How to scan Infrastructure as Code (IaC) files

Question

How do I scan Infrastructure as Code (IaC) files with Fortify?

Answer

IaC files should be scanned to support the development of more secure infrastructure deployments, including container images; this applies equally when Chef, Terraform, Ansible and other types of IaC files are stored in their own separate repository.[1]

As of Fortify v20.2.0, Fortify Static Code Analyzer (SCA) supports scanning some types of IaC files. See the sections below for the supported IaC file types. As Fortify adds support for other IaC file types, this technical note will be updated to describe how to scan them.

Docker

Note: if you are using Dockerfiles that do not have a filename extension, Fortify SCA patch v20.2.1 is required together with Fortify rulepacks version 2020.4.0.

Fortify SCA translates the following files as Dockerfiles: Dockerfile, dockerfile, *.Dockerfile, and *.dockerfile.

Fortify SCA accepts the following escape characters in Dockerfiles: backslash (\) and backquote (`). If the escape character is not set in the Dockerfile, Fortify SCA assumes that the backslash is the escape character.

The syntax to translate a directory that contains Dockerfiles is shown in the following example (note there is no special syntax since Dockerfiles are text files):

sourceanalyzer -b <build_id> <dir>

If the Dockerfile is malformed and Fortify SCA cannot parse the file, an error is written to the log and analysis of the Dockerfile is skipped. The following is an example of the error written to the log:

Dockerfile parser error 1:20 : mismatched input '\n' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file
C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile

The Dockerfile should be examined at the line and location flagged to determine what (if any) corrections can be made so that Fortify SCA can successfully translate the file. If the syntax appears to be correct and the issue appears to be a problem with the Fortify translation parser, the developer should follow the procedures documented in the File parsing or Syntax errors technical note.

The following is an example of how to run the scan after translating a directory that contains Dockerfiles:

sourceanalyzer -b <build_id> -scan -f myresults.fpr

See the Fortify SCA User Guide, Chapter 2: Installing Fortify Static Code Analyzer, section Using Docker to Install and Run Fortify Static Code Analyzer, for detailed instructions on how to install Fortify Static Code Analyzer in a Docker image and then run Fortify Static Code Analyzer as a Docker container.

Azure Resource Manager Templates

Note: Fortify rulepacks version 2020.4.0 or newer is required to scan ARM Templates.

Fortify SCA will look for ARM Template issues when scanning *.json files.

ARM Templates are scanned in the same way as other JSON files. The syntax to translate a directory that contains ARM Templates is shown in the following example (note there is no special syntax):

sourceanalyzer -b <build_id> <dir>

Then the scan command is run as normal:

sourceanalyzer -b <build_id> -scan -f myresults.fpr

AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service

Note: Fortify version 21.2.0 and Fortify rulepacks version 2021.4.0 or newer are required to scan AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service IaC files.

Fortify SCA will look for AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service IaC issues when scanning *.json, *.yaml, and *.yml files.

These IaC files are scanned in the same way as other JSON and YAML files. The syntax to translate a directory that contains these IaC files is shown in the following example (note there is no special syntax):

sourceanalyzer -b <build_id> <dir>

Then the scan command is run as normal:

sourceanalyzer -b <build_id> -scan -f myresults.fpr
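A pre-flight check, added here as an example and not part of this note or of Fortify's own tooling, that applies the file-naming rules from the sections above to a source tree before translation: it reports which files SCA will treat as Dockerfiles, JSON or YAML, and flags Docker-style names such as Dockerfile.dev that fall outside the accepted patterns and so would not be translated as Dockerfiles. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Pre-flight inventory of IaC files before running sourceanalyzer.
# Applies the naming rules from this note: Dockerfiles are translated only
# when named Dockerfile, dockerfile, *.Dockerfile or *.dockerfile; ARM,
# CloudFormation and Kubernetes rules run over *.json, *.yaml and *.yml.

# classify_iac_file PATH -> dockerfile | json | yaml | docker-unmatched | other
classify_iac_file() {
  name=$(basename "$1")
  case "$name" in
    Dockerfile|dockerfile|*.Dockerfile|*.dockerfile) echo dockerfile ;;
    *.json)                                          echo json ;;
    *.yaml|*.yml)                                    echo yaml ;;
    Dockerfile.*|dockerfile.*)                       echo docker-unmatched ;;
    *)                                               echo other ;;
  esac
}

# inventory_iac_dir DIR -> one "kind<TAB>path" line per regular file, sorted
inventory_iac_dir() {
  find "$1" -type f | while IFS= read -r f; do
    printf '%s\t%s\n' "$(classify_iac_file "$f")" "$f"
  done | sort
}

# count_kind DIR KIND -> number of files under DIR classified as KIND
count_kind() {
  inventory_iac_dir "$1" | awk -F '\t' -v k="$2" '$1 == k' | wc -l | tr -d ' '
}

# Constructed sample tree (not from the note) that exercises each rule.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/docker" "$d/arm" "$d/k8s"
  printf 'FROM alpine:3.18\n' > "$d/docker/Dockerfile"
  printf 'FROM alpine:3.18\n' > "$d/docker/web.Dockerfile"
  printf 'FROM alpine:3.18\n' > "$d/docker/Dockerfile.dev"   # outside the accepted names
  printf '{}\n' > "$d/arm/azuredeploy.json"
  printf 'apiVersion: v1\n' > "$d/k8s/pod.yaml"
  printf 'version: "3"\n' > "$d/k8s/docker-compose.yml"
  printf 'notes\n' > "$d/README.md"
  echo "$d"
}

sample=$(make_sample_tree)
inventory_iac_dir "$sample"
unmatched=$(count_kind "$sample" docker-unmatched)
[ "$unmatched" -eq 0 ] || echo "warning: $unmatched Docker file(s) would not be translated as Dockerfiles; rename to *.Dockerfile" >&2
rm -rf "$sample"
```

Run it against the real source directory instead of the constructed tree by replacing the make_sample_tree call with the path you pass to sourceanalyzer.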

References