How to scan Infrastructure as Code (IaC) files

Question

How do I scan Infrastructure as Code (IaC) files with Fortify?

Answer

IaC files should be scanned to support the development of more secure infrastructure deployments, including container images and GitHub Actions workflows, and also when files such as Chef, Terraform, or Ansible definitions are stored in their own separate repository.[1]

As of Fortify v20.2.0, Fortify Static Code Analyzer (SCA) supports scanning some types of IaC files; see the sections below for the supported file types. As Fortify adds support for further IaC formats, this technical note will be updated to describe how to scan them.

Docker

Fortify SCA translates the following files as Dockerfiles: Dockerfile, dockerfile, *.Dockerfile, and *.dockerfile.

Fortify SCA accepts the following escape characters in Dockerfiles: backslash (\) and backquote (`). If no escape character is set in the Dockerfile, Fortify SCA assumes that the backslash is the escape character.

The syntax to translate a directory that contains Dockerfiles is shown in the following example (there is no special syntax, since Dockerfiles are translated like any other text files):

sourceanalyzer -b <build_id> <dir>

If the Dockerfile is malformed and Fortify SCA cannot parse the file, an error is written to the log and analysis of the Dockerfile is skipped. The following is an example of the error written to the log:

Dockerfile parser error 1:20 : mismatched input '\n' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file
C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile

The Dockerfile should be examined at the flagged line and column to determine what corrections (if any) can be made so that Fortify SCA can translate the file successfully. If the syntax appears to be correct and the problem appears to lie in the Fortify translation parser, the developer should follow the procedures documented in the File parsing or Syntax errors technical note.
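When a translate produces several of these errors, it helps to pull the skipped file paths and the flagged line:column positions out of the log in one pass so each file can be examined at the right spot. The following shell functions are an added example written for this note, not a Fortify utility; the sample log they work from is constructed here to follow the two message shapes quoted above, and the function names are assumptions.

```sh
#!/bin/sh
# Added example for this note (not a Fortify utility). Function names are assumed.

# Constructed sample log, following the two message shapes quoted in the note.
# Each parser error is followed by the path of the file that was skipped.
write_sample_log() {
  cat > "$1" <<'EOF'
Dockerfile parser error 1:20 : mismatched input '\n' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file
C:/Users/jsmith/MyProj/docker/dockerfile/ProjA.Dockerfile
Dockerfile parser error 7:3 : extraneous input 'RUN' expecting {LINE_EXTEND, WHITESPACE}

Unable to parse config file
/src/api/api.dockerfile
EOF
}

# Pair each "Dockerfile parser error L:C" line with the path named on the
# line after "Unable to parse config file", printing "path<TAB>L:C".
triage_parse_errors() {
  awk '
    /^Dockerfile parser error / { pos = $4; next }
    /^Unable to parse config file/ { want = 1; next }
    want && NF { print $0 "\t" pos; want = 0; pos = "" }
  ' "$1"
}

# Count the distinct files the translate skipped, so a CI job can warn (or fail)
# when IaC files were left out of the build that is about to be scanned.
skipped_file_count() {
  triage_parse_errors "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Usage: write_sample_log /tmp/sca.log; triage_parse_errors /tmp/sca.log
```

Each line of the triage output names one file to open at the given line:column; a non-zero count from skipped_file_count means the resulting FPR does not cover every Dockerfile in the directory.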

The following is an example of how to scan a translated directory that contains Dockerfiles:

sourceanalyzer -b <build_id> -scan -f myresults.fpr
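The file-name patterns, the escape-character default and the two commands above can be wrapped in a small script that first reports what the translate will pick up. The following is an added example written for this note, not Fortify's own tooling: it lists the files sourceanalyzer treats as Dockerfiles, reports the escape character each one declares (defaulting to backslash, as Fortify assumes), and then runs the translate and scan commands. It assumes sourceanalyzer is on PATH; the FORTIFY_DRY_RUN variable, which prints the commands instead of running them, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example for this note (not Fortify's own tooling).
# Assumes: sourceanalyzer on PATH; FORTIFY_DRY_RUN=1 prints the commands
# instead of running them (assumed variable name, used for offline checks).

# List the files Fortify SCA treats as Dockerfiles: Dockerfile, dockerfile,
# *.Dockerfile and *.dockerfile. Names such as Dockerfile.dev are NOT picked up.
find_dockerfiles() {
  find "$1" -type f \( -name Dockerfile -o -name dockerfile \
    -o -name '*.Dockerfile' -o -name '*.dockerfile' \)
}

# Print the escape character a Dockerfile declares with a "# escape=" parser
# directive, or "\" when none is declared, which is what Fortify SCA assumes.
# Simplified: every comment line before the first instruction is inspected.
dockerfile_escape_char() {
  esc='\'
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      '') continue ;;
      '#'*)
        d=$(printf '%s\n' "$line" |
          sed -n 's/^#[[:space:]]*escape[[:space:]]*=[[:space:]]*\(.\).*/\1/p')
        if [ -n "$d" ]; then esc=$d; fi ;;
      *) break ;;  # first instruction ends the directive block
    esac
  done < "$1"
  printf '%s\n' "$esc"
}

# Report every Dockerfile under a directory with its effective escape character,
# so a parse failure on a backquote-escaped file is easy to recognise.
report_dockerfiles() {
  find_dockerfiles "$1" | while IFS= read -r f; do
    printf '%s\tescape=%s\n' "$f" "$(dockerfile_escape_char "$f")"
  done
}

# Translate everything under a directory into a build, then scan that build.
# The same two commands apply to the YAML and JSON IaC files covered later in the note.
fortify_translate_and_scan() {
  build_id=$1; src_dir=$2; fpr=${3:-myresults.fpr}
  if [ "${FORTIFY_DRY_RUN:-0}" = 1 ]; then
    printf 'sourceanalyzer -b %s %s\n' "$build_id" "$src_dir"
    printf 'sourceanalyzer -b %s -scan -f %s\n' "$build_id" "$fpr"
  else
    sourceanalyzer -b "$build_id" "$src_dir" &&
      sourceanalyzer -b "$build_id" -scan -f "$fpr"
  fi
}

# Usage: report_dockerfiles ./docker && fortify_translate_and_scan myapp ./docker myresults.fpr
```

The report step is worth keeping in a CI job: a Dockerfile named outside the four patterns is silently absent from the FPR, and a file declaring backquote as its escape character is the first place to look when the log shows a mismatched-input error at a line continuation.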

See the Fortify SCA User Guide, Chapter 2: Installing Fortify Static Code Analyzer, section Using Docker to Install and Run Fortify Static Code Analyzer, for detailed instructions on how to install Fortify Static Code Analyzer in a Docker image and then run Fortify Static Code Analyzer as a Docker container.

GitHub Actions

Fortify SCA will look for GitHub Actions issues when scanning *.yaml and *.yml files.

These IaC files are scanned in the same manner as other YAML files. The syntax to translate a directory that contains these IaC files is shown in the following example (note there is no special syntax):

sourceanalyzer -b <build_id> .github\workflows

Then the scan command is run as normal:

sourceanalyzer -b <build_id> -scan -f myresults.fpr

Azure Resource Manager Templates

Fortify SCA will look for ARM Template issues when scanning *.json files.

ARM Templates are scanned in the same manner as other JSON files. The syntax to translate a directory that contains ARM Templates is shown in the following example (note there is no special syntax):

sourceanalyzer -b <build_id> <dir>

Then the scan command is run as normal:

sourceanalyzer -b <build_id> -scan -f myresults.fpr

AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service

Fortify SCA will look for AWS, AWS CloudFormation, Azure ARM, Kubernetes K8S, and Azure Kubernetes Service IaC issues when scanning *.json, *.yaml, and *.yml files.

These IaC files are scanned in the same manner as other JSON and YAML files. The syntax to translate a directory that contains these IaC files is shown in the following example (note there is no special syntax):

sourceanalyzer -b <build_id> <dir>

Then the scan command is run as normal:

sourceanalyzer -b <build_id> -scan -f myresults.fpr

Other IaC files

Fortify is actively expanding the types of IaC files it supports. For example, Fortify now supports scanning Terraform files as part of its HCL language support.

Please consult the Fortify documentation for more information on supported IaC formats and how to scan them.

References