How to scan Infrastructure as Code (IaC) files
Question
How do I scan Infrastructure as Code (IaC) files with Fortify?
Answer
IaC files should be scanned to support the development of more secure infrastructure deployments, including container images and GitHub Actions workflows, and also when Chef, Terraform, Ansible, or other IaC files are stored in their own separate repository.[1]
As of Fortify v20.2.0, Fortify Static Code Analyzer (SCA) supports scanning some types of IaC files. See the sections below for the supported IaC file types. As Fortify adds support for further IaC file types, this technical note will be updated to describe how to scan them.
Docker
Fortify SCA translates the following files as Dockerfiles: Dockerfile, dockerfile, *.Dockerfile, and *.dockerfile.
Fortify SCA accepts the following escape characters in Dockerfiles: backslash (\) and backquote (`). If the escape character is not set in the Dockerfile, then Fortify SCA assumes that the backslash is the escape character.
The syntax to translate a directory that contains Dockerfiles is shown in the following example (note there is no special syntax since Dockerfiles are text files):
sourceanalyzer -b <build_id> <dir>
If the Dockerfile is malformed and Fortify SCA cannot parse the file, an error is written to the log and analysis of the Dockerfile is skipped. The following is an example of the error written to the log:
Dockerfile parser error 1:20 : mismatched input '\n' expecting {LINE_EXTEND, WHITESPACE}
Unable to parse config file
C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile
The Dockerfile should be examined at the line and location flagged to determine what (if any) corrections can be made so that Fortify SCA can successfully translate the file. If the syntax appears to be correct and the issue appears to be a problem with the Fortify translation parser, the developer should follow the procedures documented in the File parsing or Syntax errors technical note.
The following is an example for how to scan a directory that contains Dockerfiles:
sourceanalyzer -b <build_id> -scan -f myresults.fpr
See the Fortify SCA User Guide, Chapter 2: Installing Fortify Static Code Analyzer, section Using Docker to Install and Run Fortify Static Code Analyzer, for detailed instructions on how to install Fortify Static Code Analyzer in a Docker image and then run Fortify Static Code Analyzer as a Docker container.
GitHub Actions
Fortify SCA will look for GitHub Actions issues when scanning *.yaml and *.yml files.
These IaC files are scanned in the same manner as other YAML files. The syntax to translate a directory that contains these IaC files is shown in the following example (note there is no special syntax):
sourceanalyzer -b <build_id> .github\workflows
Then the scan command is run as normal:
sourceanalyzer -b <build_id> -scan -f myresults.fpr
Azure Resource Manager Templates
Fortify SCA will look for ARM Template issues when scanning *.json files.
ARM Templates are scanned in the same manner as other JSON files. The syntax to translate a directory that contains ARM Templates is shown in the following example (note there is no special syntax):
sourceanalyzer -b <build_id> <dir>
Then the scan command is run as normal:
sourceanalyzer -b <build_id> -scan -f myresults.fpr
AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service
Fortify SCA will look for AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service IaC issues when scanning *.json, *.yaml, and *.yml files.
These IaC files are scanned in the same manner as other JSON and YAML files. The syntax to translate a directory that contains these IaC files is shown in the following example (note there is no special syntax):
sourceanalyzer -b <build_id> <dir>
Then the scan command is run as normal:
sourceanalyzer -b <build_id> -scan -f myresults.fpr
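As an added example (not from the Fortify documentation or from this note), the following POSIX shell script wraps the two-step translate and scan procedure shown for each IaC type above, captures the translation log, and checks it for the Dockerfile parser error shape quoted in the Docker section, so that a Dockerfile Fortify SCA skipped during translation fails the pipeline instead of silently dropping out of the results. Only `sourceanalyzer -b`, `-scan` and `-f` come from the page; the function names, the log-file argument and the sample log contents are assumptions.

```shell
#!/bin/sh
# Added example, not Fortify's own tooling. Assumes sourceanalyzer is on PATH
# and that the translate step's output is redirected to a log file so that it
# can be inspected before the scan step runs.

# Translate <dir>, refuse to scan if any Dockerfile was skipped, then scan.
# Usage: fortify_iac_scan <build_id> <dir> <results.fpr> <translate.log>
fortify_iac_scan() {
    build_id=$1; src_dir=$2; results=$3; log=$4
    # Translate: IaC files are plain text, JSON or YAML, so no special syntax.
    sourceanalyzer -b "$build_id" "$src_dir" >"$log" 2>&1 || return 1
    # A malformed Dockerfile is logged and skipped rather than failing the
    # translate step, so check the log before trusting the scan results.
    n=$(count_skipped_dockerfiles "$log")
    if [ "$n" -ne 0 ]; then
        echo "error: $n Dockerfile(s) skipped during translation (see $log):" >&2
        skipped_dockerfiles "$log" >&2
        return 2
    fi
    sourceanalyzer -b "$build_id" -scan -f "$results"
}

# Print "<path>:<line>:<col>" for each Dockerfile the parser rejected, using
# the three-line error shape from the log excerpt in the Docker section:
#   Dockerfile parser error L:C : <message>
#   Unable to parse config file
#   <path>
skipped_dockerfiles() {
    awk '
        /^Dockerfile parser error [0-9]+:[0-9]+ :/ { pos = $4; next }
        /^Unable to parse config file/            { want = 1; next }
        want == 1 { print $0 ":" pos; want = 0; pos = "" }
    ' "$1"
}

# Number of skipped Dockerfiles recorded in the log (0 when none).
count_skipped_dockerfiles() {
    skipped_dockerfiles "$1" | wc -l | tr -d ' '
}

# Constructed sample log for offline use: the first entry is the excerpt from
# the note above; the filler line and the second entry are made up to show
# that unrelated output is ignored and that every skipped file is reported.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Dockerfile parser error 1:20 : mismatched input '\n' expecting {LINE_EXTEND, WHITESPACE}
Unable to parse config file
C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile
(constructed filler line standing in for other translation output)
Dockerfile parser error 7:3 : mismatched input 'RUNN' expecting {LINE_EXTEND, WHITESPACE}
Unable to parse config file
/src/services/api/Dockerfile
EOF

skipped_dockerfiles "$SAMPLE_LOG"
# C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile:1:20
# /src/services/api/Dockerfile:7:3
```

In a CI job, call `fortify_iac_scan "$BUILD_ID" . myresults.fpr translate.log` after checkout; a non-zero exit from the translate step or from the log check stops the job before `-scan` runs, and the printed `path:line:col` entries point straight at the locations the Docker section says to examine.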
Other IaC files
Fortify is actively expanding the types of IaC files it supports. For example, Fortify now supports scanning Terraform files as part of its HCL language support.
Please consult the Fortify documentation for more information on supported IaC formats and how to scan them.
References
- Storing and Managing Terraform files as Git Repository
- OpenText Fortify Static Code Analyzer User Guide, Chapter 15: Translating Other Languages and Configurations, section Translating Dockerfiles.
- Fortify Unplugged Video: Dockerfile Scanning with Fortify SCA