The iacbot Security Practitioner Demo

Rich Seiersen

Infrastructure As Code Scanning In GitHub

TL;DR: iacbot is a FREE service for developers that automatically scans their Infrastructure as Code (IaC) - Terraform, CloudFormation, Kubernetes - and tells them about any misconfigurations, giving them the information they need to fix the issues. It works inside GitHub, so developers can fix problems before the infrastructure is deployed, saving your team and theirs from security risk and rework.

As a cloud native CISO, my #1 risk has been over-privileged, misconfigured cloud native infrastructure. My #1 desire was fixing that in development. In this blog, I'll describe how we do that with iacbot, and how we've made it easy for anyone to try it and see for themselves how simple it is to use.
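To make "misconfigured cloud native infrastructure" concrete, here is an added example (not iacbot's code or rule set, and not the contents of the demo repo) of the kind of check an IaC scanner runs over Terraform. It reads a constructed `.tf.json` file (Terraform's JSON syntax) and flags three classic findings: a public S3 bucket ACL, a security group that exposes SSH to the world, and an IAM policy granting `Action:*` on `Resource:*`. The resource names, the rule identifiers and the sample file are all invented for illustration.

```python
"""Toy IaC misconfiguration checks over Terraform JSON syntax (.tf.json).

Added example: the rule set is illustrative and is not iacbot's own.
"""
import json
from dataclasses import dataclass

# Constructed sample: a deliberately misconfigured Terraform JSON file.
SAMPLE_TF_JSON = r"""
{
  "resource": {
    "aws_s3_bucket": {
      "logs":    { "bucket": "example-logs",    "acl": "public-read" },
      "private": { "bucket": "example-private", "acl": "private" }
    },
    "aws_security_group": {
      "bastion": {
        "name": "bastion",
        "ingress": [
          { "from_port": 22,  "to_port": 22,  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"] },
          { "from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"] }
        ]
      }
    },
    "aws_iam_policy": {
      "admin": {
        "name": "admin",
        "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"
      }
    }
  }
}
"""


@dataclass(frozen=True)
class Finding:
    rule: str       # hypothetical rule identifier
    address: str    # Terraform resource address, e.g. aws_s3_bucket.logs
    message: str


def _as_list(value):
    """Terraform JSON allows a single object where a list is also legal."""
    return value if isinstance(value, list) else [value]


def check_s3_public_acl(rtype, name, body):
    if rtype == "aws_s3_bucket" and body.get("acl") in ("public-read", "public-read-write"):
        return [Finding("S3_PUBLIC_ACL", f"{rtype}.{name}", f"bucket ACL is {body['acl']}")]
    return []


def check_sg_ssh_open_to_world(rtype, name, body):
    findings = []
    if rtype != "aws_security_group":
        return findings
    for rule in _as_list(body.get("ingress", [])):
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        open_world = any(c in ("0.0.0.0/0", "::/0") for c in cidrs)
        # protocol "-1" means all traffic, so port bounds are irrelevant there
        covers_ssh = (int(rule.get("from_port", 0)) <= 22 <= int(rule.get("to_port", 0))
                      or rule.get("protocol") == "-1")
        if open_world and covers_ssh:
            findings.append(Finding("SG_SSH_OPEN_TO_WORLD", f"{rtype}.{name}",
                                    "port 22 reachable from 0.0.0.0/0"))
    return findings


def check_iam_admin_wildcard(rtype, name, body):
    if rtype != "aws_iam_policy":
        return []
    doc = body.get("policy")
    if isinstance(doc, str):
        try:
            doc = json.loads(doc)
        except ValueError:
            return []  # e.g. a "${...}" reference that cannot be resolved statically
    if not isinstance(doc, dict):
        return []
    for stmt in _as_list(doc.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            return [Finding("IAM_ADMIN_WILDCARD", f"{rtype}.{name}",
                            "Allow Action:* on Resource:*")]
    return []


CHECKS = (check_s3_public_acl, check_sg_ssh_open_to_world, check_iam_admin_wildcard)


def scan(tf_json_text):
    """Run every check over every resource instance; return findings in file order."""
    config = json.loads(tf_json_text)
    findings = []
    for rtype, instances in config.get("resource", {}).items():
        for name, bodies in instances.items():
            for body in _as_list(bodies):
                for check in CHECKS:
                    findings.extend(check(rtype, name, body))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TF_JSON):
        print(f"{f.rule:22} {f.address:28} {f.message}")
```

Run against the constructed file this reports three findings; the `private` bucket and the 443 rule restricted to 10.0.0.0/8 are correctly left alone. A real scanner adds many more rules and resolves variables and module references, but the shape is the same: parse the config, walk each resource, apply rules, and hand the developer the resource address to fix.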

Is this you?

  1. You're in security and you have 5 minutes.
  2. You want to experience the delight of being a developer who scans Terraform for misconfigurations and is able to fix them.
  3. You don't have access to a GitHub repo.
  4. You don't have Terraform available to test with.
  5. You're not an expert in Git or Terraform (and don't aspire to be).

If this is you, follow these instructions and you can experience firsthand how easy it is for developers to use iacbot to test and secure their Terraform. You can also watch the video to see me walk through the process.

Get Started:

  1. If you don't have a GitHub account, get a free one here: https://github.com/join
  2. Go to Leaky Data Corp and fork the demo repo: https://github.com/LeakyDataCorp/terraform-aws
  • In the upper right-hand corner, click the Fork drop-down.
  3. Then choose the top option, which should be your personal account.
  • This is the account you set up in step 1 if you are new to GitHub.
  4. You should see the terraform-aws repo appear in your GitHub account.
  5. Next, enable iacbot. In the video, we navigate to Soluble's site; once you click "Get Started" it takes you to step "b" in GitHub just below. You can optionally skip the website and start in GitHub by installing iacbot directly.

    a. Start from our website homepage at get.soluble.cloud

    b. Install iacbot in your personal GitHub account: https://github.com/apps/iacbot/

  • Click Configure. Note that this page will look different depending on whether you have already installed, or tried to install, iacbot somewhere.
  6. After you hit Configure you will see the installation page.
  • Click Configure next to the repo you want to scan.
  7. Select what you want to scan.
  • If you created a new account for this, you may want to just use the "All repositories" option. Otherwise, select specific repos in your account; "Only select repositories" is the least-privilege choice if the account holds other code.
  8. You will land in the Soluble repo view. It may take a few seconds for findings to appear.
  9. To see report details, simply click on the terraform-aws repo. You get the findings dashboard. Easy!

That's it! Try iacbot today, and share it with your developers to stop misconfigurations from being deployed. Feel free to email me with any questions: rich@soluble.cloud.