# Wiz Buildkite Plugin

Scans your infrastructure-as-code CloudFormation stacks or docker images for security vulnerabilities using Wiz.

## Example

### Docker image scanning

Add the following to your `pipeline.yml`. The plugin will pull the image, scan it using Wiz and create a Buildkite annotation with the results.
```yml
steps:
  - command: ls
    # Buildkite step env is a map of NAME: value, not a list
    env:
      WIZ_API_ID: "<your-id-goes-here>"
    plugins:
      - blstrco/wiz#v1.0.0:
          scan-type: 'docker'
          image-address: "<image-address-to-pull-and-scan>"
```
If you are using the AWS Assume Role Plugin, you might have trouble fetching your secret key from AWS Secrets Manager if the role you assumed doesn't have the necessary access rights. To restore your original role, add the AWS Restore Role Buildkite Plugin before the wiz plugin:
```yml
...
plugins:
  - franklin-ross/aws-restore-role#HEAD
  - blstrco/wiz#v1.0.1:
...
```
### IaC scanning

To avoid adding build time overhead, you can add IaC scanning to your `cdk diff` step. You will need to mount/export the `cdk.out` folder and pass its path to the plugin. The plugin will then scan each CloudFormation stack in the folder and create a Buildkite annotation with the results.
```yml
steps:
  - command: ls
    env:
      WIZ_API_ID: "<your-id-goes-here>"
    plugins:
      - docker-compose#v4.16.0:
          ...
          # to get the output of cdk diff, mount the volume in the cdk diff stage
          volumes:
            - './infrastructure/cdk.out:/app/infrastructure/cdk.out'
          ...
      - blstrco/wiz#v1.0.1:
          scan-type: 'iac'
          path: "infrastructure/cdk.out"
```
## Configuration

### `scan-type`

The scan type can be either `docker` or `iac`.

### `image-address`

The address of the image to pull and scan, used when `scan-type` is `docker`.

### `path`

The path to the `cdk.out` folder containing the CloudFormation stack(s), used when `scan-type` is `iac`.
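As an added example (not the blstrco/wiz plugin's own code), here are the option checks a Buildkite plugin hook would run on the settings above, followed by a walk over a `cdk.out` folder that scans each synthesized stack template in turn. It assumes Buildkite's convention of exposing plugin options to hooks as `BUILDKITE_PLUGIN_WIZ_<OPTION>` environment variables and CDK's `<StackName>.template.json` naming inside `cdk.out`; `demo_scan`, the other helper names and the sample templates are constructed stand-ins, not the Wiz CLI.

```shell
#!/usr/bin/env bash
# Added example (not the blstrco/wiz plugin's own code): validating the plugin options
# and walking a cdk.out folder stack by stack, the way a plugin hook would.
# Buildkite passes plugin options to hooks as BUILDKITE_PLUGIN_<PLUGIN>_<OPTION>
# variables, so "scan-type" arrives as BUILDKITE_PLUGIN_WIZ_SCAN_TYPE (assumed convention).
# The scanner below is a placeholder; the real plugin would call the Wiz CLI instead.
set -u

# validate_config SCAN_TYPE IMAGE_ADDRESS PATH
# Prints the scan target on success. On a bad combination it says which option is
# missing, which is the failure a forgotten image-address or an unmounted cdk.out produces.
validate_config() {
  local scan_type="$1" image_address="$2" iac_path="$3"
  case "$scan_type" in
    docker)
      if [ -z "$image_address" ]; then
        echo "wiz plugin: 'image-address' is required when scan-type is 'docker'" >&2
        return 1
      fi
      echo "$image_address"
      ;;
    iac)
      if [ -z "$iac_path" ]; then
        echo "wiz plugin: 'path' is required when scan-type is 'iac'" >&2
        return 1
      fi
      if [ ! -d "$iac_path" ]; then
        echo "wiz plugin: '$iac_path' is not a directory; is cdk.out mounted into this step?" >&2
        return 1
      fi
      echo "$iac_path"
      ;;
    *)
      echo "wiz plugin: scan-type must be 'docker' or 'iac', got '$scan_type'" >&2
      return 1
      ;;
  esac
}

# The same check driven by the Buildkite plugin environment variables (assumed names).
validate_config_from_env() {
  validate_config "${BUILDKITE_PLUGIN_WIZ_SCAN_TYPE:-}" \
                  "${BUILDKITE_PLUGIN_WIZ_IMAGE_ADDRESS:-}" \
                  "${BUILDKITE_PLUGIN_WIZ_PATH:-}"
}

# CDK synthesizes every stack to <StackName>.template.json inside cdk.out; the other
# files there (manifest.json, tree.json, asset folders) are not templates and are skipped.
list_stack_templates() {
  local f
  for f in "$1"/*.template.json; do
    if [ -f "$f" ]; then echo "$f"; fi
  done
}

count_stack_templates() {
  list_stack_templates "$1" | wc -l | tr -d '[:space:]'
}

# scan_all_stacks CDK_OUT_DIR SCAN_FN
# Runs SCAN_FN (a shell function taking a template path) on every stack and keeps going
# after a failure, so one finding does not hide the other stacks' results. Prints the
# number of failing stacks on stdout and returns non-zero if there were any.
scan_all_stacks() {
  local dir="$1" scan_fn="$2" failures=0 template
  for template in "$dir"/*.template.json; do
    [ -f "$template" ] || continue
    "$scan_fn" "$template" || failures=$((failures + 1))
  done
  echo "$failures"
  [ "$failures" -eq 0 ]
}

# Placeholder scanner standing in for the Wiz CLI: flags a template whose policy
# statement grants access to Principal "*", a common CloudFormation misconfiguration.
demo_scan() {
  if grep -q '"Principal": *"\*"' "$1"; then
    echo "FAIL $(basename "$1"): policy statement allows Principal \"*\"" >&2
    return 1
  fi
  echo "PASS $(basename "$1")" >&2
}

# Constructed cdk.out folder with two stacks and a manifest, so this runs offline.
demo_cdk_out() {
  local dir
  dir="$(mktemp -d)"
  printf '{"Resources":{"Data":{"Type":"AWS::S3::Bucket"}}}\n' > "$dir/SafeStack.template.json"
  printf '{"Resources":{"Policy":{"Type":"AWS::S3::BucketPolicy","Properties":{"PolicyDocument":{"Statement":[{"Effect":"Allow","Principal":"*","Action":"s3:GetObject"}]}}}}}\n' > "$dir/OpenStack.template.json"
  printf '{"version":"1.0.0"}\n' > "$dir/manifest.json"
  echo "$dir"
}
```

Running `scan_all_stacks "$(demo_cdk_out)" demo_scan` reports one failing stack (`OpenStack`) and exits non-zero while still logging the passing one; counting failures rather than stopping at the first is what lets a single annotation summarize every stack in the folder.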
## Developing

To run the tests:

```shell
docker-compose run --rm tests
```
## Contributing

- Fork the repo
- Make the changes
- Run the tests
- Commit and push your changes
- Send a pull request