Infrastructure as Code (IaC) Scanning
Introduced in GitLab 14.5.
Infrastructure as Code (IaC) Scanning scans your IaC configuration files for known vulnerabilities.
Currently, IaC scanning supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes.
Requirements
IaC Scanning runs in the test
stage, which is available by default. If you redefine the stages in the .gitlab-ci.yml
file, the test
stage is required.
To run IaC scanning jobs, by default, you need GitLab Runner with the
docker
or
kubernetes
executor.
If you're using the shared runners on GitLab.com, this is enabled by default.
WARNING: Our IaC scanning jobs require a Linux container type. Windows containers are not yet supported.
WARNING:
If you use your own runners, make sure the Docker version installed
is not 19.03.0
. See troubleshooting information for details.
Supported languages and frameworks
GitLab IaC scanning supports a variety of IaC configuration files. Our IaC security scanners also feature automatic language detection which works even for mixed-language projects. If any supported configuration files are detected in project source code we automatically run the appropriate IaC analyzers.
Configuration File Type | Scan tool | Introduced in GitLab Version |
---|---|---|
Ansible | KICS | 14.5 |
AWS CloudFormation | KICS | 14.5 |
Azure Resource Manager 1 | KICS | 14.5 |
Dockerfile | KICS | 14.5 |
Google Deployment Manager | KICS | 14.5 |
Kubernetes | KICS | 14.5 |
OpenAPI | KICS | 14.5 |
Terraform | KICS | 14.5 |
- IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the Bicep language, you must use the bicep CLI to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
Making IaC analyzers available to all GitLab tiers
All open source (OSS) analyzers are available with the GitLab Free tier. Future proprietary analyzers may be restricted to higher tiers.
Summary of features per tier
Different features are available in different GitLab tiers, as shown in the following table:
Capability | In Free | In Ultimate |
---|---|---|
Configure IaC Scanners | {check-circle} | {check-circle} |
View JSON Report | {check-circle} | {check-circle} |
Presentation of JSON Report in Merge Request | {dotted-circle} | {check-circle} |
Address vulnerabilities | {dotted-circle} | {check-circle} |
Access to Security Dashboard | {dotted-circle} | {check-circle} |
Contribute your scanner
The Security Scanner Integration documentation explains how to integrate other security scanners into GitLab.
Configuration
To configure IaC Scanning for a project you can:
Configure IaC Scanning manually
To enable IaC Scanning you must include the
SAST-IaC.latest.gitlab-ci.yml template
provided as part of your GitLab installation.
The included template creates IaC scanning jobs in your CI/CD pipeline and scans your project's configuration files for possible vulnerabilities.
The results are saved as a SAST report artifact that you can download and analyze.
Enable IaC Scanning via an automatic merge request
To enable IaC Scanning in a project, you can create a merge request from the Security Configuration page:
- On the top bar, select Menu > Projects and find your project.
- On the left sidebar, select Security & Compliance > Configuration.
- In the Infrastructure as Code (IaC) Scanning row, select Configure with a merge request.
This automatically creates a merge request with the changes necessary to enable IaC Scanning that you can review and merge to complete the configuration.
Reports JSON format
The IaC tool emits a JSON report file in the existing SAST report format. For more information, see the schema for this report.
The JSON report file can be downloaded from the CI pipelines page, or the
pipelines tab on merge requests by setting artifacts: paths
to gl-sast-report.json
. For more information see Downloading artifacts.