IaC Scan (GitLab Pipeline)

This guide demonstrates how to integrate Infrastructure as Code (IaC) security into a GitLab CI/CD pipeline using AccuKnox. We will implement automated checks to identify configuration vulnerabilities in your IaC templates and send the results to AccuKnox for thorough analysis and remediation. This approach ensures your infrastructure is resilient and aligns with security best practices, effectively minimizing deployment risks.

Pre-requisites

  • GitLab Access

  • AccuKnox Platform Access

Steps for Integration

Step 1: Log in to AccuKnox Navigate to Settings and select Tokens to create an AccuKnox token for forwarding scan results to SaaS. For details on generating tokens, refer to How to Create Tokens.

Step 2: Configure GitLab CI/CD Variables. For details on configuring variables, refer to How to Create CI/CD Variables in GitLab.

  1. ACCUKNOX_TOKEN: AccuKnox API token for authorization.

  2. ACCUKNOX_TENANT: Your AccuKnox tenant ID.

  3. ACCUKNOX_ENDPOINT: The AccuKnox API URL (e.g., cspm.demo.accuknox.com).

  4. ACCUKNOX_LABEL: The label for your scan.

Step 3: Set Up GitLab CI/CD Pipeline

Create a new pipeline in your GitLab project with the following YAML configuration:

include:
  - component: $CI_SERVER_FQDN/accu-knox/scan/iac-scan@1.0
    inputs:
      STAGE: test
      INPUT_DIRECTORY: "."
      INPUT_COMPACT: true
      INPUT_QUIET: true
      INPUT_SOFT_FAIL: false
      ACCUKNOX_TOKEN: ${ACCUKNOX_TOKEN}
      ACCUKNOX_TENANT: ${ACCUKNOX_TENANT}
      ACCUKNOX_ENDPOINT: ${ACCUKNOX_ENDPOINT}
      ACCUKNOX_LABEL: ${ACCUKNOX_LABEL}

Initial CI/CD Pipeline Without AccuKnox IaC Scan

Initially, the CI/CD pipeline does not include the AccuKnox IaC scan. When changes are pushed to the repository, no infrastructure security checks are performed, potentially allowing misconfigurations or vulnerabilities in the IaC code.

CI/CD Pipeline After AccuKnox IaC Scan Integration

Once the AccuKnox IaC scan is integrated into the CI/CD pipeline, every push triggers an IaC security scan. This scan identifies potential security vulnerabilities or misconfigurations in the infrastructure code, enhancing security before deployment. The findings are then sent to the AccuKnox platform.

image-20241122-041210.png

View Results in AccuKnox SaaS

Step 1: After the pipeline completes, navigate to the Accuknox SaaS dashboard.

Step 2: Go to Issues > Findings and select IaC Findings to see identified vulnerabilities.

image-20241122-041304.png

Step 3: Click on a vulnerability to view more details and follow the instructions in the Solutions tab.

image-20241122-041403.png

Step 4: For unresolved vulnerabilities, create a ticket in your issue tracking system.

image-20241122-041845.png

Step 5: After fixing the vulnerabilities, rerun the GitLab CI/CD pipeline and verify that the issues have been resolved in the AccuKnox dashboard.

Conclusion

By integrating Checkov for IaC scanning with AccuKnox in a GitLab CI/CD pipeline, you strengthen the security of your infrastructure code. This integration allows for early detection and remediation of misconfigurations and vulnerabilities in the development lifecycle, ensuring a more secure deployment environment.