Choosing a security analysis tool for Terraform code


If you are unsure which static analysis tool to use for Terraform code, this article should help. We looked at several security and configuration analysis solutions for AWS and GCP. The motivation for this study was the desire to unify the various approaches used by Revolgy engineers and to provide our customers with the best and safest service.





Terraform . , , . . 





()

, Terraform, AWS GCP. , tflint. conftest, kitchen-terraform, terrafirma, terraform-compliance terratest. Kubernetes, Ansible IaC-. ( , , , ), , , .





: checkov, snyk, terrascan tfsec.





( ):





  1. Terraform, AWS GCP, .





  2. ( ), AWS/GCP Terraform.





  3. .





  4. .





  5. GitLab ( / JUnitXML).





  6. / ( ).





  7. .





  8. , JSON, XML CSV ( ELK-, DefectDojo ..).





, , , , . , -, , , , . ., .









checkov





Snyk





terrascan





tfsec













/













Open-source









( )

















Apache-2.0





Apache-2.0





Apache-2.0





MIT





IaC:





















- TF AWS





















- TF GCP





















- TF Azure





















- CloudFormation





















- Kubernetes





















CLI (UNIX)





















CI/CD:





















- GitLab





()





()





()









( JUnitXml)





- GitHub





()





()





()





()





- BitBucket





()





()













( JUnitXml)









( CLI-)









()













( CLI-)









()





( CLI-)









( )





( )





()





( )









()













()

























:





















- CLI





















- JSON





















- XML





( JUnitXML)













( JUnitXML)





- JUnitXML





















- Sarif





















- HTML









()













- github_failed_only





















- Checkstyle





















- CSV





















- YAML

























()





()





()





()





Checkov

Checkov . python, ( tfsec) . , UI, , HIPAA, CIS, NIST. .





Checkov / :





# run only the listed checks (checkov IDs use the CKV_ prefix)
checkov -d . --check CKV_AWS_20,CKV_AWS_52
# run everything except the listed checks
checkov -d . --skip-check CKV_AWS_20,CKV_AWS_52



- Checkov . API Bridgecrew. API,





--no-guide.



checkov , . , , . CloudFormation



, . .





Terrascan

terrascan 500 . , Helm v3 Kustomize v3. API. DevSecOps-, .





Terrascan GitHub Action. GitLab GitHub ssh known_hosts. Terrascan . API- AWS EKS ( GKE) ECS.





Terrascan . GCP. . Notifier, - .





tfsec

tfsec AWS, GCP Terraform. , . .





PR-: , tfsec. . JSON YAML, Go.





, tfsec , tfsec. Lambda AWS, DevSecOps.





Snyk

Snyk — , , Terraform. Snyk , Kubernetes . . Terraform, , AWS / GCP / Terraform. , Terraform, .





: GitLab API. Terraform, / . Snyk SCA, Terraform.





, Snyk. , API . Docker JIRA.





, , snyk-to-html. JSON HTML-.





HTML- snyk:





snyk iac test --json | snyk-to-html -o results.html



— . , , , terragoat.





Terragoat — terraform AWS, GCP Azure. , checkov terragoat , , . Terragoat IaC, EC2, S3, IAM, RDS, EKS GCP / Azure.





, AWS GCP. JSON, (. ). jq , :





  • , ;





  • ( , , , );





  • ( ID).
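The cross-tool comparison described above, as an added example rather than the authors' own jq scripts: it normalizes the JSON reports of two of the tools (checkov and tfsec) to (resource, check ID, file) tuples, translates checkov IDs through a hand-made equivalence table, and reports which findings overlap. The sample reports and the ID mapping are constructed for this example; the field names follow the two tools' JSON output formats as the editor knows them and should be checked against the version you run.

```python
import json

# Constructed sample of `checkov -d . -o json`, trimmed to the fields used here.
# Field names are assumed to match checkov's JSON report; verify against your version.
CHECKOV_JSON = json.dumps({
    "check_type": "terraform",
    "results": {
        "failed_checks": [
            {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.data",
             "file_path": "/main.tf", "file_line_range": [1, 12]},
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.data",
             "file_path": "/main.tf", "file_line_range": [1, 12]},
        ],
        "passed_checks": [],
    },
})

# Constructed sample of `tfsec . --format json`, same caveat on field names.
TFSEC_JSON = json.dumps({
    "results": [
        {"rule_id": "AWS001", "long_id": "aws-s3-no-public-access-with-acl", "severity": "HIGH",
         "resource": "aws_s3_bucket.data", "location": {"filename": "main.tf", "start_line": 1}},
        {"rule_id": "AWS017", "long_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH",
         "resource": "aws_s3_bucket.data", "location": {"filename": "main.tf", "start_line": 1}},
    ]
})

# Hand-made equivalence table checkov ID -> tfsec long ID (constructed; build yours from the rule docs).
EQUIVALENT = {"CKV_AWS_20": "aws-s3-no-public-access-with-acl"}


def normalize_checkov(report: dict) -> set:
    """Each failed checkov check as (resource, check_id, file); strip the leading '/' checkov adds."""
    return {(c["resource"], c["check_id"], c["file_path"].lstrip("/"))
            for c in report["results"]["failed_checks"]}


def normalize_tfsec(report: dict) -> set:
    """Each tfsec result as (resource, long_id, file)."""
    return {(r["resource"], r["long_id"], r["location"]["filename"]) for r in report["results"]}


def compare(checkov_json: str, tfsec_json: str, equivalent: dict) -> dict:
    """Split findings into those both tools report and those only one reports, keyed by (resource, id)."""
    ck = normalize_checkov(json.loads(checkov_json))
    tf = normalize_tfsec(json.loads(tfsec_json))
    # Translate checkov IDs into tfsec IDs where a mapping exists so the same finding compares equal.
    ck_as_tf = {(res, equivalent.get(cid, cid), path) for res, cid, path in ck}
    return {"both": {(r, c) for r, c, _ in ck_as_tf & tf},
            "checkov_only": {(r, c) for r, c, _ in ck_as_tf - tf},
            "tfsec_only": {(r, c) for r, c, _ in tf - ck_as_tf}}


if __name__ == "__main__":
    for bucket, findings in compare(CHECKOV_JSON, TFSEC_JSON, EQUIVALENT).items():
        print(bucket, sorted(findings))
```

Unmapped IDs fall into the "only" buckets, so a growing "checkov_only"/"tfsec_only" list is usually a sign the equivalence table needs another entry rather than that one tool missed a finding.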





, , , ID . — . — :





Snyk AWS — , checkov. , Snyk checkov, , , AWS , . , , , , . .





, : AWS, , (7) (6), GCP , , , .





, terrascan GCP , checkov. ?





. . SAST- IaC : kubernetes, open source- docker? , , . ?






, «» , , . Immutable infrastructure, - « immutable infrastructure Packer Terraform». , Packer .





«DevOps ».







