Secure Infrastructure-as-Code

In the current continuous integration and continuous deployment (CICD) environment, the scans are conducted on cloud resources after deployment. As a result, you secure the cloud resources post-deployment. With the arrival of the IaC scan, you can now secure your code (IaC) before it gets deployed in the cloud environment. 
The Qualys TotalCloud IaC Security feature will help shift security and compliance posture of cloud security to the left, allowing evaluation of cloud resource misconfigurations even before actual deployment. Using this feature, cloud infrastructure teams can prevent misconfigurations before they happen.

Launch an IaC Scan

The first step towards IaC security is triggering an IaC scan. In the current scenario, the scans are executed after the cloud resources are deployed in the cloud environment. As a result, misconfigurations are remediated post-deployment. However, using this feature, you can trigger the scan on IaC (configuration file) before the cloud resources are deployed in the environment. 

Once you trigger the scan, TotalCloud evaluates the configuration file (IaC) against pre-defined controls. 
IaC scanning works by uploading the template file or zip containing multiple files to TotalCloud, either via our CLI or API. The template is processed, and the response returns a scan ID. The returned scan ID can then fetch the scan report, which provides the evaluation results, giving you a clear picture of the misconfigurations (if any) that need to be fixed to secure your code before the actual deployment.

You can scan the templates either through CLI commands or using APIs:
Scanning Template Files Using CLI
Scanning Template Files Using API

Template SupportTemplate Support

This Qualys IaC Security version supports the following template files:


- AWS, Azure, and GCP Terraform Templates: The .tf template files - IaC Security scan supports over 100 terraform resource types.


- AWS, Azure, and GCP Terraform Plan: The .json plan files - To scan the plan files, you need to make those files available in JSON format. Refer https://www.terraform.io/docs/internals/json-format.html  


- AWS Cloudformation Template: We support the file types:.json, .yaml, .yml, .template


- Compressed Template File Formats: We are supporting the following compressed template file format: .zip, .7z, .tar, .tar.gz, .gz

Pre-requisites

Users with a non-expired Full/Free version of TotalCloud subscription that has API access enabled.

The following users with required permissions can access IaC:
-  A user with Manager access 
-  A sub-user with the TOTALCLOUD API Access 

Scanning Template Files Using CLI

Qualys provides an IaC scanning CLI, which can be installed on any machine having python3. Qualys IaC Security CLI is based on the Python PIP Platform.


Before you proceed with installation, we recommend you create a Python virtual environment so that other Python projects are not hampered.


We can create a python3 virtual environment using the below commands:

- MAC/Unix: python3 -m pip install --user virtualenv

- Windows: py -m pip install --user virtualenv


Click here for more information and detailed steps. 

Install Qualys IaC Security CLI

Use the following command to install the Qualys IaC through command line interface (CLI).

pip install Qualys-IaC-Security

Once Qualys IaC Security is installed, you may verify the installation by running the following commands.

$ qiac -v  / --version
Version: <installed version>

$ qiac -h  / --help
Usage: Show this message and exit.

List of CommandList of Commands

Common Option Description

-c, --config_file

(Optional) Path of the credentials config file set using "config" command

-a, --platform_url 

Qualys Platform URL

-u, --user

Qualys username

-p, --password

Qualys password

-m, --format

Provides the output in JSON format. [json]

-x, --proxy

Provide proxy in JSON format

For example,. {\"http\":\"http: // : @ : \",\"https\":\"https:// : \"}

-h, --help 

Show this message and exit

Scan Description

 -n, --scan name 

 (required) Name of the scan

 -pn, --policy_name

 Cloud security assessment (CSA) policy name [Execution type: Build time] 

 -d, --path 

 (required) Single template file or a directory path 

 -f, --filter 

 Use regular expression to filter to and include the input files.
Example: ".*[.]tf$"
Note: This option must used only when directory path is specified in the path option

 -as, --async

 Launches/Triggers the laC scan asynchronously

 -q, --quiet 

 Show only failed checks

-g, --tag 

 Add the tag (in JSON format) to the scan. 

For example, [{"env":"linux"},{"test_key":"tags"}]

-s, --save_output

 (optional) Save the output in the current directory 

Get Result     
Description

-i, --scan_id  

 Scan ID

-s, --save_output

 (optional) Save the output in the current directory 

List Scans Description

-i, --scan_id

Scan ID

Config    
Description

-a, --platform_url

(required) Qualys Platform URL

-u, --user  

(required) Qualys username

-p, --password  

(required) Qualys password

-c, --config_file

(optional) File path to store the configuration

Below are some of the common scenarios for command usage. Usage of parameters varies based on use cases.

