SecOps in IaC with Terraform — exploring Static Code analysis & Security scanner tools

Terraform
tfsec . 
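# Retrieve the tenant and object id of the identity Terraform runs as;
# both are reused below for the Key Vault tenant and its access policy.
data "azurerm_client_config" "current" {}

# Resource group that holds the Key Vault.
resource "azurerm_resource_group" "example" {
  name     = var.Resource_group
  location = var.location
  tags     = var.Resource_group_tags
}

# Key Vault. Two settings here are weak and are the kind of finding a
# scanner such as tfsec reports on this block:
#   - purge_protection_enabled = false lets a soft-deleted vault be purged
#     before its retention window ends, so secrets cannot be recovered;
#   - soft_delete_retention_days = 7 is the shortest retention allowed.
# No network_acls block is declared, so the provider default applies and
# the vault is not restricted to particular networks.
resource "azurerm_key_vault" "example" {
  name                       = var.azkey_vault_name
  location                   = azurerm_resource_group.example.location
  resource_group_name        = azurerm_resource_group.example.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days = 7
  purge_protection_enabled   = false
  sku_name                   = "standard"

  access_policy {
    # fixed: the access_policy block takes tenant_id; "tenant_policy" is not
    # an attribute of azurerm_key_vault and would fail validation.
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azurerm_client_config.current.object_id

    key_permissions     = ["Get"]
    secret_permissions  = ["Get", "Create"]
    storage_permissions = ["Get"]
  }
}

# Random password used as the secret value. Its result is recorded in
# Terraform state in clear text, so the state backend needs the same
# protection as the vault itself.
resource "random_password" "password" {
  length           = 16
  special          = true
  override_special = "_%@"
}

# Store the generated password as a Key Vault secret.
resource "azurerm_key_vault_secret" "example" {
  name         = var.azurerm_key_vault_secret_name
  value        = random_password.password.result
  key_vault_id = azurerm_key_vault.example.id
}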
Detection of potential security violations in the Azure Key Vault Terraform configuration
Critical security issue in the Terraform code, detected by the tfsec scanner
pip3 install checkov
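provider "azurerm" {
  version = "~>2.0"
  features {}

  # fixed: these four values were quoted literals such as "var.client_secret",
  # so the provider received the text itself rather than the variable's value.
  # They now reference the variables. Keep the values out of any .tfvars that
  # is committed to source control; the provider also reads them from the
  # ARM_* environment variables, which avoids putting them in files at all.
  subscription_id = var.subscription_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  tenant_id       = var.tenant_id
}

resource "azurerm_resource_group" "examplerg" {
  name     = "terraform_resources"
  location = "North Europe"
}

# Storage account left at provider defaults. Scanners such as checkov
# typically report the missing explicit min_tls_version and the absence
# of network_rules on this block; the values are kept as in the article
# so the scan output it shows can be reproduced.
resource "azurerm_storage_account" "example" {
  name                     = "examplestoreani"
  resource_group_name      = azurerm_resource_group.examplerg.name
  location                 = azurerm_resource_group.examplerg.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Private container: no anonymous read access to blobs.
resource "azurerm_storage_container" "example" {
  name                  = "content"
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = "private"
}

# Block blob placeholder; no source is given, so no content is uploaded here.
resource "azurerm_storage_blob" "example" {
  name                   = "terraform.pdf"
  storage_account_name   = azurerm_storage_account.example.name
  storage_container_name = azurerm_storage_container.example.name
  type                   = "Block"
  access_tier            = "Hot"
}

resource "azurerm_data_lake_store" "example_store" {
  name                = "consumptiondatalake"
  resource_group_name = azurerm_resource_group.examplerg.name
  location            = azurerm_resource_group.examplerg.location
}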
Scanning the tfplan with the checkov scanner
terrascan
terrascan init
terrascan scan
terrascan commands
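resource "azurerm_resource_group" "example" {
  name     = var.Resource_group
  location = var.location
}

resource "azurerm_storage_account" "example" {
  name = var.storage_account_name
  # fixed: was "${var.Resource.group}", which is not a valid reference;
  # the resource group name comes from the same variable used above.
  resource_group_name      = var.Resource_group
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# The access type is driven by a variable. Any value other than "private"
# exposes the container to anonymous reads, which is the kind of finding
# terrascan reports on this block.
resource "azurerm_storage_container" "example" {
  name                  = var.storage_container_name
  storage_account_name  = azurerm_storage_account.example.name
  container_access_type = var.container_access_type
}

resource "azurerm_eventhub_namespace" "example" {
  name                = var.azurerm_eventhub_ns_name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  # fixed: was the literal string "{var.azurerm_eventhub_sku}"
  sku                 = var.azurerm_eventhub_sku
}

resource "azurerm_eventhub" "example" {
  # fixed: was the literal string "{var.azurerm_eventhub_name}"
  name                = var.azurerm_eventhub_name
  # namespace_name is required by the provider and was missing
  namespace_name      = azurerm_eventhub_namespace.example.name
  resource_group_name = azurerm_resource_group.example.name
  partition_count     = 2
  message_retention   = 1
}

# Send-only rule used by the IoT Hub -> Event Hub routing endpoint; it
# carries no listen or manage rights.
resource "azurerm_eventhub_authorization_rule" "example" {
  resource_group_name = azurerm_resource_group.example.name
  namespace_name      = azurerm_eventhub_namespace.example.name
  eventhub_name       = azurerm_eventhub.example.name
  name                = var.azurerm_eh_authorization_rulename
  send                = true
}

resource "azurerm_iothub" "example" {
  name                = var.azurerm_iothub_name
  resource_group_name = azurerm_resource_group.example.name
  # fixed: was azurerm_resource_group.location (resource name was missing)
  location            = azurerm_resource_group.example.location

  sku {
    name     = "S1"
    capacity = "1"
  }

  # Storage-container endpoint. The connection string embeds the storage
  # account key, so it is written into the hub configuration and into state.
  # NOTE(review): the two endpoint type strings below differ in casing
  # ("AzureIoTHub." vs "AzureIotHub."); confirm both against the provider
  # documentation. max_chunk_size_in_bytes = 1 is also far below the
  # minimum the provider documents for this setting — confirm.
  endpoint {
    type                       = "AzureIoTHub.StorageContainer"
    name                       = "export"
    resource_group_name        = azurerm_resource_group.example.name
    connection_string          = azurerm_storage_account.example.primary_blob_connection_string
    container_name             = azurerm_storage_container.example.name
    batch_frequency_in_seconds = 60
    max_chunk_size_in_bytes    = 1
    encoding                   = "Avro"
    file_name_format           = "{iothub}/{partition}_{YYYY}_{MM}_{DD}_{HH}_{mm}"
  }

  # Event Hub endpoint.
  endpoint {
    type = "AzureIotHub.EventHub"
    name = "export2"
    # fixed: an authorization rule exports primary_connection_string;
    # primary_blob_connection_string belongs to the storage account.
    connection_string = azurerm_eventhub_authorization_rule.example.primary_connection_string
  }

  # Route all device messages to both endpoints.
  route {
    name           = "export"
    source         = "DeviceMessages"
    condition      = "true"
    endpoint_names = ["export"]
    enabled        = true
  }

  route {
    name           = "export2"
    source         = "DeviceMessages"
    condition      = "true"
    endpoint_names = ["export2"]
    enabled        = true
  }

  # fixed: key, value and endpoint_names were assigned to the wrong
  # attributes (value held a list and endpoint_names held the twin-tag key).
  # Adds the device twin's Tenant tag to messages sent to both endpoints.
  enrichment {
    key            = "tenant"
    value          = "$twin.tags.Tenant"
    endpoint_names = ["export", "export2"]
  }

  tags = {
    purpose = "dev"
  }
}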
Terrascan detecting security violations in the Terraform code
Scan summary results from terrascan
Snyk vulnerability scanner for VS Code
snyk auth
snyk test
snyk iac test "path of file/directory"
snyk monitor
terraform plan -out=object.tfplan
terraform show --json object.tfplan > object.json
snyk iac test object.json
Snyk scan screenshot of the Terraform configurations pulled from GitHub
