SonarCloud can scan Terraform and CloudFormation files + cfn-lint support

Hello Terraform, CloudFormation developers,

IaC Engine

Today, we are happy to announce that SonarCloud can start helping you deploy safer infrastructures.
This is just the beginning of the journey with the first set of 10 rules targeting mainly AWS S3 buckets.

Security Hotspot Detections:

  • Allowing public ACLs or policies on an S3 bucket is security-sensitive
  • Authorizing HTTP communications with S3 buckets is security-sensitive
  • Disabling S3 server access logging is security-sensitive
  • Disabling server-side encryption of S3 buckets is security-sensitive
  • Granting access to S3 buckets to all or authenticated users is security-sensitive
  • Having policies granting anonymous access to S3 buckets is security-sensitive
  • Unversioned or suspended versioned S3 bucket is security-sensitive

Code Smell Detections:

  • “Log Groups” should be configured with a retention policy
  • “Log Groups” should be declared explicitly
  • AWS tag keys should comply with a naming convention

In order to enable this feature, you need to turn on the corresponding property in the Administration section of your project and run your scan again. Here is the property for CloudFormation (the same exists for Terraform):

AWS CloudFormation Linter Support

In addition to these rules, you can also load your cfn-lint issues into SonarCloud (JSON format) using this property:

sonar.cloudformation.cfn-lint.reportPaths

More than ever, because this is the first release of our IaC Engine, we are waiting for your feedback.

Thanks
Alex

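As an added example (not from the original post or from the SonarSource project), here is a Terraform configuration for one S3 bucket that addresses each of the seven Security Hotspot rules listed above. It assumes the AWS provider 4.x layout where each bucket setting is its own resource; the bucket names are constructed placeholders.

```hcl
# Assumes hashicorp/aws provider >= 4.0; bucket names are constructed placeholders.
resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket"
}
# A separate bucket receives the access logs (a bucket must not log to itself).
resource "aws_s3_bucket" "logs" {
  bucket = "example-access-logs"
}

# Rules on public ACLs/policies and on grants to all/authenticated users:
# block every public access path; no aws_s3_bucket_acl grants are declared.
resource "aws_s3_bucket_public_access_block" "data" {
  bucket                  = aws_s3_bucket.data.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Rule on disabled server-side encryption: encrypt every object by default.
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default { sse_algorithm = "aws:kms" }
  }
}

# Rule on unversioned or suspended buckets: keep versioning enabled.
resource "aws_s3_bucket_versioning" "data" {
  bucket = aws_s3_bucket.data.id
  versioning_configuration { status = "Enabled" }
}

# Rule on disabled server access logging: ship access logs to the log bucket.
resource "aws_s3_bucket_logging" "data" {
  bucket        = aws_s3_bucket.data.id
  target_bucket = aws_s3_bucket.logs.id
  target_prefix = "s3-access/"
}

# Rule on HTTP communications: deny any request that is not made over TLS.
resource "aws_s3_bucket_policy" "data" {
  bucket = aws_s3_bucket.data.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid = "DenyInsecureTransport", Effect = "Deny", Principal = "*", Action = "s3:*"
      Resource  = [aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
```

Removing any one of these resources (or setting `status = "Suspended"`) reproduces the condition the corresponding hotspot rule flags, which makes the file a handy fixture for checking that the IaC scan is enabled on a project.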

Does this feature support checking Terraform code against Azure?

@Raghu_Vamsi For the moment, the support of Terraform is limited to AWS and the 10 rules I mentioned. Definitely we want to add more rules for AWS and then start to look at Azure and GCP.

Hi,

Can this plugin be installed in SonarQube Community as well?

Do you have a link to the plugin?

Best regards

Hello,

The IaC Analyzer is not compatible yet with SonarQube, but it’s part of the 9.x roadmap to bring such features to SonarQube users.

Alex
