Shift Security Left for Infra as Code


In today's cloud-native world, keeping infrastructure secure and compliant has become a priority, so a shift-left strategy for securing cloud infrastructure deserves more focus and discussion.

I was exploring this topic and landed upon a cool open-source tool that not only acts as a companion for this approach but also does much more!

KICS (Keeping Infrastructure as Code Secure) finds security vulnerabilities, compliance issues and infrastructure misconfigurations early in the development cycle, which makes it a good fit for shifting security left.

Proof of Concept:

This POC demonstrates how KICS can be integrated with CI/CD pipeline tooling, in this case GitHub Actions, to scan the Terraform code for GCP and upload a SARIF (Static Analysis Results Interchange Format) report to the GitHub repository, where the DevOps/infra team can work through the findings to eliminate vulnerabilities and compliance issues within the organization.

GitHub project: https://github.com/iamgp21/capstone-serverless

GitHub Actions workflow file: the workflow below performs the following steps:

  • Runs a job that is responsible for the infra scan.

  • Runs the KICS GitHub Action to scan the provided Terraform directory containing the infra code.

  • Displays the results and uploads the SARIF report to the GitHub repository's Security tab.

name: Serverless Infra

on:
  push:
    paths:
      - infra/**

  workflow_dispatch:

jobs:
  infra_scan:
    name: 'Infra Scan'
    runs-on: ubuntu-latest
    # defaults:
    #   run:
    #     working-directory: ./infra

    permissions:
      # required for all workflows
      security-events: write
      contents: 'read'
      id-token: 'write'

    steps:
    # Checkout the repository to the GitHub Actions runner
    - name: Checkout
      uses: 'actions/checkout@v4'

    - name: Make Infra Scan Directory
      run: mkdir -p infra_scan_results

    - name: Run KICS scan
      uses: Checkmarx/kics-github-action@v2.1.5
      with:
        path: 'infra'
        ignore_on_exit: results # don't fail the job on findings (the default behaviour is to fail)
        output_path: 'infra_scan_results' # given a directory, the report files are named 'results.{extension}'
        platform_type: terraform
        output_formats: 'json,sarif'

    - name: Display Results
      run: |
        cat infra_scan_results/results.sarif

    - name: Upload SARIF file
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: infra_scan_results/results.sarif
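Because ignore_on_exit: results keeps the job green, the workflow above reports findings but never blocks on them. The script below is an added example (not part of KICS or the linked project) that reads the results.sarif file KICS writes and exits non-zero when any result is at or above a chosen SARIF level; the SARIF document embedded in it is constructed for illustration, and its rule ids and messages are placeholders rather than real KICS queries.

```python
"""Severity gate over a KICS SARIF report (added example, not part of the KICS project)."""
import json
import sys

# SARIF result levels in increasing severity; a missing level is treated as "warning".
LEVEL_RANK = {"none": 0, "note": 1, "warning": 2, "error": 3}

def load_findings(sarif_text):
    """Flatten runs[].results[] of a SARIF 2.1.0 document into plain dicts."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "level": res.get("level", "warning"),
                "rule": res.get("ruleId", "unknown"),
                "file": loc.get("artifactLocation", {}).get("uri", "?"),
                "line": loc.get("region", {}).get("startLine", 0),
                "message": res.get("message", {}).get("text", ""),
            })
    return findings

def gate(findings, fail_on="error"):
    """Return findings at or above the threshold level; an empty list means the gate passes."""
    return [f for f in findings if LEVEL_RANK.get(f["level"], 0) >= LEVEL_RANK[fail_on]]

# Constructed sample shaped like KICS SARIF output; rule ids and messages are illustrative.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "KICS"}},
    "results": [
        {"ruleId": "example-rule-1", "level": "error",
         "message": {"text": "Cloud Storage bucket is publicly accessible"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/storage.tf"},
                                             "region": {"startLine": 12}}}]},
        {"ruleId": "example-rule-2", "level": "warning",
         "message": {"text": "Resource is missing labels"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "infra/main.tf"},
                                             "region": {"startLine": 3}}}]},
    ]}]})

if __name__ == "__main__":
    # Usage: python sarif_gate.py infra_scan_results/results.sarif [error|warning|note]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    blocking = gate(load_findings(text), sys.argv[2] if len(sys.argv) > 2 else "error")
    for f in blocking:
        print(f"{f['level'].upper()} {f['rule']} {f['file']}:{f['line']} {f['message']}")
    sys.exit(1 if blocking else 0)
```

Run as an extra step after the KICS action (before or after the SARIF upload) and the job fails only when a finding meets the threshold, while lower-level results still reach the Security tab.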

SARIF file upload on the GitHub repo: