM) code refers to the process of evaluating the security of Azure Resource Manager templates. Azure Resource Manager is the deployment and management service for Azure resources that allows users to define and provision Azure infrastructure resources in a declarative manner.
Infrastructure code security scanning of Azure Resource Manager code involves analyzing these templates to identify potential security vulnerabilities, misconfigurations, or compliance issues specific to Azure deployments.
Infrastructure code security scanning of Azure Resource Manager code helps organizations identify and address security issues in their Azure deployments. By conducting these scans, organizations can ensure that their ARM templates are configured securely, reduce the risk of misconfigurations or vulnerabilities, and align with best security practices. Regular scanning and adherence to security recommendations help maintain a robust security posture in Azure environments provisioned with ARM templates.
Here is an example of one of the Azure Resource Manager infrastructure audits at work: