https://github.com/quixoticmonk/conformity-template-scanner

GitHub action which scans Terraform/CloudFormation templates using cloud conformity template scanner api.
conformity iac-scanner trendmicro


# Conformity Template Scanner

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/quixoticmonk/conformity-template-scanner/badge)](https://api.securityscorecards.dev/projects/github.com/quixoticmonk/conformity-template-scanner)

A GitHub action to scan your infrastructure templates modelled either in Terraform or CloudFormation. The type of resources scanned depends on the currently supported list from Cloud Conformity.

## Pre-requisites

- You have a Cloud Conformity API key
- You know the Cloud Conformity region

## Usage

```yaml
- name: Initiate scan
  uses: quixoticmonk/conformity-template-scanner@v1
  with:
    conformity_region: "us-1"
    conformity_api_key: ${{ secrets.conformity_api_key }}
    template_type: "terraform-template"
    template_path: "infra/tf_plan.json"
```

## Input

| Input | Description |
|--------------------|-----------------------------------|
| conformity_region | Your Cloud Conformity region |
| conformity_api_key | Your Cloud Conformity API key |
| template_type | Your infrastructure template type |
| template_path | Path of the template to scan |
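The step above only scans a file that already exists in the workspace. As an added example (not part of the project README), the workflow below shows the steps that usually precede it for Terraform: producing the plan and rendering it as JSON. It assumes that `template_type: "terraform-template"` expects the JSON form of a saved plan, i.e. the output of `terraform show -json`, which is what the sample path `infra/tf_plan.json` suggests; the job name, trigger paths and the cloud credentials `terraform plan` itself needs are likewise assumptions.

```yaml
# Added example workflow; assumptions: the action expects `terraform show -json`
# output, and provider credentials for `terraform plan` are configured separately.
name: iac-scan
on:
  pull_request:
    paths: ["infra/**"]

permissions:
  contents: read

jobs:
  conformity:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: infra
    steps:
      - uses: actions/checkout@v4

      - uses: hashicorp/setup-terraform@v3

      - name: Produce the plan as JSON
        run: |
          terraform init -input=false
          terraform plan -input=false -out=tfplan.binary
          terraform show -json tfplan.binary > tf_plan.json

      # template_path is relative to the workspace root, not to the
      # working-directory of the run steps above.
      - name: Initiate scan
        uses: quixoticmonk/conformity-template-scanner@v1
        with:
          conformity_region: "us-1"
          conformity_api_key: ${{ secrets.conformity_api_key }}
          template_type: "terraform-template"
          template_path: "infra/tf_plan.json"
```

Two practical points: a rendered plan JSON contains resolved variable values, so check what it holds before a workflow uploads it to a third-party API, and keep the API key in a repository or environment secret as shown rather than in the workflow file.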

## Output

The action submits the generated CloudFormation template or Terraform plan to the Conformity API and produces a categorized output of rules, their risk levels and their status. The script exits with code 1 if any HIGH or VERY_HIGH findings are present, which fails the workflow step.

The output is a JSON object keyed by rule title, in the format below:

```json
{
  "DNS Compliant S3 Bucket Names": {
    "risk": "LOW",
    "status": "SUCCESS"
  },
  "Enable S3 Block Public Access for S3 Buckets": {
    "risk": "MEDIUM",
    "status": "FAILURE"
  },
  .....
  "Secure Transport": {
    "risk": "MEDIUM",
    "status": "FAILURE"
  },
  "Server Side Encryption": {
    "risk": "HIGH",
    "status": "FAILURE"
  },
  "Tags": {
    "risk": "LOW",
    "status": "FAILURE"
  }
}
```

followed by a count of findings per risk level:

```text
{'VERY_HIGH': 10, 'MEDIUM': 3, 'LOW': 7, 'HIGH': 1}
```
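As an added illustration of the categorization and exit-code gating described above (this is not the action's own code), the script below collapses per-resource checks into the rule map shown, counts failed rules per risk level and returns 1 when any failure is HIGH or VERY_HIGH. The check shape, with `rule-title`, `risk-level` and `status` under `attributes`, is an assumption modelled on Conformity's JSON:API responses, and the sample response is constructed. It also handles one case the page does not spell out: a rule evaluated on several resources appears once per resource, and one FAILURE must not be masked by a later SUCCESS when the checks are keyed by title.

```python
"""Categorise Conformity template-scanner checks and decide the CI exit code.

Added example, not the action's code. The check layout below is an assumption
modelled on Conformity's JSON:API responses.
"""
import json
import sys
from collections import Counter

# Risk levels whose failures should fail the build.
FAIL_ON = {"HIGH", "VERY_HIGH"}

# Constructed sample response. "Server Side Encryption" is evaluated on two
# resources: one passes, one fails.
SAMPLE_RESPONSE = {
    "data": [
        {"type": "checks", "attributes": {"rule-title": "DNS Compliant S3 Bucket Names",
                                          "risk-level": "LOW", "status": "SUCCESS"}},
        {"type": "checks", "attributes": {"rule-title": "Enable S3 Block Public Access for S3 Buckets",
                                          "risk-level": "MEDIUM", "status": "FAILURE"}},
        {"type": "checks", "attributes": {"rule-title": "Server Side Encryption",
                                          "risk-level": "HIGH", "status": "SUCCESS"}},
        {"type": "checks", "attributes": {"rule-title": "Server Side Encryption",
                                          "risk-level": "HIGH", "status": "FAILURE"}},
        {"type": "checks", "attributes": {"rule-title": "Tags",
                                          "risk-level": "LOW", "status": "FAILURE"}},
    ]
}


def categorize(response):
    """Collapse per-resource checks into {rule title: {"risk", "status"}}.

    A rule is marked FAILURE if any resource fails it; the first-seen risk
    level is kept. The result is sorted by title like the README output.
    """
    rules = {}
    for check in response.get("data", []):
        attrs = check["attributes"]
        entry = rules.setdefault(attrs["rule-title"],
                                 {"risk": attrs["risk-level"], "status": "SUCCESS"})
        if attrs["status"] == "FAILURE":
            entry["status"] = "FAILURE"
    return dict(sorted(rules.items()))


def count_failures(rules):
    """Count failed rules per risk level, e.g. {'HIGH': 1, 'MEDIUM': 1, 'LOW': 1}."""
    return Counter(r["risk"] for r in rules.values() if r["status"] == "FAILURE")


def exit_code(counts, fail_on=FAIL_ON):
    """Return 1 if any failed rule sits at a gating risk level, else 0."""
    return 1 if any(counts.get(level) for level in fail_on) else 0


def main(argv):
    # Usage: python gate.py [response.json]; without an argument the sample is used.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            response = json.load(fh)
    else:
        response = SAMPLE_RESPONSE
    rules = categorize(response)
    counts = count_failures(rules)
    print(json.dumps(rules, indent=2))
    print(dict(counts))
    return exit_code(counts)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Counting only FAILURE checks is a deliberate choice here: a HIGH-risk rule that passes on every resource is not a finding and should not fail the step.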