Template scanner

Managing Conformity template scanner.

List Template Scanner rules

get/template-scanner/rules

This endpoint returns the list of available rules that are executed when scanning a template.

Example Request (CloudFormation):

curl -H "Content-Type: application/vnd.api+json" \
https://us-west-2-api.cloudconformity.com/v1/template-scanner/rules?type=cloudformation-template

Example Request (Terraform):

curl -H "Content-Type: application/vnd.api+json" \
https://us-west-2-api.cloudconformity.com/v1/template-scanner/rules?type=terraform-template

Example Response:

{
  "data": [
    {
      "type": "rules",
      "id": "EC2-001",
      "attributes": {
        "title": "Security Group Port Range",
        "description": "Ensure no security group opens range of ports",
        "compliances": [
          "NIST4",
          "NIST5",
          "SOC2",
          "NIST-CSF",
          "NIST-CSF-2_0",
          "AGISM",
          "HITRUST",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "FEDRAMP",
          "CSA"
        ],
        "provider": "aws",
        "service": "EC2"
      }
    },
    {
      "type": "rules",
      "id": "EC2-014",
      "attributes": {
        "title": "Security Group Rules Counts",
        "description": "Determine if there is a large number of rules in a security group",
        "compliances": [
          "AWAF",
          "AGISM",
          "ASAE-3150",
          "PCI",
          "PCI-V4",
          "CSA"
        ],
        "provider": "aws",
        "service": "EC2"
      }
    }, ...more rules
  ]
}
Request
query Parameters
type
string

Sepcify the type of template. Default value is 'cloudformation-template'

Enum: "cloudformation-template" "terraform-template"
Responses
200

Success response

Response samples
application/json
{
  • "data": [
    ]
}

Scan a template

post/template-scanner/scan

This endpoint supports:

  • CloudFormation templates in YAML,
  • CloudFormation templates in JSON format and
  • Terraform plans

For assistance in how to generate Terraform plan templates from HCL to JSON format, please refer to the section Scanning a Terraform Template in the Help pages.

AWS Resource CloudFormation Terraform
API Gateway
  RestApi
AutoScaling
  Group
  LaunchConfiguration
CloudFormation
  Stack
CloudTrail
  Trail
DynamoDB
  Table
EC2
  Instance
  Volume
ECR
  Repository
EFS
  FileSystem
ElastiCache
  CacheCluster
Elasticsearch
  Domain
ELB
  LoadBalancer
ELBv2
  LoadBalancer
EMR
  Cluster
IAM
  Group
  ManagedPolicy
  Role
Kinesis
  Stream
KMS
  Key
Lambda
  Function
RDS
  DBCluster
  DBInstance
Redshift
  Cluster
S3
  Bucket
SNS
  Topic
SQS
  Queue
VPC
  NatGateway
  NetworkAcl
  NetworkInterface
  SecurityGroup
  Subnet
  VPC
  VPCEndpoint
WorkSpaces
  WorkSpace
  • Child modules are also supported for Terraform

Supported rules:

All resource level rules are supported. For a complete list, please refer to the endpoints CloudFormation rules supported and Terraform rules supported.

Examples:

Scan a template using Bash:

#!/usr/bin/env bash
# Scans a template file
# Requires "jq" (https://stedolan.github.io/jq/) to be installed

# Cloud Conformity API Key
api_key="Your Cloud Conformity API Key"
# Path to template file
file_path="Path to template"
# Region in which Cloud Conformity serves your organisation
region="us-west-2"

contents=$(cat ${file_path} | jq '.' -MRs)
payload="{\"data\":{\"attributes\":{\"type\":\"cloudformation-template\",\"contents\":${contents}}}}"

echo Request:
echo ${payload} | jq '.' -M

echo Response:
curl -s -X POST \
     -H "Authorization: ApiKey ${api_key}" \
     -H "Content-Type: application/vnd.api+json" \
     https://${region}-api.cloudconformity.com/v1/template-scanner/scan \
     --data-binary "${payload}" | jq '.' -M

Scan a template using Python:

#!/usr/bin/env python
# Scans a template file
# Requires "requests" to be installed

import requests
import json

# Please substitute filePath, apiKey, and region
# Cloud Conformity API Key
apiKey="Your Cloud Conformity API Key"
# Path to CloudFormation template file Yaml or JSON file
filePath="Path to CloudFormation template"
# Region in which Cloud Conformity serves your organisation
region="us-west-2"

endpoint = 'https://' + region + '-api.cloudconformity.com'
url = endpoint + '/v1/template-scanner/scan'

headers = {
    'Content-Type': 'application/vnd.api+json',
    'Authorization': 'ApiKey ' + apiKey
}

contents = open(filePath, 'r').read()

payload =  {
    'data': {
        'attributes': {
            'type': 'cloudformation-template',
            'contents': contents
        }
    }
}
print 'Request:\n' + json.dumps(payload, indent=2)

resp = requests.post(url, headers=headers, data=json.dumps(payload))
print 'Response:\n' + json.dumps(resp.json(), indent=2, sort_keys=True)
SecurityApiKeyAuth
Request
Request Body schema: application/vnd.apis+json
One of:
object

A JSON object containing the following properties

Responses
200

200 response

401

Unauthorized. The requesting user does not have enough privilege.

403

Forbidden. This happens when a valid api key is not provided or the user does not have access to the supplied account.

404

Not Found. The profile that was requested was not found.

500

The parsing of the template file failed

Request samples
application/vnd.apis+json
{
  • "data": {
    }
}
Response samples
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Scan an archive of templates

post/template-scanner/archive-scan

This endpoint supports a ZIP file containing Terraform HCL files (.tf).

Example:

Scan a ZIP file containing Terraform .tf templates using Bash:

#!/usr/bin/env bash
# Scans an archive

api_key="Your Cloud One API Key"

# Cloud One account region
region="us-1"

echo Response:
curl --location "https://conformity.${region}.cloudone.trendmicro.com/api/template-scanner/archive-scan" \
--header "Authorization: ApiKey ${api_key}" \
--form 'type="terraform-archive"' \
--form 'archive=@"/Users/admin/Documents/terraform-archive.zip"'
SecurityApiKeyAuth
Request
Request Body schema: multipart/form-data
One of:
archive
required
file

ZIP file with Terraform .tf templates to scan.

type
required
string

The type of archived template.

Value: "terraform-archive"
Responses
200

200 response

401

Unauthorized. The requesting user does not have enough privilege.

403

Forbidden. This happens when a valid api key is not provided or the user does not have access to the supplied account.

404

Not Found. The profile that was requested was not found.

500

The parsing of the template file failed

Request samples
multipart/form-data
{
  "type": "terraform-archive",
  "archive": "/Users/admin/Documents/terraform-archive.zip"
}
Response samples
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}
➔ Next to Users