conformity-template-scanner v1.0.4

Cloud Conformity Pipeline Scanner

Pipeline scanner uses Cloud Conformity's Template Scanner to secure your CloudFormation templates before they're deployed.

Requirements

• Have an Cloud One Conformity account. Sign up for free trial now if it's not already the case!
• A cloud formation template to be scan.

Usage

To use the script, specify the following required environment variables:

• cc_apikey (Cloud One Conformity API KEY)
• cc_region (Cloud One Conformity account region)
• templatePath (Path of the template to be scanned)

• maxExtreme | maxVeryHigh | maxHigh | maxMedium | maxLow (Choose one or more of the options and set a number of how many violations are accepted)

  PS.: ALWAYS use secrets to expose your credentials!

GitHub Actions Example

Add an Action in your .github/workflow yml file to scan your cloud formation template with Cloud One Conformity.

name: My CI/CD Pipeline

on: 
  push:
    branches: 
      - master
      
jobs:      
    CloudFormation-Scan:
       runs-on: ubuntu-latest
       steps:
          - name: Cloud One Conformity Pipeline Scanner
            uses: raphabot/conformity-template-scanner-pipeline@version
            env:
              cc_apikey: ${{ secrets.apikey }}
              maxExtreme: 0
              maxVeryHigh: 1
              maxHigh: 3
              maxMedium: 5
              maxLow: 10
              cc_region: us-west-2
              templatePath: template/infrastructure.yaml

Docker Container Example

To be able to scan your template using a Docker comtainer, follow the example below:

https://hub.docker.com/r/raphabot/conformity-template-scanner-pipeline

docker run -v /home/ec2-user/dynamotest.template:/app/dynamotest.template -e cc_apikey=$MYAPIKEY -e cc_region=$MYREGION -e maxExtreme=0 -e maxVeryHigh=0
-e maxHigh=0 -e maxMedium=0 -e maxLow=0 -e templatePath=infrastructure.yaml felipecosta09/conformity-template-scanner-pipeline:latest

PS.: To be able to scan a local template from a machine or inside a pipeline, the parameter "-v" is required in the docker run command, the example specifies a local file being copied to the container that will scan the Cloud Formation template /home/ec2-user/dynamotest.template:/app/dynamotest.template, where:

• /home/ec2-user/dynamotest.template - Represent the absolute path of the local Cloud Formation template file to be scanned;
• /app/dynamotest.template - The path where the file will be copied (ONLY CHANGE THE FILE NAME OF THE TEMPLATE);

Node CLI Example

To run the scanner in the Node CLI, just set the envinronment variables before execute the node script:

cc_apikey=$MYAPIKEY cc_region=$MYREGION maxExtreme=0 maxVeryHigh=0 maxHigh=0 maxMedium=0 maxLow=0 templatePath=infrastructure.yaml node scan.js

Contributing

If you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!

We :heart: pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.

Support

Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.