Scan Infrastructure-as-Code (IaC)
Trend Cloud One™ - GitHub App scans your infrastructure-as-code (IaC) templates and evaluates them against security best practices. You choose which repositories in your organization are scanned; each selected repository is scanned automatically whenever a pull request is opened or updated.
How to install Trend Cloud One - GitHub App
Please follow the guide on Getting started with GitHub Source Accounts.
Supported templates and resources
| Supported Templates | Supported Resource Types |
|---|---|
| Terraform | S3 |
| CloudFormation YML | EC2 |
| CloudFormation JSON | ELBv2 |
| | SNS |
| | DynamoDB |
| | SQS |
| | RDS Cluster |
| | RDS Instance |
Configure the repository scan targets
The default configuration determines which Terraform and CloudFormation templates to scan:
```json
{
  "frameworks": {
    "terraform": { "templateFilesPattern": "**/*.tf" },
    "cloudformation": { "templateFilesPattern": "*(cloudformation|template|CloudFormation|Cloudformation|cloudFormation).*(yml|yaml|json)" }
  }
}
```
You can override the default configuration:

- Create a directory called `.template-security` in the root of the repository to be scanned.
- Add a `config.json` file with your configuration to that directory.
Valid JSON parameters

- `frameworks`: (object) Contains the frameworks you would like to scan as keys. Supported values: `"terraform"`, `"cloudformation"`.
- `templateFilesPattern`: (string) A file pattern (glob) that selects the files and directories to scan for that framework.
Special characters for matching part of a path

| Pattern | Meaning |
|---|---|
| `*` | Matches 0 or more characters in a single path portion |
| `?` | Matches exactly 1 character |
| `[...]` | Matches a range of characters, similar to a RegExp range. If the first character of the range is `!` or `^`, it matches any character not in the range |
| `!(pattern\|pattern\|pattern)` | Matches anything that does not match any of the patterns |
| `?(pattern\|pattern\|pattern)` | Matches zero or one occurrence of the patterns |
| `+(pattern\|pattern\|pattern)` | Matches one or more occurrences of the patterns |
| `*(a\|b\|c)` | Matches zero or more occurrences of the patterns |
| `@(pattern\|pat*\|pat?erN)` | Matches exactly one of the patterns |
| `**` | If a "globstar" is alone in a path portion, it matches zero or more directories and subdirectories. It does not crawl symlinked directories |
Match examples:

- `*(*.tf)`: match only files ending with `.tf`
- `**/*(*.tf|*.tfvars)`: starting from the top directory, match files ending with `.tf` or `.tfvars`
- `*(*.tf|*.tfvars)`: match files ending with `.tf` or `.tfvars` in the root directory only
If a file or directory path portion has a `.` as its first character, it will not match any glob pattern unless the pattern's corresponding path portion also has a `.` as its first character. For example, the pattern `a/.*/c` matches the file at `a/.b/c`, but the pattern `a/*/c` does not, because `*` does not start with a dot character. The same rule means a globstar does not descend into dot-directories such as `.terraform/` or `.git/`, so files under them are not selected by `**/*.tf`.
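Before committing a `config.json`, it is worth checking locally which files a `templateFilesPattern` would actually select. The following is an added example, not code from Trend Cloud One or the GitHub App: a small Python translator for the pattern syntax documented above (`*`, `?`, `[...]`, the `!( )`, `?( )`, `+( )`, `*( )` and `@( )` forms, the `**` globstar and the leading-dot rule), plus a helper that applies a `frameworks` configuration to a constructed repository listing. It assumes patterns are matched against file paths relative to the repository root, as the `**/*.tf` default suggests; the App's exact matcher and its options are not stated on this page, so treat the results as an approximation. `OVERRIDE_CONFIG` and `SAMPLE_FILES` are hypothetical values made up for the example.

```python
import re
from typing import Dict, List

# Added example, not the GitHub App's own matcher. Translates the glob dialect
# documented on the page into regexes and applies it per path segment.
EXTGLOB_QUANT = {"*": "*", "?": "?", "+": "+", "@": ""}  # "!( )" is handled separately


def _find_close(s: str, i: int) -> int:
    """Index of the ')' that balances the '(' at s[i]."""
    depth = 0
    for j in range(i, len(s)):
        depth += {"(": 1, ")": -1}.get(s[j], 0)
        if depth == 0:
            return j
    raise ValueError(f"unbalanced parentheses in {s!r}")


def _split_alts(s: str) -> List[str]:
    """Split 'a|b(c|d)|e' on top-level '|' only."""
    alts, depth, start = [], 0, 0
    for j, ch in enumerate(s):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if ch == "|" and depth == 0:
            alts.append(s[start:j])
            start = j + 1
    alts.append(s[start:])
    return alts


def _segment_regex(seg: str) -> str:
    """Translate one '/'-free portion of a glob into a regex for re.fullmatch."""
    out, i = [], 0
    while i < len(seg):
        ch = seg[i]
        nxt = seg[i + 1] if i + 1 < len(seg) else ""
        if ch in "*?+@!" and nxt == "(":
            close = _find_close(seg, i + 1)
            alts = "|".join(_segment_regex(a) for a in _split_alts(seg[i + 2:close]))
            if ch == "!":
                # !( ): the remainder must not be "one of the alternatives, then the rest"
                rest = _segment_regex(seg[close + 1:])
                return "".join(out) + f"(?!(?:{alts}){rest}$).*{rest}"
            out.append(f"(?:{alts}){EXTGLOB_QUANT[ch]}")
            i = close + 1
        elif ch == "[":
            close = seg.index("]", i + 1)
            body = seg[i + 1:close]
            if body[:1] in ("!", "^"):
                body = "^" + body[1:]  # negated range
            out.append(f"[{body}]")
            i = close + 1
        else:
            out.append({"*": ".*", "?": "."}.get(ch, re.escape(ch)))
            i += 1
    return "".join(out)


def _match_segments(pat: List[str], path: List[str]) -> bool:
    if not pat:
        return not path
    head = pat[0]
    if head == "**":  # globstar: zero or more directories, never dot-directories
        if _match_segments(pat[1:], path):
            return True
        return bool(path) and not path[0].startswith(".") and _match_segments(pat, path[1:])
    if not path:
        return False
    if path[0].startswith(".") and not head.startswith("."):
        return False  # leading-dot rule from the page
    if re.fullmatch(_segment_regex(head), path[0]) is None:
        return False
    return _match_segments(pat[1:], path[1:])


def glob_match(pattern: str, path: str) -> bool:
    """True if `path` (relative to the repository root) matches `pattern`."""
    return _match_segments(pattern.split("/"), path.split("/"))


def scan_targets(config: dict, files: List[str]) -> Dict[str, List[str]]:
    """Apply a config.json-style `frameworks` object to a file listing."""
    return {
        name: [f for f in files if glob_match(fw["templateFilesPattern"], f)]
        for name, fw in config.get("frameworks", {}).items()
    }


DEFAULT_CONFIG = {  # the defaults shown on the page
    "frameworks": {
        "terraform": {"templateFilesPattern": "**/*.tf"},
        "cloudformation": {"templateFilesPattern": "*(cloudformation|template|CloudFormation|Cloudformation|cloudFormation).*(yml|yaml|json)"},
    }
}
OVERRIDE_CONFIG = {  # hypothetical .template-security/config.json that also reaches subdirectories
    "frameworks": {
        "terraform": {"templateFilesPattern": "modules/**/*(*.tf|*.tfvars)"},
        "cloudformation": {"templateFilesPattern": "**/*(cloudformation|template).@(yml|yaml|json)"},
    }
}
SAMPLE_FILES = [  # constructed repository listing, not from the page
    "main.tf", "modules/vpc/main.tf", "envs/prod.tfvars", ".terraform/modules/x.tf",
    "template.yml", "cloudformation-template.json", "infra/template.json", "README.md",
]

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("override", OVERRIDE_CONFIG)):
        print(label, scan_targets(cfg, SAMPLE_FILES))
```

Two things the listing makes visible: the default CloudFormation pattern has no `**/` prefix and its `*( )` group admits only the listed words, so `infra/template.json` and `cloudformation-template.json` are not selected, while `.terraform/modules/x.tf` is skipped by the leading-dot rule, which is normally what you want for vendored modules.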
Trigger a scan
To trigger a scan, create a pull request in GitHub for the repository where you installed Trend Cloud One - GitHub App.
You should now see the status of the scan at the bottom of your pull request in GitHub.