CLI Tool Commands and Parameters - Terraform and CloudFormation
After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or local executable, you're ready to start using it with Terraform and/or AWS CloudFormation Template (CFT) infrastructure. If you have questions or issues, reach out to us using the Customer Support Portal. If you're looking to use IaC with Terraform Cloud/Enterprise instead, see Integrate with Terraform Cloud/Enterprise (TFC/E) for more information.
Prerequisites
Before scanning Terraform or CFT files with the scanning tool, ensure you have the following:
- A proper setup for the CLI Scanning tool
- A user in InsightCloudSec with the Editor or greater entitlement for IaC
- An API key for your user
- Review Users, Groups, and Roles (Administration) for more information on creating an API key via the UI
- A complete IaC Configuration
Rename Executable
When you download the `mimics` executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to `mimics` (for Mac/Linux) or `mimics.exe` (for Windows) for ease of use. The examples in our docs use a simplified executable name.
Command List & Parameters
The command list and parameters are the same regardless of whether you're using `mimics` via local executable or Docker.
Global Flags and Parameters
Name | Type | Description |
---|---|---|
--api-key | string | InsightCloudSec API Key Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information |
--base-url | string | InsightCloudSec base URL, including protocol (e.g., http://localhost:8080/ ) Note: If using the Docker version of the CLI, this is better passed as a Docker environment variable. Review the Docker Examples for more information |
--platform-url | string | InsightCloudSec platform (SSO) URL, including protocol. For example: http://platformdomain.com:8080/ |
--ca-certificate | string | Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify ) |
--config-file | string | Configuration file location (default: .mimics.yaml or $HOME/.mimics.yaml ) |
-h , --help | N/A | Displays the help menu. Contextual help for each command is also available in the following formats: ./mimics help [command] or ./mimics [command] [-h|--help] Because each command may have sub-commands, the help menu is also available in this format: ./mimics [command] [sub-command] [-h|--help] |
--no-color | N/A | Disables color output |
--no-verify | N/A | Disables SSL verification for all API calls to InsightCloudSec. This is superseded by the usage of --ca-certificate |
--log-format | string | Sets the log format. Options: "text" , "json" (default: "text" ) |
--log-level | string | Sets the log level. Options: "trace" , "debug" , "info" , "warn" , "error" , "fatal" (default: "info" ) |
--log-path | string | Sets the log file path (default: "./log/mimics.log" ) |
Commands
Name | Description | Sub-Commands |
---|---|---|
ics-config | List and view InsightCloudSec IAC configurations | - list -- List scan configurations - show <config-name> -- Detail a given scan configuration |
help | Displays the help menu for a given command, e.g., ./mimics help [command] | N/A |
scan | Scans IaC files. This command is always paired with IaC file(s) to scan, e.g., ./mimics scan file-name.json [flags and parameters] or ./mimics scan ./path/to/files [flags and parameters] | See Flags and Parameters for `scan` for more information |
parse | Parse IaC files into their mimics -internal representation, e.g., ./mimics parse file-name.json | N/A |
version | Displays the mimics version | N/A |
Flags and Parameters for `scan`
Name | Type | Description |
---|---|---|
--concurrent-files | int | Number of files to scan concurrently (default: 10) |
--custom-insights-path | string | Experimental: Path to a directory of custom Rego Insights |
--disable-remote | N/A | Disables remote scanning |
-c , --ics-config | string | Name of the InsightCloudSec IaC configuration to use |
--no-fail | N/A | Suppresses error code returned by scans containing failures |
--overrides-path | string | Path to a JSON file. Defaults to none. - CFT only. Takes a JSON file to specify values for pseudo-parameters and to override values for user-defined parameters. These values take precedence over those specified via --parameters-path - See the parameters and pseudo-parameters documentation for a detailed setup guide. This file should be formatted as a JSON object with pseudo-parameter/parameter names as keys |
--parameters-path | string | Path to a CloudFormation Template (CFT) parameters file. Defaults to none. - CFT only. Takes a JSON file to specify values for any user-defined parameters - See the parameters and pseudo-parameters documentation for a detailed setup guide. The existing parameter JSON file that you would normally pass to AWS using aws cloudformation create-stack --parameters is supported |
--report-formats | string | Format of scan result report artifacts (options: all , sarif , html , junitxml ). If not provided, no artifacts will be saved |
--report-name | string | Name used for generated report artifact files (default: "ics_scan" ) |
--report-path | string | Directory path to store report artifacts. Defaults to the current directory |
--save-report | N/A | Save the scan report to InsightCloudSec (when not using an existing InsightCloudSec IaC configuration) |
-t , --scan-target | string | Overrides the default scan target. Defaults to <hostname>:<number of files>:<file names> |
--scan-timeout | int | Duration in seconds before processing an individual file should timeout. Default is 60 (0 = never) |
--show-exceptions | N/A | Show excepted findings in results |
Exit Codes
Code | Description |
---|---|
0 | Success. The scan completed and no resources failed specified Insights. |
1 | Failure. The scan did not complete or completed with failed Insights. |
2 | Unknown file type. mimics did not perform a scan because there was only one file specified and that file isn't a Terraform Plan or a CFT. |
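One way to consume the artifacts that `--report-formats sarif` writes, as an added example that is not part of the mimics documentation or tool: the script below tallies findings by level and rule and applies its own gate, which is useful in a pipeline that runs `mimics scan --no-fail` (exit code suppressed) and wants to decide for itself what counts as a failure. The file name `ics_scan.sarif`, the standard SARIF 2.1.0 layout (`runs[].results[]` with `ruleId`, `level`, `message.text`) and the sample report embedded in the script are assumptions; the sample is constructed, reusing Insight names shown elsewhere on this page.

```python
"""Tally a mimics SARIF report and gate a pipeline on it. Added example, not
from the mimics docs. Assumes `--report-formats sarif` writes standard SARIF
2.1.0 (runs[].results[] with ruleId/level/message); name and policy assumed."""
import json
import sys
from collections import Counter

# Constructed sample standing in for the file mimics writes; the rule names
# are Insights shown elsewhere on this page, the levels are made up.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "mimics"}},
        "results": [
            {"ruleId": "Cloud User Account without MFA", "level": "error",
             "message": {"text": "User account does not require MFA"}},
            {"ruleId": "Network without Traffic Logging", "level": "warning",
             "message": {"text": "Network has no flow logging enabled"}},
            {"ruleId": "API Key Unused For 90 Days", "level": "note",
             "message": {"text": "API key unused for 90 days"}},
        ],
    }],
}

def summarize(sarif):
    """Return (by_level, by_rule) Counters across every run in the report."""
    by_level, by_rule = Counter(), Counter()
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            # SARIF treats a missing level as "warning".
            by_level[result.get("level", "warning")] += 1
            by_rule[result.get("ruleId", "<no ruleId>")] += 1
    return by_level, by_rule

def should_fail(sarif, fail_on=("error",)):
    """True if any result's level is in fail_on: own policy after --no-fail."""
    by_level, _ = summarize(sarif)
    return any(by_level[level] > 0 for level in fail_on)

def load_report(path="ics_scan.sarif"):  # file name is an assumption
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

if __name__ == "__main__":
    report = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SARIF
    levels, rules = summarize(report)
    for rule, count in rules.most_common():
        print(f"{count:3d}  {rule}")
    print("levels:", dict(levels))
    sys.exit(1 if should_fail(report) else 0)
```

Run it as `python gate.py data/reports/ics_scan.sarif` after a scan with `--report-path data/reports`; with no argument it runs against the embedded sample.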
Using mimics with Terraform/CFT
Use of the scanning tool depends on how you set it up. Below are examples using the scanning tool with each setup method.
Docker
Because the scanning tool is invoked using a public Docker image, the base command is more complicated than invoking the local executable:
```bash
docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest [mimics command] [mimics flags]
```
Important Docker Flags
InsightCloudSec recommends providing the following Docker flags with each invocation:
- Use `-v` to establish a local volume that the Docker container can pull files from
- Use `-e` to establish an environment variable the Docker container recognizes. Two variables will need to be passed into the image: the InsightCloudSec URL and the API Key
Scan Example
Terraform templates must be compiled to plans first
All Terraform templates must be compiled to a plan file and converted to JSON before you can scan them with `mimics`. For example: `terraform plan -out tf.plan && terraform show -json tf.plan > plan.json`

```bash
# Generate a Terraform plan and convert it to JSON
terraform plan -out tf.plan
terraform show -json tf.plan > plan.json

# Run our IaC tool via docker
docker run \
  -v $(pwd):/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan \
  data/plan.json \
  -c "Azure Checks" \
  --report-formats all \
  --report-path "data/reports" \
  --no-progress
```
List IaC Configurations Example
```bash
# List the IaC configurations visible to this API key (note the line
# continuation after "docker run", which the original listing was missing)
docker run \
  -v $(pwd):/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest ics-config list \
  --no-verify
```

Example output:

```text
Config name   | Total scans | Last scan time
-----------   | ----------- | --------------
tests config1 | 132         | 2022-05-21T10:43:46Z
AWS Config    | 3           | 2021-04-09T13:07:50ZZ
test config 4 | 1           | 2019-11-15T15:20:24Z
HIPAA Custom  | 4           | 2020-07-08T19:55:10Z
```
Local Executable
To use the local executable, follow the pattern `./mimics [command] [flags]` for Mac or `mimics.exe [command] [flags]` for Windows.
Scan Example
Terraform templates must be compiled to plans first
All Terraform templates must be compiled to a plan file and converted to JSON before you can scan them with `mimics`. For example: `terraform plan -out tf.plan && terraform show -json tf.plan > plan.json`

```bash
# Generate a Terraform plan and convert it to JSON
terraform plan -out tf.plan
terraform show -json tf.plan > plan.json

./mimics scan plan.json \
  -c "Azure Checks" \
  --report-formats all \
  --report-path "data/reports" \
  --no-progress \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --platform-url "http://platformdomain.com:8001/" \
  --no-verify
```
Show IaC Configuration Example
```bash
./mimics ics-config show "tests config1" \
  --api-key "<my-api-key>" \
  --base-url "http://localhost:8001/" \
  --no-verify
```

Example output:

```text
Insight Name                                             | Description
-------------------------------------------------------- | -----------
Cloud Account without Global API Accounting Config (AWS) | Identify Accounts Without API Accounting Config, Such as AWS CloudTra...
Cloud Root Account API Access Key Present                | Identify Accounts With API Access Keys Present on the Root Account
Cloud User Account without MFA                           | Identify cloud user accounts which do not require two-factor authenti...
Cloud Account without Root Account MFA Protection        | Identify Accounts Which Still Have the Root Account Active Without Tw...
Network without Traffic Logging                          | Identify Networks, e.g., AWS VPCs, That Do Not Have Network Logging E...
API Key Unused For 90 Days                               | Identify API keys that have not been used within the past 90 days
```
Viewing CLI Scan Details in the UI
After performing a scan using the CLI tool, you can view the scan details through the InsightCloudSec UI. All CLI scans are included in the IaC Scan list and can be viewed in the same way as other scans.
Check out the Viewing Scan Results page for details on viewing your scan results within the UI, including summary details.