microsoft/security-devops-action

Terrascan: How to config IacType and IacVersion in terrascan gdnconfig

ktran1005 opened this issue · 1 comments

Hi everyone, I am trying to use the MicrosoftDevOps task in Azure DevOps with Terrascan and only want to scan with k8s, helm and dockerfile. I have tried the following ways with env variables, but all gave me errors. Does anyone know how we can specify a certain IAC type in terrascan?

    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'BinSkim, terrascan'
        break: true
      env:
        GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
        GDN_BINSKIM_RECURSE: 'true'
        GDN_BINSKIM_VERBOSE: 'true'
        GDN_TERRASCAN_IACTYPE: 'k8s, helm, docker'
        GDN_TERRASCAN_IACVERSION: 'v1, v3, v1' 
        GDN_TERRASCAN_LOGLEVEL: 'error'
        GDN_TERRASCAN_POLICYTYPE: 'azure'
        GDN_TERRASCAN_VERBOSE: 'true'
        GDN_TERRASCAN_SHOWPASSED: 'true'
        GDN_TERRASCAN_OUTPUTTYPE: 'human'
    - task: MicrosoftSecurityDevOps@1
      displayName: 'Microsoft Security DevOps'
      inputs:
        tools: 'BinSkim, terrascan'
        break: true
      env:
        GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
        GDN_BINSKIM_RECURSE: 'true'
        GDN_BINSKIM_VERBOSE: 'true'
        GDN_TERRASCAN_IACTYPE: 'k8s, helm, docker'
        GDN_TERRASCAN_IACVERSION: 'k8s: v1, helm: v3, docker: v1' 
        GDN_TERRASCAN_LOGLEVEL: 'error'
        GDN_TERRASCAN_POLICYTYPE: 'azure'
        GDN_TERRASCAN_VERBOSE: 'true'
        GDN_TERRASCAN_SHOWPASSED: 'true'
        GDN_TERRASCAN_OUTPUTTYPE: 'human'

It works fine when I choose only one IAC_TYPE and pass in the corresponding version. However, when I try with more than one IAC type and IAC version, it gives me an error like this:
[error screenshots not preserved]

According to the Terrascan CLI Options documentation at https://runterrascan.io/docs/usage/command_line_mode/#terrascan-commands, the scan command/functionality supports flags to configure the following:

  • Specify a directory to be scanned
  • Specify a particular IaC file to be scanned
  • Configure IaC provider type
  • Directory path to policies
  • Specify policy type
  • Retrieve vulnerability scanning results from docker images referenced in IaC

The MicrosoftSecurityDevOps@1 task runs the Terrascan tool CLI for the scan command. As Terrascan does not support scanning multiple IAC types in a single run, you can use the MicrosoftSecurityDevOps@1 task to run Terrascan multiple times with each time just for one IAC type (and the corresponding version).
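The following pipeline fragment is an added example of the approach described in the reply above; it is not taken from the issue or from the security-devops-action project. It invokes `MicrosoftSecurityDevOps@1` once per IaC type, so each Terrascan run receives exactly one `GDN_TERRASCAN_IACTYPE` / `GDN_TERRASCAN_IACVERSION` pair. The variable names and the `k8s`/`helm`/`docker` types with versions `v1`/`v3`/`v1` are the ones the issue author used; the `displayName` values and the decision to attach BinSkim only to the first step are my own choices.

```yaml
# Added example (not from the issue or the project): one Terrascan scan per
# IaC type. Each step runs Terrascan with a single type/version pair, which
# is the configuration the issue author reported as working.
steps:
  # First step also carries the BinSkim scan from the original pipeline so
  # that binaries are scanned once rather than three times.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps - BinSkim + Terrascan (k8s)'
    inputs:
      tools: 'BinSkim, terrascan'
      break: true
    env:
      GDN_BINSKIM_TARGET: '$(Build.ArtifactStagingDirectory)/binskim/**/${{ parameters.binskimPath }}'
      GDN_BINSKIM_RECURSE: 'true'
      GDN_TERRASCAN_IACTYPE: 'k8s'          # Kubernetes manifests only
      GDN_TERRASCAN_IACVERSION: 'v1'
      GDN_TERRASCAN_POLICYTYPE: 'azure'
      GDN_TERRASCAN_LOGLEVEL: 'error'
      GDN_TERRASCAN_OUTPUTTYPE: 'human'

  # Second step: Helm charts only.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps - Terrascan (helm)'
    inputs:
      tools: 'terrascan'
      break: true
    env:
      GDN_TERRASCAN_IACTYPE: 'helm'
      GDN_TERRASCAN_IACVERSION: 'v3'
      GDN_TERRASCAN_POLICYTYPE: 'azure'
      GDN_TERRASCAN_LOGLEVEL: 'error'
      GDN_TERRASCAN_OUTPUTTYPE: 'human'

  # Third step: Dockerfiles only.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps - Terrascan (docker)'
    inputs:
      tools: 'terrascan'
      break: true
    env:
      GDN_TERRASCAN_IACTYPE: 'docker'
      GDN_TERRASCAN_IACVERSION: 'v1'
      GDN_TERRASCAN_POLICYTYPE: 'azure'
      GDN_TERRASCAN_LOGLEVEL: 'error'
      GDN_TERRASCAN_OUTPUTTYPE: 'human'
```

Keeping `break: true` on every step, as in the original configuration, means a finding in the first Terrascan run can stop the pipeline before the later IaC types are scanned; whether that is desirable depends on whether you want fail-fast behaviour or a complete picture of all three scan results in one run.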