How to Start with Static Application Security Testing of Infrastructure as Code

Wondering how to get started with static application security testing (SAST)? Maybe this article will help you, presenting selected tools and examples of their integration into the CI/CD pipeline in IaC (Infrastructure as Code).

25 Oct 2024 Matěj Smyčka DevOps

No description

Infrastructure as Code (IaC) is a software engineering practice that allows us to manage and provision infrastructure using code. SAST plays a critical role in ensuring the security of IaC artifacts. In this text, we introduce helpful tools for scanning IaC artifacts and provide examples on how to integrate them into your CI/CD pipeline.

General

We recommend using the build-in templates for SAST IaC from gitlab, it's the best way to get started and an ideal baseline, for more advanced use follow this guide. Example of a gitlab pipeline with SAST IaC:

---
include:
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/SAST-IaC.gitlab-ci.yml

stages:
test

All languages mentioned in this cheatsheet are supported by GitLab's SAST IaC templates.

Pipeline is using kick tool under the hood, which is a universal SAST tool that supports multiple languages, while sacrifising some precision for the sake of variety. That is why using more specialized tools for specific languages is preferable.

Note: IaC scanning supports a variety of IaC configuration files. When any supported configuration files are detected in a project, they are scanned by using KICS. Projects with a mix of IaC configuration files are supported.

Docker

When we were analyzing the tools, we found that the tools found bugs that, despite the label critical or high, did not have such an impact to deserve such a rating. So we recommend choosing the tool based on the type of project you are working on.

Recommended tools:

I would recommend using grype and hadolint in combination, as they complement each other well.

Kubernetes

Kubernetes, or k8s, can have various forms of configuration, typically k8s manifest or helmcharts.

Recommended tools:

Ansible

A few tools specifically target this language. This is because Ansible is mainly used to set up and configure machines rather than being directly vulnerable itself. The focus is usually on checking what a script deploys or if any sensitive information, like tokens, is accidentally left in the script.

Other tools address these concerns, so our recommendation is to combine tools based on what you need to check. For example, if you need to check for sensitive information, use GitLeaks or TruffleHog.

Recommended tools:

CI/CD Pipelines

For examples, visit Our cheatsheet for CI/CD pipelines

You are running an old browser version. We recommend updating your browser to its latest version.

More info