IaC扫描工具之Terrascan

kaliarch 发表于 2022/01/30 08:49:10 2022/01/30
【摘要】 一 背景对于基础设施,例如dockerfile/kubernetes资源清单,还有terraform.tf 文件,需要进行检测扫描。 二 Terrasacn简介 2.1 Terrascan简介Terrascan 是基础架构即代码的静态代码分析器。它可以以多种不同的方式安装和运行,最常用于自动化管道中,以在配置不安全的基础架构之前识别策略违规行为。 2.2 特性Terrascan 是基础架构...

一 背景

对于基础设施,例如dockerfile/kubernetes资源清单,还有terraform.tf 文件,需要进行检测扫描。

二 Terrasacn简介

2.1 Terrascan简介

Terrascan 是基础架构即代码的静态代码分析器。它可以以多种不同的方式安装和运行,最常用于自动化管道中,以在配置不安全的基础架构之前识别策略违规行为。

2.2 特性

Terrascan 是基础架构即代码的静态代码分析器。 Terrascan 允许您:

  • 无缝地扫描基础设施作为错误配置的代码。
  • 监视有准备的云基础设施,以防止引入姿态漂移的配置更改,并支持恢复到安全姿态。
  • 检测安全漏洞和违规行为。
  • 在提供云本地基础设施之前降低风险。
  • 提供本地运行或与 CI CD 集成的灵活性。

三 安装

Terrascan 是一个可移植的可执行文件,不需要安装,也可以作为 Docker Hub 中的容器镜像使用。您可以根据自己的喜好以两种不同的方法使用 Terrascan:

3.1 macOS & Linux


$ curl -L "$(curl -s https://api.github.com/repos/accurics/terrascan/releases/latest | grep -o -E "https://.+?_Darwin_x86_64.tar.gz")" > terrascan.tar.gz
$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
$ install terrascan /usr/local/bin && rm terrascan
$ terrascan

3.2 Docker

$ docker run --rm accurics/terrascan version

$ alias terrascan="docker run --rm -it -v "$(pwd):/iac" -w /iac accurics/terrascan"

四 使用

4.1 命令行模式

$ terrascan
Terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
For more information, please visit https://docs.accurics.com

Usage:
  terrascan [command]

Available Commands:
  help        Provides usage info about any command
  init        Initialize Terrascan
  scan        Start scan to detect compliance and security violations across Infrastructure as Code.
  server      Run Terrascan as an API server
  version     Shows the Terrascan version you are currently using.

Flags:
  -c, --config-path string   config file path
  -h, --help                 help for terrascan
  -l, --log-level string     log level (debug, info, warn, error, panic, fatal) (default "info")
  -x, --log-type string      log output type (console, json) (default "console")
  -o, --output string        output type (human, json, yaml, xml) (default "human")

Use "terrascan [command] --help" for more information about a command.

制定特定provider扫描

# 扫描aws
$ terrascan scan -t aws
# 扫描k8s
$ terrascan scan -i k8s
# 远程扫描
$ terrascan scan -t aws -r git -u git@github.com:accurics/KaiMonkey.git//terraform/aws
# 扫描helm chart
$ terrascan scan -i helm
# 扫描dockerfile
$ terrascan scan -i docker

4.2 服务端模式

服务器模式将执行 Terrascan 的 API 服务器。当使用 Terrascan 在软件开发管道的多个部分实施一套统一的策略和配置时,这是非常有用的。它还简化了与 Terrascan 的程序交互。默认情况下,http 服务器监听端口9010并支持以下路由:

  • 扫描IaC File
POST - /v1/{iac}/{iacVersion}/{cloud}/local/file/scan

POST Parameter: file - Content of the file to be scanned

Example: curl -i -F "file=@aws_cloudfront_distribution.tf" localhost:9010/v1/terraform/v14/aws/local/file/scan
  • 运行Terrascan为服务端模式
$ terrascan server
$ docker run --rm --name terrascan -p 9010:9010 accurics/terrascan

  • 请求示例子
$ curl -i -F "file=@aws_cloudfront_distribution.tf" localhost:9010/v1/terraform/v14/aws/local/file/scan
HTTP/1.1 100 Continue

HTTP/1.1 200 OK
Date: Sun, 16 Aug 2020 02:45:35 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked

{
  "results": {
    "violations": [
      {
        "rule_name": "cloudfrontNoGeoRestriction",
        "description": "Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.",
        "rule_id": "AWS.CloudFront.Network Security.Low.0568",
        "severity": "LOW",
        "category": "Network Security",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoHTTPSTraffic",
        "description": "Use encrypted connection between CloudFront and origin server",
        "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
        "severity": "HIGH",
        "category": "Encryption and Key Management",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoHTTPSTraffic",
        "description": "Use encrypted connection between CloudFront and origin server",
        "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0407",
        "severity": "HIGH",
        "category": "Encryption and Key Management",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoLogging",
        "description": "Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).",
        "rule_id": "AWS.CloudFront.Logging.Medium.0567",
        "severity": "MEDIUM",
        "category": "Logging",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      },
      {
        "rule_name": "cloudfrontNoSecureCiphers",
        "description": "Secure ciphers are not used in CloudFront distribution",
        "rule_id": "AWS.CloudFront.EncryptionandKeyManagement.High.0408",
        "severity": "HIGH",
        "category": "Encryption and Key Management",
        "resource_name": "s3-distribution-TLS-v1",
        "resource_type": "aws_cloudfront_distribution",
        "file": "terrascan-492583054.tf",
        "line": 7
      }
    ],
    "count": {
      "low": 1,
      "medium": 1,
      "high": 3,
      "total": 5
    }
  }
}

五 CI/CD集成

5.1 Gitlab CI

GitLab CI 可以使用 Docker 镜像作为管道的一部分。我们可以利用此功能并将 Terrascan 的 docker 映像用作管道的一部分,以将基础设施作为代码进行扫描。

为此,您可以更新您的。gitlab ci。yml文件使用带有[“bin/sh”、“-c”]入口点的“accurics/terrascan:latest”图像。Terrascan可以在图像中的“/go/bin”上找到,您可以根据需要使用任何Terrascan命令行选项。这里有一个例子。gitlab ci。yml文件:

stages:
  - scan

terrascan:
  image:
    name: accurics/terrascan:latest
    entrypoint: ["/bin/sh", "-c"]
  stage: scan
  script:
    - /go/bin/terrascan scan .

参考链接

【版权声明】本文为华为云社区用户原创内容,转载时必须标注文章的来源(华为云社区),文章链接,文章作者等基本信息,否则作者和本社区有权追究责任。如果您发现本社区中有涉嫌抄袭的内容,欢迎发送邮件至:cloudbbs@huaweicloud.com进行举报,并提供相关证据,一经查实,本社区将立刻删除涉嫌侵权内容。
  • 点赞
  • 收藏
  • 关注作者

评论(0

0/1000
抱歉,系统识别当前为高风险访问,暂不支持该操作

全部回复

上滑加载中

设置昵称

在此一键设置昵称,即可参与社区互动!

*长度不超过10个汉字或20个英文字符,设置后3个月内不可修改。

*长度不超过10个汉字或20个英文字符,设置后3个月内不可修改。