Table of contents

Cloud One Github Template Scanner App

Currently in Preview

Location

https://github.com/apps/cloud-one-template-scanner-preview

The Cloud One Template Scanner enables you to run Trend Micro Cloud One™ – Template Scanner Rules in the infrastructure-as-code templates present in your git repositories. You can select repositories within your organization to be automatically scanned when code is pushed to Github.

We currently do not support the Github Enterprise organizations.

What is Cloud One Template Scanner app?

The Cloud One Template Scanner app is a Github application that can be installed in your Github Organization to enforce scanning infrastructure-as-code templates present in your git repositories.

Implementing Template Security scanning within Github is the earliest point in the software development lifecycle where compliance with security requirements can reasonably be enforced at a team/organisation level. Detecting security risks while developers are in the process of implementing changes in the code means not only flagging issues earlier, but also makes it easier to have the necessary context to apply the fixes.

How to install Cloud One Template Scanner app?

You can install the Cloud One Template Scanner from Github following this link.

  1. Click on Install.

  2. Choose if you want "All repositories" or "Only select repositories" to be scanned.

  3. Click on Install and you will be taken to Trend Micro Cloud One™ to link your account.

  4. Select the account you would like to link and click Go.

    Please make sure that your selected account belongs to the region us-1.

  5. Click Integrate Template Scanner.

  6. Success! You've now linked your account and finished the installation.

How to configure what gets scanned?

To configure the repository: 1. Create a directory called .template-security in the root of the repository to be scanned. 2. Add a config.json file in .template-security/ with your configurations. Example:


{
  "frameworks": {
    "terraform": { "templateFilesPattern": "**/*(*.tf|*.tfvars)" },
    "cloudformation": { "templateFilesPattern": "**/*(*.yml)" }
  }
}

Available configuration

  • frameworks: (object) contains the frameworks you would like to scan as keys. Supported values "terraform" | "cloudformation"
  • templateFilesPattern: (string) use a file pattern to match files and directories.

Special characters for matching a path portion:

  • * Matches 0 or more characters in a single path portion
  • ? Matches 1 character
  • [...] Matches a range of characters, similar to a RegExp range. If the first character of the range is ! or ^ then it matches any character not in the range.
  • !(pattern|pattern|pattern) Matches anything that does not match any of the pattern.
  • ?(pattern|pattern|pattern) Matches zero or one occurrence of the pattern.
  • +(pattern|pattern|pattern) Matches one or more occurrences of the pattern.
  • *(a|b|c) Matches zero or more occurrences of the pattern
  • @(pattern|pat*|pat?erN) Matches exactly one of the pattern
  • ** If a "globstar" is alone in a path portion, then it matches zero or more directories and subdirectories. Note that this does not crawl symlinked directories.

Note on the use of dots (.)

If a file or directory path portion has a . as the first character, then it will not match any glob pattern unless that pattern's corresponding path part also has a . as its first character.

For example, the pattern a/.*/c would match the file at a/.b/c. However the pattern a/*/c would not, because * does not start with a dot character.

Examples:

-  `*(*.tf)` Match only files ending with `.tf`
-  `**/*(*.tf|*.tfvars)` Starting from the top directory, match files ending with `.tf` or `.tfvars`
-  `*(*.tf|*.tfvars)` Match files ending with `.tf` or `.tfvars` in the root directory only

How to trigger a scan?

Supported Templates Supported Resource Types
Terraform S3
SNS
  • To trigger a scan, create a pull request in Github for the repository where you installed the Cloud One Template Scanner app.
  • You should now see the status of the scan at the bottom of your pull request in Github.