Template Scanner

Template Scanner enables you to run Trend Cloud One™ – Conformity Rules on your Terraform and AWS CloudFormation templates. You can add preventative security and governance controls to the workflow to identify and remediate issues prior to launching any services and resources.

This document covers Template Scanner from within the Conformity application. For documentation on the Github app to scan your infrastructure as code, please refer to Trend Cloud One™ - Template Scanner

Contents

• What is Template Scanner?
• How to use Template Scanner?
• Scanning a CloudFormation template and Terraform plan
• API Endpoints to Retrieve Rules
• Why do I not see any scan results?

What is Template Scanner?

Conformity provides Template Scanner capability as a preventative measure to ensure your AWS infrastructure remains compliant by detecting risks in template files before they are launched into AWS.

An API endpoint is available for CI/CD pipelines and automation.

You can use this service to scan a template file. Currently, we support Terraform plans and CloudFormation templates. You can configure rules through Conformity Profiles.

Parameters can be used to customize input values to the template each time a stack is created. If a parameter is defined in a template, parameter values can be supplied using the arguments field.

How to use Template Scanner?

You can use the Template Scanner for:

1. Scanning a CloudFormation Template or a Terraform plan
2. Using theTemplate Scanner API
   
   
   

API Endpoints to Retrieve Rules

You can use the following API endpoints to retrieve a list of rules that can be scanned for:

• CloudFormation Template
• Terraform plan

Scan via UI

1. Select the type of rule settings you want to scan for:
   • Default rule settings: upload and scan using rule settings from your organization.
   • Profile rule settings: upload and scan using rule settings from a selected profile.
   • Account rule settings: upload and scan using rule settings from a selected account.

Scanning a CloudFormation template

• CloudFormation templates can be uploaded in either JSON or YAML format.
• You can also use the ! Condition in YAML templates.

Scanning Terraform

• Terraform templates must be converted to a Terraform plan in JSON by following the steps below from your Command Line tool:

  1. In the same directory as .tf template, export your provider's access key, secret key, and export region (e.g. `export AWS_REGION=us-east-1`)
  2. Run the command terraform init
  3. Run the command terraform plan -out=your_file
  4. Run the command terraform show -json your_file > your_file.json. Your Terraform JSON plan is ready to be uploaded to the Template Scanner from the same folder as your .tf file.
  5. Follow the steps in the next section to Scan via UI or use the API endpoints.

• Click on Upload and scan to view scan results for your selected rule settings.

1. You will get a message for missing parameters while scanning your template. Decide whether you want to Proceed or Cancel the scanning process.
   

Resources with missing parameters will not be scanned and thereby result in partial scan results.

1. Review Checks from scan results. Failed checks will display a Resolve button with a link to resolution steps. For more information on the anatomy of the rule, see Rules.

Resolution steps provided with failed checks are for workflows via CLI or Console. You can also use these steps as a guide for resolution within CloudFormation.

Why do I not see any scan results?

You may receive an empty response or an error for any of the following reasons:

1. Unsupported resource type or rules: Template Scanner only supports resource-level rules. Please refer to the APIs for a list of supported rules and resource types. We have plans to add support for more source types over time. If there is a specific resource type you need as a priority, please log in to Conformity and submit a ticket to our support team.
2. Parameter(s) with no default value: CloudFormation templates with parameters that have no default values may fail to be processed.
3. Unsupported intrinsic function: The following are not fully supported:
   • Fn::ImportValue
   • Fn::Cidr
   • Fn::Transform
   • Fn::ToJsonString

You may want to temporarily replace these functions for static values so your template can be correctly scanned.