Terraform configuration scanning

We use Terraform from Hashicorp to deploy AWS services and resources.

Just like source code, it is vital to scan configuration files, especially cloud-centric ones, for things like secrets, etc.

Is there an existing plugin or one planned in near future for scanning Terraform configuration files?

Hi,

We’ve recently started work on this & should have something to report “soon”.

Ann

Please let us know the expected ETA for this feature for enterprise users.

I’ve got a question for you @mohitmehral and @ashish2_sapra2.

As a user of AWS, i.e. a user who deploys their software on the cloud, would it be an option to move to SonarCloud.io instead of using SonarQube to get the scan of your Terraform files?
Or is it mandatory for you to get this feature on SonarQube? In that case, why?

Hi @Alexandre_Gigleux, yes, we are already in the process of moving to sonarcloud.io. We are not going to be using SonarQube after a couple of months.

Hey,

Will this be able to report on the cost of the deployment through something like https://www.infracost.io/docs/integrations/cicd?

It would be really good to be able to create a quality gate to prevent a merge when the cost of the deployment exceeds a given threshold… This would be a great way to catch fat-finger typos and would stop you getting a huge EC2 bill at the end of the month.


This is available, but there are no docs. How do I use this? https://portal.productboard.com/sonarsource/1-sonarcloud/c/53-analyze-terraform-files

Is there a new scanner exe or something?

Hi @red_888,

This is a default part of analysis on SonarCloud and in recent versions of SonarQube. Just make sure your Terraform files are included in your sonar.sources directory and the rest should happen automatically.

HTH,
Ann

Which scanner do I use just the generic one?

Hi,

If this is just about Terraform files, then yes. If this is part of a Java or .NET project, then use the scanner related to your build system (and you may need some extra configuration in that case to get your Terraform files included in analysis).

HTH,
Ann
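As an added illustration of the advice above (a constructed example, not from the thread or from SonarSource's documentation), a minimal sonar-project.properties for a repository that contains only Terraform, where the project key and directory names are assumptions:

```properties
# Constructed example: standalone Terraform repository analysed with the generic sonar-scanner.
# Project key and name are placeholders; replace with your own.
sonar.projectKey=my-org_terraform-infra
sonar.projectName=Terraform infrastructure

# Terraform files are picked up automatically as long as they fall under sonar.sources.
# Here the whole repository root is the source directory.
sonar.sources=.

# Restrict analysis to Terraform sources so unrelated files do not add noise.
sonar.inclusions=**/*.tf

# Exclude modules and providers downloaded by `terraform init`; they are third-party
# code you do not maintain and would otherwise be reported as your own findings.
sonar.exclusions=**/.terraform/**
```

Run `sonar-scanner` from the repository root; for a Java or .NET project, the build-system scanner is used instead and the Terraform directory has to be brought into its source set, as the answer above notes.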
