Template Scanner

Location

Top navigation bar > Template Scanner

Template Scanner enables you to run Trend Cloud One™ – Conformity Rules on your Terraform, AWS Cloud Development Kit (CDK), Serverless Framework, and AWS CloudFormation templates. You can add preventative security and governance controls to the workflow to identify and remediate issues prior to launching any services and resources.

What is Template Scanner?

Conformity provides Template Scanner capability as a preventative measure to ensure your AWS infrastructure remains compliant by detecting risks in template files before they are launched into AWS.

An API endpoint is available for CI/CD pipelines and automation.

You can use this service to scan templates. Terraform plans and CloudFormation templates are supported via the UI and API, with rules configured through Conformity Profiles. CloudFormation templates and Terraform configuration files are also supported via the GitHub App.

Parameters can be used to customize input values to the template each time a stack is created. If a parameter is defined in a template, its value can be supplied in the arguments field.

Supported features

Template Scanner supports two entry points:

  • Template Scanner for UI and API
  • Template Scanner GitHub App
The feature table compares the two entry points (Template Scanner UI/API and GitHub Application) across:

  • Graphical interface to load files
  • Public API
  • Account and Profile Rule settings
  • GitHub Integration
  • AWS CloudFormation
  • AWS Cloud Development Kit (CDK)
  • Serverless Framework (AWS)
  • Terraform (AWS)
    • Supported through Terraform plan files (.json).
    • Can interpret multiple Terraform language features: input variables, local values, reference expressions, and the jsonencode function call.

Scan via UI

  1. Select the type of rule settings you want to scan for:
    • Default rule settings: upload and scan using rule settings from your organization.
    • Profile rule settings: upload and scan using rule settings from a selected profile.
    • Account rule settings: upload and scan using rule settings from a selected account.

Scanning a CloudFormation template

  • CloudFormation templates can be uploaded in either JSON or YAML format.
  • You can also use the `!Condition` tag in YAML templates.

Scanning AWS Cloud Development Kit (CDK)

Template Scanner supports evaluation of your CDK code by synthesizing a CloudFormation template from it.

  1. Install the AWS CDK CLI.
  2. In the directory with your CDK code, run `cdk synth`. This outputs a YAML CloudFormation template (add `--json` if you prefer JSON).
  3. Use the Template Scanner UI or API endpoints to scan the CloudFormation template generated by `cdk synth`.

Scanning Serverless Framework

Template Scanner supports evaluation of your Serverless Framework applications by synthesizing a CloudFormation template from the serverless code.

  1. In the directory with your serverless file, run `serverless package` to generate a JSON template at `.serverless/cloudformation-template-update-stack.json`.
  2. Use the Template Scanner UI or API endpoints to scan the CloudFormation template generated by `serverless package`.

Scanning Terraform

  1. Terraform templates must be converted to a Terraform plan in JSON by following the steps below from your command line tool:

    1. In the same directory as the .tf template, export your provider's access key, secret key, and region (e.g. `export AWS_REGION=us-east-1`).
    2. Run `terraform init`.
    3. Run `terraform plan -out=your_file`.
    4. Run `terraform show -json your_file > your_file.json`. Your Terraform JSON plan is now ready to be uploaded to the Template Scanner from the same folder as your .tf file.
  2. Click on Upload and scan to view scan results for your selected rule settings.

  3. You will get a message about missing parameters while scanning your template. Decide whether you want to Proceed or Cancel the scanning process.

    Resources with missing parameters will not be scanned and thereby result in partial scan results.

  4. Review the checks in the scan results. Failed checks display a Resolve button with a link to resolution steps. For more information on the anatomy of a rule, see Rules.

    Resolution steps provided with failed checks are written for CLI or Console workflows. You can also use them as a guide for resolution within CloudFormation.

Scan via API

See API reference for how to use Template Scanner API in your automation or build pipelines.

Additional examples can be found below:

Scan via GitHub Pull Requests

The Template Scanner GitHub App can be used to automatically trigger scans of CloudFormation templates and Terraform configuration files.

API Endpoints to Retrieve Rules

You can use the following API endpoints to retrieve a list of rules that can be scanned for:

Why do I not see any scan results?

You may receive an empty response or an error for any of the following reasons:

  1. Unsupported resource type or rules - Template Scanner only supports resource-level rules. Please refer to the APIs for a list of supported rules and resource types. We have plans to add support for more resource types over time. If there is a specific resource type you need as a priority, please log in to Conformity and submit a ticket to our support team.
  2. Parameter(s) with no default value - CloudFormation templates with parameters that have no default values may fail to be processed.
  3. Unsupported AWS CloudFormation intrinsic functions - CloudFormation templates with unsupported intrinsic functions may fail to process or may generate incomplete results. The following intrinsic functions are supported in CloudFormation templates:
    • Fn::Base64
    • Fn::And
    • Fn::Equals
    • Fn::If
    • Fn::Not
    • Fn::Or
    • Fn::FindInMap
    • Fn::GetAtt
    • Fn::GetAZs
    • Fn::Join
    • Fn::Select
    • Fn::Split
    • Fn::Sub
    • Ref

You may want to temporarily replace unsupported functions with static values so your template can be scanned correctly.
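A pre-flight check for the last two causes, as an added example that is not Conformity's own code: it reads a JSON CloudFormation template and reports parameters without a Default value (which would otherwise need values supplied in the arguments field) and any intrinsic functions outside the supported list above. The sample template, including its use of Fn::ImportValue as an unsupported function, is constructed for the illustration.

```python
import json

# Intrinsic functions Template Scanner supports, as listed on this page.
SUPPORTED_INTRINSICS = {
    "Fn::Base64", "Fn::And", "Fn::Equals", "Fn::If", "Fn::Not", "Fn::Or",
    "Fn::FindInMap", "Fn::GetAtt", "Fn::GetAZs", "Fn::Join", "Fn::Select",
    "Fn::Split", "Fn::Sub", "Ref",
}


def find_intrinsics(node, found=None):
    """Walk a parsed template and collect every intrinsic function key it uses."""
    if found is None:
        found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" or key.startswith("Fn::"):
                found.add(key)
            find_intrinsics(value, found)
    elif isinstance(node, list):
        for item in node:
            find_intrinsics(item, found)
    return found


def precheck(template):
    """Report parameters lacking a Default and intrinsics the scanner does not support."""
    params = template.get("Parameters", {})
    no_default = sorted(name for name, spec in params.items() if "Default" not in spec)
    unsupported = sorted(find_intrinsics(template) - SUPPORTED_INTRINSICS)
    return {"parameters_without_default": no_default,
            "unsupported_intrinsics": unsupported}


# Constructed sample template (not from the page): one parameter without a
# Default and one unsupported intrinsic function (Fn::ImportValue).
SAMPLE_TEMPLATE = json.loads("""
{
  "Parameters": {
    "BucketName": {"Type": "String"},
    "Env": {"Type": "String", "Default": "dev"}
  },
  "Resources": {
    "Bucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": {"Fn::Sub": "${BucketName}-${Env}"},
        "LoggingConfiguration": {
          "DestinationBucketName": {"Fn::ImportValue": "shared-log-bucket"}
        }
      }
    }
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(precheck(SAMPLE_TEMPLATE), indent=2))
```

Run it against a template before uploading; an empty report for both keys means neither of these two causes will lead to an empty or partial scan.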