CI/CD Tool Integrations

InsightCloudSec can integrate with CI/CD tools to trigger Infrastructure as Code (IaC) security and compliance scans at various points in your DevOps workflows. The available integrations are described in the sub-pages of this section.

General Guidelines

InsightCloudSec IaC Security scanning can be triggered from most CI/CD tools and configured as a gating checkpoint: depending on how you configure it, a pull request, merge, build, staging, or deployment event completes, fails, or at least produces warnings when security or compliance violations are found in the IaC templates or plans evaluated.

The integrations described in the sub-pages of this section are meant as examples, but may need tuning for your specific environment. If you encounter issues setting up an integration, reach out to us with any questions you might have or with examples so we can help you succeed.

The CI/CD integrations are built around our IaC CLI scanning tool, mimics, as the scanner. Using mimics ensures optimal performance, full feature functionality, and ongoing, seamless integration with the InsightCloudSec API.

The sub-pages in this section contain detailed guides for use with some specific tools. If you use a different tool, or want to customize a CI/CD pipeline from scratch, you can do so using the following guidelines depending on the IaC language used.

AWS CloudFormation

  1. Set up your CI/CD platform to trigger when code is pushed to the repository that hosts your CloudFormation templates.
  2. Configure a step in your pipeline to send the JSON- or YAML-formatted CloudFormation template to the mimics scan function. See CLI Tool Commands and Parameters - Terraform and CloudFormation for details.
  3. Save all results returned by the scan using your CI/CD platform's artifact-saving feature.

Terraform

  1. Set up your CI/CD platform to trigger when code is pushed to your Terraform repository.
  2. Configure a step in your pipeline to generate the Terraform plan as JSON (after terraform init has run) with the following commands: terraform plan -out out.plan && terraform show -json out.plan > out.plan.json
  3. Configure another step in your pipeline to send the JSON-formatted Terraform plan to the mimics scan function. See CLI Tool Commands and Parameters - Terraform and CloudFormation for details.
  4. Save all results returned by the scan using your CI/CD platform's artifact-saving feature.
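The following script is an added example, not part of this page or of Rapid7's own integration code. It ties the CloudFormation and Terraform guidelines above into a single pipeline step: prepare the input (a template file, or a plan rendered as JSON), check that the input is actually usable before spending a scan, run mimics, keep the reports as artifacts whether or not the scan passed, and then gate the pipeline in either "fail" or "warn" mode. The mimics flag names, the ICS_* environment variables, and the REPORT_DIR/ARTIFACT_DIR layout are assumptions; take the exact flag names from the CLI Tool Commands and Parameters page for your mimics version.

```shell
#!/usr/bin/env bash
# Added example (not Rapid7's pipeline code): one CI step that prepares an
# IaC input, scans it with mimics, archives the reports and gates the run.
# Assumptions not taken from the page: the mimics flag names in run_scan,
# the ICS_API_KEY / ICS_BASE_URL variables, and the directory layout.
set -u

IAC_TYPE="${IAC_TYPE:-terraform}"          # "terraform" or "cloudformation"
IAC_PATH="${IAC_PATH:-.}"                  # Terraform root module dir, or a CloudFormation template file
REPORT_DIR="${REPORT_DIR:-scan-report}"    # where the scanner writes JSON/HTML reports
ARTIFACT_DIR="${ARTIFACT_DIR:-artifacts}"  # the directory your CI platform is set to archive
GATE_MODE="${GATE_MODE:-fail}"             # "fail" blocks the pipeline, "warn" only reports
MIMICS_BIN="${MIMICS_BIN:-mimics}"

# Terraform path: render the plan as JSON exactly as the guidelines above do.
# terraform init must already have run in $dir.
plan_to_json() {
  dir="$1"; out="$2"
  (cd "$dir" && terraform plan -out out.plan >/dev/null && terraform show -json out.plan) > "$out"
}

# Sanity check before sending anything to the scanner: a plan from
# "terraform show -json" always carries a top-level "format_version" key,
# and a CloudFormation template (JSON or YAML) always has a "Resources"
# section. This catches a plan step that wrote an empty or truncated file.
validate_input() {
  type="$1"; file="$2"
  [ -s "$file" ] || return 1
  case "$type" in
    terraform)      grep -q '"format_version"' "$file" ;;
    cloudformation) grep -Eq '^[[:space:]]*"?Resources"?[[:space:]]*:' "$file" ;;
    *)              return 1 ;;
  esac
}

# Hand the prepared input to mimics. Flag names are an assumption; verify
# them against the CLI Tool Commands and Parameters page before use.
run_scan() {
  input="$1"
  : "${ICS_API_KEY:?set ICS_API_KEY in the CI secret store}"
  : "${ICS_BASE_URL:?set ICS_BASE_URL to your InsightCloudSec URL}"
  mkdir -p "$REPORT_DIR"
  "$MIMICS_BIN" scan "$input" \
    --api-key "$ICS_API_KEY" \
    --base-url "$ICS_BASE_URL" \
    --report-formats json,html \
    --report-path "$REPORT_DIR"
}

# Keep the evidence regardless of outcome: the reports plus the exact
# input that was evaluated, in the directory the CI platform archives.
save_artifacts() {
  input="$1"
  mkdir -p "$ARTIFACT_DIR"
  cp -r "$REPORT_DIR"/. "$ARTIFACT_DIR"/ 2>/dev/null || true
  cp "$input" "$ARTIFACT_DIR"/
}

# Map the scanner's exit status onto the gating behaviour described in the
# General Guidelines: block the pipeline, or let it complete with a warning.
gate() {
  scan_status="$1"; mode="$2"
  if [ "$scan_status" -eq 0 ]; then
    echo "IaC scan passed"; return 0
  fi
  case "$mode" in
    warn) echo "WARNING: IaC scan reported violations (exit $scan_status); not blocking" >&2; return 0 ;;
    fail) echo "ERROR: IaC scan reported violations (exit $scan_status); blocking" >&2; return 1 ;;
    *)    echo "unknown GATE_MODE '$mode'" >&2; return 2 ;;
  esac
}

run_pipeline() {
  case "$IAC_TYPE" in
    terraform)
      input="out.plan.json"
      plan_to_json "$IAC_PATH" "$input" || { echo "terraform plan failed" >&2; return 1; } ;;
    cloudformation) input="$IAC_PATH" ;;
    *) echo "unsupported IAC_TYPE '$IAC_TYPE'" >&2; return 2 ;;
  esac
  validate_input "$IAC_TYPE" "$input" || { echo "refusing to scan: '$input' is not a usable $IAC_TYPE input" >&2; return 1; }
  status=0
  run_scan "$input" || status=$?
  save_artifacts "$input"
  gate "$status" "$GATE_MODE"
}

# Only run when invoked as a pipeline step (RUN_PIPELINE=1); sourcing the
# file just defines the functions.
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
  run_pipeline
fi
```

In a pipeline, set IAC_TYPE, IAC_PATH and GATE_MODE in the job definition, store ICS_API_KEY in the platform's secret store rather than in the repository, and point the platform's artifact step at ARTIFACT_DIR. Running save_artifacts before gate is deliberate: a blocked merge is far easier to act on when the HTML and JSON reports are attached to the failed job.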

Other Considerations

  • If you are writing your own script using the API instead of the CLI tool and want both HTML and JSON outputs, make a second request to the /scans endpoint using the build_id returned from the initial /scan request. This endpoint always requires authentication, so make sure to pass an API key!
  • If you are serving HTML from your CI/CD platform, you may have to disable some content security features, as our HTML report includes some inline images and remotely-hosted images that are blocked by HTML-serving features of some CI/CD platforms.

Output and HTML Reports

Upon completion of an IaC security scan, InsightCloudSec produces a JSON blob that is described in our API documentation. We also produce an HTML report that's designed to be shared via your CI/CD pipeline and is optimized for your DevOps users. You can download a sample report to review.