Pipeline scanner uses Cloud Conformity's Template Scanner to secure your CloudFormation templates before they're deployed.
- Have an Cloud One Conformity account. Sign up for free trial now if it's not already the case!
- A cloud formation template to be scan.
To use the script, specify the following required environment variables:
cc_apikey(Cloud One Conformity API KEY)cc_region(Cloud One Conformity account region)templatePath(Path of the template to be scanned)templatesDirPath(OPTIONAL. Location of the directory of templates to be scanned, (e.g., templates). This ignores the value of 'templatePath' if supplied.)maxExtreme | maxVeryHigh | maxHigh | maxMedium | maxLow(Choose one or more of the options and set a number of how many violations are accepted)cc_output_result(Either true or false, defaults to false. If set to true, it outputs the detected risks, instead of just the amount.)profileId(OPTIONAL. Provides a profile Id to be used by the scanner.)accountId(OPTIONAL. Provides an account Id to be used by the scanner.)
PS.: ALWAYS use secrets to expose your credentials!
Add an Action in your .github/workflow yml file to scan your cloud formation template with Cloud One Conformity.
name: My CI/CD Pipeline
on:
push:
branches:
- main
jobs:
CloudFormation-Scan:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Cloud One Conformity Pipeline Scanner
uses: raphabot/conformity-template-scanner-pipeline@version
env:
cc_apikey: ${{ secrets.apikey }}
maxExtreme: 0
maxVeryHigh: 1
maxHigh: 3
maxMedium: 5
maxLow: 10
cc_region: us-west-2
templatePath: template/infrastructure.yaml
templatesDirPath: templates # This is an example to scan all the templates inside the folder "templates"
cc_output_results: trueTo be able to scan your template using a Docker comtainer, follow the example below:
https://hub.docker.com/r/raphabot/conformity-template-scanner-pipeline
docker run -v /home/ec2-user/dynamotest.template:/app/dynamotest.template -e cc_apikey=$MYAPIKEY -e cc_region=$MYREGION -e maxExtreme=0 -e maxVeryHigh=0
-e maxHigh=0 -e maxMedium=0 -e maxLow=0 -e templatePath=infrastructure.yaml -cc_output_results=true felipecosta09/conformity-template-scanner-pipeline:latestPS.: To be able to scan a local template from a machine or inside a pipeline, the parameter "-v" is required in the docker run command, the example specifies a local file being copied to the container that will scan the Cloud Formation template /home/ec2-user/dynamotest.template:/app/dynamotest.template, where:
- /home/ec2-user/dynamotest.template - Represent the absolute path of the local Cloud Formation template file to be scanned;
- /app/dynamotest.template - The path where the file will be copied (ONLY CHANGE THE FILE NAME OF THE TEMPLATE);
To run the scanner in the Node CLI, just set the envinronment variables before execute the node script:
cc_apikey=$MYAPIKEY cc_region=$MYREGION maxExtreme=0 maxVeryHigh=0 maxHigh=0 maxMedium=0 maxLow=0 templatePath=infrastructure.yaml cc_output_results=true node scan.jsIf you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!
We ❤️ pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.
Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.