Iac Security Scanner

Kubernetes Manifest Scanning

• Analyze Kubernetes YAML manifests for security issues
• Check pod security standards compliance
• Validate resource limits and quotas
• Detect privileged containers and host path mounts

Pulumi Code Analysis

• Scan Pulumi TypeScript/Python code for security issues
• Check cloud resource configurations
• Validate security best practices

Policy Enforcement

• Define and enforce custom security policies using OPA/Rego
• Create guardrails for cloud resource configurations
• Block deployments that violate security policies
• Generate policy compliance reports

Compliance Mapping

• Map findings to compliance frameworks (CIS, NIST, SOC 2, PCI-DSS)
• Generate compliance gap analysis reports
• Track remediation progress against compliance requirements

Integrations

• Checkov: Multi-cloud IaC scanner by Bridgecrew
• tfsec: Terraform security scanner
• KICS: Keeping Infrastructure as Code Secure
• Terrascan: IaC security scanner
• OPA/Rego: Policy as code engine
• Snyk IaC: Infrastructure as Code security testing

Target Processes

• IaC Security Scanning Process
• Cloud Security Architecture Review
• DevSecOps Pipeline Integration
• Infrastructure Deployment Pipeline
• Compliance Continuous Monitoring

Input Schema

{
  "type": "object",
  "properties": {
    "iacPath": {
      "type": "string",
      "description": "Path to IaC files or directory"
    },
    "iacType": {
      "type": "string",
      "enum": ["terraform", "cloudformation", "kubernetes", "pulumi", "arm", "ansible"],
      "description": "Type of IaC to scan"
    },
    "scanners": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["checkov", "tfsec", "kics", "terrascan", "snyk"]
      },
      "description": "Scanners to use"
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "NIST", "SOC2", "PCI-DSS", "HIPAA", "GDPR"]
      }
    },
    "customPolicies": {
      "type": "string",
      "description": "Path to custom OPA/Rego policies"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["CRITICAL", "HIGH", "MEDIUM", "LOW"]
    },
    "excludePaths": {
      "type": "array",
      "items": { "type": "string" }
    }
  },
  "required": ["iacPath", "iacType"]
}

Output Schema

{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "iacPath": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalFiles": { "type": "integer" },
        "filesScanned": { "type": "integer" },
        "passedChecks": { "type": "integer" },
        "failedChecks": { "type": "integer" },
        "skippedChecks": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "resourceType": { "type": "string" },
          "resourceName": { "type": "string" },
          "filePath": { "type": "string" },
          "lineNumber": { "type": "integer" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "complianceReport": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}

Usage Example