
Compliance as Code

Building an IaC Program

For a technical process for approaching and building an internal IaC security strategy that meets its security goals without slowing your developers down, see:

Tool Description
Open Policy Agent
  • Policy-based control for cloud native environments
Chef InSpec
  • Turn your compliance, security, and other policy requirements into automated tests
HashiCorp Sentinel

OPA

Documentation
Conftest
Gatekeeper
OPAL
  • Administration layer for OPA, detecting changes to both policy and policy data in realtime and pushing live updates to your agents.
  • As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need.
kube-mgmt
  • Sidecar for managing OPA on top of Kubernetes

Static Analysis

Exploration

For an experiment in using Semgrep to eradicate whole classes of (cloud) vulnerabilities from Infrastructure as Code, refer to:

Tool comparison

This repo provides a comparison of the capabilities of the main scanners currently available:

Terraform

Tool Description
Sentinel
tfsec
  • Static analysis of TF templates to spot potential security issues
checkov
terrascan
  • Collection of security and best-practice tests for static code analysis of Terraform templates
tf-parliament
  • Run Parliament AWS IAM Checker on Terraform Files
regula
  • Checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego
yor
terraform-validator
  • Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance
  • Based on Rego/Gatekeeper

CloudFormation

Tool Description
cfripper
checkov

Docker

Tool Description
trivy
  • A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
clair
  • Scan docker images for security vulnerabilities
tern
  • Software package inspection tool for containers
grype
  • Vulnerability scanner for container images and filesystems
dockle
  • Container Image Linter for Security, Helping build the Best-Practice Docker Image
container-scan
  • A GitHub action to help you scan your docker image for vulnerabilities, leveraging Trivy and Dockle
dagda
  • Static analysis of known vulnerabilities, malware and other malicious threats in Docker images and containers; also monitors the Docker daemon and running containers to detect anomalous activity
fossa-action
  • Scans images and finds license compliance and security issues

Kubernetes

Tool Description
kube-score
  • Performs static code analysis of your Kubernetes object definitions
  • The output is a list of recommendations
Kubei
  • Vulnerability scanning tool that produces a risk assessment of a cluster
  • Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods
version-checker
  • Utility for observing the current versions of images running in the cluster, as well as the latest available upstream
chart-testing
  • CLI tool for linting and testing Helm charts
helm-scanner
  • Open source IaC security scanner for public Helm charts
kyverno
  • Kyverno is a policy engine designed for Kubernetes. It can validate, mutate, and generate configurations using admission controls and background scans
  • Exploring Kyverno: multi-part series exploring Kyverno
kubeval
  • Validates Kubernetes YAML/JSON configuration files
  • It uses schemas generated from the Kubernetes OpenAPI specification, and therefore can validate schemas for multiple versions of Kubernetes
kube-linter
  • Analyzes Kubernetes YAML files and Helm charts, and checks them against a variety of best practices, with a focus on production readiness and security

Pipeline / Supply Chain

Tool Description
TUF
  • TUF
  • The CI/CD system uses TUF to sign new integrations
  • Provides a compromise-resilient mechanism by adding a higher layer of signed metadata to the repository
  • Using The Update Framework in Sigstore: how Sigstore is integrating TUF into the Sigstore projects and infrastructure
in-toto
  • in-toto
  • Provides end-to-end verification of a software supply chain
  • Guarantees that the CI/CD system packaged exactly the source code that one of the developers signed
Providence
  • Providence is a system for code commit & bug system monitoring
  • It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins
rode
  • Rode provides the collection, attestation and enforcement of policies in your software supply chain with Grafeas and OPA