
Scan Your IaC Templates in CircleCI Pipelines Using Panoptica

Shay Ulmer
Monday, Mar 7th, 2022

When working with your Infrastructure as Code (IaC) files (whether those are Terraform files, Kubernetes manifests, Helm charts, or others), it is important to be able to scan them for possible security threats. Whether you are implementing a sophisticated GitOps mechanism, or just saving your IaC files and current state of your infrastructure in a centralized repository – it is important to continuously and seamlessly monitor your infrastructure changes for security threats that may be introduced while provisioning and changing your infrastructure.

To automate security analysis of your IaC templates, you can now use the new Panoptica IaC Orb inside the CircleCI platform. If you are an existing user of CircleCI, you are most probably familiar with the concept of Orbs. Simply put, an Orb is a reusable snippet of code that you can use by adding just one line to your pipeline config. Orbs can help you automate processes inside your pipelines and use third-party integration tools to further enrich your CI/CD process.

Designed for security and built for DevOps, the new Panoptica IaC Orb enables you to run security scans from within your existing CircleCI pipelines. If your repository contains IaC files, it is recommended that you integrate with the Panoptica cloud security platform to scan for potential security threats. In this blog post we will explore how to do so. 

Prerequisites 

  • A GitHub repository with existing IaC files
  • A CircleCI account (they have a free plan, check it out)
  • Existing Panoptica tenant (or use our free trial to create a tenant)
  • Panoptica API Key (explained below)

Setting up your CircleCI Pipeline for the Panoptica IaC Orb 

Using the new Orb is very simple. All it takes to start scanning your IaC files is to follow these three simple steps: 

1. At the beginning of your pipeline config file, add the following call to the new orb:

version: 2.1
orbs:
  lightspin-orb: lightspin-tech/lightspin@1.0.0

2. Use the declared orb in a job, in the “Jobs” section of the pipeline config file: 

jobs:
- lightspin-orb/lightspin_scan:
    friendly-name: $CIRCLE_BUILD_NUM'_circle_CI'
    path-to-scan: .
    tenant-id: LS_TENANT
    token: LS_TOKEN

 
Let’s take a minute to break down the variables defined in this job: 

  • friendly-name: Any value entered here will be the title of your new IaC scan in the Panoptica platform. In the example above, we are taking the unique build ID for the specific pipeline to be the name for the new scan.
  • path-to-scan: This is the relative path to your IaC files. When specifying the character ‘.’ we are referring to the current directory. Any IaC file that resides in the current root folder of the repository directory tree will be scanned.
  • tenant-id: This is the name of the environment variable that will hold the Panoptica tenant ID, not the ID itself. We will configure this environment variable in the next step. You can get this ID from your Panoptica platform URL (e.g. id-a5b125-v2).
  • token: This is the name of the environment variable that will hold the Panoptica API token, not the token itself. We will configure this environment variable in the next step.
    To get the token, follow these steps:
      1. From the Panoptica platform, click on the “Settings” icon and choose “Settings.”
      2. Choose the “API Keys” section, create a new API key and save it for the next step.

Note: path-to-scan, tenant-id, and token variables are not required since these have default values. 

3. Configure the environment variables for the CircleCI project. In the project settings, set the “LS_TENANT” and “LS_TOKEN” environment variables to your tenant ID and API token respectively.


You are now ready to run your pipeline! 
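A pre-flight check for steps 2 and 3, added here as an example and not part of the Panoptica orb or the original post: it verifies that tenant-id and token in the config hold environment variable names that are actually set, so an API token pasted into the repository is caught before the pipeline runs. The helper name check_orb_params and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the orb): lint a CircleCI
# config so that the tenant-id and token parameters name environment
# variables instead of carrying literal credentials.
# Findings report only the line and key; values are never echoed to the log.
check_orb_params() {
    awk -v q="'" '
        /^[ \t]*(tenant-id|token):/ {
            key = $1; sub(/:.*$/, "", key)
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)          # drop "key:"
            sub(/[ \t]+#.*$/, "", val)             # drop trailing comment
            sub(/[ \t]+$/, "", val)                # drop trailing blanks
            gsub("^[\"" q "]|[\"" q "]$", "", val) # drop surrounding quotes
            if (val == "") next                    # left at the orb default
            if (val !~ /^[A-Za-z_][A-Za-z0-9_]*$/) {
                printf "line %d: %s is not a variable name\n", NR, key
                bad = 1
            } else if (!(val in ENVIRON)) {
                printf "line %d: %s names a variable that is not set\n", NR, key
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: tenant-id is correct, token holds a pasted literal.
sample=$(mktemp)
cat > "$sample" <<'EOF'
jobs:
- lightspin-orb/lightspin_scan:
    path-to-scan: .
    tenant-id: LS_TENANT
    token: "constructed.not-a-real-token"
EOF

# LS_TENANT is set to a constructed value for the demonstration only.
( export LS_TENANT=id-constructed
  check_orb_params "$sample" ) || echo "config rejected"
rm -f "$sample"
```

The unset-variable branch also catches a pasted token that happens to look like a variable name, since no variable of that name will exist in the project settings.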

Viewing your IaC scan results in the Panoptica platform 

You can review the findings detected on each scan from the IaC tab in the Panoptica platform, sorted by their severity. 

In addition to information about the security risk, we highlight the specific resource or line of code that is the source of the problem. 


Conclusion

IaC is the new de facto way of managing cloud infrastructure at scale. With increasing workloads constantly being built and deployed on top of IaC templates, it is important to keep security at the forefront while working with IaC. By shifting security left to the earliest stages, developers can ensure that they keep their code secure from build to runtime, and likewise stay alert to any implications their code may have on existing services or code.

Panoptica’s multi-layer CNAPP solution enables any engineer to secure their code at any stage of their cloud journey, from build to runtime. Panoptica not only offers organizations the ability to shift security to the earliest stages of development but also provides them with the much-needed context around why particular security findings are more critical than others, and what impact they may have on the business if they are not remediated.
