Self-Service IaC Testing for Developers
We’re pleased to release iacbot – a free GitHub app that analyzes changes in infrastructure as code (IaC) – Terraform, CloudFormation and Kubernetes – for security vulnerabilities and provides fast feedback directly in pull requests (PRs).
If you’re running IaC and don’t perform automated security analysis in your GitOps workflow, you can start using iacbot now.
You don’t have to install anything. You don’t have to run anything. Just connect the iacbot GitHub app to your GitHub org and follow its instructions.
Modern Cloud Infrastructure
IaC isn’t new, but its use as a path to self-service cloud infrastructure for distributed development teams is very new.
IaC of years past (Puppet, Chef, Ansible, etc.) was rarely embraced by application development teams. These tools are designed and built by infrastructure engineers, not application development teams.
While CloudFormation, Terraform and Kubernetes manifests were also designed by infrastructure engineers, they are now being embraced by application development teams.
Application development teams can take direct control over their infrastructure.
Control means freedom to innovate.
Freedom to innovate drives business growth.
This trend is not going to reverse any time soon.
Freedom and Responsibility
With freedom comes responsibility. This might be cliche, but that doesn’t make it any less true.
Are the new authors of Terraform, CloudFormation and Kubernetes ready for that responsibility? In some cases, yes. But in many cases, they need help. I know I do.
IaC is often copied from public sources or from another project. This isn’t a bad thing, but the author doesn’t always know what they don’t know. Are there security vulnerabilities? Does the code conform to security standards?
This is hard. Even Terraform experts have trouble looking at code and spotting issues.
Teams have a nagging fear that sooner or later a security engineer will come knocking, telling them that they have a set of issues to fix. Nobody likes this.
This is what we want to avoid.
This is why we built iacbot. We want to help IaC authors, and make their lives easier.
If you experience any of the following, iacbot can help:
- You use Terraform, CloudFormation and Kubernetes but don’t have security experts reviewing the code.
- You don’t have an IaC code review process.
- You have a process in place, but it is perfunctory. Lots of LGTM, when you know that changes are…not good.
- People reviewing changes are finding it a drag to keep up with mundane IaC PRs.
- Your security team is coming back to you with configuration issues that need subsequent remediation.
iacbot addresses these pain points.
You don’t have to install anything. You don’t have to run anything. Just connect the iacbot GitHub App to your GitHub org and follow its instructions.
You will get:
- Per-repo report of findings within seconds. We are using a battery of analysis tools under the hood, including checkov and tfsec.
- Detailed descriptions of the problems along with guidelines on how to resolve the issues.
- Easy ability to suppress findings that are works-as-designed or false-positive.
- Code analysis that is initiated on each code push and daily for each repo.
- Every PR is decorated with comments about the findings so that you don’t have to leave GitHub to see findings.
- Comments have instructions and guidelines to fix the issues.
And best of all: no changes to your CI/CD pipelines are required.
Get Started Now
The process is simple. Connect iacbot in Github, and let iacbot help you find and fix configuration issues in your GitOps workflow. It’s free.
Step 1 - Sign Up
We support GitHub today, but will be adding GitLab and BitBucket support soon.
Step 2 - Install the GitHub App
Review the permissions and make sure that you are comfortable.
Note: Yes, we ask for source code access so we can run these assessments on your behalf. If you aren’t comfortable with this, you can always try iacbot on some test repositories. If you like what you see, let us know. We are working on a hybrid model that makes it just as easy to get the same result.
That said, if you think that there is something in your Terraform or CloudFormation that is particularly sensitive, that might be an indication of a problem. You shouldn’t have secrets or core IP in there.
Step 3 - Sign In
We need to know who you are.
Within a minute or less, you should see a list of repos that you authorized iacbot to analyze.
As soon as findings are available, the summary of findings for the default branch will be available on the repository card.
You can click on the repository card to get an overview of the current findings for that repository.
Clicking on each finding will show you a detailed summary with remediation guidelines:
If you open a PR in GitHub, the status check will reflect the findings.
PR Comments are added with each push containing a summary of the issues that were found: