SonarCloud can scan Terraform and CloudFormation files + cfn-lint support

Hello Terraform, CloudFormation developers,

IaC Engine

Today, we are happy to announce that SonarCloud can start helping you deploy safer infrastructure.
This is just the beginning of the journey, with a first set of 10 rules mainly targeting AWS S3 buckets.

Security Hotspot Detections:

  • Allowing public ACLs or policies on an S3 bucket is security-sensitive
  • Authorizing HTTP communications with S3 buckets is security-sensitive
  • Disabling S3 server access logging is security-sensitive
  • Disabling server-side encryption of S3 buckets is security-sensitive
  • Granting access to S3 buckets to all or authenticated users is security-sensitive
  • Having policies granting anonymous access to S3 buckets is security-sensitive
  • Unversioned or suspended versioned S3 bucket is security-sensitive

Code Smell Detections:

  • “Log Groups” should be configured with a retention policy
  • “Log Groups” should be declared explicitly
  • AWS tag keys should comply with a naming convention

In order to enable this feature, you need to turn on the corresponding property in the Administration section of your project and run your scan again. Here is the property for CloudFormation (the same exists for Terraform):

AWS CloudFormation Linter Support

In addition to these rules, you can also load your cfn-lint issues into SonarCloud (JSON format) using this property:

sonar.cloudformation.cfn-lint.reportPaths

More than ever, because this is the first release of our IaC Engine, we are waiting for your feedback.

Thanks
Alex

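As an added illustration (this is not code from Alex's post or from SonarSource), the Terraform below shows a bucket that would raise most of the S3 hotspots listed above, followed by a hardened bucket that addresses each of them, plus a CloudWatch log group with an explicit retention policy for the code smell rules. It assumes the inline-block syntax of the hashicorp/aws provider 3.x; resource names, bucket names, the tag keys and the choice of KMS encryption are hypothetical.

```hcl
# Constructed example, assumes hashicorp/aws provider 3.x (inline S3 blocks).

# --- Weak bucket: one finding per missing or permissive setting -------------
resource "aws_s3_bucket" "weak" {
  bucket = "example-weak-bucket"   # hypothetical name
  acl    = "public-read"           # grants access to all users (public ACL)
  # no versioning block                 -> unversioned bucket
  # no server_side_encryption_configuration -> no server-side encryption
  # no logging block                    -> server access logging disabled
  # no policy denying plain HTTP        -> HTTP communication allowed
}

# --- Hardened bucket --------------------------------------------------------
resource "aws_s3_bucket" "logs" {
  bucket = "example-access-logs"   # hypothetical target for access logs
  acl    = "log-delivery-write"    # ACL required by S3 to deliver access logs

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

resource "aws_s3_bucket" "hardened" {
  bucket = "example-hardened-bucket" # hypothetical name
  acl    = "private"

  versioning {
    enabled = true                   # versioned, not suspended
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "aws:kms"    # SSE-KMS; AES256 also satisfies the rule
      }
    }
  }

  logging {
    target_bucket = aws_s3_bucket.logs.id
    target_prefix = "s3-access/"    # server access logging enabled
  }

  tags = {
    Environment = "prod"             # hypothetical tag keys, PascalCase
    Owner       = "platform-team"
  }
}

# Block public ACLs and public bucket policies at the bucket level.
resource "aws_s3_bucket_public_access_block" "hardened" {
  bucket                  = aws_s3_bucket.hardened.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Deny any request that does not arrive over TLS.
resource "aws_s3_bucket_policy" "hardened_tls_only" {
  bucket = aws_s3_bucket.hardened.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.hardened.arn,
        "${aws_s3_bucket.hardened.arn}/*",
      ]
      Condition = {
        Bool = { "aws:SecureTransport" = "false" }
      }
    }]
  })
}

# Explicitly declared log group with a retention policy (code smell rules).
resource "aws_cloudwatch_log_group" "app" {
  name              = "/example/app"  # hypothetical name
  retention_in_days = 90
}
```

The `Deny` on `aws:SecureTransport = false` is what turns the "HTTP communications" hotspot into a verified-safe configuration: without it, the bucket still accepts plaintext requests even though the SDKs default to HTTPS. Note that in provider 4.x the inline `acl`, `versioning`, `logging` and encryption blocks move to separate `aws_s3_bucket_*` resources, so the rules match on those instead.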

Does this feature support checking Terraform code against Azure?

@Raghu_Vamsi For the moment, Terraform support is limited to AWS and the 10 rules I mentioned. We definitely want to add more rules for AWS and then start looking at Azure and GCP.

Hi,

Can this plugin be installed in SonarQube Community as well?

Do you have a link to the plugin?

Best regards

Hello,

The IaC Analyzer is not yet compatible with SonarQube, but it's part of the 9.x roadmap to bring such features to SonarQube users.

Alex


Update: if everything goes well, the IaC Analyzer will be embedded with SonarQube Community Edition 9.2


Is it possible to add custom rules? I don’t see it listed in the 9.2 documentation at Adding Coding Rules | SonarQube Docs

It is not yet possible to add custom rules. Still, you can contribute to the project by suggesting rule ideas.

Hello @Raghu_Vamsi,

We are currently working on Terraform Code Scanning for Azure resources; our work will be released soon! :grinning:


Does this work when the Terraform main.tf is calling provider modules within the Terraform code? If not, is this on the roadmap, as Terraform modules are best practice for repetitive infrastructure?
