Find Security Violations of IaC in Private GitHub Repository

Yu Ishikawa
4 min read · Jan 27, 2022


Today it is increasingly common to practice Infrastructure as Code (IaC), building IT infrastructure from Kubernetes manifests and Terraform resources. That creates a demand for tooling that finds potential compliance and security violations caused by IaC misconfigurations, because it takes real experience to understand the pitfalls of the many IaC resource types.

So DevSecOps is on the rise. DevSecOps stands for development, security, and operations. It is an approach to culture, automation, and platform design that integrates security as a shared responsibility throughout the entire IT lifecycle. I am not a security engineer; I live in the data science world. But I would like to practice DevSecOps by leveraging security tools to remove security risks from our data platform. So I created a GitHub Action that automatically leaves comments about potential compliance and security violations, using terrascan and reviewdog. In this article, I briefly introduce that GitHub Action, which leaves comments about security violations on pull requests.

What is terrascan?

Terrascan is an open-source static code analyzer for Infrastructure as Code. Terrascan allows you to:

  • Seamlessly scan infrastructure as code for misconfigurations.
  • Monitor provisioned cloud infrastructure for configuration changes that introduce posture drift, and revert to a secure posture.
  • Detect security vulnerabilities and compliance violations.
  • Mitigate risks before provisioning cloud-native infrastructure.
  • Run it locally or integrate it with your CI/CD.

Terrascan policies are written in the Rego policy language. We can not only take advantage of the officially provided policies, but also implement custom policies in Rego and JSON. That is, we can practice Policy as Code through terrascan. As for me, I use Kubernetes and Google Cloud Platform at work. Because terrascan provides official policies for both, I chose terrascan to keep my data platform more secure.

What is the GitHub Action like?

It would already be useful to run terrascan commands in GitHub Actions so that we find violations; we can work out what is wrong by digging into the workflow logs. But what if we could see the violations as comments on the pull request itself?

Reviewdog provides a way to automatically post review comments to a code hosting service such as GitHub by integrating with any static analysis tool. So I integrated terrascan with reviewdog. The screenshot in the original post shows an example of a comment left by reviewdog with terrascan: the Terraform resource for Google Cloud Storage lacked the property that enables uniform bucket-level access.
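As an added example (not the action's own code), this is the conversion a practitioner would write to turn terrascan's JSON report into reviewdog's rdjson input, so that every violation becomes one line-anchored pull-request diagnostic. The sample report is constructed; its field names follow terrascan's JSON violation objects, while the severity mapping and the placeholder rule id are assumptions.

```python
import json

# Constructed sample in the shape of `terrascan scan -o json` output (not real output).
SAMPLE_TERRASCAN_JSON = json.dumps({
    "results": {
        "violations": [{
            "rule_name": "uniformBucketEnabled",
            "description": "Ensure uniform bucket-level access is enabled on the bucket",
            "rule_id": "AC_GCP_XXXX",  # placeholder, not a real terrascan rule id
            "severity": "MEDIUM",
            "category": "Identity and Access Management",
            "resource_name": "data_lake",
            "resource_type": "google_storage_bucket",
            "file": "storage.tf",  # relative to the scanned directory
            "line": 12,
        }],
        "scan_summary": {"violated_policies": 1},
    }
})

# terrascan severity -> rdjson severity (assumed mapping; anything unknown becomes WARNING)
SEVERITY_MAP = {"HIGH": "ERROR", "MEDIUM": "WARNING", "LOW": "INFO"}


def terrascan_to_rdjson(report_json: str, working_directory: str = "") -> dict:
    """Build an rdjson document for `reviewdog -f=rdjson`; file paths are re-rooted
    under `working_directory` (the action's working-directory input) so reviewdog
    can match them against the pull request's changed files."""
    report = json.loads(report_json)
    diagnostics = []
    for v in report.get("results", {}).get("violations") or []:  # tolerate a missing or null list
        path = v["file"]
        prefix = working_directory.strip("/")
        if prefix:
            path = f"{prefix}/{path}"
        diagnostics.append({
            "message": f"{v['rule_name']}: {v['description']} "
                       f"({v['resource_type']}.{v['resource_name']})",
            "location": {"path": path, "range": {"start": {"line": int(v.get("line") or 1)}}},
            "severity": SEVERITY_MAP.get(str(v.get("severity", "")).upper(), "WARNING"),
            "code": {"value": v.get("rule_id", "")},
        })
    return {"source": {"name": "terrascan"}, "diagnostics": diagnostics}


if __name__ == "__main__":
    print(json.dumps(terrascan_to_rdjson(SAMPLE_TERRASCAN_JSON, "terraform/"), indent=2))
```

Piping the printed document into `reviewdog -f=rdjson -reporter=github-pr-check` is what turns the finding into the kind of comment shown in the post.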

We can use the action with a few lines of configuration. Of course, we can also customize reviewdog and terrascan through the action's inputs.

check:
  if: github.event_name == 'pull_request'
  name: "runner / terrascan (github-pr-check)"
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v2
    - uses: yu-iskw/action-terrascan@v1
      id: test-scan
      with:
        github_token: ${{ secrets.github_token }}
        working-directory: terraform/
        reporter: github-pr-check
        terrascan-iac-type: terraform

Why did I create the Action?

Actually, a GitHub Action for terrascan is already offered in accurics/terrascan-action, and it is awesome. But if you use Terraform modules hosted in private repositories, it doesn't work, because it can't download them. It is quite common to use private and internal GitHub repositories at work, so I needed an action that copes with private repositories.

In short, we need to configure git to download Terraform modules from private repositories by passing a GitHub token over HTTPS instead of using SSH. If the Terraform modules live in the same private repository, the officially provided secret secrets.GITHUB_TOKEN is available. By doing that, we can securely download the modules.

The reason accurics/terrascan-action doesn't work with Terraform modules in private repositories is that it is impossible to pass the git configuration into the Docker action. So I made my action a composite action, which takes over the git configuration seamlessly.

- id: auth
  run: |
    git config --global \
      url."https://oauth2:${{ secrets.GITHUB_TOKEN }}@github.com/your-org/${{ github.event.repository.name }}".insteadOf \
      "ssh://git@github.com/your-org/${{ github.event.repository.name }}"

A separate article describes how to use GitHub private repositories as Terraform module sources. If you are interested in more of the background, it is a good reference.

Summary

The GitHub Action enables us to find potential compliance and security violations in Infrastructure as Code. As a data engineer, I have to care about compliance and security vulnerabilities even though I am not a security expert. So I implemented the action to automatically surface potential risks by practicing DevSecOps and Policy as Code.


Yu Ishikawa

Data Engineering / Machine Learning / MLOps / Data Governance / Privacy Engineering