Code Risk Analyzer plug-in for IBM Cloud
The IBM Cloud® command-line interface (CLI) provides code risk analysis commands. You can use the IBM Cloud CLI to analyze your code for vulnerabilities and compliance with certain rules. Code Risk Analyzer is available in all IBM Cloud regions in which toolchains are supported.
You can use the CLI to complete the following tasks:
- Generate a bill of materials (BOM) that lists the dependencies and available license information of all third-party OS packages and application packages. You can also generate this output in CycloneDX-specific format.
- Discover vulnerabilities in packages that are listed in the BOM. You can also view the generated report in CycloneDX-specific format, or use vulnerability auto-remediation for Node.js, Maven, or Gradle applications.
- Analyze a Terraform plan for compliance with certain rules.
- Analyze Kubernetes files for compliance with certain rules.
Beginning in January 2024, Code Risk Analyzer consumes vulnerability data that is provided by the Clair open source project instead of data from the commercial company Snyk Limited. No specific action is required on your part as a result of this change. However, you might observe some differences in the particulars of the CVEs reported by Code Risk Analyzer.
Supported content
Code Risk Analyzer supports the Java™, Node.js, Python, and Go languages. The following table lists and describes the content that Code Risk Analyzer supports.
Content | Description |
---|---|
Java | The repo must use Maven or Gradle. For Maven, dependencies are computed by using the pom.xml file. For Gradle, dependencies are computed by using the build.gradle file. Code Risk Analyzer can also perform auto-remediation for both Maven and Gradle. |
Node.js | Dependencies are computed by using the package-lock.json file. For Node.js, Code Risk Analyzer can also perform auto-remediation. Make sure that the installed version of npm matches the project npm version. |
Python | Dependencies are computed by using the requirements.txt file. |
Golang | Supports go mod and go dep dependency management. For go mod, the go.sum file must be in the repo. For go dep, the Gopkg.lock file must be in the repo. |
Dockerfiles | Files with the Dockerfile pattern in the repo are considered. For container images, the Debian, Red Hat Enterprise Linux®, Alpine, and Ubuntu Linux distros are supported. |
Kubernetes | Files that are suffixed with .yaml and .yml are considered. The kind value must be set to Pod, ReplicaSet, ReplicationController, Deployment, DaemonSet, StatefulSet, Job, CronJob, NetworkPolicy, or Ingress. |
Calico | Files that are suffixed with .yaml and .yml are considered. The kind value must be set to NetworkPolicy, GlobalNetworkPolicy, Profile, NetworkSet, GlobalNetworkSet, or HostEndpoint. |
Terraform | The Terraform plan file must be generated by using IBM Cloud as the Terraform provider. |
Code Risk Analyzer examines source code and image dependencies in your repositories for vulnerabilities. The following table shows the sources of vulnerability information that Code Risk Analyzer consults for different kinds of dependencies.
Dependency | Supported versions | Source of security notices |
---|---|---|
Alpine image | All stable versions with vendor security support. | Alpine SecDB database. |
Debian image | All stable versions with vendor security support. CVEs on binary packages that are associated with the Debian source package. | Debian Security Bug Tracker. |
GoogleContainerTools distroless image | All stable versions with vendor security support. | GoogleContainerTools distroless. |
Red Hat® Enterprise Linux® (RHEL) image | RHEL 6, RHEL/UBI 7, RHEL/UBI 8, and RHEL/UBI 9 | Red Hat Security Data API. |
Ubuntu image | All stable versions with vendor security support. | Ubuntu CVE Tracker. |
Go, npm (JavaScript), Maven (Java), PyPI (Python), RubyGems (Ruby) and Packagist (PHP) | All stable versions with vendor security support. | Open Source Vulnerability database. |
Known issues with Code Risk Analyzer
Code Risk Analyzer cannot discover vulnerabilities in application packages that do not use a versioning scheme such as major.minor.patch. For example, pre-release versions or versions that contain build metadata are not supported.
Prerequisites
- Install the IBM Cloud CLI. See Download IBM Cloud CLI for instructions.
- Install the Code Risk Analyzer CLI plug-in by running the following command:
ibmcloud plugin install cra
- Make sure that you can access a toolchain in one of the supported regions. The toolchain is not required to have any tools. For more information about toolchains, see Creating a toolchain from an app.
- Specify the toolchain ID by setting the TOOLCHAIN_ID environment variable:
export TOOLCHAIN_ID=e22195a5-11e3-44ba-9533-e7c18a3a61a7
- Log in to a specific region of IBM Cloud by running the following command, where [region] is the region where the toolchain was created:
ibmcloud login -r [region]
CLI usage commands
You receive notifications on the command line when updates to the IBM Cloud CLI and plug-ins are available. Make sure that you keep your CLI current so that you can use the latest commands. You can view the current version of all of the installed plug-ins by running the ibmcloud plugin list command.
Code Risk Analyzer help
The following command displays the list of Code Risk Analyzer commands:
ibmcloud cra --help
Code Risk Analyzer command help
The following command displays the details of the flags that are used with a command. Use ibmcloud cra --help to display the available commands.
ibmcloud cra <command> --help
Bill of materials (BOM)
The bom-generate command accesses artifacts in the specified directory path and performs deep discovery to identify all of the dependencies, including transitive dependencies. The command also identifies the licenses under which these dependencies are distributed. A BOM is created that captures a snapshot of all of the dependencies. You can generate the BOM in the standard format or in CycloneDX's SBOM format.
ibmcloud cra bom-generate
BOM command requirements
The bom-generate command depends on certain external commands:
- If the path contains Dockerfiles, this command pulls down base images and build images for every build stage in each Dockerfile. In this scenario, the bom-generate command requires that the Docker CLI and tar commands are available.
- If the path contains Maven files, this command uses mvn to build a list of dependencies. In this scenario, the bom-generate command requires the mvn command to be available.
- If the path contains Gradle files, this command uses gradle to build a list of dependencies. In this scenario, the bom-generate command requires the gradle command to be available.
- If the path contains Node.js package.json files and this command is used to generate a corresponding package-lock.json file, the bom-generate command uses npm to build the package-lock.json file. In this scenario, the command requires the npm command to be available.
- If the path contains the Python requirements.txt file, the command uses pip to generate the package dependencies. In this scenario, the bom-generate command requires the pip command to be available. Both Python version 2 and Python version 3 are supported.
If you are using Dockerfiles, make sure to log in to your container registry from where the base images are to be pulled.
If your Dockerfile requires ARGS, set each ARG as an environment variable before you run the command. For example, if the Dockerfile uses an IAM_USER ARG, export an environment variable that is named IAM_USER:
export IAM_USER='value'
The CLI automatically passes these environment variables to the docker build command.
You can also specify the DOCKERBUILDFLAGS flag explicitly. To export DOCKERBUILDFLAGS with the ARGS Docker flag, type the following command:
export DOCKERBUILDFLAGS="--build-arg IAM_USER --build-arg API_KEY"
BOM command options
The following table lists the command options that you can use to generate a BOM with the bom-generate command.
Command options | Required or optional | Description |
---|---|---|
--path | Required | The project directory path to scan. |
-r, --report | Required | The file name in which to store the BOM report. |
-a, --asset-type | Optional | The security checks to run (apps, image, os, all). By default, this option is set to all. The apps option limits discovery to application packages. The image option limits discovery to base images that are used in Dockerfiles. The os option limits discovery to build stages in Dockerfiles only. You can specify multiple values by using a comma to delimit the values, such as -a os,image,apps. |
-p, --prev-report | Optional | Use the previous BOM report to speed up the command. For example, if a Dockerfile was not updated since the last report was generated, the command skips the discovery of packages from that Dockerfile. The same applies to other manifest files, such as the package-lock.json file. |
-c, --dockerbuildcontext | Optional | If specified, CRA uses the directory in the path parameter as the Docker build context during build stage scanning. |
-o, --output | Optional | Select the BOM report format. You can generate the output in either Standard BOM format (standard) or CycloneDX's SBOM format (cyclonedx). The default value is standard. You can store both formats by specifying both values separated by a comma with no space. |
-f, --dockerbuildflags | Optional | Customize the Docker build command for build stage scanning. Instead of using this command-line flag, you can specify the value in an environment variable named DOCKERBUILDFLAGS. By default, this command option is set to ''. If you use this option, make sure that it is the last flag that is provided to the command. |
-d, --dockerfilepattern | Optional | The pattern to identify the Dockerfile in the repo. |
-g, --gradle.excludeconfigurations | Optional | Exclude the Gradle configurations, for example: runtimeClasspath,testCompileClasspath. By default, this command option is set to ''. |
-l, --gradleprops | Optional | Customize the Gradle command with properties for Gradle dependency scanning. |
-m, --maven.excludescopes | Optional | Exclude the Maven scopes, for example: 'test,compile'. By default, this command option is set to ''. |
-n, --nodejs.createpackagelock | Optional | Enable the task to build the package-lock.json file for Node.js projects. |
--region | Optional | The ibmcloud region where the toolchain is located. |
--toolchainid | Optional | The target toolchain ID to use. |
-v, --verbose | Optional | Enable verbose log messages. |
Ignoring files
If the path contains the .cra/.fileignore file, files that are specified in the .fileignore file are not scanned for dependencies. The .fileignore file must follow the rules of .gitignore files. Similar to a .gitignore file, the .fileignore file can include comments, directories to ignore, files to ignore, and other patterns.
The following example .fileignore file shows how to exclude bash scripts, node_modules, and the Dockerfile.
# Ignore nested functional_tests directory
**/functional_tests
# Ignore bash scripts
**/*.sh
# This should allow this one file
!test/gatling_tests/loginTobx.sh
# Ignore node_modules
node_modules
# Exclude the dockerfile from scanning
Dockerfile
Example
The following code snippets show how to use the bom-generate command:
ibmcloud cra bom-generate --path PATH --report REPORT [--asset-type ASSET-TYPE] [--dockerbuildcontext] [--dockerbuildflags DOCKERBUILDFLAGS] [--dockerfilepattern DOCKERFILEPATTERN] [--gradle.excludeconfigurations GRADLE.EXCLUDECONFIGURATIONS] [--maven.excludescopes MAVEN.EXCLUDESCOPES] [--nodejs.createpackagelock] [--prev-report PREV-REPORT] [--region REGION] [--toolchainid TOOLCHAINID] [--verbose]
ibmcloud cra bom --path . --report bomreport.json
Vulnerability scan
The vulnerability-scan command expects a BOM in standard format as input and detects vulnerabilities in application packages and OS packages that are listed in the BOM. Based on threat intelligence harvested from multiple sources of Common Vulnerabilities and Exposures (CVEs), targeted fix recommendations are provided. Code Risk Analyzer can also perform auto-remediation on vulnerable packages for Node.js based applications only. You can also generate this report in the standard format or in CycloneDX's Vulnerability Exploitability Exchange (VEX) format.
ibmcloud cra vulnerability-scan
Vulnerability scan command options
The following table lists the options for using the vulnerability-scan command.
Command options | Required or optional | Description |
---|---|---|
-b, --bom | Required | The file path of the BOM that was generated by using the bom-generate command. This BOM must be in standard format. |
-a, --autofix | Optional | Fixes specific types of app vulnerabilities. This option is available only for Node.js, Maven, and Gradle apps. |
-f, --commentfile | Optional | Specifies the file where the markdown report is created. This option is available only with autofix. |
-c, --cveignore | Optional | The file path of the CVE ignore file that contains the list of CVEs to ignore. |
-e, --excludedev | Optional | Specifies that you do not want the command to report CVEs for development dependencies. |
--force | Optional | Forces an update for top-level node packages, even when the major version is different. This option is available only with autofix. |
--include-nofix | Optional | Include or exclude the reporting of CVEs that do not have known remediations. By default, this option is set to app. The app option includes only app package CVEs with no fixes. The os option includes only OS package CVEs with no fixes. The all option includes both app and OS package CVEs with no fixes. The none option excludes both app and OS package CVEs with no fixes. |
--path | Required if --autofix is enabled | The project directory path to scan. This option is available only with autofix. |
--region | Optional | The ibmcloud region for the toolchain. |
-r, --report | Optional | The path to the generated report. |
-o, --output | Optional | Selects the CVE report format. You can generate the output in either Standard CVE format (standard) or CycloneDX's VEX format (cyclonedx). The default value is standard. |
-s, --strict | Optional | Results in command failure (exit status 2) when vulnerabilities are found. |
--toolchainid | Optional | The ID of the target toolchain. |
Ignoring vulnerabilities
If the -c or --cveignore parameter is specified, the command looks for that file and does not report the CVEs that are specified in the file. You can configure the CVEs to be omitted indefinitely, until a remediation is available, or until a specified expiration date.
The following example shows the JSON schema for the .cveignore file:
[
{
"cve": "string",
"alwaysOmit": "bool",
"untilRemediationAvailable": "bool",
"expiration": "string"
}
]
The following properties are supported for each entry in the .cveignore file:
- cve - The vulnerability to omit. The value of this property is a CVE ID.
- alwaysOmit - If this property is set to true, the vulnerability is omitted until the property is changed. This property takes precedence over other property values.
- untilRemediationAvailable - If this property is set to true, the vulnerability is omitted until a remediation path is available. If a remediation becomes available, the vulnerability is not omitted and a message is displayed. This property takes precedence over the expiration property value.
- expiration - If this property is set and the expiration date is not reached, the vulnerability is omitted. If the expiration date is reached, the vulnerability is not omitted and a message is displayed. Use the RFC3339 time format (yyyy-MM-ddTHH:mm:ss[+-]Z) to define this property.
Code Risk Analyzer uses only these defined properties. You can add other properties, but they have no effect. If a vulnerability that is defined in the .cveignore file is not omitted, a log is generated that explains the reason. If a vulnerability that is defined in the .cveignore file is omitted, no individual logging is displayed. The number of omissions and a list of the omitted vulnerability IDs, with the package name, are logged after a report is completed.
The following code snippet shows a sample .cveignore file:
[
{
"cve": "CVE-2021-27290",
"alwaysOmit": true
},
{
"cve": "CVE-2020-8244",
"untilRemediationAvailable": true
}
]
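The omission rules described above (alwaysOmit first, then untilRemediationAvailable, then expiration), worked through as an added Python example; this is illustrative code, not the plug-in's implementation. The .cveignore content, package names and scan findings are constructed, and CVE-0000-00001 to CVE-0000-00003 are placeholder IDs.

```python
"""Added illustration of how .cveignore entries decide which scan findings are
omitted. Not the Code Risk Analyzer implementation; the precedence follows the
property descriptions above (alwaysOmit, then untilRemediationAvailable, then
expiration)."""
import json
from datetime import datetime, timezone

# Constructed .cveignore content. CVE-0000-00001/00002 are placeholder IDs, not
# real CVEs; "note" is an extra property that the tool ignores.
SAMPLE_CVEIGNORE = """
[
  {"cve": "CVE-2021-27290", "alwaysOmit": true},
  {"cve": "CVE-2020-8244", "untilRemediationAvailable": true},
  {"cve": "CVE-0000-00001", "expiration": "2030-01-01T00:00:00Z"},
  {"cve": "CVE-0000-00002", "expiration": "2020-01-01T00:00:00+00:00",
   "note": "temporary waiver"}
]
"""

# Constructed scan findings: (CVE ID, package name, remediation available?).
SAMPLE_FINDINGS = [
    ("CVE-2021-27290", "pkg-a", True),
    ("CVE-2020-8244", "pkg-b", True),
    ("CVE-0000-00001", "pkg-c", False),
    ("CVE-0000-00002", "pkg-c", True),
    ("CVE-0000-00003", "pkg-d", False),   # not listed in .cveignore
]


def parse_rfc3339(value):
    """Parse yyyy-MM-ddTHH:mm:ss[+-]Z into an aware datetime (UTC if no offset)."""
    if value.endswith("Z"):              # fromisoformat accepts 'Z' only from 3.11
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def load_cveignore(text):
    """Map CVE ID -> entry; entries without a 'cve' key can never match."""
    return {e["cve"]: e for e in json.loads(text) if "cve" in e}


def decide(entry, remediation_available, now):
    """Return (omitted, reason) for one finding and its .cveignore entry."""
    if entry is None:
        return False, "not listed in .cveignore"
    if entry.get("alwaysOmit") is True:          # highest precedence
        return True, "alwaysOmit"
    if entry.get("untilRemediationAvailable") is True:
        if remediation_available:                # a fix exists: report, with reason
            return False, "remediation is now available"
        return True, "untilRemediationAvailable"
    if "expiration" in entry:
        if now < parse_rfc3339(entry["expiration"]):
            return True, "expiration not reached"
        return False, "expiration date reached"
    return False, "entry defines no omission rule"


def filter_findings(cveignore_text, findings, now=None):
    """Split findings into (reported, omitted) lists of (cve, package, reason).
    `now` may be an RFC3339 string, an aware datetime, or None for the clock."""
    if isinstance(now, str):
        now = parse_rfc3339(now)
    now = now or datetime.now(timezone.utc)
    rules = load_cveignore(cveignore_text)
    reported, omitted = [], []
    for cve, package, has_fix in findings:
        is_omitted, reason = decide(rules.get(cve), has_fix, now)
        (omitted if is_omitted else reported).append((cve, package, reason))
    return reported, omitted


if __name__ == "__main__":
    reported, omitted = filter_findings(SAMPLE_CVEIGNORE, SAMPLE_FINDINGS)
    for cve, package, reason in reported:
        print(f"REPORT {cve} ({package}): {reason}")
    # Like the tool: one summary line with the count and the omitted IDs + packages.
    print(f"omitted {len(omitted)}: " + ", ".join(f"{c} ({p})" for c, p, _ in omitted))
```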
Example
The following code snippets show how to use the vulnerability-scan command:
ibmcloud cra vulnerability-scan --bom BOM [--cveignore CVEIGNORE] [--report REPORT] [--excludedev] [--include-nofix app,os,all,none] [--region REGION] [--strict] [--toolchainid TOOLCHAINID] [--output OUTPUTFILE]
ibmcloud cra cve --bom ./bom-file.json --cveignore ./cveignore-example.json --report ./output-vulnerability-report.json --excludedev --include-nofix all --strict
Deployment
The deployment-analyze command runs configuration checks on Kubernetes deployment manifests.
ibmcloud cra deployment-analyze
This command provides prescriptive guidance for establishing a secure configuration posture for Docker containers. Code Risk Analyzer uses these security configurations as a point of reference and identifies security controls to check in deployment artifacts, such as .yaml files, for Kubernetes applications. This command also provides risk assessments for each control failure.
The following table lists the controls that you can implement within DevSecOps, as identified from CIS Docker 1.13.0. More controls are added based on open source references of the Kubernetes Common Configuration Scoring System (KCCSS).
ID | Rule | Risk |
---|---|---|
5.3 | Ensure that containers do not have the CAP_SYS_ADMIN capability. | High |
5.3 | Ensure that containers do not have the CAP_NET_RAW capability. | High |
5.4 | Ensure that privileged containers are not used. | High |
5.5 | Ensure that sensitive host system directories are not mounted on containers. | Medium |
5.7 | Ensure that privileged ports are not mapped within containers. | Low |
5.9 | Ensure that the host's network namespace is not shared. | Medium |
5.10 | Ensure that the memory usage for the container is limited. | Medium |
5.11 | Ensure that the appropriate CPU priority is set on the container. | Medium |
5.12 | Ensure that the container's root file system is mounted as read-only. | Medium |
5.15 | Ensure that the host's process namespace is not shared. | Medium |
5.16 | Ensure that the host's IPC namespace is not shared. | Medium |
5.31 | Ensure that the Docker socket is not mounted inside any containers. | High |
n/a | Ensure that containers do not allow unsafe allocation of CPU resources. | Medium |
n/a | Ensure that containers do not allow privilege escalation. | Medium |
n/a | Ensure that containers do not expose unsafe parts of /proc. | Medium |
n/a | Ensure that containers are not exposed through a shared host port. | Medium |
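The controls in the table above, implemented as checks over a Kubernetes manifest, as an added Python example. It is illustrative code, not the deployment-analyze implementation: the mapping of each control to a manifest field, the list of sensitive host directories and the rule IDs are my own; the two manifests are constructed.

```python
"""Added illustration of the controls in the table above as checks over a
Kubernetes manifest. Not the deployment-analyze code: the mapping of each
control to a manifest field is my own reading of CIS Docker 1.13 / KCCSS."""
import json

TEMPLATE_KINDS = {"ReplicaSet", "ReplicationController", "Deployment",
                  "DaemonSet", "StatefulSet", "Job"}
# Assumed set of sensitive host directories for control 5.5; adjust to policy.
SENSITIVE_HOST_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
DOCKER_SOCKET = "/var/run/docker.sock"


def pod_spec(manifest):
    """Locate the pod spec inside any supported workload kind (None otherwise)."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest["spec"]
    if kind == "CronJob":
        return manifest["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    if kind in TEMPLATE_KINDS:
        return manifest["spec"]["template"]["spec"]
    return None


def is_sensitive(path):
    return path == "/" or any(path == d or path.startswith(d + "/")
                              for d in SENSITIVE_HOST_DIRS)


def check_pod_spec(spec):
    """Return findings as (control id or 'KCCSS', risk, message) tuples."""
    found = []
    if spec.get("hostNetwork"):
        found.append(("5.9", "Medium", "host network namespace is shared"))
    if spec.get("hostPID"):
        found.append(("5.15", "Medium", "host process namespace is shared"))
    if spec.get("hostIPC"):
        found.append(("5.16", "Medium", "host IPC namespace is shared"))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path == DOCKER_SOCKET:
            found.append(("5.31", "High", f"volume {vol['name']} mounts the Docker socket"))
        elif path and is_sensitive(path):
            found.append(("5.5", "Medium", f"volume {vol['name']} mounts host path {path}"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        caps = {x.upper().replace("CAP_", "", 1)
                for x in sc.get("capabilities", {}).get("add", [])}
        if sc.get("privileged"):
            found.append(("5.4", "High", f"{name}: privileged container"))
        for cap in ("SYS_ADMIN", "NET_RAW"):
            if cap in caps:
                found.append(("5.3", "High", f"{name}: adds CAP_{cap}"))
        limits = c.get("resources", {}).get("limits", {})
        if "memory" not in limits:
            found.append(("5.10", "Medium", f"{name}: no memory limit"))
        if "cpu" not in limits:
            found.append(("KCCSS", "Medium", f"{name}: no CPU limit"))
        if sc.get("readOnlyRootFilesystem") is not True:
            found.append(("5.12", "Medium", f"{name}: root filesystem is writable"))
        if sc.get("allowPrivilegeEscalation") is not False:
            found.append(("KCCSS", "Medium", f"{name}: privilege escalation allowed"))
        for port in c.get("ports", []):
            if "hostPort" in port:
                found.append(("KCCSS", "Medium", f"{name}: shared host port {port['hostPort']}"))
                if port["hostPort"] < 1024:
                    found.append(("5.7", "Low", f"{name}: privileged host port {port['hostPort']}"))
    return found


def analyze_manifest(text):
    """Manifests are embedded as JSON (valid YAML) so no YAML library is needed."""
    spec = pod_spec(json.loads(text))
    return [] if spec is None else check_pod_spec(spec)


# Constructed Deployment with one poorly configured container.
BAD_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}},
                    {"name": "certs", "hostPath": {"path": "/etc/ssl"}}],
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["NET_RAW", "CHOWN"]}},
            "ports": [{"containerPort": 8080, "hostPort": 80}]}]}}}})

# Constructed Pod that passes every check above.
GOOD_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [{
        "name": "app", "image": "example/app:1.0",
        "resources": {"limits": {"memory": "256Mi", "cpu": "500m"}},
        "securityContext": {"readOnlyRootFilesystem": True,
                            "allowPrivilegeEscalation": False}}]}})

if __name__ == "__main__":
    for rule, risk, msg in analyze_manifest(BAD_DEPLOYMENT):
        print(f"[{risk:<6}] {rule:<5} {msg}")
```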
Deployment command options
The following table lists the command options that you can use for the deployment-analyze command.
Command options | Required or optional | Description |
---|---|---|
--path | Required | The project directory path to scan. |
-r, --report | Required | The file name in which to create the report. |
-f, --fileignore | Optional | The file path of the .fileignore file. |
-s, --strict | Optional | Results in command failure (exit status 2) when deployment risks are found. |
Example
The following code snippets show how to use the deployment-analyze command:
ibmcloud cra deployment-analyze --path PATH --report REPORT [--fileignore FILE_IGNORE] [--strict]
ibmcloud cra depl --path ./sampleDir --report deployment-report.json --strict
Terraform Analyzer
You can use the terraform-validate command to analyze a Terraform plan for compliance before applying the plan to an environment. This command analyzes the specified Terraform plan file for compliance with rules that are specified in IBM Cloud® Security and Compliance Center and generates a compliance report.
You can specify a policy file that lists the rules and parameters to use for validation. If no policy file is specified, this command analyzes the plan for the default set of rules.
ibmcloud cra terraform-validate
Terraform command options
The following table lists the options that you can use for the terraform-validate command.
Command options | Required or optional | Description |
---|---|---|
-r, --report | Required | The path to the generated report. |
-t, --tf-plan | Required | The path to the input Terraform plan file. |
-p, --policy-file | Optional | The file path to the policy profile. This flag accepts a Security and Compliance Center V2 profile or a custom JSON file with a set of Security and Compliance Center rules. |
-q, --quiet | Optional | Displays only summarized information. |
-s, --strict | Optional | Results in command failure (exit status 2) if policies fail. |
-v, --verbose | Optional | Displays the list of passing Security and Compliance Center rules after the list of failed rules. |
-a, --attachment-file | Optional | This flag accepts a file that contains JSON for Security and Compliance Center V2 attachments. To use this flag, a Security and Compliance Center V2 profile must be specified with the -p flag. |
Example
The following code snippets show how to use the terraform-validate command:
ibmcloud cra terraform-validate --tf-plan TFPLANFILE --report REPORT [--policy-file POLICYFILE] [--quiet] [--region REGION] [--strict] [--toolchainid TOOLCHAINID] [--verbose] [--attachment-file ATTACHMENT_FILE]
ibmcloud cra tf -r report-user-profile.json -t ./tfplan.json -p ./user-profile.json --verbose
Example Terraform plan file for the terraform-validate command
{
"format_version": "0.2",
"terraform_version": "1.0.2",
"planned_values": {
"root_module": {
"child_modules": [
{
"resources": [
{
"address": "module.instance.ibm_resource_instance.cos_instance",
"mode": "managed",
"type": "ibm_resource_instance",
"name": "cos_instance",
"provider_name": "registry.terraform.io/ibm-cloud/ibm",
"schema_version": 0,
"values": {
"location": "global",
"parameters": null,
"plan": "lite",
"service": "cloud-object-storage",
"timeouts": null
},
"sensitive_values": {
"extensions": {},
"last_operation": {},
"plan_history": [],
"tags": []
}
}
],
"address": "module.instance"
},
{
"resources": [
{
"address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[0]",
"mode": "managed",
"type": "ibm_cos_bucket",
"name": "bad_resource_cos_bucket_missing_all_configuration",
"index": 0,
"provider_name": "registry.terraform.io/ibm-cloud/ibm",
"schema_version": 0,
"values": {
"activity_tracking": [],
"allowed_ip": null,
"archive_rule": [],
"cross_region_location": null,
"endpoint_type": "public",
"expire_rule": [],
"force_delete": true,
"key_protect": null,
"metrics_monitoring": [],
"region_location": "us-south",
"retention_rule": [],
"single_site_location": null,
"storage_class": "standard",
"timeouts": null
},
"sensitive_values": {
"activity_tracking": [],
"archive_rule": [],
"expire_rule": [],
"metrics_monitoring": [],
"retention_rule": []
}
},
{
"address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[1]",
"mode": "managed",
"type": "ibm_cos_bucket",
"name": "bad_resource_cos_bucket_missing_all_configuration",
"index": 1,
"provider_name": "registry.terraform.io/ibm-cloud/ibm",
"schema_version": 0,
"values": {
"activity_tracking": [],
"allowed_ip": null,
"archive_rule": [],
"cross_region_location": null,
"endpoint_type": "public",
"expire_rule": [],
"force_delete": true,
"key_protect": null,
"metrics_monitoring": [],
"region_location": "us-south",
"retention_rule": [],
"single_site_location": null,
"storage_class": "standard",
"timeouts": null
},
"sensitive_values": {
"activity_tracking": [],
"archive_rule": [],
"expire_rule": [],
"metrics_monitoring": [],
"retention_rule": []
}
}
],
"address": "module.instance_config"
}
]
}
},
"resource_changes": [
{
"address": "module.instance.ibm_resource_instance.cos_instance",
"module_address": "module.instance",
"mode": "managed",
"type": "ibm_resource_instance",
"name": "cos_instance",
"provider_name": "registry.terraform.io/ibm-cloud/ibm",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"location": "global",
"parameters": null,
"plan": "lite",
"service": "cloud-object-storage",
"timeouts": null
},
"after_unknown": {
"account_id": true,
"allow_cleanup": true,
"created_at": true,
"created_by": true,
"crn": true,
"dashboard_url": true,
"deleted_at": true,
"deleted_by": true,
"extensions": true,
"guid": true,
"id": true,
"last_operation": true,
"locked": true,
"name": true,
"plan_history": true,
"resource_aliases_url": true,
"resource_bindings_url": true,
"resource_controller_url": true,
"resource_crn": true,
"resource_group_crn": true,
"resource_group_id": true,
"resource_group_name": true,
"resource_id": true,
"resource_keys_url": true,
"resource_name": true,
"resource_plan_id": true,
"resource_status": true,
"restored_at": true,
"restored_by": true,
"scheduled_reclaim_at": true,
"scheduled_reclaim_by": true,
"service_endpoints": true,
"state": true,
"status": true,
"sub_type": true,
"tags": true,
"target_crn": true,
"type": true,
"update_at": true,
"update_by": true
},
"before_sensitive": false,
"after_sensitive": {
"extensions": {},
"last_operation": {},
"plan_history": [],
"tags": []
}
}
},
{
"address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[0]",
"module_address": "module.instance_config",
"mode": "managed",
"type": "ibm_cos_bucket",
"name": "bad_resource_cos_bucket_missing_all_configuration",
"index": 0,
"provider_name": "registry.terraform.io/ibm-cloud/ibm",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"activity_tracking": [],
"allowed_ip": null,
"archive_rule": [],
"cross_region_location": null,
"endpoint_type": "public",
"expire_rule": [],
"force_delete": true,
"key_protect": null,
"metrics_monitoring": [],
"region_location": "us-south",
"retention_rule": [],
"single_site_location": null,
"storage_class": "standard",
"timeouts": null
},
"after_unknown": {
"activity_tracking": [],
"archive_rule": [],
"bucket_name": true,
"crn": true,
"expire_rule": [],
"id": true,
"metrics_monitoring": [],
"resource_instance_id": true,
"retention_rule": [],
"s3_endpoint_private": true,
"s3_endpoint_public": true
},
"before_sensitive": false,
"after_sensitive": {
"activity_tracking": [],
"archive_rule": [],
"expire_rule": [],
"metrics_monitoring": [],
"retention_rule": []
}
}
},
{
"address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[1]",
"module_address": "module.instance_config",
"mode": "managed",
"type": "ibm_cos_bucket",
"name": "bad_resource_cos_bucket_missing_all_configuration",
"index": 1,
"provider_name": "registry.terraform.io/ibm-cloud/ibm",
"change": {
"actions": [
"create"
],
"before": null,
"after": {
"activity_tracking": [],
"allowed_ip": null,
"archive_rule": [],
"cross_region_location": null,
"endpoint_type": "public",
"expire_rule": [],
"force_delete": true,
"key_protect": null,
"metrics_monitoring": [],
"region_location": "us-south",
"retention_rule": [],
"single_site_location": null,
"storage_class": "standard",
"timeouts": null
},
"after_unknown": {
"activity_tracking": [],
"archive_rule": [],
"bucket_name": true,
"crn": true,
"expire_rule": [],
"id": true,
"metrics_monitoring": [],
"resource_instance_id": true,
"retention_rule": [],
"s3_endpoint_private": true,
"s3_endpoint_public": true
},
"before_sensitive": false,
"after_sensitive": {
"activity_tracking": [],
"archive_rule": [],
"expire_rule": [],
"metrics_monitoring": [],
"retention_rule": []
}
}
}
],
"configuration": {
"provider_config": {
"ibm": {
"name": "ibm",
"version_constraint": "1.25.0",
"expressions": {
"ibmcloud_api_key": {
"constant_value": "BYwB2M3TJdDMlCpHaxaWilNHVod05TVkqjIbGqrlm9Iz"
}
}
},
"module.instance:ibm": {
"name": "ibm",
"version_constraint": "1.25.0",
"module_address": "module.instance",
"expressions": {
"ibmcloud_api_key": {
"constant_value": "BYwB2M3TJdDMlCpHaxaWilNHVod05TVkqjIbGqrlm9Iz"
}
}
},
"module.instance_config:ibm": {
"name": "ibm",
"version_constraint": "1.25.0",
"module_address": "module.instance_config"
}
},
"root_module": {
"module_calls": {
"instance": {
"source": "./instance_module",
"module": {
"outputs": {
"cos_instance_id": {
"expression": {
"references": [
"ibm_resource_instance.cos_instance.id",
"ibm_resource_instance.cos_instance"
]
}
}
},
"resources": [
{
"address": "ibm_resource_instance.cos_instance",
"mode": "managed",
"type": "ibm_resource_instance",
"name": "cos_instance",
"provider_config_key": "instance:ibm",
"expressions": {
"location": {
"constant_value": "global"
},
"name": {},
"plan": {
"constant_value": "lite"
},
"service": {
"constant_value": "cloud-object-storage"
}
},
"schema_version": 0
}
]
}
},
"instance_config": {
"source": "./instance_config_module",
"expressions": {
"cos_instance_id": {
"references": [
"module.instance.cos_instance_id",
"module.instance"
]
}
},
"module": {
"resources": [
{
"address": "ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration",
"mode": "managed",
"type": "ibm_cos_bucket",
"name": "bad_resource_cos_bucket_missing_all_configuration",
"provider_config_key": "instance_config:ibm",
"expressions": {
"bucket_name": {},
"region_location": {
"constant_value": "us-south"
},
"resource_instance_id": {
"references": [
"var.cos_instance_id"
]
},
"storage_class": {
"constant_value": "standard"
}
},
"schema_version": 0,
"count_expression": {
"constant_value": 2
}
}
],
"variables": {
"cos_instance_id": {
"description": "COS Instance ID"
}
}
},
"depends_on": [
"module.instance"
]
}
}
}
}
}
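A walk over a plan file shaped like the one above, as an added Python example. It is illustrative code, not the terraform-validate implementation, and its two checks are not SCC rules: they are my own reading of the plan's bad_resource_cos_bucket_missing_all_configuration resources (buckets created without key_protect, activity_tracking or metrics_monitoring) and of its provider block (an ibmcloud_api_key given as a literal constant_value). The trimmed plan, the good_bucket and old_bucket resources, and all PLACEHOLDER values are constructed.

```python
"""Added illustration of walking a Terraform plan file such as the one above.
Not the terraform-validate implementation and not SCC rules: the two checks
(a COS bucket created or updated without key_protect, activity_tracking or
metrics_monitoring; a provider api key given as a constant_value) are my own
reading of the plan's bad_resource_cos_bucket_missing_all_configuration resources."""
import json

# Assumed per-field checks on ibm_cos_bucket "after" values; the real rule set
# lives in Security and Compliance Center.
COS_BUCKET_CHECKS = {
    "key_protect": lambda v: v is not None,     # encryption key CRN configured
    "activity_tracking": lambda v: bool(v),     # at least one tracking block
    "metrics_monitoring": lambda v: bool(v),    # at least one monitoring block
}
PROVIDER_SECRET_KEYS = ("ibmcloud_api_key",)


def check_resource_changes(plan):
    """Flag ibm_cos_bucket resources being created/updated without the fields."""
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != "ibm_cos_bucket":
            continue
        detail = change.get("change", {})
        if not set(detail.get("actions", [])) & {"create", "update"}:
            continue                              # deletes/no-ops have no "after"
        after = detail.get("after") or {}
        for field, is_ok in COS_BUCKET_CHECKS.items():
            if not is_ok(after.get(field)):
                findings.append((change["address"], f"{field} not configured"))
    return findings


def check_provider_config(plan):
    """Flag provider credentials that appear as literal constants in the plan."""
    findings = []
    providers = plan.get("configuration", {}).get("provider_config", {})
    for name, cfg in providers.items():
        for key, expr in cfg.get("expressions", {}).items():
            if key in PROVIDER_SECRET_KEYS and "constant_value" in expr:
                findings.append((name, f"{key} is a literal constant in the plan"))
    return findings


def validate_plan(text):
    """Return all findings as (address or provider name, problem) tuples."""
    plan = json.loads(text)
    return check_resource_changes(plan) + check_provider_config(plan)


# Constructed, trimmed plan with the same shape as the page's example: one bucket
# missing all configuration, one configured, one being deleted, and a root
# provider whose api key is a constant (PLACEHOLDER values, not real CRNs/keys).
SAMPLE_PLAN = json.dumps({
    "format_version": "0.2",
    "resource_changes": [
        {"address": "module.instance.ibm_resource_instance.cos_instance",
         "type": "ibm_resource_instance",
         "change": {"actions": ["create"], "before": None, "after": {"plan": "lite"}}},
        {"address": "module.instance_config.ibm_cos_bucket."
                    "bad_resource_cos_bucket_missing_all_configuration[0]",
         "type": "ibm_cos_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"activity_tracking": [], "key_protect": None,
                              "metrics_monitoring": [], "region_location": "us-south"}}},
        {"address": "module.instance_config.ibm_cos_bucket.good_bucket",
         "type": "ibm_cos_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"activity_tracking": [{"activity_tracker_crn": "crn:PLACEHOLDER"}],
                              "key_protect": "crn:PLACEHOLDER",
                              "metrics_monitoring": [{"metrics_monitoring_crn": "crn:PLACEHOLDER"}]}}},
        {"address": "module.instance_config.ibm_cos_bucket.old_bucket",
         "type": "ibm_cos_bucket",
         "change": {"actions": ["delete"], "before": {"key_protect": None}, "after": None}},
    ],
    "configuration": {"provider_config": {
        "ibm": {"name": "ibm",
                "expressions": {"ibmcloud_api_key": {"constant_value": "PLACEHOLDER"}}},
        "module.instance:ibm": {"name": "ibm", "module_address": "module.instance",
                                "expressions": {"ibmcloud_api_key": {"references": ["var.api_key"]}}},
    }},
})

if __name__ == "__main__":
    for where, problem in validate_plan(SAMPLE_PLAN):
        print(f"FAIL {where}: {problem}")
```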
Example SCC V2 profile file schema for the terraform-validate command
{
"title": "User Profile Standard v2 Schema",
"type": "object",
"properties": {
"id": {
"type": "string"
},
"profile_name": {
"type": "string"
},
"profile_version": {
"type": "string"
},
"controls": {
"type": "array",
"items": {
"type": "object",
"properties": {
"control_specifications": {
"type": "array",
"items": {
"type": "object",
"properties": {
"assessment_count": {
"type": "number"
},
"assessments": {
"type": "array",
"items": {
"type": "object",
"properties": {
"assessment_type": {
"type": "string"
},
"assessment_method": {
"type": "string"
},
"assessment_description": {
"type": "string"
},
"assessment_id": {
"type": "string"
},
"parameter_count": {
"type": "number"
},
"parameters": {
"type": "array",
"items": {
"type": "object",
"properties": {
"parameter_name": {
"type": "string"
},
"parameter_display_name": {
"type": "string"
},
"parameter_type": {
"type": "string"
}
}
}
}
}
}
}
}
}
}
}
}
},
"default_parameters": {
"type": "array",
"items": {
"type": "object",
"properties": {
"assessment_type": {
"type": "string"
},
"assessment_id": {
"type": "string"
},
"parameter_name": {
"type": "string"
},
"parameter_default_value": {
"type": "string"
},
"parameter_display_name": {
"type": "string"
},
"parameter_type": {
"type": "string"
}
}
}
}
},
"required": ["default_parameters", "controls", "profile_name", "profile_version"]
}
Example SCC V2 classic profile file for the terraform-validate command
You can prefix the rule ID with rule-.
{
  "schema_version": "2.0",
  "scc_rules": [
    {
      "scc_rule_id": "548a3321-6a39-400c-9c2d-0df9a13afd02"
    },
    {
      "scc_rule_id": "726ec899-505e-4de9-ac1b-9578ef62f89f"
    },
    {
      "scc_rule_id": "962e2bde-2a4f-4e07-a352-ce17708b1e85"
    },
    {
      "scc_rule_id": "9653d2c7-6290-4128-a5a3-65487ba40370"
    },
    {
      "scc_rule_id": "d8d13c3e-5ca0-46c5-a055-2475852c4ec6"
    },
    {
      "scc_rule_id": "0f7e7e60-a05c-43a7-be74-70615f14a342"
    },
    {
      "scc_rule_id": "979fd713-d39f-4efe-ba02-bf6fc07e57bb"
    },
    {
      "scc_rule_id": "rule-e76a3a81-b0d0-41fc-947d-13dc9cfff379"
    },
    {
      "scc_rule_id": "caf5e45d-ccc8-4e35-b124-e1b4c8bcab71"
    },
    {
      "scc_rule_id": "rule-1edc74ae-0dad-4ea1-865d-89e3214d240f"
    },
    {
      "scc_rule_id": "064d9004-8728-4988-b19a-1805710466f6"
    },
    {
      "scc_rule_id": "rule-caf5e45d-ccc8-4e35-b124-e1b4c8bcab71"
    }
  ],
  "scc_parameters": {
    "ibm_minimum_password_length": 12,
    "ibm_password_reuse_prevention": 4,
    "allowed_admins_per_account": "10",
    "api_keys_rotated_days": 90,
    "account_owner_last_login_days": 30,
    "no_of_admins_for_iam": 3,
    "no_of_service_id_admins_for_iam": 3,
    "no_of_managers_for_iam": 0,
    "no_of_service_id_managers_for_iam": 0,
    "iam_service_ids_max_count": 3,
    "ssh_port": 25,
    "rdp_port": 3390,
    "no_pre_shared_key_characters": 30,
    "dns_port": 60,
    "vm_nic_count": 1,
    "no_of_admins_for_container_registry": 3,
    "no_of_service_id_admins_for_container_registry": 3,
    "no_of_managers_for_container_registry": 0,
    "no_of_service_id_managers_for_container_registry": 0,
    "access_tokens_expire": 120
  }
}
Security and Compliance Center rules
The Terraform Analyzer supports the following Security and Compliance Center rules:
rule-f8722625-1968-4d7a-93cb-4b0f8da726da - Check whether IBMid password policy requires at least one uppercase letter
rule-789cb35b-5bdf-46d3-8b59-e1377e3b211c - Check whether IBMid password policy requires at least one lowercase letter
rule-81b36ae4-0f15-41c7-adac-fa9586ff46ab - Check whether IBMid password policy requires at least one number
rule-979fd713-d39f-4efe-ba02-bf6fc07e57bb - Check whether IBMid password policy requires minimum length of 12 characters
rule-e76a3a81-b0d0-41fc-947d-13dc9cfff379 - Check whether IBMid password policy prevents password reuse below the minimum of #
rule-759d504b-9eed-4602-8b5b-7244bf3f5690 - Check whether IBMid password can contain only printable ASCII characters (in the range 33 - 126)
rule-bcbd57e1-3cdc-4b6d-820b-2c63bc777e19 - Check whether IBMid password policy contains spaces or any of the following characters: ;:("?)<>
rule-fa06f6f2-b98e-49ac-aa55-d57de9e320d3 - Check whether IBMid uses a password meter that coaches users to create strong passwords that exceed the minimum requirements
rule-548a3321-6a39-400c-9c2d-0df9a13afd02 - Check whether IAM roles are used to create IAM policies for IBM resources
rule-726ec899-505e-4de9-ac1b-9578ef62f89f - Check whether a support role has been assigned in IAM to manage cases in the IBM Cloud Support Center
rule-962e2bde-2a4f-4e07-a352-ce17708b1e85 - Check whether API keys are not created in IAM during the initial setup of IAM users
rule-61fa114a-2bb9-43fd-8068-b873b48bdf79 - Check whether IAM users are attached to at least one access group
rule-4d86c074-097e-4ff3-a763-ccff128388e2 - Check whether multifactor authentication (MFA) is enabled at the account level
rule-0704e840-e443-4781-b9be-ec57469d09c1 - Check whether permissions for API key creation are limited and configured in IAM settings for the account owner
rule-d61c20c9-c0be-443b-af0c-0d900601e154 - Check whether Cloud Object Storage public access is disabled in IAM settings (not applicable to ACLs managed using S3 APIs)
rule-0244c010-fde6-4db3-95aa-8952bd292ac3 - Check whether permissions for service ID creation are limited and configured in IAM settings for the account owner
rule-ed64fa73-81e5-4920-8519-acfad845dd6c - Check whether Identity and Access Management (IAM) is enabled with audit logging
rule-b2232217-34a6-4fe8-a791-5903f1cc89ca - Check whether Cloud Shell is disabled in account settings
rule-10de7433-19e4-40a7-aebf-eddf1f75a68c - Check whether Cloud Object Storage is enabled with encryption
rule-7c86bb59-d677-422d-875c-0259053fad20 - Check whether Cloud Object Storage is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-222d6531-1fc7-4485-8771-35eb46c78877 - Check whether Cloud Object Storage is accessible only through HTTPS
rule-7c52a1ce-26cd-4cde-baa7-3bfb3703cf74 - Check whether Cloudant is accessible only through HTTPS
rule-f6197ee2-31bf-4d73-aacd-316c41a48df3 - Check whether Cloud Object Storage is accessible only by using private endpoints
rule-8cbd597c-7471-42bd-9c88-36b2696456e9 - Check whether Cloud Object Storage network access is restricted to a specific IP range
rule-c97259ee-336d-4c5f-b436-1868107a9558 - Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-ef1db4bb-2490-48a9-883c-a20fea3db0e5 - Check whether Databases for MongoDB is enabled with encryption
rule-7f7ca588-9412-40a9-9bd8-0e5d19141e98 - Check whether Databases for MongoDB is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-77b99b6f-51dc-4290-b20c-7003941c7a46 - Check whether Databases for MongoDB is accessible only through HTTPS
rule-7b210b18-f849-4fa8-bd92-8e47921de51d - Check whether Databases for MongoDB is accessible only by using private endpoints
rule-c58bb2b9-7942-45ab-b9d4-e39c8430f570 - Check whether Databases for Redis is enabled with encryption
rule-e3cad136-17a8-4227-b8af-0be609da1da0 - Check whether Databases for Redis is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-90e3908d-27c3-4050-bb12-413dfc606f5c - Check whether Databases for Redis is accessible only through HTTPS
rule-c48dfb73-ede0-4ebf-b912-214379cd4ce7 - Check whether Databases for Redis is accessible only by using private endpoints
rule-ac09e136-8581-416a-a865-e9fc35a758be - Check whether Databases for Elasticsearch is enabled with encryption
rule-871594ca-0a70-492b-8a42-6f9474445f01 - Check whether Databases for Elasticsearch is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-47ca5017-27e9-4b8b-95d3-c2529271fbb1 - Check whether Databases for Elasticsearch is accessible only through HTTPS
rule-026e6d36-6a15-4623-846d-cab6f3b789d9 - Check whether Databases for Elasticsearch is accessible only by using private endpoints
rule-d634caeb-e5a6-467a-a4ac-8da8fd39f9ef - Check whether Databases for etcd is enabled with encryption
rule-42612696-2b8e-4fa7-8c17-78f191d2e1a0 - Check whether Databases for etcd is accessible only through HTTPS
rule-458decc2-a081-4c49-8f31-eeaf4833d8c8 - Check whether Databases for etcd is accessible only by using private endpoints
rule-4d7e56d6-f657-418c-9e49-6d248b2cf5a6 - Check whether Databases for PostgreSQL is enabled with encryption
rule-041ff30b-7167-4411-985d-5ad32ab6f850 - Check whether Databases for PostgreSQL is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-872db4fc-2f7c-4ba0-ace7-dc468f6813c7 - Check whether Databases for PostgreSQL is accessible only through HTTPS
rule-094495cf-c092-4dcb-96b8-3654c4bcf787 - Check whether Databases for PostgreSQL is accessible only by using private endpoints
rule-beb7b289-706b-4dc0-b01d-b1d15d4331e3 - Check whether Databases for MongoDB network access is restricted to a specific IP range
rule-04d856f1-68ce-4cba-b800-ba49f3c4f1a1 - Check whether Databases for Redis network access is restricted to a specific IP range
rule-b5c06228-3f38-4d98-837f-2fe10d6ff9d5 - Check whether Databases for Elasticsearch network access is restricted to a specific IP range
rule-18540c4e-b96d-4ab9-a619-d541cc5a2824 - Check whether Databases for etcd network access is restricted to a specific IP range
rule-9b2d8054-bc93-44fd-901b-91f677287e84 - Check whether Databases for PostgreSQL network access is restricted to a specific IP range
rule-f6b7a692-8e48-4e74-b957-f5d591a7a15d - Check whether Key Protect has high availability
rule-d0725d07-27e6-4079-a3bc-746d5ccae00f - Check whether Hyper Protect Crypto Services instance is enabled with a dual authorization deletion policy
rule-da567ec9-8e24-4c65-993b-ad290bfdb855 - Check whether Cloud Object Storage buckets are enabled with IBM Activity Tracker
rule-0fb54bb2-773b-4cec-81b0-1ca7d8049ba0 - Check whether Cloud Object Storage buckets are enabled with IBM Cloud Monitoring
rule-5910ed25-7ad7-42d0-8e42-905df0123346 - Check whether IBM Activity Tracker is provisioned in multiple regions in an account
rule-d592e06a-8756-4efc-a401-1ec215168f48 - Check whether IBM Activity Tracker trails are integrated with LogDNA logs
rule-c98fab05-5119-451a-b100-35df840d2326 - Check whether IBM Activity Tracker logs are encrypted at rest
rule-1cdad315-c39e-4d7e-99ef-8af88ba410c1 - Check whether Cloud Internet Services (CIS) has web application firewall enabled
rule-564ed93b-1927-4562-8a90-fbae173cdee1 - Check whether Cloud Internet Services (CIS) has DDoS protection enabled
rule-7c5f6385-67e4-4edf-bec8-c722558b2dec - Check whether Virtual Private Cloud (VPC) security groups have no inbound rules that specify source IP 0.0.0.0/0 to SSH port
rule-9653d2c7-6290-4128-a5a3-65487ba40370 - Check whether Virtual Private Cloud (VPC) security groups have no inbound rules that specify source IP 0.0.0.0/0 to RDP port
rule-96527f89-1867-4581-b923-1400e04661e0 - Check whether Virtual Private Cloud (VPC) has no rules in the default security group
rule-4f477e09-c9aa-4bfb-a6b1-eaeaca15c06a - Check whether Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)
rule-9407e5a8-ec51-4228-a01a-0f32364224a6 - Check whether Virtual Private Cloud (VPC) security groups have no outbound ports open to the internet (0.0.0.0/0)
rule-65f42d91-d537-4532-a2c8-c5cd377500a7 - Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
rule-9e16b8a4-1255-474e-a8a3-afed67de2627 - Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
rule-9ecf7e84-aa51-42ad-875e-58e9522a5e65 - Check whether VPN for VPC has Internet Key Exchange (IKE) policy encryption that is not set to "triple_des"
rule-b4c58eff-4d19-4d33-840e-56b2ac76585a - Check whether VPN for VPC has Internet Key Exchange (IKE) policy authentication that is set to minimum "sha256"
rule-a8a69cd6-a902-4144-b652-8be68600a029 - Check whether VPN for VPC has a Diffie-Hellman group set to at least group #
rule-f98453ba-ebb9-4d96-aa13-09ef808fb4ba - Check whether VPN for VPC has IPsec policy encryption that is not set to "triple_des"
rule-09298b01-e2c5-43f1-a1b4-0b413fe4f998 - Check whether VPN for VPC has IPsec policy authentication that is set to minimum "sha256"
rule-115eb377-e256-459d-9e17-a868e128bd0c - Check whether VPN for VPC has an IPsec policy that does not have Perfect Forward Secrecy (PFS) disabled
rule-d8d13c3e-5ca0-46c5-a055-2475852c4ec6 - Check whether VPN for VPC authentication is configured with a strong pre-shared key with at least # characters
rule-53895d42-9190-47d8-9a70-0c1ebea5f7c7 - Check whether VPN for VPC has a Dead Peer Detection policy that is set to "restart"
rule-200dc6e7-96f1-49a9-9999-7e4645dc7ea6 - Check whether Application Load Balancer for VPC has public access disabled
rule-0e5151b1-9caf-433c-b4e5-be3d505e458e - Check whether Application Load Balancer for VPC is configured with multiple members in the pool
rule-bfc9d304-a086-43c0-b3ba-d0f101f616df - Check whether Application Load Balancer for VPC listener is configured with default pool
rule-8c923215-afdc-41b1-886c-64ce78741f8c - Check whether Application Load Balancer for VPC has health check configured when created
rule-d491a44c-e7bc-46bc-af07-231da0bb6501 - Check whether Application Load Balancer for VPC has a health check protocol that is either HTTP or HTTPS
rule-cb1180b7-2f8c-40ba-b2dd-207bee6bc17f - Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
rule-65b61a0f-ffdb-41ba-873d-ad329e7fc0ee - Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
rule-d544f217-3723-4376-b3aa-037c5f201e8d - Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP
rule-773385ab-4654-4088-883d-fe9d58bc4ecb - Check whether Block Storage for VPC is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-8ffe83cb-0ba1-47d6-a1e0-53e9932a5691 - Check whether Block Storage for VPC is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-f87929f7-0787-4749-a1ce-35c1f2320401 - Check whether data disks are encrypted with customer-managed keys
rule-390aa9af-c497-4ebc-9958-d572a5b7be3d - Check whether unattached disks are encrypted with customer-managed keys
rule-0f7e7e60-a05c-43a7-be74-70615f14a342 - Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
rule-c4d50b06-9331-4f5c-a3f8-9fe8060efc9b - Check whether Security Groups for VPC doesn't allow PING for the default security group
rule-936158a6-40ff-48ca-91a1-f184aa9b0dff - Check whether Virtual Private Cloud (VPC) classic access is disabled
rule-64c0bea0-8760-4a6b-a56c-ee375a48961e - Check whether Virtual Private Cloud (VPC) has no public gateways attached
rule-64e628f7-4f3a-4c0e-85a4-40300bafe856 - Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port
rule-f9137be8-2490-4afb-8cd5-a201cb167eb2 - Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to SSH port
rule-f1e80ee7-88d5-4bf2-b42f-c863bb24601c - Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to RDP port
rule-faacfd1f-454f-4e60-95d7-8fe01158840d - Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port
rule-c0314fad-f377-465e-9f16-fa5aa3d5ebbe - Check whether Virtual Servers for VPC instance has the minimum # interfaces
rule-17b54156-373a-48f9-b340-a7e47acd87b6 - Check whether Virtual Servers for VPC instance doesn't have a floating IP
rule-1af31459-ec38-4a58-91b0-956a17a38954 - Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-4aead0cd-fe26-44f1-b552-8ffdbb86422a - Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-a99b5f58-98ef-4208-9a23-e4fa25115d79 - Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-df7323fd-0b20-493c-89fe-c0b287817c99 - Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-6970e312-329d-44dc-b683-5ab14acd6a42 - Check whether Virtual Servers for VPC is provisioned from an encrypted image
rule-24e259fb-608e-486f-bb9d-99b78ae0383c - Check whether Virtual Servers for VPC instances are identifiable by the workload they are running based on the Auto Scale for VPC instance group definition
rule-250a7311-0cfd-4b43-8987-e5629f8d99ae - Check whether Application Load Balancer for VPC has application port of the workload that is identifiable by the Auto Scale for VPC instance group definition
rule-c2dd768e-9a49-4d6d-8ac5-8fcfb233a7b0 - Check whether Virtual Private Cloud (VPC) has no subnet with public gateway attached
rule-24508beb-c00a-4c6b-bd04-d38dd8cb7d71 - Check whether App ID user data is encrypted
rule-65196a37-ddcc-422d-8096-09955c4b4e5d - Check whether Event Streams is accessible through public endpoints
rule-3b2768e5-d783-4b0c-a47f-81479af34689 - Check whether Event Streams is accessible only by using private endpoints
rule-c471b983-9dc5-4659-8fb1-4d20c9d516cc - Check whether App ID redirect URIs are using HTTPS only
rule-f4d30138-01c1-409d-a469-fa99a23f2fbd - Check whether App ID redirect URIs are not using localhost or 127.0.0.1
rule-6e0c618d-523d-4352-a1d1-12bb9905b914 - Check whether App ID redirect URIs are not using wildcards (*)
rule-1d2287c7-954e-4425-897b-351c30be723c - Check whether App ID Cloud Directory users aren't able to update their own accounts
rule-9786160b-ee91-45ab-b84b-9806541e0fc6 - Check whether App ID Cloud Directory users aren't able to self-sign up to applications
rule-d9247d0e-dce5-4854-849a-4a9033c8fe8d - Check whether App ID anonymous authentication is disabled
rule-9246d682-f7c5-4aac-8751-3947e4f27b0b - Check whether App ID password strength regex is configured
rule-168f8081-dbd6-4cbc-bf19-f9934b39d59c - Check whether App ID advanced password policies are enabled
rule-dd1600d2-2e69-4ada-bca5-9e70b76ccd21 - Check whether App ID avoid password reuse policy is enabled
rule-5b662adf-fcac-4081-a10d-1aa7109aba4e - Check whether App ID password expiration policy is enabled
rule-59cb7d09-feab-48fc-b18b-ee581ca1761e - Check whether App ID prevent username in password policy is enabled
rule-0b082506-2481-4212-a150-d198357fcc3a - Check whether App ID multifactor authentication (MFA) is enabled for Cloud Directory users
rule-91734f9f-b8ff-4bfd-afb3-db4f789ac38f - Check whether App ID access tokens are configured to expire within # minutes
rule-ded212fe-7def-44ce-9480-0487067b64c4 - Check whether Kubernetes Service clusters are accessible only by using private endpoints
rule-2325054a-c338-474a-9740-0b7034487e40 - Check whether OpenShift clusters are accessible only by using private endpoints
rule-de84afba-b83a-41d6-8c80-d0b6acafe039 - Check whether OpenShift version is up-to-date
NetworkPolicy analysis
This is a beta feature that is available for evaluation and testing purposes.
The netpol-analyze command runs configuration checks on Kubernetes and Calico NetworkPolicy manifests.
ibmcloud cra netpol-analyze
This command checks the connectivity-configuration posture of a Kubernetes application against the NIST SP 800-53 SC-7(5) control. It verifies that the connectivity of every workload is controlled by at least one NetworkPolicy resource, and that nonsecure ports are blocked for both ingress and egress.
The netpol-analyze command can also provide a connectivity report for the scanned application, showing all of the allowed connections between the application workloads. You can use this report as evidence for compliance, or to help debug connectivity issues. You can also use this command to provide lint results for the scanned network policies and then use these results to improve network-policy efficiency and readability. In some cases, lint results might also point to an error in the network policy definitions.
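To make the first of those checks concrete, the following script is an added example; it is not the netpol-analyze command or IBM's Network Config Analyzer. It reproduces the coverage check described above (every workload is selected by at least one NetworkPolicy for ingress and for egress) using the Kubernetes label-selector and policyTypes semantics, including the default that a policy without policyTypes controls only ingress unless it has an egress section. The manifests are constructed for the example and are held as Python dicts, the shape you get after loading the YAML files.

```python
"""Workload coverage check over Kubernetes NetworkPolicy manifests.

Added example; it is not the netpol-analyze command or the Network Config Analyzer.
It reproduces the first check described above (every workload is selected by at
least one NetworkPolicy for ingress and for egress) using Kubernetes label-selector
semantics. The manifests below are constructed for the example.
"""

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet")


def selector_matches(selector, labels):
    """matchLabels / matchExpressions subset; an empty selector matches every pod."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op, values = expr["key"], expr["operator"], expr.get("values", [])
        present = key in labels
        if op == "In" and labels.get(key) not in values:
            return False
        if op == "NotIn" and labels.get(key) in values:
            return False
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def policy_types(policy):
    """Directions a policy controls. Without policyTypes, Kubernetes assumes Ingress
    and adds Egress only when an egress section is present."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def coverage(docs):
    """Map 'namespace/name' of each workload to the directions some policy controls."""
    policies = [d for d in docs if d["kind"] == "NetworkPolicy"]
    result = {}
    for w in (d for d in docs if d["kind"] in WORKLOAD_KINDS):
        ns = w["metadata"].get("namespace", "default")
        labels = w["spec"]["template"]["metadata"].get("labels", {})
        covered = set()
        for p in policies:
            # NetworkPolicy is namespaced: only policies in the pod's namespace apply.
            if p["metadata"].get("namespace", "default") != ns:
                continue
            if selector_matches(p["spec"].get("podSelector", {}), labels):
                covered |= policy_types(p)
        result[f"{ns}/{w['metadata']['name']}"] = covered
    return result


def uncovered(docs):
    """Workloads that lack an ingress or an egress policy: the SC-7(5) finding."""
    return sorted(name for name, dirs in coverage(docs).items()
                  if not {"Ingress", "Egress"} <= dirs)


def workload(ns, name, app):
    return {"kind": "Deployment", "metadata": {"namespace": ns, "name": name},
            "spec": {"template": {"metadata": {"labels": {"app": app}}}}}


def policy(ns, name, spec):
    return {"kind": "NetworkPolicy", "metadata": {"namespace": ns, "name": name},
            "spec": spec}


# Constructed sample application: three workloads, two policies, one namespace unguarded.
SAMPLE_DOCS = [
    workload("shop", "web", "web"),
    workload("shop", "db", "db"),
    workload("jobs", "batch", "batch"),
    # web: both directions explicitly listed.
    policy("shop", "web-policy", {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"ports": [{"port": 443, "protocol": "TCP"}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "db"}}}],
                    "ports": [{"port": 5432, "protocol": "TCP"}]}],
    }),
    # db: no policyTypes and no egress section, so only ingress is controlled.
    policy("shop", "db-ingress", {
        "podSelector": {"matchLabels": {"app": "db"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
                     "ports": [{"port": 5432, "protocol": "TCP"}]}],
    }),
]

if __name__ == "__main__":
    for name, dirs in coverage(SAMPLE_DOCS).items():
        print(f"{name}: {sorted(dirs) or 'no policy'}")
    print("uncovered:", uncovered(SAMPLE_DOCS))
```

The two findings the sample produces are the usual ones in practice: a namespace with no policy at all (jobs/batch), and a policy that its author believed to be a full lockdown but that, lacking policyTypes and an egress section, leaves egress unrestricted (shop/db).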
NetworkPolicy analysis command options
The following table lists the command options that you can use for the netpol-analyze command.
Command options | Required or optional | Description |
---|---|---|
--path | Required | The project directory path to scan. |
-r, --report | Required | The file name in which to create the compliance report. |
-c, --connectivity | Optional | The file name in which to create the connectivity report. |
-l, --lint | Optional | The file name in which to create the lint report. |
-s, --strict | Optional | Results in command failure (exit status 2) when connectivity risks are found. |
Example
The following sample code snippets show how you can use the netpol-analyze command:
ibmcloud cra netpol-analyze --path PATH --report REPORT [--connectivity CONNFILE] [--lint LINTFILE] [--strict]
ibmcloud cra np --path ./sampleDir --report netpol-report.json --strict
Network config analyzer image
The netpol-analyze command runs as part of IBM's Network Config Analyzer (NCA). Because this command runs NCA as a Docker image, you must install Docker on your computer.
The image URL for the network policy analyzer is icr.io/continuous-delivery/cra/nca.
If the analyzer image is not already in your local registry, the netpol-analyze command pulls the latest analyzer image (including fixes for any vulnerabilities) from the global IBM Cloud® Container Registry.
Using Code Risk Analyzer in Tekton pipelines
You can use the task-cra task in Tekton pipelines. Use the Tekton pipeline definition when you create a pull request, trigger the pipeline manually, or push a commit. You can also create your own Tekton tasks and run the Code Risk Analyzer from those tasks.
Using Code Risk Analyzer in DevSecOps
You can use Code Risk Analyzer in DevSecOps. The following table lists and describes the supported Code Risk Analyzer parameters for DevSecOps.
For more information about the dependent utility commands that are required by the pipeline image to run the bom-generate command, see BOM requirements. If commands are missing, you can use the cra-custom-script-path parameter to reference a script that installs those commands.
Name | Type | Description | Required or optional |
---|---|---|---|
artifactory-dockerconfigjson | SECRET | The base64-encoded Docker config.json file that stores credential information for Artifactory. | Optional |
baseimage-auth-user | text | The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. | Optional |
baseimage-auth-email | text | The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. | Optional |
baseimage-auth-host | text | The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. | Optional |
baseimage-auth-password | SECRET | The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. | Optional |
cra-cveignore-path | text | The path to the cveignore file that is relative to the root of the application repo. The default file path is .cra/.cveignore. | Optional |
cra-custom-script-path | text | The path to a custom script that runs before Code Risk Analyzer scanning. This script is sourced to provide the option to set ENV variables in the context of the Code Risk Analyzer BOM tool. | Optional |
cra-docker-buildflags | text | The custom Docker build command for build stage scanning. This parameter is empty by default. | Optional |
cra-docker-build-context | text | If specified, Code Risk Analyzer uses the directory in the path parameter as the Docker build context. | Optional |
cra-exclude-devdependencies | text | Specifies whether to exclude dev dependencies from scanning (true or false). The default value is false. | Optional |
cra-gradle-exclude-configs | text | Specifies which Gradle configurations to exclude dependencies from in scanning. For example, runtimeClasspath,testCompileClasspath. This parameter is empty by default. | Optional |
cra-maven-exclude-scopes | text | Specifies which Maven scopes to exclude dependencies from in scanning. For example, test,compile. This parameter is empty by default. | Optional |
cra-nodejs-create-package-lock | text | Enables Code Risk Analyzer discovery to build the package-lock.json file for node.js repos. This parameter is set to false by default. | Optional |
ibmcloud-api-key | SECRET | The IBM Cloud® API key that interacts with the ibmcloud CLI tool. | Required |
pipeline-dockerconfigjson | SECRET | The base64-encoded Docker config.json file that pulls images from a private registry. | Optional |
onepipeline-dockerconfigjson | SECRET | Deprecated. The base64-encoded Docker config.json file that pulls images from a private registry. | Optional |
pipeline-debug | select | The pipeline debug mode switch. | Optional |
opt-in-cra-auto-remediation | text | Enables Code Risk Analyzer to run the cra auto remediation command (true or false). The default value is false. This command is supported only in the Continuous Compliance Pipeline. | Optional |
opt-in-cra-auto-remediation-enabled-repos | text | Specifies the list of comma-separated repository names to enable for the cra auto remediation command. This parameter is considered only if opt-in-cra-auto-remediation is set to true and is supported only in the Continuous Compliance Pipeline. | Optional |
opt-in-cra-auto-remediation-force | text | Forces the cra auto remediation command to update the packages even if the major version is different from the current vulnerable package version (true or false). This parameter is considered only if opt-in-cra-auto-remediation is set to true and is supported only in the Continuous Compliance Pipeline. | Optional |
Example custom scripts for DevSecOps
If your Dockerfile requires ARGS, you can use the cra-custom-script-path parameter to set an individual ARG as an environment variable before you run the command. The custom script path is the path to a script that resides in the user's project. For example, if the Dockerfile uses an IAM_USER ARG, export an environment variable inside the script that is named IAM_USER: export IAM_USER='value'. If the ARG that is required by your Dockerfile is set as an environment property within toolchains, you can use get_env to get the value. In this instance, export the environment variable within the script as export IAM_USER=$(get_env iam_user_environment_property_name). The run-cra task automatically picks up these environment variables and passes them to the Docker build commands.
The following example shows how to use the cra-custom-script to export the ENV variable:
#!/usr/bin/env bash
if [[ "${PIPELINE_DEBUG:-0}" == 1 ]]; then
trap env EXIT
env | sort
set -x
fi
export IAM_USER=$(get_env iam_user_environment_property_name)
You can also use the cra-custom-script-path parameter for scenarios in which the DevSecOps base image tool versions might be outdated for your project. For example, you can update commands such as pip/pip3 for discovering Python packages that require a later pip version.
The following example shows how to use the cra-custom-script to update the pip version:
#!/usr/bin/env bash
if [[ "${PIPELINE_DEBUG:-0}" == 1 ]]; then
trap env EXIT
env | sort
set -x
fi
python3 -m pip install --upgrade pip
If your Dockerfile uses an image from a private Docker registry, you can use the cra-custom-script-path parameter to authenticate to the private Docker registry before you run Code Risk Analyzer, so that Code Risk Analyzer can pull this image for scanning.
The following example shows how to use the cra-custom-script to authenticate to the ibmcloud container registry:
#!/usr/bin/env bash
if [[ "${PIPELINE_DEBUG:-0}" == 1 ]]; then
trap env EXIT
env | sort
set -x
fi
ibmcloud cr login
Debugging the Code Risk Analyzer in DevSecOps
To help with debugging, you can run the Code Risk Analyzer locally as a command-line interface (CLI) on your own local machine. For information about running the ibmcloud cra bom-generate command to generate a BOM, see Bill of materials (BOM).
After you generate the BOM, use the ibmcloud cra cve command to list any vulnerabilities. For more information about running the ibmcloud cra cve command, see Vulnerability scan.
Make sure that the run-cra task does not contain any errors. If the task contains errors, check whether your pipeline uses the current version of DevSecOps. If checking the DevSecOps version does not resolve the issue, the following examples describe some common errors and proposed solutions.
FAILED
Error executing docker pull cmd: [docker pull us.icr.io/opentoolchain/ibmnode:14ubisecure]
Verify that you have access to the private registry. If you do not have access, you can use the cra-custom-script-path parameter and specify the path to a custom script that runs before Code Risk Analyzer to authenticate to the private registry.
FAILED
Error executing docker build cmd for stage-0: exit status 1
If your Dockerfile requires ARGS, the docker build command for the build stages fails because of the missing ARGS. The cra-custom-script-path parameter is required to set up the ARGS as environment variables. For more information about setting up the custom script, see Example custom scripts for DevSecOps.
FAILED
Error executing docker build cmd for stage-0: exit status 1
...
COPY file-to-copy.js file-to-copy.js:
------
failed to compute cache key: "/file-to-copy.js" not found: not found
By default, the Code Risk Analyzer bom-generate command builds the Dockerfiles from the context of the location of the Dockerfile itself. If you want to build the Dockerfiles from the context of the root project directory, use the cra-docker-build-context parameter to allow the Code Risk Analyzer to build the Dockerfiles from this context.
Removing stored Code Risk Analyzer data
The Code Risk Analyzer plug-in does not store any client data in its databases. However, earlier versions of Code Risk Analyzer Tekton tasks securely stored the results of vulnerability scans in its database.
To request the removal of any client data that might be stored in the Code Risk Analyzer, contact IBM Support.
FAQs
Get answers to frequently asked questions about using the Code Risk Analyzer CLI.
How can I determine why the CLI failed?
Before you call the Code Risk Analyzer CLI, set the IBMCLOUD_TRACE environment variable to true to turn on the debug log.
export IBMCLOUD_TRACE=true
Observe the API calls and the responses that are shown in the log to determine the exact reason for failure.
How can I debug a BOM command that fails to pull a base image from a private registry?
Make sure that you are authenticated with the registry where the base image resides by using the ibmcloud cr login command or the docker login command.
How can I debug a BOM command that is failing to analyze a Dockerfile?
- Verify that the Dockerfile does not have any issues by running the docker build command and making sure that it passes.
- If your Dockerfile requires an ARG to be passed, make sure that the ARG is set as an environment variable. You can also use the DOCKERBUILDFLAG environment variable.
- Authenticate with the registry that contains the base images.
I am seeing unexpected false positive results. What should I do?
Run the DevSecOps Continuous Deployment (CD) pipeline to generate an updated SBOM in the evidence locker. This might address a potential cause of false positives that results from the presence of an older SBOM that was generated by the DevSecOps Continuous Compliance (CC) pipeline.
Why is the severity of the report or issue different from the one of the associated vulnerability link?
Since our source of vulnerability information has changed recently, you might see that the severity associated with a particular vulnerability has changed. Code Risk Analyzer will determine the optimal severity based on a computation of all the sources of vulnerabilities.