Configure IaC CLI (optional command)

The command configures the user's credentials. This command is optional and should be used only when a user wants to store Qualys credentials in a flat file for subsequent uses. Once this file is correctly configured, the user need not provide the Qualys platform URL, username, and password details for every CLI command. The authentication details are picked from the configuration file.
The following command collects Qualys credentials and stores it at the home directory (.qiac.yaml).

qiac config  -a <Qualys Platform URL> -u <username> -p <password>

The parameters: Qualys Platform URL, username, and password are mandatory for this command.

config_file: name or path of the config file

where,
name: if the name is provided, a config file with the specified name is created.

path: if the path is provided, then the config file is created at the specified path with the default name. The default name is .qiac.yaml.

This command saves the config file on the user's home directory with the name .qiac.yaml. If a user doesn't want to save the config file in the home directory, the user can use the config_file option to provide the config file path. The config_file option saves the file at the specified path.

A user can use the config file using the below ways:
- Use Config file from home directory: 

qiac <commands|params>

- User Config file from custom directory:

qiac <commands|params> -c <location of config file>

where, the commands could be scan, getresults, listscans.

If the user does not provide credentials in command options, CLI checks for the config file in the current directory. If the config file is not in the current directory, CLI checks the user's home directory.

Trigger Scan (add -d)Trigger Scan (add -d)

The command uploads scan artifacts (-d) to Qualys platform, generate scan Id and return as an output. You may/may not want to add password parameter in CLI.

-     With password (add -p)

qiac scan -a <Qualys Platform URL> -u <username> -p <password> -n <scan name> -d <path or single file>

- Without password (remove -p)

qiac scan -a <Qualys Platform URL> -u <username> -n <scan name> -d <path or single file> 

- With config file option (add -d: single file option)

qiac scan -n <scan name> -c <Path of the config file> -d <path or single file>
- With config file option (add -d: multiple file option)

qiac scan -n <name of the scan> -c < Path of the config file >  -d <path1 to a file or directory> -d <path2 to a file or directory> -d <path3 to a file or directory>

- With save output option (-s)

qiac scan -n <scan name> -c <Path of the config file> -d <path or single file> -m <file format:JSON> -s 

 Ensure that you always use the file format option (-m JSON) along with -s option. The option -s saves the scan output in the current directory in JSON format. The file name is as follows:
scan_response_<scanId>.json
- With policy name option (-pn) 
qiac scan -a <Qualys Platform URL> -u <username> -p <password> -n <scan name> -d <path or single file> -pn <policy name>

 The policy name should be entered in single quotes for Linux users and in double quotes for Windows users. The policy name must match with existing policies in TotalCloud.

Get the scan resultsGet the scan results

The command returns IaC scan result for the provided scan id (-i) in a default tabular format.

qiac getresult -a <Qualys Platform URL> -u -p -i   

with config file option

qiac getresult -c <Path of the config file> -c <Path of the config file>

Get the whole scan listGet the whole scan list

The command returns list of all the IaC scans.

qiac listscans -a <Qualys Platform URL> -u <username> -p <password> 

with config file option

qiac listscans -c <Path of the config file>

Get the scan list of single Scan IDGet the scan list of single Scan ID

The command returns single IaC scan as per the scan Id you provide.

qiac listscans -a <Qualys Platform URL> -u <username> -p <password> -i <scan id>

with config file option

qiac listscans -c <Path of the config file> -i <scan id>

Understanding Scan Output

In the command line interface (CLI), the output is defaulted to tabular display. CLI can output JSON response with additional input parameter for format.
For details on elements in JSON output format, refer to Secure IaC section in TotalCloud API User Guide.

IaC Integrations


TotalCloud IaC Scans are available as plugins for your CI/CD tools. Identify misconfigurations during development with just one click. You can read about the individual integrations and how to run them from the below resources.
IaC for Jenkins
IaC for GitLab 
IaC for GitHub
IaC for Bamboo
IaC for Bitbucket

Scanning Template Files Using API

Qualys has introduced a new API to launch the IaC scan and fetch the scan results and scan lists.


1) Trigger IaC Scan (POST)
2) Get Scan Results (GET)
3) Get List of Scans (GET)


For complete details, refer to Secure IaC section in the TotalCloud API User Guide.