
Compliance as Code

Building an IaC Program

For a technical process for approaching and building an internal IaC security strategy that meets its goals without slowing your developers down, see:

| Tool | Description |
| --- | --- |
| Open Policy Agent | Policy-based control for cloud native environments |
| Chef InSpec | Turn your compliance, security, and other policy requirements into automated tests |
| HashiCorp Sentinel | |

OPA

Documentation
Conftest
Gatekeeper
OPAL
  • Administration layer for OPA that detects changes to both policy and policy data in real time and pushes live updates to your agents.
  • As your application state changes (whether via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL makes sure your services are always in sync with the authorization data and policy they need.

Static Analysis

Exploration

For an experiment in using Semgrep to eradicate classes of (cloud) vulnerabilities from Infrastructure as Code, refer to:

Tool comparison

This repo provides a comparison of the capabilities of the main scanners currently available:

Terraform

| Tool | Description |
| --- | --- |
| Sentinel Terraform Foundational Policies Library | Library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform |
| tfsec | Static analysis of Terraform templates to spot potential security issues |
| checkov | Prevents cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes and the Serverless framework |
| terrascan | Collection of security and best-practice tests for static analysis of Terraform templates |
| tf-parliament | Runs the Parliament AWS IAM checker on Terraform files |
| regula | Checks Terraform for AWS, Azure and GCP security and CIS compliance using Open Policy Agent/Rego |
| yor | |

CloudFormation

| Tool | Description |
| --- | --- |
| cfripper | |
| checkov | Prevents cloud misconfigurations at build time for Terraform, CloudFormation, Kubernetes and the Serverless framework |

Docker

| Tool | Description |
| --- | --- |
| trivy | A simple and comprehensive vulnerability scanner for containers, suitable for CI |
| clair | Scans Docker images for security vulnerabilities |
| tern | Software package inspection tool for containers |
| grype | Vulnerability scanner for container images and filesystems |
| dockle | Container image linter for security, helping you build a best-practice Docker image |
| container-scan | A GitHub Action that scans your Docker image for vulnerabilities, leveraging Trivy and Dockle |
| dagda | Static analysis of known vulnerabilities, malware and other malicious threats in Docker images/containers; also monitors the Docker daemon and running containers to detect anomalous activity |
| fossa-action | Scans images and finds license compliance and security issues |

Kubernetes

| Tool | Description |
| --- | --- |
| kube-score | Performs static analysis of your Kubernetes object definitions; the output is a list of recommendations |
| Kubei | Vulnerability scanning tool that produces a risk assessment of a cluster. Kubei scans all images in use in a Kubernetes cluster, including images of application pods and system pods |
| version-checker | Utility for observing the current versions of images running in the cluster, as well as the latest available upstream |
| chart-testing | CLI tool for linting and testing Helm charts |
| helm-scanner | Open source IaC security scanner for public Helm charts |

Pipeline / Supply Chain

| Tool | Description |
| --- | --- |
| TUF | The CI/CD system uses TUF to sign new integrations. Provides a compromise-resilient mechanism by adding a higher layer of signed metadata to the repository |
| in-toto | Provides end-to-end verification of a software supply chain. Guarantees that the CI/CD system packaged exactly the source code that one of the developers signed |
| Providence | A system for code commit and bug system monitoring. It is deployed within an organization to monitor code commits for security (or other) concerns, via customizable plugins |
| rode | Provides the collection, attestation and enforcement of policies in your software supply chain with Grafeas and OPA |