Viewing Scan Results

After an IaC scan is completed, detailed results are uploaded to the Scan List page. To see all your scan results, go to Security > Infrastructure as Code > Scan List.

Explore your scans

Each completed scan entry contains important information at a glance, including:

  • Scan Target: The name of the file that was scanned.

  • Outcome: Scans have three possible statuses:

    • Failed: One or more Insight checks failed.
    • Warned: One or more Insight checks warned.
    • Passed: All Insight checks passed or were ignored.

    Point your cursor to the Outcome column value to see a summary of Insight check statuses.

  • Severity Summary: If the scan failed or warned, the column displays the number of Insight checks in the scan, organized by severity.

  • Configuration: The name of the configuration used for the scan.

  • Drivers: The type of analyzer used in the scan (cft or terraform).

The Scan List also provides filtering, so you can narrow the scope of the data and navigate it more effectively.

Add Filter

Filtering allows for narrowing the scope of the resources list using properties like cloud accounts, clusters, resource groups, etc. Some things to note about filtering behavior:

  • Each selected filter updates dynamically with options appropriate for the property selected.
  • After selecting an initial property, click + Add Filter to add an additional filter and further narrow the scope.
  • If filtering on a Resource Tag:
    • Searching for a tag is case insensitive.
    • New tags are harvested every 12 hours by the ResourceTypeTrigramsProcess background job (see System Settings for more information).

To add a filter:

  1. Click the Add Filters button to open the side panel.
  2. Select and configure a property to get started.
  3. After configuring your desired filters, click Apply to update the scope for the feature.

Save Filters (Optional)

After adding a filter, you can save it so that it can easily be reused the next time you access the feature. Saved filters are feature-specific, since filter options vary between features: a filter saved in Feature "A" is available only in Feature "A" and will not appear in Feature "B".

To save a filter:

  1. Once filter(s) have been applied, ensure the filters list is expanded by clicking the arrow (>).
  2. Click the ellipsis (…) button, then click Save Filter.
  3. Provide a name for the filter and an optional description.
  4. Select the checkbox for Set as Default Filter to set this filter as the default for the feature. This only applies to your user account and will not affect other users’ default filter.
  5. Select the checkbox for Make this a Public Filter to allow other users to use and see the filter.
  6. Click OK.

Once a filter has been successfully saved, it can be accessed (along with other saved filters) or edited from the same ellipsis menu.

Understand scan results

To open scan results:

  1. Click a scan entry’s Outcome. The scan results panel opens.

From this panel you can:

Review impacted resources

A table on the scan results panel shows the outcome for each Insight check from the selected pack as well as the number of impacted resources.

To see the impacted resources:

  1. Find an Insight.
  2. Click +. The Insight expands to show the resources that failed the Insight check.

You can click Inspect to show detailed information about the Insight as well as how to remediate the failure. If you want to exclude a resource from a particular scan, review Create exceptions.

Create remote IaC Exceptions

Remote IaC Exceptions are created using the IaC interface and exclude a resource from being scanned for a particular Insight check. Exceptions can be scheduled and last anywhere from a day to indefinitely. To create a local Exception with the IaC CLI Scan Tool, see Create IaC Exceptions. To view or manage your exceptions, see Exceptions.

To create an IaC exception:

  1. From the Scan List tab, click a scan entry’s Outcome. The scan results panel opens.
  2. Find an Insight.
  3. Click +. The Insight expands to show the resources that failed the Insight check.
  4. Click Action (…), then click Create exception.
  5. Optionally, select an Expiration Date.
  6. Enter an Approver Email.
  7. Optionally, enter Notes.
  8. Click Create. The Exception is created.

Download results

You can download scan results in JSON or SARIF format.

JSON results example

The notes and the list of Insights are abbreviated in the example for a better reading experience.

{
  "complete_time": "2022-10-31T01:35:51.240937",
  "create_time": "2022-10-31T01:35:49.791230",
  "details": [
    {
      "description": "Identify database instances which are not encrypted",
      "findings": [
        {
          "location": null,
          "remediation": null,
          "resource_type": "RDS Database, Neptune, DocumentDB",
          "sink": "AppDB",
          "source": "AppDB"
        }
      ],
      "id": 23,
      "name": "Database Instance not Encrypted (AWS)",
      "notes": "## Overview\nDatabase instances store sensitive information...",
      "setting": "FAIL",
      "severity": 4,
      "source": "backoffice"
    },
    ...
  ],
  "drivers": ["cft"],
  "html_report_uri": "/private/iac/scans/4/html",
  "iac_config": {"id": 8, "name": "AWS-CIS-1.4.0"},
  "id": 4,
  "sarif_report_uri": null,
  "scan_target": "cli:1:Scan on Push",
  "stats": {
    "failed_insights": 6,
    "passed_insights": 5,
    "skipped_insights": 38,
    "suppressed_findings": 0,
    "warned_insights": 0
  },
  "status": {
    "message": "Your insightCloudSec IaC Scan completed with 5 failed resources, 0 resource with warnings, 4 unanalyzed resources, and 0 error(s).",
    "stacktrace": null,
    "type_": "COMPLETED"
  }
}
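The downloaded JSON carries everything the Scan List shows at a glance, so a pipeline can reproduce the Outcome rule (Failed if any Insight check failed, Warned if any warned, otherwise Passed), the Severity Summary, and the per-Insight list of impacted resources without opening the UI. The script below is an added example, not code from the InsightCloudSec product or its documentation. It runs against a constructed sample modelled on the JSON above (the first Insight is copied from the page; the other two are made up). Two assumptions are labelled in the code: a "WARN" setting value for warned checks, since the page only shows "FAIL", and that a finding's "source" field names the impacted resource.

```python
"""Summarize a downloaded IaC scan result (JSON format) the way the Scan
List page does: outcome, severity summary, and impacted resources per Insight.

Added example, not code from the InsightCloudSec product or documentation.
Assumptions: a "WARN" setting value for warned checks (the page only shows
"FAIL"), and that a finding's "source" field names the impacted resource.
"""
import json
from collections import Counter

# Constructed sample modelled on the JSON results example above. The first
# Insight is copied from that example; the other two are constructed.
SAMPLE_RESULT = """
{
  "complete_time": "2022-10-31T01:35:51.240937",
  "details": [
    {
      "description": "Identify database instances which are not encrypted",
      "findings": [
        {"location": null, "remediation": null,
         "resource_type": "RDS Database, Neptune, DocumentDB",
         "sink": "AppDB", "source": "AppDB"}
      ],
      "id": 23, "name": "Database Instance not Encrypted (AWS)",
      "setting": "FAIL", "severity": 4, "source": "backoffice"
    },
    {
      "description": "constructed: a second failing check",
      "findings": [
        {"location": null, "remediation": null, "resource_type": "S3 Bucket",
         "sink": "LogsBucket", "source": "LogsBucket"},
        {"location": null, "remediation": null, "resource_type": "S3 Bucket",
         "sink": "AssetsBucket", "source": "AssetsBucket"}
      ],
      "id": 900, "name": "Constructed Check A",
      "setting": "FAIL", "severity": 2, "source": "backoffice"
    },
    {
      "description": "constructed: a passing check",
      "findings": [],
      "id": 901, "name": "Constructed Check B",
      "setting": "PASS", "severity": 3, "source": "backoffice"
    }
  ],
  "drivers": ["cft"],
  "id": 4,
  "scan_target": "cli:1:Scan on Push",
  "stats": {"failed_insights": 2, "passed_insights": 1, "skipped_insights": 0,
            "suppressed_findings": 0, "warned_insights": 0},
  "status": {"message": "constructed", "stacktrace": null, "type_": "COMPLETED"}
}
"""

# Insight "setting" values that count toward the severity summary.
# "FAIL" appears on the page; "WARN" is an assumption.
NON_PASSING_SETTINGS = {"FAIL", "WARN"}


def load_result(text):
    """Parse the downloaded JSON results file into a dict."""
    return json.loads(text)


def outcome(result):
    """Apply the Scan List outcome rule to the scan's stats block:
    Failed if any Insight check failed, Warned if any warned, else Passed."""
    stats = result["stats"]
    if stats.get("failed_insights", 0) > 0:
        return "Failed"
    if stats.get("warned_insights", 0) > 0:
        return "Warned"
    return "Passed"


def severity_summary(result):
    """Count non-passing Insight checks by severity level, as the Severity
    Summary column does for failed or warned scans."""
    counts = Counter(
        insight["severity"]
        for insight in result["details"]
        if insight["setting"] in NON_PASSING_SETTINGS
    )
    return dict(counts)


def impacted_resources(result):
    """Map each Insight that has findings to the sorted resource names that
    failed it (what the '+' expansion in the results panel shows).
    Uses the finding's "source" field as the resource name (assumption)."""
    impacted = {}
    for insight in result["details"]:
        names = sorted({finding["source"] for finding in insight["findings"]})
        if names:
            impacted[insight["name"]] = names
    return impacted


def report(result):
    """Render a plain-text summary suitable for a CI log."""
    lines = [f"Scan {result['id']} ({result['scan_target']}): {outcome(result)}"]
    for severity, count in sorted(severity_summary(result).items(), reverse=True):
        lines.append(f"  severity {severity}: {count} Insight check(s)")
    for name, resources in impacted_resources(result).items():
        lines.append(f"  {name}: {', '.join(resources)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(load_result(SAMPLE_RESULT)))
```

Point `load_result` at the file you downloaded from the scan results panel instead of `SAMPLE_RESULT` to run it against a real scan; the outcome is derived from the `stats` block rather than by re-scanning the `details` list, so it matches what the Scan List column reports even when the details are abbreviated.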

SARIF results example

The SARIF Findings report contains more verbose details about each finding and can be consumed by external tooling to visualize findings alongside the source code. The results and tool rules are abbreviated in the example for a better reading experience.

{
  "runs": [
    {
      "invocations": [{"executionSuccessful": true}],
      "properties": {},
      "results": [...],
      "tool": {
        "driver": {
          "name": "mimICS",
          "rules": [...],
          "version": "0.0.0-SNAPSHOT-45d197d"
        }
      },
      "versionControlProvenance": []
    }
  ],
  "schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0"
}