Compliance as Code

Building IaC Programs

Building an IaC security and governance program step-by-step: A technical process for approaching and building an internal IaC security strategy, which meets goals without slowing your developers down.
Scanning Infrastructure-as-Code for security flaws: Slides discussing scanning IaC, but also drift prevention / detection, runtime scanning, and a strategy to introduce IaC scanning in an organization.

Compliance as Code¶

Tool	Description
Open Policy Agent	Policy-based control for cloud native environments
Semgrep	Semgrep is a fast, open-source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time
pre-commit	A framework for managing and maintaining multi-language pre-commit hooks

OPA¶


Documentation	Introducing Policy As Code: The Open Policy Agent (OPA) The Rego Playground Styra Academy 5 tips for using the Rego language Fitness Validation For Your Kubernetes Apps: Policy As Code Enforce Ingress Best Practices Using OPA Authorizing Microservice APIs With OPA and Kuma
Conftest	Tutorials: Creating Exceptions Lists for Conftest in Rego Policies: Collection of rego policies Deprek8: check for deprecated API versions (blog) confectionery: a library of rules for Conftest used to detect misconfigurations within Terraform configuration files Helpers: action-conftest: a GitHub Action for using conftest in your CI Integrations: pre-commit-opa: pre-commit git hooks for OPA and Rego development
Gatekeeper	Tutorials: OPA Gatekeeper: Policy and Governance for Kubernetes How to monitor OPA Gatekeeper with Prometheus metrics Using Gatekeeper in Kubernetes Performing Image Scanning on Admission Controller with OPA Kubernetes Pod Security Policies with Open Policy Agent Enforce Custom Resource policies with Open Policy Agent Gatekeeper Expose Gatekeeper Constraint Violations with Prometheus and Grafana Verifying container signatures on Kubernetes with Gatekeeper: How you can use some new features in Gatekeeper to enable container signature verification Automated Manifest File Validation Using Open Policy Agent and GitHub Actions: How to validate manifest files using Open Policy Agent and automate this using GitHub Actions Testing Gatekeeper constraints with gator CLI: The gator CLI is a new tool that ships with Gatekeeper version 3.7 and provides policy authors a way to test policy prior to being deployed to Kubernetes Policies: gatekeeper-library: the official Gatekeeper policy library sample apps: demo of Gatekeeper functionality k8s-security-policies: security policies created based on CIS Kubernetes benchmark and rules defined in Kubesec.io Integrations: konstraint: assist with the creation and management of constraints when using Gatekeeper opa-image-scanner: Admission Controller for Image Scanning using OPA, to check if the image you scan is the image you deploy in your K8S cluster gatekeeper-policy-manager: Web-based policies manager
Open Policy Registry	A Docker-inspired workflow for OPA policies
OPAL	Administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to your agents. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3^rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need.
kube-mgmt	Sidecar for managing OPA on top of Kubernetes

Static Analysis¶

Exploration

For an experimentation with Semgrep to eradicate classes of (cloud) vulnerabilities from Infrastructure as Code, please refer to:

Marco Lancini Semgrep for Cloud Security

Tool comparison

This repo provides a comparison of the capabilities of the main scanners currently available:

iacsecurity/tool-compare

Terraform¶

Tool	Description
HashiCorp Sentinel	Policy As Code tool which can be run locally via Sentinel Simulator and be used to validate any sort of JSON, like the output from a terraform plan Using HashiCorp Sentinel to validate Terraform configuration/plan Terraform Foundational Policies Library: library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform
tfsec	Static analysis of TF templates to spot potential security issues tfsec-pr-commenter-action: add comments to pull requests where tfsec checks have failed
checkov	Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework Prioritize new misconfigurations with Checkov's baseline feature
terrascan	Collection of security and best practice test for static code analysis of terraform templates
tf-parliament	Run Parliament AWS IAM Checker on Terraform Files
regula	Checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego
yor	Helps add informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless Can be run as a GitHub Action, pre-commit hook, standalone CLI Guides Using Yor for ownership mapping using YAML tag groups Simplify cost allocation using Yor automated tagging with AWS Cost Explorer Automate AWS Config compliance fixes with Yor + Slack Integrating Yor with AWS IAM for better access control
GCP Terraform Policy validation	`gcloud beta terraform vet` provides guardrails and governance for Terraform configurations to help reduce misconfigurations of Google Cloud resources that violate any of your organization's policies policy library

CloudFormation¶

Tool	Description
cfripper	Library and CLI tool for analysing CloudFormation templates and check them for security compliance Guides Cloud Governance with CFRipper Automating cloud governance at scale
checkov	Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework Prioritize new misconfigurations with Checkov's baseline feature

Docker¶

Tool	Description
trivy	A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
clair	Scan docker images for security vulnerabilities
tern	Software package inspection tool for containers
grype	Vulnerability scanner for container images and filesystems
dockle	Container Image Linter for Security, Helping build the Best-Practice Docker Image
container-scan	A GitHub action to help you scan your docker image for vulnerabilities, leveraging Trivy and Dockle
dagda	Static analysis of known vulnerabilities, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities
fossa-action	Scan images and finds license compliance and security issues
copacetic	CLI tool for directly patching container images using reports from vulnerability scanners

Kubernetes¶

Tool	Description
Whorf	An admission controller for security and operational best practices (based on Checkov) Introducing Whorf: The Checkov-powered Kubernetes Admission Controller
kube-score	Performs static code analysis of your Kubernetes object definitions The output is a list of recommendations
Kubei	Vulnerabilities scanning tool that allows to get a risk assessment of a cluster Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods
version-checker	Utility for observing the current versions of images running in the cluster, as well as the latest available upstream
chart-testing	CLI tool for linting and testing Helm charts
helm-scanner	Open source IaC security scanner for public Helm charts
kyverno	Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans Exploring Kyverno: multi-part series exploring Kyverno
kubeval	Validates Kubernetes YAML/JSON configuration files It uses schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes
kube-linter	Analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security

Applications¶

Tool	Description
OSV-Scanner	Vulnerability scanner to find existing vulnerabilities affecting your project's dependencies

Pipeline / Supply Chain¶

Tool	Description
TUF	TUF The CI/CD system uses TUF to sign new integrations Provides with a compromise-resilient mechanism by adding a higher layer of signed metadata to the repository Using The Update Framework in Sigstore: how Sigstore is integrating TUF into the Sigstore projects and infrastructure
in-toto	in-toto Provides end-to-end verification of a software supply chain Guarantees that the CI/CD system packaged exactly the source code that one of the developers signed
Providence	Providence is a system for code commit & bug system monitoring It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins
rode	Rode provides the collection, attestation and enforcement of policies in your software supply chain with Grafeas and OPA