Secure Infrastructure-as-Code (IaC)
In a conventional continuous integration and continuous deployment (CI/CD) pipeline, scans run against cloud resources only after they are deployed, so the resources are secured post-deployment. With the IaC scan, you can now secure the code itself (the IaC) before it is deployed to the cloud environment.
The Qualys IaC Security feature will help shift security and compliance posture of cloud security to the left, allowing evaluation of cloud resource misconfigurations even before actual deployment. Using this feature, cloud infrastructure teams can prevent misconfigurations before they happen.
Launch an IaC Scan
The first step towards IaC security is triggering an IaC scan. In the current scenario, the scans are executed after the cloud resources are deployed in the cloud environment. As a result, misconfigurations are remediated post-deployment. However, using this feature, you can trigger a scan of the IaC (configuration file) before cloud resources are deployed in the environment.
Once you trigger the scan, TotalCloud evaluates the configuration file (IaC) against pre-defined controls.
IaC scanning works by uploading the template file or a zip containing multiple files to TotalCloud via our CLI or API. The template is processed, and the response returns a scan ID. The returned scan ID can then fetch the scan report, which provides the evaluation results, giving you a clear picture of the misconfigurations (if any) that must be fixed to secure your code before the deployment.
You can scan the templates either through CLI commands or using APIs:
Scanning Template Files Using CLI
Scanning Template Files Using API
Template Support
This Qualys IaC Security version supports the following template files:
- AWS, Azure, and GCP Terraform Templates: The .tf template files. IaC Security scan supports over 100 Terraform resource types.
- AWS, Azure, and GCP Terraform Plan: The .json plan files. Plan files must be exported in JSON format before they can be scanned; refer to https://www.terraform.io/docs/internals/json-format.html
- AWS Cloudformation Template: We support the following template file types: json, yaml, yml
- Compressed Template File Formats: We support the following compressed template file formats: .zip, .7z, .tar, .tar.gz, .gz
Pre-requisites
Users with a non-expired Full/Free version of TotalCloud subscription that has API access enabled.
The following users with required permissions can access IaC:
- A user with Manager access
- A sub-user with the TOTALCLOUD API Access
Scanning Template Files Using CLI
Qualys provides an IaC scanning CLI that can be installed on any machine with python3 installed. The Qualys IaC Security CLI is distributed as a Python package installed through pip.
Before you proceed with the installation, we recommend creating a Python virtual environment so that other Python projects are not affected.
Install the virtualenv package for python3 (the first step towards creating a virtual environment) with the command for your platform:
- MAC/Unix:
  python3 -m pip install --user virtualenv
- Windows:
  py -m pip install --user virtualenv
Install Qualys IaC Security CLI
Use the following command to install Qualys IaC via the command-line interface (CLI).
pip install Qualys-IaC-Security
Once Qualys IaC Security is installed, you may verify the installation by running the following commands.
$ qiac -v / --version
Version: <installed version>
$ qiac -h / --help
Usage: Show this message and exit.
List of Commands
| Common Options | Description |
|---|---|
| -at, --auth_type | Authentication type |
| -c, --config_file | (Optional) Path of the credentials config file set using the "config" command. |
| -a, --platform_url | Qualys Platform URL |
| -u, --user | Qualys username / Qualys Client ID |
| -p, --password | Qualys password / Qualys Client Secret |
| -m, --format | Provides the output in JSON format. [json] |
| -x, --proxy | Provide the proxy in JSON format. For example: {\"http\":\"http: // : @ : \",\"https\":\"https:// : \"} |
| -h, --help | Show this message and exit |
| Scan | Description |
|---|---|
| -n, --scan name | (required) Name of the scan. |
| -pn, --policy_name | Cloud security assessment (CSA) policy name [Execution type: Build time]. |
| -d, --path | (required) Single template file or a directory path. |
| -f, --filter | Regular expression used to filter and include the input files. Example: ".*[.]tf$" Note: This option must be used only when a directory path is specified in the path option. |
| -as, --async | Launches/triggers the IaC scan asynchronously. |
| -q, --quiet | Show only failed checks. |
| -g, --tag | Add the tag (in JSON format) to the scan. For example, [{"env":"linux"},{"test_key":"tags"}] |
| -s, --save_output | (optional) Save the output in the current directory. |
| Get Result | Description |
|---|---|
| -i, --scan_id | Scan ID |
| -s, --save_output | (optional) Save the output in the current directory. |

| List Scans | Description |
|---|---|
| -i, --scan_id | Scan ID |

| Config | Description |
|---|---|
| -at, --auth_type | (required) Authentication type |
| -a, --platform_url | (required) Qualys Platform URL |
| -u, --user | (required) Qualys username / Qualys Client ID |
| -p, --password | (required) Qualys password / Qualys Client Secret |
| -c, --config_file | (optional) File path to store the configuration. |
Below are some of the common scenarios for command usage. Parameter usage varies by use case.
Configure IaC CLI (optional command)
This command configures the user's credentials. It is optional and should be used only when a user wants to store Qualys credentials in a flat file for subsequent use. Once this file is correctly configured, the user need not provide the Qualys platform URL, username/Client ID and password/Client Secret for every CLI command. The authentication details are read from the configuration file.
The following command collects Qualys credentials and stores them in the home directory (.qiac.yaml).
- Basic auth:
  qiac config -a <Qualys Platform URL> -u <Qualys username> -p <Qualys password> -at basicauth
- OIDC auth:
  qiac config -a <Qualys Platform URL> -u <Qualys Client ID> -p <Qualys Client Secret> -at OIDC
The parameters: <Qualys Platform URL>, <Qualys username/Client ID>, and <Qualys password/Client Secret> are mandatory for this command.
The config_file option takes either a name or a path:
- name: if provided, a config file with the specified name is created.
- path: if provided, the config file is created at the specified path with the default name. The default name is .qiac.yaml.
This command saves the config file on the user's home directory with the name .qiac.yaml. If a user doesn't want to save the config file in the home directory, they can use the config_file option to specify the config file path. The config_file option saves the file at the specified path.
A user can use the config file using the following ways:
- Use the config file from the home directory:
  qiac <commands|params>
- Use a config file from a custom directory:
  qiac <commands|params> -c <location of config file>
where the commands could be scan, getresult, or listscans.
If the user does not provide credentials in the command options, the CLI checks for the config file in the current directory. If the config file is not in the current directory, CLI checks the user's home directory.
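The config file holds Qualys credentials in a flat file, so where it is found and who can read it matters. The following added example (not part of the Qualys CLI) implements the documented lookup order, an explicit -c path, then the current directory, then the home directory, and reports permission bits or a location that would expose the file; the directory layout and file contents are constructed for illustration.

```python
"""Resolve and audit the qiac credentials file (.qiac.yaml) as the CLI documents it."""
import stat
from pathlib import Path
from typing import Optional

CONFIG_NAME = ".qiac.yaml"  # default name written by `qiac config`


def resolve_config(cwd: Path, home: Path, explicit: Optional[Path] = None) -> Optional[Path]:
    """Return the config file the CLI would read, or None if there is none.

    Documented order: an explicit -c path wins; otherwise the current
    directory is checked first, then the user's home directory.
    """
    if explicit is not None:
        return explicit if explicit.is_file() else None
    for candidate in (cwd / CONFIG_NAME, home / CONFIG_NAME):
        if candidate.is_file():
            return candidate
    return None


def config_exposure(path: Path, home: Path) -> list[str]:
    """List ways a resolved credentials file is exposed.

    The flat file carries the Qualys password or client secret, so it should be
    owner-only and normally live in the home directory; a copy inside a project
    directory is picked up first and is easy to commit by accident.
    """
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group/others (mode {mode:04o})")
    if path.resolve().parent != home.resolve():
        findings.append(f"located outside the home directory: {path.parent}")
    return findings
```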
Trigger Scan (add -d)
The command uploads scan artifacts (-d) to the Qualys platform, generates a scan ID, and returns it as output. You may or may not want to add the password/client secret parameter in the CLI.
With password/client secret (add -p)
- Basic auth:
  qiac scan -a <Qualys Platform URL> -u <username> -p <password> -at basicauth -n <scan name> -d <path or single file>
- OIDC auth:
  qiac scan -a <Qualys Platform URL> -u <Qualys Client ID> -p <Qualys Client Secret> -at OIDC -n <scan name> -d <path or single file>
Without password (remove -p)
- Basic auth:
  qiac scan -a <Qualys Platform URL> -u <username> -at basicauth -n <scan name> -d <path or single file>
- OIDC auth:
  qiac scan -a <Qualys Platform URL> -u <Qualys Client ID> -at OIDC -n <scan name> -d <path or single file>
With config file option (add -d: single file option)
qiac scan -n <scan name> -c <Path of the config file> -d <path or single file>
Multiple file option (repeat -d for each file or directory)
- Basic auth:
  qiac scan -a <Qualys Platform> -u <your Qualys username> -n <name of the scan> -at basicauth -d <path1 to a file or directory> -d <path2 to a file or directory> -d <path3 to a file or directory>...
- OIDC auth:
  qiac scan -a <Qualys Platform> -u <your Qualys Client ID> -n <name of the scan> -at OIDC -d <path1 to a file or directory> -d <path2 to a file or directory> -d <path3 to a file or directory>...
With save output option (-s)
qiac scan -n <scan name> -c <Path of the config file> -d <path or single file> -m <file format:JSON> -s
Ensure that you always use the file format option (-m JSON) along with -s option. The -s option saves the scan output to the current directory in JSON format. The file name is as follows:
scan_response_<scanId>.json
With policy name option (-pn)
- Basic auth:
  qiac scan -a <Qualys Platform URL> -u <username> -p <password> -at basicauth -n <scan name> -d <path or single file> -pn <policy name>
- OIDC auth:
  qiac scan -a <Qualys Platform URL> -u <Qualys Client ID> -p <Qualys Client Secret> -at OIDC -n <scan name> -d <path or single file> -pn <policy name>
The policy name should be entered in single quotes for Linux users and in double quotes for Windows users. The policy name must match existing policies.
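When the scan is wired into a pipeline step, the option rules above (-d required, -f only with a directory path, -s always paired with -m json, credentials from -c or from -at/-a/-u) are easy to get wrong. The following added example, which is not part of the Qualys CLI, builds the `qiac scan` argument vector for subprocess use and rejects invalid combinations; the placeholder values are constructed.

```python
"""Build a `qiac scan` argv for a CI step, enforcing the documented option rules."""
from pathlib import Path
from typing import Optional, Sequence


def build_scan_argv(scan_name: str, paths: Sequence[str], *,
                    config_file: Optional[str] = None,
                    auth_type: Optional[str] = None,
                    platform_url: Optional[str] = None,
                    user: Optional[str] = None,
                    password: Optional[str] = None,
                    include_filter: Optional[str] = None,
                    policy_name: Optional[str] = None,
                    save_output: bool = False,
                    json_output: bool = False) -> list[str]:
    """Return an argv list for subprocess.run (no shell, so no quoting rules apply)."""
    if not paths:
        raise ValueError("-d is required: give at least one template file or directory")
    if save_output and not json_output:
        raise ValueError("-s must always be paired with -m json")
    if include_filter and not all(Path(p).is_dir() for p in paths):
        raise ValueError("-f is only valid when the -d value is a directory")
    argv = ["qiac", "scan", "-n", scan_name]
    if config_file:
        # Credentials come from the config file; nothing secret lands in argv.
        argv += ["-c", config_file]
    elif auth_type and platform_url and user:
        argv += ["-at", auth_type, "-a", platform_url, "-u", user]
        if password is not None:
            # -p is optional; when used, the secret is visible in process listings.
            argv += ["-p", password]
    else:
        raise ValueError("supply -c <config file> or -at/-a/-u")
    for p in paths:
        argv += ["-d", p]
    if include_filter:
        argv += ["-f", include_filter]
    if policy_name:
        argv += ["-pn", policy_name]  # one argv element, so no shell quotes needed
    if json_output:
        argv += ["-m", "json"]
    if save_output:
        argv += ["-s"]
    return argv


def saved_output_name(scan_id: str) -> str:
    """Name of the file that -s writes to the current directory."""
    return f"scan_response_{scan_id}.json"
```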
Get the scan results
The command returns the IaC scan result for the provided scan ID (-i), in tabular format by default.
- Basic auth:
  qiac getresult -a <Qualys Platform URL> -u <your Qualys username> -at basicauth -i <Scan Id>
- OIDC auth:
  qiac getresult -a <Qualys Platform URL> -u <Qualys Client ID> -at OIDC -i <Scan Id>
With the config file option
qiac getresult -c <Path of the config file> -i <Scan Id>
Get the whole scan list
The command returns a list of all the IaC scans.
- Basic auth:
  qiac listscans -a <Qualys Platform URL> -u <username> -p <password> -at basicauth
- OIDC auth:
  qiac listscans -a <Qualys Platform URL> -u <Qualys Client ID> -p <Qualys Client secret> -at OIDC
With the config file option
qiac listscans -c <Path of the config file>
Get the scan list of a single Scan ID
The command returns a single IaC scan as per the scan ID you provide.
- Basic auth:
  qiac listscans -a <Qualys Platform> -u <your Qualys username> -at basicauth -i <Scan Id>
- OIDC auth:
  qiac listscans -a <Qualys Platform> -u <your Qualys Client ID> -at OIDC -i <Scan Id>
With the config file option
qiac listscans -c <Path of the config file> -i <scan id>
Understanding Scan Output
In the command-line interface (CLI), the output defaults to a tabular display. Passing the format option (-m json) makes the CLI return a JSON response instead.
For details on elements in JSON output format, refer to the Secure IaC section in the API User Guide.
IaC Integrations
Scans are available as plugins for your CI/CD tools. Identify misconfigurations during development with just one click. You can read about the individual integrations and how to run them from the resources below.
Scanning Template Files Using API
Qualys has introduced a new API to launch the IaC scan and fetch the scan results and scan lists.
- Trigger IaC Scan (POST)
- Get Scan Results (GET)
- Get List of Scans (GET)
For complete details, refer to Secure IaC section in the API User Guide.