IBM Cloud Docs
Code Risk Analyzer plug-in for IBM Cloud

The IBM Cloud® command-line interface (CLI) provides code risk analysis commands. You can use the IBM Cloud CLI to analyze your code for vulnerabilities and compliance with certain rules. Code Risk Analyzer is available in all IBM Cloud regions in which toolchains are supported.

You can use the CLI to complete the following tasks:

  • Generate a bill of materials (BOM) that lists the dependencies and available license information of all third-party OS packages and application packages. You can also generate this output in CycloneDX-specific format.
  • Discover vulnerabilities in packages that are listed in the BOM. You can also view the generated report in CycloneDX-specific format, or use vulnerability auto-remediation for Node.js, Maven, or Gradle applications.
  • Analyze a Terraform plan for compliance with certain rules.
  • Analyze Kubernetes files for compliance with certain rules.

Beginning in January 2024, Code Risk Analyzer consumes vulnerability data that is provided by the Clair open source project instead of data from the commercial company Snyk Limited. No specific action is required on your part as a result of this change. However, you might observe some differences in the particulars of the CVEs reported by Code Risk Analyzer.

Supported content

Code Risk Analyzer supports the Java™, Node.js, Python, and Go languages. The following table lists and describes the content that Code Risk Analyzer supports.

Table 1. Supported content
Content | Description
Java | The repo must use Maven or Gradle. For Maven, dependencies are computed from the pom.xml file. For Gradle, dependencies are computed from the build.gradle file. Code Risk Analyzer can also perform auto-remediation for both Maven and Gradle.
Node.js | Dependencies are computed from the package-lock.json file. Code Risk Analyzer can also perform auto-remediation for Node.js. Make sure that the installed version of npm matches the project's npm version.
Python | Dependencies are computed from the requirements.txt file.
Golang | Supports go mod and go dep dependency management. For go mod, the go.sum file must be in the repo. For go dep, the Gopkg.lock file must be in the repo.
Dockerfiles | Files that match the Dockerfile pattern in the repo are considered. For container images, the Debian, Red Hat Enterprise Linux®, Alpine, and Ubuntu Linux distros are supported.
Kubernetes | Files with the .yaml or .yml suffix are considered. The kind value must be Pod, ReplicaSet, ReplicationController, Deployment, DaemonSet, StatefulSet, Job, CronJob, NetworkPolicy, or Ingress.
Calico | Files with the .yaml or .yml suffix are considered. The kind value must be NetworkPolicy, GlobalNetworkPolicy, Profile, NetworkSet, GlobalNetworkSet, or HostEndpoint.
Terraform | The Terraform plan file must be generated with IBM Cloud as the Terraform provider.

Code Risk Analyzer examines source code and image dependencies in your repositories for vulnerabilities. The following table shows the sources of vulnerability information that Code Risk Analyzer consults for different kinds of dependencies.

Table 2. Supported dependencies that Code Risk Analyzer checks for vulnerabilities
Dependency | Supported versions | Source of security notices
Alpine image | All stable versions with vendor security support. | Alpine SecDB database.
Debian image | All stable versions with vendor security support. | Debian Security Bug Tracker.
GoogleContainerTools distroless image | All stable versions with vendor security support. | GoogleContainerTools distroless.
Red Hat® Enterprise Linux® (RHEL) image | RHEL 6, RHEL/UBI 7, RHEL/UBI 8, and RHEL/UBI 9. | Red Hat Security Data API.
Ubuntu image | All stable versions with vendor security support. | Ubuntu CVE Tracker.
Go, npm (JavaScript), Maven (Java), PyPI (Python), RubyGems (Ruby), and Packagist (PHP) packages | All stable versions with vendor security support. | Open Source Vulnerability database.

Note on Debian images: CVEs on binary packages that are associated with the Debian source package linux, such as linux-libc-dev, are not reported. Most of these binary packages are kernel and kernel modules, which are not run in container images.

Known issues with Code Risk Analyzer

Code Risk Analyzer cannot discover vulnerabilities on application packages that do not use a versioning scheme, such as major.minor.patch. For example, pre-release versions or versions that contain build metadata are not supported.

Prerequisites

  • Install the IBM Cloud CLI. See Download IBM Cloud CLI for instructions.

  • Install the Code Risk Analyzer CLI plug-in by running the following command:

ibmcloud plugin install cra

  • Make sure that you can access a toolchain in one of the supported regions. The toolchain is not required to have any tools. For more information about toolchains, see Creating a toolchain from an app.

  • Specify the toolchain ID by setting the TOOLCHAIN_ID environment variable, for example:

export TOOLCHAIN_ID=e22195a5-11e3-44ba-9533-e7c18a3a61a7

  • Log in to a specific region of IBM Cloud by running the following command, where [region] is the region where the toolchain was created:

ibmcloud login -r [region]

CLI usage commands

You receive notifications on the command line when updates to the IBM Cloud CLI and plug-ins are available. Make sure that you keep your CLI current so that you can use the latest commands. You can view the current version of all of the installed plug-ins by running the ibmcloud plugin list command.

Code Risk Analyzer help

The following command displays the list of Code Risk Analyzer commands:

ibmcloud cra --help

Code Risk Analyzer command help

The following command displays the details of flags that are used with a command. Use ibmcloud cra --help to display the available commands.

ibmcloud cra <command> --help

Bill of materials (BOM)

The bom-generate command accesses artifacts in the specified directory path and performs deep discovery to identify all of the dependencies, including transitive dependencies. The command also identifies the licenses that these dependencies are distributed under. A BOM is created that captures a snapshot of all of the dependencies. You can generate the BOM in the standard format or in CycloneDX's SBOM format.

ibmcloud cra bom-generate

BOM command requirements

The bom-generate command depends on certain external commands:

  • If the path contains Dockerfiles, this command pulls down base images and build images for every build stage in each Dockerfile. In this scenario, the bom-generate command requires that the Docker cli and tar commands are available.
  • If the path contains Maven files, this command uses mvn to build a list of dependencies. In this scenario, the bom-generate command requires the mvn command to be available.
  • If the path contains Gradle files, this command uses gradle to build a list of dependencies. In this scenario, the bom-generate command requires the gradle command to be available.
  • If the path contains Node.js package.json files and this command is used to generate a corresponding package-lock.json file, the bom-generate command uses npm to build the package-lock.json file. In this scenario, the command requires the npm command to be available.
  • If the path contains a Python requirements.txt file, the command uses pip to generate the package dependencies. In this scenario, the bom-generate command requires the pip command to be available. Both Python version 2 and Python version 3 are supported.

If you are using Dockerfiles, make sure to log in to your container registry from where the base images are to be pulled.

If your Dockerfile requires build arguments (ARG instructions), set each ARG as an environment variable before you run the command. For example, if the Dockerfile uses an IAM_USER ARG, export an environment variable that is named IAM_USER: export IAM_USER='value'. The CLI automatically passes these environment variables to the docker build command.

You can also specify the DOCKERBUILDFLAGS variable explicitly. To export DOCKERBUILDFLAGS with Docker's --build-arg flags, type the following command:

export DOCKERBUILDFLAGS="--build-arg IAM_USER --build-arg API_KEY"

BOM command options

The following table lists the command options that you can use to generate a BOM with the bom-generate command.

Table 3. Command options for generating a BOM
Command option | Required or optional | Description
--path | Required | The project directory path to scan.
-r, --report | Required | The file name in which to store the BOM report.
-a, --asset-type | Optional | The security checks to run (apps, image, os, all). By default, this option is set to all. The apps option limits discovery to application packages. The image option limits discovery to base images that are used in Dockerfiles. The os option limits discovery to build stages in Dockerfiles only. You can specify multiple values by delimiting them with a comma, such as -a os,image,apps.
-p, --prev-report | Optional | Use the previous BOM report to speed up the command. For example, if a Dockerfile was not updated since the last report was generated, the command skips the discovery of packages from that Dockerfile. The same applies to other manifest files, such as the package-lock.json file.
-c, --dockerbuildcontext | Optional | If specified, CRA uses the directory in the path parameter as the Docker build context during build stage scanning.
-o, --output | Optional | The BOM report format: standard BOM format (standard) or CycloneDX's SBOM format (cyclonedx). The default value is standard. To store both formats, specify both values separated by a comma with no space.
-f, --dockerbuildflags | Optional | Customize the Docker build command for build stage scanning. Instead of using this command-line flag, you can specify the value in an environment variable named DOCKERBUILDFLAGS. By default, this option is set to ''. If you use this option, make sure that it is the last flag that is provided to the command.
-d, --dockerfilepattern | Optional | The pattern that identifies the Dockerfiles in the repo.
-g, --gradle.excludeconfigurations | Optional | The Gradle configurations to exclude, for example: runtimeClasspath,testCompileClasspath. By default, this option is set to ''.
-l, --gradleprops | Optional | Customize the Gradle command with properties for Gradle dependency scanning.
-m, --maven.excludescopes | Optional | The Maven scopes to exclude, for example: 'test,compile'. By default, this option is set to ''.
-n, --nodejs.createpackagelock | Optional | Enable the task that builds the package-lock.json file for Node.js projects.
--region | Optional | The IBM Cloud region where the toolchain is located.
--toolchainid | Optional | The target toolchain ID to use.
-v, --verbose | Optional | Enable verbose log messages.

Ignoring files

If the path contains the .cra/.fileignore file, files that are specified in the .fileignore file are not scanned for dependencies. The .fileignore file must follow the rules of .gitignore files. Similar to a .gitignore file, the .fileignore file can include comments, directories to ignore, files to ignore, and other patterns.

The following example .fileignore file excludes a nested functional_tests directory, bash scripts (while re-including one script), node_modules, and the Dockerfile.

# Ignore nested functional_tests directory
**/functional_tests

# Ignore bash scripts
**/*.sh

# This should allow this one file
!test/gatling_tests/loginTobx.sh

# Ignore node_modules
node_modules

# Exclude the dockerfile from scanning
Dockerfile

Example

The following code snippets show how to use the bom-generate command:

ibmcloud cra bom-generate --path PATH --report REPORT [--asset-type ASSET-TYPE] [--dockerbuildcontext] [--dockerbuildflags DOCKERBUILDFLAGS] [--dockerfilepattern DOCKERFILEPATTERN] [--gradle.excludeconfigurations GRADLE.EXCLUDECONFIGURATIONS] [--maven.excludescopes MAVEN.EXCLUDESCOPES] [--nodejs.createpackagelock] [--prev-report PREV-REPORT] [--region REGION] [--toolchainid TOOLCHAINID] [--verbose]
ibmcloud cra bom --path . --report bomreport.json

Vulnerability scan

The vulnerability-scan command expects a BOM in standard format as input and detects vulnerabilities in application packages and OS packages that are listed in the BOM. Based on rich threat intelligence harvested from multiple sources of Common Vulnerabilities and Exposures (CVEs), targeted fix recommendations are provided. Code Risk Analyzer can also perform auto-remediation on vulnerable packages for Node.js based applications only. You can also generate this report in the standard format or in CycloneDX's Vulnerability Exploitability Exchange (VEX) format.

ibmcloud cra vulnerability-scan

Vulnerability scan command options

The following table lists the options for using the vulnerability-scan command.

Table 4. Command options for performing a vulnerability scan
Command option | Required or optional | Description
-b, --bom | Required | The file path of the BOM that was generated by using the bom-generate command. This BOM must be in standard format.
-a, --autofix | Optional | Fixes specific types of app vulnerabilities. This option is available only for Node.js, Maven, and Gradle apps.
-f, --commentfile | Optional | The file in which the markdown report is created. This option is available only with --autofix.
-c, --cveignore | Optional | The file path of the CVE ignore file that contains the list of CVEs to ignore.
-e, --excludedev | Optional | Do not report CVEs for development dependencies.
--force | Optional | Forces an update for top-level Node packages, even when the major version is different. This option is available only with --autofix.
--include-nofix | Optional | Include or exclude the reporting of CVEs that have no known remediation. By default, this option is set to app. The app option includes only app package CVEs with no fixes. The os option includes only OS package CVEs with no fixes. The all option includes both app and OS package CVEs with no fixes. The none option excludes both app and OS package CVEs with no fixes.
--path | Required if --autofix is enabled | The project directory path to scan. This option is available only with --autofix.
--region | Optional | The IBM Cloud region for the toolchain.
-r, --report | Optional | The path to the generated report.
-o, --output | Optional | The CVE report format: standard CVE format (standard) or CycloneDX's VEX format (cyclonedx). The default value is standard.
-s, --strict | Optional | Results in command failure (exit status 2) when vulnerabilities are found.
--toolchainid | Optional | The ID of the target toolchain.

Ignoring vulnerabilities

If the -c or --cveignore parameter is specified, the command reads that file and does not report the CVEs that are listed in it. For each CVE, you can choose to omit it indefinitely, until a remediation is available, or until a specified expiration date.

The following example shows a JSON schema for the .cveignore file:

[
    {
        "cve": "string",
        "alwaysOmit": "bool",
        "untilRemediationAvailable": "bool",
        "expiration": "string"
    }
]

The following properties are supported for each entry in the .cveignore file:

  • cve - The vulnerability to omit. The value of this property is a CVE ID.
  • alwaysOmit - If this property is set to true, the vulnerability is omitted until it is changed. This property takes precedence over other property values.
  • untilRemediationAvailable - If this property is set to true, the vulnerability is omitted until a remediation path is available. If a remediation becomes available, the vulnerability is not omitted and a message is displayed. This property takes precedence over the expiration property value.
  • expiration - If this property is set and the expiration date has not been reached, the vulnerability is omitted. When the expiration date is reached, the vulnerability is no longer omitted and a message is displayed. Use the RFC3339 time format (yyyy-MM-ddTHH:mm:ss[+-]Z) to define this property.

The Code Risk Analyzer uses only these defined properties; any other properties that you add to an entry are ignored. If a vulnerability that is defined in the .cveignore file is not omitted, a log message is generated that explains the reason. If a vulnerability that is defined in the .cveignore file is omitted, no individual log message is displayed. The number of omissions and a list of the omitted vulnerability IDs, with the package name, are logged after a report is completed.

The following code snippet shows a sample .cveignore file:

[
    {
        "cve": "CVE-2021-27290",
        "alwaysOmit": true
    },
    {
        "cve": "CVE-2020-8244",
        "untilRemediationAvailable": true
    }
]
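The following script is an added example, not IBM's code and not the Code Risk Analyzer implementation. It applies the documented .cveignore semantics (the alwaysOmit > untilRemediationAvailable > expiration precedence, RFC3339 expiration dates, and the "listed but not omitted" explanations) to a set of scan results. The .cveignore content and the scan findings are constructed inline: the two CVE IDs from the sample above are reused, the CVE-9999-* IDs are placeholders, and the "owner" property stands in for an extra property that the analyzer ignores.

```python
import json
from datetime import datetime, timezone

# Constructed .cveignore content (the CVE-9999-* ID and the "owner" property are placeholders).
CVEIGNORE_JSON = """
[
    {"cve": "CVE-2021-27290", "alwaysOmit": true},
    {"cve": "CVE-2020-8244", "untilRemediationAvailable": true},
    {"cve": "CVE-9999-00001", "expiration": "2030-01-01T00:00:00Z", "owner": "team-a"}
]
"""

# Constructed scan results: the CVE, the affected package, and whether a fixed version exists.
FINDINGS = [
    {"cve": "CVE-2021-27290", "package": "pkg-a", "fix_available": True},
    {"cve": "CVE-2020-8244", "package": "pkg-b", "fix_available": True},
    {"cve": "CVE-9999-00001", "package": "pkg-c", "fix_available": False},
    {"cve": "CVE-9999-00002", "package": "pkg-d", "fix_available": False},
]


def parse_rfc3339(value):
    """Parse the RFC3339 form the documentation asks for (yyyy-MM-ddTHH:mm:ss followed by
    Z or a +hh:mm/-hh:mm offset) into a timezone-aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    stamp = datetime.fromisoformat(value)
    if stamp.tzinfo is None:  # an offset-less stamp is treated as UTC rather than local time
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp


def load_cveignore(text):
    """Index the entries by CVE ID; unknown properties are carried along but never consulted."""
    return {entry["cve"]: entry for entry in json.loads(text)}


def should_omit(entry, fix_available, now):
    """Apply the documented precedence: alwaysOmit, then untilRemediationAvailable,
    then expiration. Returns (omit, reason)."""
    if entry.get("alwaysOmit") is True:
        return True, "alwaysOmit is set"
    if entry.get("untilRemediationAvailable") is True:
        if fix_available:
            return False, "a remediation is now available"
        return True, "no remediation available yet"
    expiration = entry.get("expiration")
    if expiration:
        if now < parse_rfc3339(expiration):
            return True, "omitted until " + expiration
        return False, "expiration date reached"
    return False, "no omission rule is set"


def filter_findings(findings, ignore, now):
    """Split findings into those still reported and those omitted, and collect the
    per-CVE explanations that are logged when a listed CVE is *not* omitted."""
    kept, omitted, notes = [], [], []
    for finding in findings:
        entry = ignore.get(finding["cve"])
        if entry is None:
            kept.append(finding)
            continue
        omit, reason = should_omit(entry, finding["fix_available"], now)
        if omit:
            omitted.append((finding["cve"], finding["package"]))
        else:
            kept.append(finding)
            notes.append(f"{finding['cve']} is listed in .cveignore but not omitted: {reason}")
    return kept, omitted, notes


if __name__ == "__main__":
    kept, omitted, notes = filter_findings(
        FINDINGS, load_cveignore(CVEIGNORE_JSON), datetime.now(timezone.utc))
    for note in notes:
        print(note)
    print(f"{len(omitted)} omission(s): {omitted}")
    print(f"{len(kept)} vulnerability(ies) still reported")
```

The clock is passed in rather than read inside the filter so that expiration handling can be tested against a fixed date; in a pipeline you would pass the current UTC time, as the main block does.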

Example

The following code snippets show how to use the vulnerability-scan command:

ibmcloud cra vulnerability-scan --bom BOM [--cveignore CVEIGNORE] [--report REPORT] [--excludedev] [--include-nofix app,os,all,none] [--region REGION] [--strict] [--toolchainid TOOLCHAINID] [--output OUTPUTFILE]
ibmcloud cra cve --bom ./bom-file.json --cveignore ./cveignore-example.json --report ./output-vulnerability-report.json --excludedev --include-nofix all --strict

Deployment

The deployment-analyze command runs configuration checks on Kubernetes deployment manifests.

ibmcloud cra deployment-analyze

This command provides prescriptive guidance for establishing a secure configuration posture for Docker containers. The Code Risk Analyzer uses these security configurations as a point of reference and identifies security controls to check in deployment artifacts, such as .yaml files, for Kubernetes applications. This command also provides risk assessments for each control failure.

The following table lists the controls that you can implement within DevSecOps, as identified from CIS Docker 1.13.0. More controls are added based on open source references of the Kubernetes Common Configuration Scoring System (KCCSS).

Table 5. Security controls
ID | Rule | Risk
5.3 | Ensure that containers do not have the CAP_SYS_ADMIN capability. | High
5.3 | Ensure that containers do not have the CAP_NET_RAW capability. | High
5.4 | Ensure that privileged containers are not used. | High
5.5 | Ensure that sensitive host system directories are not mounted on containers. | Medium
5.7 | Ensure that privileged ports are not mapped within containers. | Low
5.9 | Ensure that the host's network namespace is not shared. | Medium
5.10 | Ensure that the memory usage for the container is limited. | Medium
5.11 | Ensure that the appropriate CPU priority is set on the container. | Medium
5.12 | Ensure that the container's root file system is mounted as read-only. | Medium
5.15 | Ensure that the host's process namespace is not shared. | Medium
5.16 | Ensure that the host's IPC namespace is not shared. | Medium
5.31 | Ensure that the Docker socket is not mounted inside any containers. | High
(no CIS ID) | Ensure that containers do not allow unsafe allocation of CPU resources. | Medium
(no CIS ID) | Ensure that containers do not allow privilege escalation. | Medium
(no CIS ID) | Ensure that containers do not expose unsafe parts of /proc. | Medium
(no CIS ID) | Ensure that containers are not exposed through a shared host port. | Medium
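To make the controls in the table concrete, the following script is an added example (not IBM's code and not how deployment-analyze is implemented) that applies most of them to a Kubernetes workload manifest. The rule IDs and risk ratings are taken from the table; how each control maps onto manifest fields, the list of sensitive host directories, and the two sample Deployments are this example's own assumptions. The manifests are written as the dicts that a YAML loader would produce, so the script needs only the standard library.

```python
SENSITIVE_HOST_DIRS = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}  # assumption
DOCKER_SOCKET = "/var/run/docker.sock"
WORKLOAD_KINDS = {"Deployment", "ReplicaSet", "ReplicationController", "DaemonSet", "StatefulSet", "Job"}

# Constructed Deployment that violates several controls (as a YAML loader would return it).
BAD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {
        "hostNetwork": True,
        "volumes": [{"name": "dock", "hostPath": {"path": DOCKER_SOCKET}}],
        "containers": [{
            "name": "app", "image": "demo-app:1.0",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_RAW"]}},
            "ports": [{"containerPort": 8080, "hostPort": 80}],
        }],
    }}},
}

# The same constructed workload, hardened so that every check below passes.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "demo"},
    "spec": {"template": {"spec": {
        "containers": [{
            "name": "app", "image": "demo-app:1.0",
            "securityContext": {"privileged": False, "readOnlyRootFilesystem": True,
                                "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
            "resources": {"limits": {"memory": "256Mi", "cpu": "500m"},
                          "requests": {"memory": "128Mi", "cpu": "250m"}},
            "ports": [{"containerPort": 8080}],
        }],
    }}},
}


def pod_spec(manifest):
    """Locate the pod spec inside a workload manifest; None for kinds that carry no pod."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec["jobTemplate"]["spec"]["template"]["spec"]
    if kind in WORKLOAD_KINDS:
        return spec["template"]["spec"]
    return None


def check_pod_spec(spec):
    """Return (rule_id, risk, message) tuples; rule_id is "" for controls without a CIS number."""
    findings = []
    for field, rule_id, msg in (("hostNetwork", "5.9", "host network namespace is shared"),
                                ("hostPID", "5.15", "host process namespace is shared"),
                                ("hostIPC", "5.16", "host IPC namespace is shared")):
        if spec.get(field):
            findings.append((rule_id, "Medium", msg))
    for vol in spec.get("volumes", []):
        path = vol.get("hostPath", {}).get("path")
        if path == DOCKER_SOCKET:
            findings.append(("5.31", "High", f"volume {vol['name']} mounts the Docker socket"))
        elif path is not None and (path if path == "/" else path.rstrip("/")) in SENSITIVE_HOST_DIRS:
            findings.append(("5.5", "Medium", f"volume {vol['name']} mounts sensitive host path {path}"))
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Kubernetes spells capabilities without the CAP_ prefix; accept both spellings.
        added = {cap.upper() for cap in sc.get("capabilities", {}).get("add", [])}
        added = {cap[4:] if cap.startswith("CAP_") else cap for cap in added}
        for cap in ("SYS_ADMIN", "NET_RAW"):
            if cap in added:
                findings.append(("5.3", "High", f"container {name} adds CAP_{cap}"))
        if sc.get("privileged"):
            findings.append(("5.4", "High", f"container {name} runs privileged"))
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(("5.12", "Medium", f"container {name} has a writable root filesystem"))
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(("", "Medium", f"container {name} allows privilege escalation"))
        resources = c.get("resources", {})
        if "memory" not in resources.get("limits", {}):
            findings.append(("5.10", "Medium", f"container {name} has no memory limit"))
        if "cpu" not in resources.get("limits", {}):
            findings.append(("", "Medium", f"container {name} has no CPU limit"))
        if "cpu" not in resources.get("requests", {}):
            findings.append(("5.11", "Medium", f"container {name} sets no CPU request"))
        for port in c.get("ports", []):
            if "hostPort" in port:
                findings.append(("", "Medium", f"container {name} is exposed on host port {port['hostPort']}"))
                if port["hostPort"] < 1024:
                    findings.append(("5.7", "Low", f"container {name} maps privileged host port {port['hostPort']}"))
    return findings


def analyze(manifest):
    """Run the checks against one manifest; manifests without a pod spec yield no findings."""
    spec = pod_spec(manifest)
    return [] if spec is None else check_pod_spec(spec)


if __name__ == "__main__":
    for rule_id, risk, msg in analyze(BAD_DEPLOYMENT):
        print(f"[{risk:6}] {rule_id or '-':5} {msg}")
    print("hardened manifest findings:", analyze(GOOD_DEPLOYMENT))
```

Note that the read-only root filesystem and privilege-escalation checks treat an absent field as a failure, because Kubernetes defaults both to the permissive setting; a checker that only flags explicit `true` values would miss most real manifests.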

Deployment command options

The following table lists the command options that you can use for the deployment-analyze command.

Table 6. Command options for deployment analysis
Command option | Required or optional | Description
--path | Required | The project directory path to scan.
-r, --report | Required | The file name in which to create the report.
-f, --fileignore | Optional | The file path of the .fileignore file.
-s, --strict | Optional | Results in command failure (exit status 2) when deployment risks are found.

Example

The following code snippets show how to use the deployment-analyze command:

ibmcloud cra deployment-analyze --path PATH --report REPORT [--fileignore FILE_IGNORE] [--strict]
ibmcloud cra depl --path ./sampleDir --report deployment-report.json --strict

Terraform Analyzer

You can use the terraform-validate command to analyze a Terraform plan for compliance before applying the plan to an environment. This command analyzes the specified Terraform plan file for compliance with rules that are specified in IBM Cloud® Security and Compliance Center. This command generates a compliance report.

You can specify a policy file that lists the rules and parameters to use for validation. If no policy file is specified, this command analyzes the plan for the default set of rules.

ibmcloud cra terraform-validate

Terraform command options

The following table lists the options that you can use for the terraform-validate command.

Table 7. Command options for performing Terraform analysis
Command option | Required or optional | Description
-r, --report | Required | The path to the generated report.
-t, --tf-plan | Required | The path to the input Terraform plan file.
-p, --policy-file | Optional | The file path of the policy profile. This flag accepts either a Security and Compliance Center V2 profile or a custom JSON file with a set of Security and Compliance Center rules.
-q, --quiet | Optional | Displays only summarized information.
-s, --strict | Optional | Results in command failure (exit status 2) if policies fail.
-v, --verbose | Optional | Displays the list of passing Security and Compliance Center rules after the list of failed rules.
-a, --attachment-file | Optional | A file that contains JSON for Security and Compliance Center V2 attachments. To use this flag, a Security and Compliance Center V2 profile must be specified with the -p flag.

Example

The following code snippets show how to use the terraform-validate command:

ibmcloud cra terraform-validate --tf-plan TFPLANFILE --report REPORT [--policy-file POLICYFILE] [--quiet] [--region REGION] [--strict] [--toolchainid TOOLCHAINID] [--verbose] [--attachment-file ATTACHMENT_FILE]
ibmcloud cra tf -r report-user-profile.json -t ./tfplan.json  -p ./user-profile.json --verbose
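The following script is an added example, not IBM's code and not the rule set that terraform-validate applies; it shows the shape of a plan-file compliance check by walking the planned_values module tree of a plan JSON (the same structure as the example plan file in the next section) and evaluating a few constructed checks on ibm_cos_bucket resources. The checks are written against attributes that appear in that example plan (key_protect, activity_tracking, metrics_monitoring, allowed_ip, endpoint_type); the plan fragment, resource addresses, CRNs and the checks themselves are this example's own placeholders and assumptions, and the exit status mirrors the documented --strict behaviour.

```python
import json

# Constructed plan fragment in the shape of a Terraform plan JSON file. Addresses,
# CRNs and values are placeholders, not real resources.
PLAN_JSON = """
{
  "format_version": "0.2",
  "planned_values": {"root_module": {"child_modules": [
    {"address": "module.instance_config", "resources": [
      {"address": "module.instance_config.ibm_cos_bucket.unconfigured[0]",
       "type": "ibm_cos_bucket",
       "values": {"activity_tracking": [], "allowed_ip": null, "key_protect": null,
                  "metrics_monitoring": [], "endpoint_type": "public",
                  "region_location": "us-south"}},
      {"address": "module.instance_config.ibm_cos_bucket.hardened",
       "type": "ibm_cos_bucket",
       "values": {"activity_tracking": [{"activity_tracker_crn": "crn:PLACEHOLDER-AT"}],
                  "allowed_ip": ["192.0.2.0/24"], "key_protect": "crn:PLACEHOLDER-KEY",
                  "metrics_monitoring": [{"metrics_monitoring_crn": "crn:PLACEHOLDER-MM"}],
                  "endpoint_type": "private", "region_location": "us-south"}}
    ]},
    {"address": "module.instance", "resources": [
      {"address": "module.instance.ibm_resource_instance.cos_instance",
       "type": "ibm_resource_instance",
       "values": {"plan": "lite", "service": "cloud-object-storage"}}
    ]}
  ]}}
}
"""

# Constructed checks: (attribute, predicate that is true when the check FAILS, description).
# These illustrate the mechanism only; they are not the Security and Compliance Center rules.
COS_BUCKET_RULES = [
    ("key_protect", lambda v: v is None, "bucket is not encrypted with a customer-managed key"),
    ("activity_tracking", lambda v: not v, "bucket has no Activity Tracker configuration"),
    ("metrics_monitoring", lambda v: not v, "bucket has no metrics monitoring configuration"),
    ("allowed_ip", lambda v: not v, "bucket has no allowed_ip restriction"),
    ("endpoint_type", lambda v: v == "public", "bucket uses a public endpoint"),
]


def load_plan(text):
    """Parse the plan JSON (the output of `terraform show -json <planfile>`)."""
    return json.loads(text)


def iter_resources(module):
    """Yield every resource in a planned_values module tree, descending into child_modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def validate_plan(plan):
    """Return (resource address, attribute, description) for every failed check."""
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "ibm_cos_bucket":
            continue
        values = res.get("values", {})
        for attr, failed, description in COS_BUCKET_RULES:
            if failed(values.get(attr)):
                findings.append((res["address"], attr, description))
    return findings


def exit_status(findings, strict):
    """Exit status 2 when policies fail and strict mode is on, as the CLI documents."""
    return 2 if strict and findings else 0


if __name__ == "__main__":
    findings = validate_plan(load_plan(PLAN_JSON))
    for address, attr, description in findings:
        print(f"FAIL {address}: {description} ({attr})")
    print(f"{len(findings)} failed check(s)")
    raise SystemExit(exit_status(findings, strict=True))
```

Checking planned_values rather than the HCL source is what lets a plan-time check see the values that modules and variables resolve to; the same walk can be pointed at resource_changes when the policy should depend on the action (create, update, delete) as well as on the resulting configuration.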

Example Terraform plan file for the terraform-validate command

{
    "format_version": "0.2",
    "terraform_version": "1.0.2",
    "planned_values": {
        "root_module": {
            "child_modules": [
                {
                    "resources": [
                        {
                            "address": "module.instance.ibm_resource_instance.cos_instance",
                            "mode": "managed",
                            "type": "ibm_resource_instance",
                            "name": "cos_instance",
                            "provider_name": "registry.terraform.io/ibm-cloud/ibm",
                            "schema_version": 0,
                            "values": {
                                "location": "global",
                                "parameters": null,
                                "plan": "lite",
                                "service": "cloud-object-storage",
                                "timeouts": null
                            },
                            "sensitive_values": {
                                "extensions": {},
                                "last_operation": {},
                                "plan_history": [],
                                "tags": []
                            }
                        }
                    ],
                    "address": "module.instance"
                },
                {
                    "resources": [
                        {
                            "address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[0]",
                            "mode": "managed",
                            "type": "ibm_cos_bucket",
                            "name": "bad_resource_cos_bucket_missing_all_configuration",
                            "index": 0,
                            "provider_name": "registry.terraform.io/ibm-cloud/ibm",
                            "schema_version": 0,
                            "values": {
                                "activity_tracking": [],
                                "allowed_ip": null,
                                "archive_rule": [],
                                "cross_region_location": null,
                                "endpoint_type": "public",
                                "expire_rule": [],
                                "force_delete": true,
                                "key_protect": null,
                                "metrics_monitoring": [],
                                "region_location": "us-south",
                                "retention_rule": [],
                                "single_site_location": null,
                                "storage_class": "standard",
                                "timeouts": null
                            },
                            "sensitive_values": {
                                "activity_tracking": [],
                                "archive_rule": [],
                                "expire_rule": [],
                                "metrics_monitoring": [],
                                "retention_rule": []
                            }
                        },
                        {
                            "address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[1]",
                            "mode": "managed",
                            "type": "ibm_cos_bucket",
                            "name": "bad_resource_cos_bucket_missing_all_configuration",
                            "index": 1,
                            "provider_name": "registry.terraform.io/ibm-cloud/ibm",
                            "schema_version": 0,
                            "values": {
                                "activity_tracking": [],
                                "allowed_ip": null,
                                "archive_rule": [],
                                "cross_region_location": null,
                                "endpoint_type": "public",
                                "expire_rule": [],
                                "force_delete": true,
                                "key_protect": null,
                                "metrics_monitoring": [],
                                "region_location": "us-south",
                                "retention_rule": [],
                                "single_site_location": null,
                                "storage_class": "standard",
                                "timeouts": null
                            },
                            "sensitive_values": {
                                "activity_tracking": [],
                                "archive_rule": [],
                                "expire_rule": [],
                                "metrics_monitoring": [],
                                "retention_rule": []
                            }
                        }
                    ],
                    "address": "module.instance_config"
                }
            ]
        }
    },
    "resource_changes": [
        {
            "address": "module.instance.ibm_resource_instance.cos_instance",
            "module_address": "module.instance",
            "mode": "managed",
            "type": "ibm_resource_instance",
            "name": "cos_instance",
            "provider_name": "registry.terraform.io/ibm-cloud/ibm",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "location": "global",
                    "parameters": null,
                    "plan": "lite",
                    "service": "cloud-object-storage",
                    "timeouts": null
                },
                "after_unknown": {
                    "account_id": true,
                    "allow_cleanup": true,
                    "created_at": true,
                    "created_by": true,
                    "crn": true,
                    "dashboard_url": true,
                    "deleted_at": true,
                    "deleted_by": true,
                    "extensions": true,
                    "guid": true,
                    "id": true,
                    "last_operation": true,
                    "locked": true,
                    "name": true,
                    "plan_history": true,
                    "resource_aliases_url": true,
                    "resource_bindings_url": true,
                    "resource_controller_url": true,
                    "resource_crn": true,
                    "resource_group_crn": true,
                    "resource_group_id": true,
                    "resource_group_name": true,
                    "resource_id": true,
                    "resource_keys_url": true,
                    "resource_name": true,
                    "resource_plan_id": true,
                    "resource_status": true,
                    "restored_at": true,
                    "restored_by": true,
                    "scheduled_reclaim_at": true,
                    "scheduled_reclaim_by": true,
                    "service_endpoints": true,
                    "state": true,
                    "status": true,
                    "sub_type": true,
                    "tags": true,
                    "target_crn": true,
                    "type": true,
                    "update_at": true,
                    "update_by": true
                },
                "before_sensitive": false,
                "after_sensitive": {
                    "extensions": {},
                    "last_operation": {},
                    "plan_history": [],
                    "tags": []
                }
            }
        },
        {
            "address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[0]",
            "module_address": "module.instance_config",
            "mode": "managed",
            "type": "ibm_cos_bucket",
            "name": "bad_resource_cos_bucket_missing_all_configuration",
            "index": 0,
            "provider_name": "registry.terraform.io/ibm-cloud/ibm",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "activity_tracking": [],
                    "allowed_ip": null,
                    "archive_rule": [],
                    "cross_region_location": null,
                    "endpoint_type": "public",
                    "expire_rule": [],
                    "force_delete": true,
                    "key_protect": null,
                    "metrics_monitoring": [],
                    "region_location": "us-south",
                    "retention_rule": [],
                    "single_site_location": null,
                    "storage_class": "standard",
                    "timeouts": null
                },
                "after_unknown": {
                    "activity_tracking": [],
                    "archive_rule": [],
                    "bucket_name": true,
                    "crn": true,
                    "expire_rule": [],
                    "id": true,
                    "metrics_monitoring": [],
                    "resource_instance_id": true,
                    "retention_rule": [],
                    "s3_endpoint_private": true,
                    "s3_endpoint_public": true
                },
                "before_sensitive": false,
                "after_sensitive": {
                    "activity_tracking": [],
                    "archive_rule": [],
                    "expire_rule": [],
                    "metrics_monitoring": [],
                    "retention_rule": []
                }
            }
        },
        {
            "address": "module.instance_config.ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration[1]",
            "module_address": "module.instance_config",
            "mode": "managed",
            "type": "ibm_cos_bucket",
            "name": "bad_resource_cos_bucket_missing_all_configuration",
            "index": 1,
            "provider_name": "registry.terraform.io/ibm-cloud/ibm",
            "change": {
                "actions": [
                    "create"
                ],
                "before": null,
                "after": {
                    "activity_tracking": [],
                    "allowed_ip": null,
                    "archive_rule": [],
                    "cross_region_location": null,
                    "endpoint_type": "public",
                    "expire_rule": [],
                    "force_delete": true,
                    "key_protect": null,
                    "metrics_monitoring": [],
                    "region_location": "us-south",
                    "retention_rule": [],
                    "single_site_location": null,
                    "storage_class": "standard",
                    "timeouts": null
                },
                "after_unknown": {
                    "activity_tracking": [],
                    "archive_rule": [],
                    "bucket_name": true,
                    "crn": true,
                    "expire_rule": [],
                    "id": true,
                    "metrics_monitoring": [],
                    "resource_instance_id": true,
                    "retention_rule": [],
                    "s3_endpoint_private": true,
                    "s3_endpoint_public": true
                },
                "before_sensitive": false,
                "after_sensitive": {
                    "activity_tracking": [],
                    "archive_rule": [],
                    "expire_rule": [],
                    "metrics_monitoring": [],
                    "retention_rule": []
                }
            }
        }
    ],
    "configuration": {
        "provider_config": {
            "ibm": {
                "name": "ibm",
                "version_constraint": "1.25.0",
                "expressions": {
                    "ibmcloud_api_key": {
                        "constant_value": "BYwB2M3TJdDMlCpHaxaWilNHVod05TVkqjIbGqrlm9Iz"
                    }
                }
            },
            "module.instance:ibm": {
                "name": "ibm",
                "version_constraint": "1.25.0",
                "module_address": "module.instance",
                "expressions": {
                    "ibmcloud_api_key": {
                        "constant_value": "BYwB2M3TJdDMlCpHaxaWilNHVod05TVkqjIbGqrlm9Iz"
                    }
                }
            },
            "module.instance_config:ibm": {
                "name": "ibm",
                "version_constraint": "1.25.0",
                "module_address": "module.instance_config"
            }
        },
        "root_module": {
            "module_calls": {
                "instance": {
                    "source": "./instance_module",
                    "module": {
                        "outputs": {
                            "cos_instance_id": {
                                "expression": {
                                    "references": [
                                        "ibm_resource_instance.cos_instance.id",
                                        "ibm_resource_instance.cos_instance"
                                    ]
                                }
                            }
                        },
                        "resources": [
                            {
                                "address": "ibm_resource_instance.cos_instance",
                                "mode": "managed",
                                "type": "ibm_resource_instance",
                                "name": "cos_instance",
                                "provider_config_key": "instance:ibm",
                                "expressions": {
                                    "location": {
                                        "constant_value": "global"
                                    },
                                    "name": {},
                                    "plan": {
                                        "constant_value": "lite"
                                    },
                                    "service": {
                                        "constant_value": "cloud-object-storage"
                                    }
                                },
                                "schema_version": 0
                            }
                        ]
                    }
                },
                "instance_config": {
                    "source": "./instance_config_module",
                    "expressions": {
                        "cos_instance_id": {
                            "references": [
                                "module.instance.cos_instance_id",
                                "module.instance"
                            ]
                        }
                    },
                    "module": {
                        "resources": [
                            {
                                "address": "ibm_cos_bucket.bad_resource_cos_bucket_missing_all_configuration",
                                "mode": "managed",
                                "type": "ibm_cos_bucket",
                                "name": "bad_resource_cos_bucket_missing_all_configuration",
                                "provider_config_key": "instance_config:ibm",
                                "expressions": {
                                    "bucket_name": {},
                                    "region_location": {
                                        "constant_value": "us-south"
                                    },
                                    "resource_instance_id": {
                                        "references": [
                                            "var.cos_instance_id"
                                        ]
                                    },
                                    "storage_class": {
                                        "constant_value": "standard"
                                    }
                                },
                                "schema_version": 0,
                                "count_expression": {
                                    "constant_value": 2
                                }
                            }
                        ],
                        "variables": {
                            "cos_instance_id": {
                                "description": "COS Instance ID"
                            }
                        }
                    },
                    "depends_on": [
                        "module.instance"
                    ]
                }
            }
        }
    }
}
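As an added example that is not part of this page and not Code Risk Analyzer's own logic, the following Python script walks a plan JSON of the shape shown above and reports two things a reviewer checks before running terraform-validate: provider blocks whose ibmcloud_api_key is a literal constant_value (as in the provider_config above, which then sits in the plan file), and planned ibm_cos_bucket resources whose after state has the configurations the rule list below checks for left empty. The sample plan, the placeholder values and the attribute predicates are constructed assumptions.

```python
import json

# Constructed plan JSON in the shape of the plan above (resource_changes plus
# configuration.provider_config). Secret values are placeholders, not real keys.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "module.instance_config.ibm_cos_bucket.unconfigured[0]",
            "type": "ibm_cos_bucket",
            "change": {
                "actions": ["create"],
                "after": {"activity_tracking": [], "allowed_ip": None, "key_protect": None,
                          "metrics_monitoring": [], "region_location": "us-south"},
                "after_unknown": {"bucket_name": True, "crn": True},
            },
        },
        {
            "address": "module.instance_config.ibm_cos_bucket.hardened",
            "type": "ibm_cos_bucket",
            "change": {
                "actions": ["create"],
                "after": {"activity_tracking": [{"activity_tracker_crn": "crn:PLACEHOLDER-AT"}],
                          "allowed_ip": ["10.0.0.0/8"],
                          "key_protect": "crn:PLACEHOLDER-KEY",
                          "metrics_monitoring": [{"metrics_monitoring_crn": "crn:PLACEHOLDER-MON"}]},
                "after_unknown": {"bucket_name": True},
            },
        },
    ],
    "configuration": {
        "provider_config": {
            "ibm": {"name": "ibm",
                    "expressions": {"ibmcloud_api_key": {"constant_value": "PLACEHOLDER-API-KEY"}}},
            "module.instance_config:ibm": {"name": "ibm", "module_address": "module.instance_config"},
        }
    },
})

# Provider arguments that must never be literals: a literal lands in the plan JSON and in state.
SECRET_PROVIDER_ARGS = {"ibmcloud_api_key"}

# (attribute, predicate that is True when misconfigured, message) for ibm_cos_bucket.
COS_BUCKET_CHECKS = [
    ("activity_tracking", lambda v: not v, "not enabled with Activity Tracker"),
    ("metrics_monitoring", lambda v: not v, "not enabled with Cloud Monitoring"),
    ("key_protect", lambda v: v is None, "not using customer-managed encryption"),
    ("allowed_ip", lambda v: not v, "network access not restricted to an IP range"),
]


def find_hardcoded_provider_secrets(plan):
    """Provider blocks (root and per-module) whose secret argument is a constant_value."""
    findings = []
    for key, cfg in plan.get("configuration", {}).get("provider_config", {}).items():
        for arg, expr in cfg.get("expressions", {}).items():
            if arg in SECRET_PROVIDER_ARGS and "constant_value" in expr:
                findings.append(f"{key}: {arg} is hard-coded as a constant_value")
    return findings


def find_cos_bucket_gaps(plan):
    """Planned ibm_cos_bucket resources whose 'after' state fails one of the checks."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "ibm_cos_bucket":
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if "delete" in actions and "create" not in actions:
            continue  # resource is going away; nothing to harden
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        for attr, is_bad, msg in COS_BUCKET_CHECKS:
            if unknown.get(attr) is True:
                continue  # value computed at apply time; cannot judge from the plan
            if is_bad(after.get(attr)):
                findings.append(f"{rc['address']}: {msg} ({attr})")
    return findings


def analyze_plan(plan_json):
    """Run both checks over a plan JSON string and return the combined findings."""
    plan = json.loads(plan_json)
    return find_hardcoded_provider_secrets(plan) + find_cos_bucket_gaps(plan)
```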

Example SCC V2 profile file schema for the terraform-validate command

{
	"title": "User Profile Standard v2 Schema",
	"type": "object",
	"properties": {
		"id": {
			"type": "string"
		},
		"profile_name": {
			"type": "string"
		},
		"profile_version": {
			"type": "string"
		},
		"controls": {
			"type": "array",
			"items": {
				"type": "object",
				"properties": {
					"control_specifications": {
						"type": "array",
						"items": {
							"type": "object",
							"properties": {
								"assessment_count": {
									"type": "number"
								},
								"assessments": {
									"type": "array",
									"items": {
										"type": "object",
										"properties": {
											"assessment_type": {
												"type": "string"
											},
											"assessment_method": {
												"type": "string"
											},
											"assessment_description": {
												"type": "string"
											},
											"assessment_id": {
												"type": "string"
											},
											"parameter_count": {
												"type": "number"
											},
											"parameters": {
												"type": "array",
												"items": {
													"type": "object",
													"properties": {
														"parameter_name": {
															"type": "string"
														},
														"parameter_display_name": {
															"type": "string"
														},
														"parameter_type": {
															"type": "string"
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}
		},
		"default_parameters": {
			"type": "array",
			"items": {
				"type": "object",
				"properties": {
					"assessment_type":  {
						"type": "string"
					},
					"assessment_id": {
						"type": "string"
					},
					"parameter_name": {
						"type": "string"
					},
					"parameter_default_value": {
						"type": "string"
					},
					"parameter_display_name": {
						"type": "string"
					},
					"parameter_type": {
						"type": "string"
					}
				}
			}
		}
	},
	"required": ["default_parameters", "controls", "profile_name", "profile_version"]
}

Example SCC V2 classic profile file for the terraform-validate command

You can optionally prefix each rule ID with rule-; the following example shows both forms.

{
  "schema_version": "2.0",
  "scc_rules": [
    {
      "scc_rule_id": "548a3321-6a39-400c-9c2d-0df9a13afd02"
    },
    {
      "scc_rule_id": "726ec899-505e-4de9-ac1b-9578ef62f89f"
    },
    {
      "scc_rule_id": "962e2bde-2a4f-4e07-a352-ce17708b1e85"
    },
    {
      "scc_rule_id": "9653d2c7-6290-4128-a5a3-65487ba40370"
    },
    {
      "scc_rule_id": "d8d13c3e-5ca0-46c5-a055-2475852c4ec6"
    },
    {
      "scc_rule_id": "0f7e7e60-a05c-43a7-be74-70615f14a342"
    },
    {
      "scc_rule_id": "979fd713-d39f-4efe-ba02-bf6fc07e57bb"
    },
    {
      "scc_rule_id": "rule-e76a3a81-b0d0-41fc-947d-13dc9cfff379"
    },
    {
      "scc_rule_id": "caf5e45d-ccc8-4e35-b124-e1b4c8bcab71"
    },
    {
      "scc_rule_id": "rule-1edc74ae-0dad-4ea1-865d-89e3214d240f"
    },
    {
      "scc_rule_id": "064d9004-8728-4988-b19a-1805710466f6"
    },
    {
      "scc_rule_id": "rule-caf5e45d-ccc8-4e35-b124-e1b4c8bcab71"
    }
  ],
  "scc_parameters": {
    "ibm_minimum_password_length": 12,
    "ibm_password_reuse_prevention": 4,
    "allowed_admins_per_account": "10",
    "api_keys_rotated_days": 90,
    "account_owner_last_login_days": 30,
    "no_of_admins_for_iam": 3,
    "no_of_service_id_admins_for_iam": 3,
    "no_of_managers_for_iam": 0,
    "no_of_service_id_managers_for_iam": 0,
    "iam_service_ids_max_count": 3,
    "ssh_port": 25,
    "rdp_port": 3390,
    "no_pre_shared_key_characters": 30,
    "dns_port": 60,
    "vm_nic_count": 1,
    "no_of_admins_for_container_registry": 3,
    "no_of_service_id_admins_for_container_registry": 3,
    "no_of_managers_for_container_registry": 0,
    "no_of_service_id_managers_for_container_registry": 0,
    "access_tokens_expire": 120
  }
}
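Because the tool accepts rule IDs with or without the rule- prefix, the same rule can be listed twice under two spellings, and a stray space in a parameter name silently produces a key the tool does not recognize. The following linter, an added example that is not part of this page or of the cra CLI, normalizes the IDs, then reports malformed, duplicate and unsupported rules and whitespace in parameter names. The sample profile is constructed; the supported-rule subset and parameter names are copied from this page's rule list and sample profile, and a real check would carry the full sets.

```python
import json
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

# Subset of the supported rule IDs from the rule list on this page (without the prefix).
SUPPORTED_RULES = {
    "548a3321-6a39-400c-9c2d-0df9a13afd02",
    "726ec899-505e-4de9-ac1b-9578ef62f89f",
    "979fd713-d39f-4efe-ba02-bf6fc07e57bb",
    "e76a3a81-b0d0-41fc-947d-13dc9cfff379",
    "9653d2c7-6290-4128-a5a3-65487ba40370",
}

# Parameter names taken from the sample profile above; a real check carries the full set.
KNOWN_PARAMETERS = {
    "ibm_minimum_password_length", "ibm_password_reuse_prevention",
    "rdp_port", "no_of_admins_for_container_registry",
}

# Constructed profile: mixed prefixes, one rule listed under both spellings, an unknown
# rule ID, a malformed ID, and a parameter key with a trailing space.
SAMPLE_PROFILE = """{
  "schema_version": "2.0",
  "scc_rules": [
    {"scc_rule_id": "548a3321-6a39-400c-9c2d-0df9a13afd02"},
    {"scc_rule_id": "rule-e76a3a81-b0d0-41fc-947d-13dc9cfff379"},
    {"scc_rule_id": "979fd713-d39f-4efe-ba02-bf6fc07e57bb"},
    {"scc_rule_id": "rule-979fd713-d39f-4efe-ba02-bf6fc07e57bb"},
    {"scc_rule_id": "00000000-0000-0000-0000-000000000000"},
    {"scc_rule_id": "rule-not-a-uuid"}
  ],
  "scc_parameters": {
    "ibm_minimum_password_length": 12,
    "rdp_port": 3390,
    "no_of_admins_for_container_registry ": 3
  }
}"""


def normalize_rule_id(rule_id):
    """Strip the optional 'rule-' prefix and lower-case, so both spellings compare equal."""
    rule_id = rule_id.strip()
    if rule_id.startswith("rule-"):
        rule_id = rule_id[len("rule-"):]
    return rule_id.lower()


def lint_profile(profile_json, supported=SUPPORTED_RULES, known_params=KNOWN_PARAMETERS):
    """Return a list of human-readable problems found in a classic profile file."""
    profile = json.loads(profile_json)
    problems = []
    seen = {}  # normalized ID -> spelling first seen
    for entry in profile.get("scc_rules", []):
        raw = entry.get("scc_rule_id", "")
        rid = normalize_rule_id(raw)
        if not UUID_RE.match(rid):
            problems.append(f"malformed rule ID: {raw!r}")
            continue
        if rid in seen:
            problems.append(f"duplicate rule: {raw!r} repeats {seen[rid]!r}")
            continue
        seen[rid] = raw
        if rid not in supported:
            problems.append(f"unsupported rule ID: {raw!r}")
    for name in profile.get("scc_parameters", {}):
        if name != name.strip():
            problems.append(f"parameter name has surrounding whitespace: {name!r}")
        elif name not in known_params:
            problems.append(f"unknown parameter: {name!r}")
    return problems
```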

Security and Compliance Center rules

The Terraform Analyzer supports the following Security and Compliance Center rules:

rule-f8722625-1968-4d7a-93cb-4b0f8da726da - Check whether IBMid password policy requires at least one uppercase letter
rule-789cb35b-5bdf-46d3-8b59-e1377e3b211c - Check whether IBMid password policy requires at least one lowercase letter
rule-81b36ae4-0f15-41c7-adac-fa9586ff46ab - Check whether IBMid password policy requires at least one number
rule-979fd713-d39f-4efe-ba02-bf6fc07e57bb - Check whether IBMid password policy requires minimum length of 12 characters
rule-e76a3a81-b0d0-41fc-947d-13dc9cfff379 - Check whether IBMid password policy prevents password reuse below the minimum of #
rule-759d504b-9eed-4602-8b5b-7244bf3f5690 - Check whether IBMid password can contain only printable ASCII characters (in the range 33 - 126)
rule-bcbd57e1-3cdc-4b6d-820b-2c63bc777e19 - Check whether IBMid password policy contains spaces or any of the following characters: ;:("?)<>
rule-fa06f6f2-b98e-49ac-aa55-d57de9e320d3 - Check whether IBMid uses a password meter that coaches users to create strong passwords that exceed the minimum requirements
rule-548a3321-6a39-400c-9c2d-0df9a13afd02 - Check whether IAM roles are used to create IAM policies for IBM resources
rule-726ec899-505e-4de9-ac1b-9578ef62f89f - Check whether a support role has been assigned in IAM to manage cases in the IBM Cloud Support Center
rule-962e2bde-2a4f-4e07-a352-ce17708b1e85 - Check whether API keys are not created in IAM during the initial setup of IAM users
rule-61fa114a-2bb9-43fd-8068-b873b48bdf79 - Check whether IAM users are attached to at least one access group
rule-4d86c074-097e-4ff3-a763-ccff128388e2 - Check whether multifactor authentication (MFA) is enabled at the account level
rule-0704e840-e443-4781-b9be-ec57469d09c1 - Check whether permissions for API key creation are limited and configured in IAM settings for the account owner
rule-d61c20c9-c0be-443b-af0c-0d900601e154 - Check whether Cloud Object Storage public access is disabled in IAM settings (not applicable to ACLs managed using S3 APIs)
rule-0244c010-fde6-4db3-95aa-8952bd292ac3 - Check whether permissions for service ID creation are limited and configured in IAM settings for the account owner
rule-ed64fa73-81e5-4920-8519-acfad845dd6c - Check whether Identity and Access Management (IAM) is enabled with audit logging
rule-b2232217-34a6-4fe8-a791-5903f1cc89ca - Check whether Cloud Shell is disabled in account settings
rule-10de7433-19e4-40a7-aebf-eddf1f75a68c - Check whether Cloud Object Storage is enabled with encryption
rule-7c86bb59-d677-422d-875c-0259053fad20 - Check whether Cloud Object Storage is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-222d6531-1fc7-4485-8771-35eb46c78877 - Check whether Cloud Object Storage is accessible only through HTTPS
rule-7c52a1ce-26cd-4cde-baa7-3bfb3703cf74 - Check whether Cloudant is accessible only through HTTPS
rule-f6197ee2-31bf-4d73-aacd-316c41a48df3 - Check whether Cloud Object Storage is accessible only by using private endpoints
rule-8cbd597c-7471-42bd-9c88-36b2696456e9 - Check whether Cloud Object Storage network access is restricted to a specific IP range
rule-c97259ee-336d-4c5f-b436-1868107a9558 - Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-ef1db4bb-2490-48a9-883c-a20fea3db0e5 - Check whether Databases for MongoDB is enabled with encryption
rule-7f7ca588-9412-40a9-9bd8-0e5d19141e98 - Check whether Databases for MongoDB is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-77b99b6f-51dc-4290-b20c-7003941c7a46 - Check whether Databases for MongoDB is accessible only through HTTPS
rule-7b210b18-f849-4fa8-bd92-8e47921de51d - Check whether Databases for MongoDB is accessible only by using private endpoints
rule-c58bb2b9-7942-45ab-b9d4-e39c8430f570 - Check whether Databases for Redis is enabled with encryption
rule-e3cad136-17a8-4227-b8af-0be609da1da0 - Check whether Databases for Redis is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-90e3908d-27c3-4050-bb12-413dfc606f5c - Check whether Databases for Redis is accessible only through HTTPS
rule-c48dfb73-ede0-4ebf-b912-214379cd4ce7 - Check whether Databases for Redis is accessible only by using private endpoints
rule-ac09e136-8581-416a-a865-e9fc35a758be - Check whether Databases for Elasticsearch is enabled with encryption
rule-871594ca-0a70-492b-8a42-6f9474445f01 - Check whether Databases for Elasticsearch is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-47ca5017-27e9-4b8b-95d3-c2529271fbb1 - Check whether Databases for Elasticsearch is accessible only through HTTPS
rule-026e6d36-6a15-4623-846d-cab6f3b789d9 - Check whether Databases for Elasticsearch is accessible only by using private endpoints
rule-d634caeb-e5a6-467a-a4ac-8da8fd39f9ef - Check whether Databases for etcd is enabled with encryption
rule-42612696-2b8e-4fa7-8c17-78f191d2e1a0 - Check whether Databases for etcd is accessible only through HTTPS
rule-458decc2-a081-4c49-8f31-eeaf4833d8c8 - Check whether Databases for etcd is accessible only by using private endpoints
rule-4d7e56d6-f657-418c-9e49-6d248b2cf5a6 - Check whether Databases for PostgreSQL is enabled with encryption
rule-041ff30b-7167-4411-985d-5ad32ab6f850 - Check whether Databases for PostgreSQL is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-872db4fc-2f7c-4ba0-ace7-dc468f6813c7 - Check whether Databases for PostgreSQL is accessible only through HTTPS
rule-094495cf-c092-4dcb-96b8-3654c4bcf787 - Check whether Databases for PostgreSQL is accessible only by using private endpoints
rule-beb7b289-706b-4dc0-b01d-b1d15d4331e3 - Check whether Databases for MongoDB network access is restricted to a specific IP range
rule-04d856f1-68ce-4cba-b800-ba49f3c4f1a1 - Check whether Databases for Redis network access is restricted to a specific IP range
rule-b5c06228-3f38-4d98-837f-2fe10d6ff9d5 - Check whether Databases for Elasticsearch network access is restricted to a specific IP range
rule-18540c4e-b96d-4ab9-a619-d541cc5a2824 - Check whether Databases for etcd network access is restricted to a specific IP range
rule-9b2d8054-bc93-44fd-901b-91f677287e84 - Check whether Databases for PostgreSQL network access is restricted to a specific IP range
rule-f6b7a692-8e48-4e74-b957-f5d591a7a15d - Check whether Key Protect has high availability
rule-d0725d07-27e6-4079-a3bc-746d5ccae00f - Check whether Hyper Protect Crypto Services instance is enabled with a dual authorization deletion policy
rule-da567ec9-8e24-4c65-993b-ad290bfdb855 - Check whether Cloud Object Storage buckets are enabled with IBM Activity Tracker
rule-0fb54bb2-773b-4cec-81b0-1ca7d8049ba0 - Check whether Cloud Object Storage buckets are enabled with IBM Cloud Monitoring
rule-5910ed25-7ad7-42d0-8e42-905df0123346 - Check whether IBM Activity Tracker is provisioned in multiple regions in an account
rule-d592e06a-8756-4efc-a401-1ec215168f48 - Check whether IBM Activity Tracker trails are integrated with LogDNA logs
rule-c98fab05-5119-451a-b100-35df840d2326 - Check whether IBM Activity Tracker logs are encrypted at rest
rule-1cdad315-c39e-4d7e-99ef-8af88ba410c1 - Check whether Cloud Internet Services (CIS) has web application firewall enabled
rule-564ed93b-1927-4562-8a90-fbae173cdee1 - Check whether Cloud Internet Services (CIS) has DDoS protection enabled
rule-7c5f6385-67e4-4edf-bec8-c722558b2dec - Check whether Virtual Private Cloud (VPC) security groups have no inbound rules that specify source IP 0.0.0.0/0 to SSH port
rule-9653d2c7-6290-4128-a5a3-65487ba40370 - Check whether Virtual Private Cloud (VPC) security groups have no inbound rules that specify source IP 0.0.0.0/0 to RDP port
rule-96527f89-1867-4581-b923-1400e04661e0 - Check whether Virtual Private Cloud (VPC) has no rules in the default security group
rule-4f477e09-c9aa-4bfb-a6b1-eaeaca15c06a - Check whether Virtual Private Cloud (VPC) security groups have no inbound ports open to the internet (0.0.0.0/0)
rule-9407e5a8-ec51-4228-a01a-0f32364224a6 - Check whether Virtual Private Cloud (VPC) security groups have no outbound ports open to the internet (0.0.0.0/0)
rule-65f42d91-d537-4532-a2c8-c5cd377500a7 - Check whether all virtual server instances have at least one Virtual Private Cloud (VPC) security group attached
rule-9e16b8a4-1255-474e-a8a3-afed67de2627 - Check whether all network interfaces of a virtual server instance have at least one Virtual Private Cloud (VPC) security group attached
rule-9ecf7e84-aa51-42ad-875e-58e9522a5e65 - Check whether VPN for VPC has Internet Key Exchange (IKE) policy encryption that is not set to "triple_des"
rule-b4c58eff-4d19-4d33-840e-56b2ac76585a - Check whether VPN for VPC has Internet Key Exchange (IKE) policy authentication that is set to minimum "sha256"
rule-a8a69cd6-a902-4144-b652-8be68600a029 - Check whether VPN for VPC has a Diffie-Hellman group set to at least group #
rule-f98453ba-ebb9-4d96-aa13-09ef808fb4ba - Check whether VPN for VPC has IPsec policy encryption that is not set to "triple_des"
rule-09298b01-e2c5-43f1-a1b4-0b413fe4f998 - Check whether VPN for VPC has IPsec policy authentication that is set to minimum "sha256"
rule-115eb377-e256-459d-9e17-a868e128bd0c - Check whether VPN for VPC has an IPsec policy that does not have Perfect Forward Secrecy (PFS) disabled
rule-d8d13c3e-5ca0-46c5-a055-2475852c4ec6 - Check whether VPN for VPC authentication is configured with a strong pre-shared key with at least # characters
rule-53895d42-9190-47d8-9a70-0c1ebea5f7c7 - Check whether VPN for VPC has a Dead Peer Detection policy that is set to "restart"
rule-200dc6e7-96f1-49a9-9999-7e4645dc7ea6 - Check whether Application Load Balancer for VPC has public access disabled
rule-0e5151b1-9caf-433c-b4e5-be3d505e458e - Check whether Application Load Balancer for VPC is configured with multiple members in the pool
rule-bfc9d304-a086-43c0-b3ba-d0f101f616df - Check whether Application Load Balancer for VPC listener is configured with default pool
rule-8c923215-afdc-41b1-886c-64ce78741f8c - Check whether Application Load Balancer for VPC has health check configured when created
rule-d491a44c-e7bc-46bc-af07-231da0bb6501 - Check whether Application Load Balancer for VPC has a health check protocol that is either HTTP or HTTPS
rule-cb1180b7-2f8c-40ba-b2dd-207bee6bc17f - Check whether Application Load Balancer for VPC pool uses the HTTPS protocol for HTTPS listeners
rule-65b61a0f-ffdb-41ba-873d-ad329e7fc0ee - Check whether Application Load Balancer for VPC is configured to convert HTTP client requests to HTTPS
rule-d544f217-3723-4376-b3aa-037c5f201e8d - Check whether Application Load Balancer for VPC uses HTTPS (SSL & TLS) instead of HTTP
rule-773385ab-4654-4088-883d-fe9d58bc4ecb - Check whether Block Storage for VPC is enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-8ffe83cb-0ba1-47d6-a1e0-53e9932a5691 - Check whether Block Storage for VPC is enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-f87929f7-0787-4749-a1ce-35c1f2320401 - Check whether data disks are encrypted with customer-managed keys
rule-390aa9af-c497-4ebc-9958-d572a5b7be3d - Check whether unattached disks are encrypted with customer-managed keys
rule-0f7e7e60-a05c-43a7-be74-70615f14a342 - Check whether Security Groups for VPC contains no outbound rules in security groups that specify source IP 8.8.8.8/32 to DNS port
rule-c4d50b06-9331-4f5c-a3f8-9fe8060efc9b - Check whether Security Groups for VPC doesn't allow PING for the default security group
rule-936158a6-40ff-48ca-91a1-f184aa9b0dff - Check whether Virtual Private Cloud (VPC) classic access is disabled
rule-64c0bea0-8760-4a6b-a56c-ee375a48961e - Check whether Virtual Private Cloud (VPC) has no public gateways attached
rule-64e628f7-4f3a-4c0e-85a4-40300bafe856 - Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to any port
rule-f9137be8-2490-4afb-8cd5-a201cb167eb2 - Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to SSH port
rule-f1e80ee7-88d5-4bf2-b42f-c863bb24601c - Check whether Virtual Private Cloud (VPC) network access control lists don't allow ingress from 0.0.0.0/0 to RDP port
rule-faacfd1f-454f-4e60-95d7-8fe01158840d - Check whether Virtual Private Cloud (VPC) network access control lists don't allow egress from 0.0.0.0/0 to any port
rule-c0314fad-f377-465e-9f16-fa5aa3d5ebbe - Check whether Virtual Servers for VPC instance has the minimum # interfaces
rule-17b54156-373a-48f9-b340-a7e47acd87b6 - Check whether Virtual Servers for VPC instance doesn't have a floating IP
rule-1af31459-ec38-4a58-91b0-956a17a38954 - Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-4aead0cd-fe26-44f1-b552-8ffdbb86422a - Check whether Virtual Servers for VPC boot volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-a99b5f58-98ef-4208-9a23-e4fa25115d79 - Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Bring Your Own Key (BYOK)
rule-df7323fd-0b20-493c-89fe-c0b287817c99 - Check whether Virtual Servers for VPC data volumes are enabled with customer-managed encryption and Keep Your Own Key (KYOK)
rule-6970e312-329d-44dc-b683-5ab14acd6a42 - Check whether Virtual Servers for VPC is provisioned from an encrypted image
rule-24e259fb-608e-486f-bb9d-99b78ae0383c - Check whether Virtual Servers for VPC instances are identifiable by the workload they are running based on the Auto Scale for VPC instance group definition
rule-250a7311-0cfd-4b43-8987-e5629f8d99ae - Check whether Application Load Balancer for VPC has application port of the workload that is identifiable by the Auto Scale for VPC instance group definition
rule-c2dd768e-9a49-4d6d-8ac5-8fcfb233a7b0 - Check whether Virtual Private Cloud (VPC) has no subnet with public gateway attached
rule-24508beb-c00a-4c6b-bd04-d38dd8cb7d71 - Check whether App ID user data is encrypted
rule-65196a37-ddcc-422d-8096-09955c4b4e5d - Check whether Event Streams is accessible through public endpoints
rule-3b2768e5-d783-4b0c-a47f-81479af34689 - Check whether Event Streams is accessible only by using private endpoints
rule-c471b983-9dc5-4659-8fb1-4d20c9d516cc - Check whether App ID redirect URIs are using HTTPS only
rule-f4d30138-01c1-409d-a469-fa99a23f2fbd - Check whether App ID redirect URIs are not using localhost or 127.0.0.1
rule-6e0c618d-523d-4352-a1d1-12bb9905b914 - Check whether App ID redirect URIs are not using wildcards (*)
rule-1d2287c7-954e-4425-897b-351c30be723c - Check whether App ID Cloud Directory users aren't able to update their own accounts
rule-9786160b-ee91-45ab-b84b-9806541e0fc6 - Check whether App ID Cloud Directory users aren't able to self-sign up to applications
rule-d9247d0e-dce5-4854-849a-4a9033c8fe8d - Check whether App ID anonymous authentication is disabled
rule-9246d682-f7c5-4aac-8751-3947e4f27b0b - Check whether App ID password strength regex is configured
rule-168f8081-dbd6-4cbc-bf19-f9934b39d59c - Check whether App ID advanced password policies are enabled
rule-dd1600d2-2e69-4ada-bca5-9e70b76ccd21 - Check whether App ID avoid password reuse policy is enabled
rule-5b662adf-fcac-4081-a10d-1aa7109aba4e - Check whether App ID password expiration policy is enabled
rule-59cb7d09-feab-48fc-b18b-ee581ca1761e - Check whether App ID prevent username in password policy is enabled
rule-0b082506-2481-4212-a150-d198357fcc3a - Check whether App ID multifactor authentication (MFA) is enabled for Cloud Directory users
rule-91734f9f-b8ff-4bfd-afb3-db4f789ac38f - Check whether App ID access tokens are configured to expire within # minutes
rule-ded212fe-7def-44ce-9480-0487067b64c4 - Check whether Kubernetes Service clusters are accessible only by using private endpoints
rule-2325054a-c338-474a-9740-0b7034487e40 - Check whether OpenShift clusters are accessible only by using private endpoints
rule-de84afba-b83a-41d6-8c80-d0b6acafe039 - Check whether OpenShift version is up-to-date

NetworkPolicy analysis

This is a beta feature that is available for evaluation and testing purposes.

The netpol-analyze command runs configuration checks on Kubernetes and Calico NetworkPolicy manifests.

ibmcloud cra netpol-analyze

This command checks the connectivity-configuration posture of a Kubernetes application against the NIST SP 800-53 SC-7(5) control. It verifies that the connectivity of every workload is controlled by at least one NetworkPolicy resource, and that nonsecure ports are blocked for both ingress and egress.

The netpol-analyze command can also provide a connectivity report for the scanned application, showing all of the allowed connections between the application workloads. You can use this report as evidence for compliance, or to help debug connectivity issues. You can also use this command to provide lint results for the scanned network policies and then use these results to improve network-policy efficiency and readability. In some cases, lint results might also point to an error in the network policy definitions.
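To make the two checks concrete, here is an added illustration in Python that is not NCA's own implementation: for each workload it finds the NetworkPolicy resources that select its pods (same namespace, matchLabels subset, with the Kubernetes default for policyTypes) and reports which direction no policy controls, and it flags rules that explicitly allow a nonsecure port. The manifests are constructed and already parsed into dicts, and the set of ports treated as nonsecure is an assumption.

```python
# Constructed workload and NetworkPolicy manifests, already parsed from YAML into dicts.
WORKLOADS = [
    {"kind": "Deployment", "metadata": {"name": "web", "namespace": "shop"},
     "spec": {"template": {"metadata": {"labels": {"app": "web", "tier": "frontend"}}}}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "shop"},
     "spec": {"template": {"metadata": {"labels": {"app": "api", "tier": "backend"}}}}},
    {"kind": "Deployment", "metadata": {"name": "batch", "namespace": "jobs"},
     "spec": {"template": {"metadata": {"labels": {"app": "batch"}}}}},
]
POLICIES = [
    # Selects the frontend pods but only constrains ingress: egress stays uncontrolled.
    {"kind": "NetworkPolicy", "metadata": {"name": "frontend-ingress", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"tier": "frontend"}}, "policyTypes": ["Ingress"],
              "ingress": [{"ports": [{"port": 443, "protocol": "TCP"}]}]}},
    # Controls both directions for the backend, but allows a cleartext port on ingress.
    {"kind": "NetworkPolicy", "metadata": {"name": "backend-all", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"tier": "backend"}},
              "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"ports": [{"port": 23, "protocol": "TCP"}]}], "egress": []}},
]

# Assumed definition of "nonsecure" for this illustration: cleartext FTP, telnet and HTTP.
NONSECURE_PORTS = {21, 23, 80}


def pod_labels(workload):
    return workload["spec"]["template"]["metadata"].get("labels", {})


def selects(policy, workload):
    """True if the policy applies to the workload's pods (same namespace, matchLabels subset)."""
    if policy["metadata"]["namespace"] != workload["metadata"]["namespace"]:
        return False
    wanted = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    labels = pod_labels(workload)
    return all(labels.get(k) == v for k, v in wanted.items())  # empty selector matches all


def policy_types(policy):
    """policyTypes with the Kubernetes default: Ingress always, Egress only if egress rules exist."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())


def coverage_report(workloads, policies):
    """Per workload: which policies select it and which directions no policy controls."""
    report = {}
    for w in workloads:
        key = f"{w['metadata']['namespace']}/{w['metadata']['name']}"
        matching = [p for p in policies if selects(p, w)]
        controlled = set().union(*(policy_types(p) for p in matching))
        report[key] = {
            "policies": [p["metadata"]["name"] for p in matching],
            "uncontrolled": sorted({"Ingress", "Egress"} - controlled),
        }
    return report


def nonsecure_port_findings(policies):
    """Rules that explicitly allow a nonsecure port, in either direction."""
    findings = []
    for p in policies:
        name = f"{p['metadata']['namespace']}/{p['metadata']['name']}"
        for direction in ("ingress", "egress"):
            for rule in p["spec"].get(direction) or []:
                for port in rule.get("ports") or []:
                    if port.get("port") in NONSECURE_PORTS:
                        findings.append(f"{name}: {direction} allows nonsecure port {port['port']}")
    return findings
```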

NetworkPolicy analysis command options

The following table lists the command options that you can use for the netpol-analyze command.

Table 8. Command options for performing network policy analysis
Command options Required or optional Description
--path Required The project directory path to scan.
-r, --report Required The file name in which to create the compliance report.
-c, --connectivity Optional The file name in which to create the connectivity report.
-l, --lint Optional The file name in which to create the lint report.
-s, --strict Optional Results in command failure (exit status 2) when connectivity risks are found.

Example

The following sample code snippets show how you can use the netpol-analyze command:

ibmcloud cra netpol-analyze --path PATH --report REPORT [--connectivity CONNFILE] [--lint LINTFILE] [--strict]
ibmcloud cra np --path ./sampleDir --report netpol-report.json --strict

Network config analyzer image

The netpol-analyze command runs as part of IBM's Network Config Analyzer (NCA). Because this command runs NCA as a Docker image, you must install Docker on your computer.

The image URL for the network policy analyzer is icr.io/continuous-delivery/cra/nca.

If the analyzer image is not already in your local registry, the netpol-analyze command pulls the latest analyzer image (including fixes for any vulnerabilities) from the global IBM Cloud® Container Registry.

Using Code Risk Analyzer in Tekton pipelines

You can use the task-cra task in Tekton pipelines. The Tekton pipeline definition can run when a pull request is opened, when a commit is pushed, or from a manual trigger. You can also create your own Tekton tasks and run Code Risk Analyzer from those tasks.

Using Code Risk Analyzer in DevSecOps

You can use Code Risk Analyzer in DevSecOps. The following table lists and describes the supported Code Risk Analyzer parameters for DevSecOps.

For more information about the dependent utility commands that are required by the pipeline image to run the bom-generate command, see BOM requirements. If commands are missing, you can use the cra-custom-script-path parameter to reference a script to install those commands.

Table 9. DevSecOps Code Risk Analyzer-based parameters
Name Type Description Required or optional
artifactory-dockerconfigjson SECRET The base64-encoded Docker config.json file that stores credential information for Artifactory. Optional
baseimage-auth-user text The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. Optional
baseimage-auth-email text The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. Optional
baseimage-auth-host text The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. Optional
baseimage-auth-password SECRET The credentials for the base image of the application Dockerfile that is required by the Code Risk Analyzer scan. Optional
cra-cveignore-path text The path to the cveignore file that is relative to the root of the application repo. The default file path is .cra/.cveignore. Optional
cra-custom-script-path text The path to a custom script that runs before Code Risk Analyzer scanning. This script is sourced to provide the option to set ENV variables in the context of the Code Risk Analyzer BOM tool. Optional
cra-docker-buildflags text The custom Docker build command for build stage scanning. This parameter is empty by default. Optional
cra-docker-build-context text If specified, Code Risk Analyzer uses the directory in the path parameter as the Docker build context. Optional
cra-exclude-devdependencies text Specifies whether to exclude dev dependencies from scanning (true or false). The default value is false. Optional
cra-gradle-exclude-configs text Specifies which Gradle configurations to exclude dependencies from in scanning. For example, runtimeClasspath,testCompileClasspath. This parameter is empty by default. Optional
cra-maven-exclude-scopes text Specifies which Maven scopes to exclude dependencies from in scanning. For example, test,compile. This parameter is empty by default. Optional
cra-nodejs-create-package-lock text Enables Code Risk Analyzer discovery to build the package-lock.json file for Node.js repos (true or false). The default value is false. Optional
ibmcloud-api-key SECRET The IBM Cloud® API key that interacts with the ibmcloud CLI tool. Required
pipeline-dockerconfigjson SECRET The base64-encoded Docker config.json file that pulls images from a private registry. Optional
onepipeline-dockerconfigjson SECRET Deprecated. The base64-encoded Docker config.json file that pulls images from a private registry. Optional
pipeline-debug select The pipeline debug mode switch. Optional
opt-in-cra-auto-remediation text Enables Code Risk Analyzer to run the cra auto remediation command (true or false). The default value is false. This command is supported only in the Continuous Compliance Pipeline. Optional
opt-in-cra-auto-remediation-enabled-repos text Specifies the list of comma-separated repository names to enable for the cra auto remediation command. This parameter is considered only if opt-in-cra-auto-remediation is set to true and is supported only in the Continuous Compliance Pipeline. Optional
opt-in-cra-auto-remediation-force text Forces the cra auto remediation command to update the packages even if the major version is different from the current vulnerable package version (true or false). This parameter is considered only if opt-in-cra-auto-remediation is set to true and is supported only in the Continuous Compliance Pipeline. Optional
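The pipeline-dockerconfigjson and artifactory-dockerconfigjson parameters both take a base64-encoded Docker config.json. The following shell functions are an added example, not from the IBM documentation or the DevSecOps pipeline code, that build such a value from a registry host, user name and password. They assume the standard Docker config.json layout, in which auths.HOST.auth holds base64("user:password"), and that the parameter value is that whole file base64-encoded once more; the registry host and credentials in the usage comment are constructed sample values.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): build the value for the
# pipeline-dockerconfigjson / artifactory-dockerconfigjson parameters.
# Assumes the standard Docker config.json layout, {"auths":{HOST:{"auth":
# base64("user:password")}}}, base64-encoded once more as the parameter value.
set -eu

# base64 with no line wrapping (GNU base64 wraps at 76 columns by default,
# and a wrapped value would not decode back to one JSON document).
b64() { base64 | tr -d '\n'; }

# Print a minimal config.json for one registry.
# Usage: docker_config_json HOST USER PASSWORD
docker_config_json() {
  local host="$1" user="$2" password="$3" auth
  case "$host$user" in
    *['"\\']*) echo "host and user must not contain quotes or backslashes" >&2; return 1 ;;
  esac
  # The password only passes through printf (a builtin) and a pipe, so it
  # never appears in the argument list of an external process.
  auth="$(printf '%s:%s' "$user" "$password" | b64)"
  printf '{"auths":{"%s":{"auth":"%s"}}}' "$host" "$auth"
}

# Print the parameter value: the whole config.json, base64-encoded.
docker_config_json_b64() { docker_config_json "$@" | b64; }

# Decode a stored parameter value to inspect which registries it covers.
decode_dockerconfigjson() { printf '%s' "$1" | base64 -d; }

# Run with three arguments to print the value for one registry, for example
# (constructed sample values): ./mkdockercfg.sh us.icr.io iamapikey "$API_KEY"
if [ "$#" -eq 3 ]; then
  docker_config_json_b64 "$1" "$2" "$3"
  echo
fi
```

Store the printed value in the SECRET-typed parameter; use decode_dockerconfigjson on a stored value when you need to confirm which registry host it was generated for without re-entering the password.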

Example custom scripts for DevSecOps

If your Dockerfile declares ARG instructions, you can use the cra-custom-script-path parameter to point to a script that exports each ARG as an environment variable before the command runs. The custom script path is the path to a script that resides in your project. For example, if the Dockerfile declares ARG IAM_USER, the script exports an environment variable of the same name: export IAM_USER='value'. If the ARG value is stored as an environment property in the toolchain, use get_env inside the script to read it: export IAM_USER=$(get_env iam_user_environment_property_name). The run-cra task automatically picks up these environment variables and passes them to the docker build commands.

The following example shows how a cra-custom-script exports the environment variable. Note that when pipeline-debug is enabled, the debugging block at the top runs env immediately and again at exit, so every value the script exports, including the one that is fetched with get_env, is written to the pipeline log. Do not export secrets through this pattern with debug mode turned on.

#!/usr/bin/env bash

if [[ "${PIPELINE_DEBUG:-0}" == 1 ]]; then
    trap env EXIT
    env | sort
    set -x
fi

export IAM_USER=$(get_env iam_user_environment_property_name)
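The following script is an added example, not from the IBM documentation or the DevSecOps pipeline code, that generalizes the pattern above: it reads every ARG that the Dockerfile declares, exports each one from a toolchain environment property of the same name in lower case (that naming convention is an assumption), fails before the scan if a required ARG has neither a value nor a Dockerfile default, and in debug mode logs only the names it exported rather than dumping the environment. get_env is the pipeline's own command; the fallback that reads a plain environment variable, the CRA_DOCKERFILE variable name and the sample Dockerfile exist only so that the script can be tried outside the pipeline.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): cra-custom-script that exports Dockerfile
# ARGs from toolchain environment properties before the Code Risk Analyzer
# scan. Assumptions: the property for ARG FOO_BAR is named foo_bar, and the
# Dockerfile path arrives in CRA_DOCKERFILE (both names chosen here).
set -eu

# get_env is provided by the DevSecOps pipeline. This fallback, which reads
# a plain environment variable, only makes the script runnable outside it.
if ! command -v get_env >/dev/null 2>&1; then
  get_env() { printenv "$1" 2>/dev/null || true; }
fi

# Print the distinct ARG names declared in a Dockerfile, one per line,
# in order of first appearance (multi-stage files repeat ARG after FROM).
dockerfile_args() {
  grep -Ei '^[[:space:]]*ARG[[:space:]]+' "$1" |
    sed -E 's/^[[:space:]]*[Aa][Rr][Gg][[:space:]]+([A-Za-z_][A-Za-z0-9_]*).*/\1/' |
    awk '!seen[$0]++'
}

# Succeed if the ARG is declared with a default (ARG NAME=value).
arg_has_default() {
  grep -Eq "^[[:space:]]*[Aa][Rr][Gg][[:space:]]+$2=" "$1"
}

# Export each ARG from its property. Returns 1 if any ARG without a
# Dockerfile default is unset, so the scan fails early with a clear message
# instead of "Error executing docker build cmd ... exit status 1".
export_dockerfile_args() {
  local dockerfile="$1" name prop value missing=0
  for name in $(dockerfile_args "$dockerfile"); do
    prop="$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')"
    value="$(get_env "$prop")"
    if [ -z "$value" ]; then
      if arg_has_default "$dockerfile" "$name"; then
        continue            # the default in the Dockerfile applies
      fi
      echo "cra-custom-script: property '$prop' is unset for required ARG $name" >&2
      missing=1
      continue
    fi
    export "$name=$value"
    # Log names only: values can be secrets and must not reach the pipeline log.
    if [ "${PIPELINE_DEBUG:-0}" = 1 ]; then
      echo "cra-custom-script: exported $name" >&2
    fi
  done
  return "$missing"
}

# Constructed sample Dockerfile (not a real project file) for trying the
# functions offline; the pipeline would use the repository's own Dockerfile.
write_sample_dockerfile() {
  local f
  f="$(mktemp)"
  cat >"$f" <<'EOF'
ARG NODE_TAG=18
FROM node:${NODE_TAG}
ARG IAM_USER
RUN echo "building as ${IAM_USER}"
EOF
  printf '%s' "$f"
}

# When the pipeline sources this script with CRA_DOCKERFILE set, export now.
if [ -n "${CRA_DOCKERFILE:-}" ]; then
  export_dockerfile_args "$CRA_DOCKERFILE"
fi
```

Because the pipeline sources the script rather than executing it, the variables exported by export_dockerfile_args remain in the shell that later runs docker build, which is what the run-cra task relies on.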

You can also use the cra-custom-script-path parameter when the tool versions in the DevSecOps base image are older than your project requires. For example, Python projects whose packages need a later pip version can upgrade pip (pip3) before package discovery runs.

The following example shows how to use the cra-custom-script to update the pip version:

#!/usr/bin/env bash

if [[ "${PIPELINE_DEBUG:-0}" == 1 ]]; then
    trap env EXIT
    env | sort
    set -x
fi

python3 -m pip install --upgrade pip

If your Dockerfile uses an image from a private Docker registry, you can use the cra-custom-script-path parameter to authenticate to that registry before Code Risk Analyzer runs, so that Code Risk Analyzer can pull the image for scanning.

The following example shows how to use the cra-custom-script to authenticate to IBM Cloud Container Registry:

#!/usr/bin/env bash

if [[ "${PIPELINE_DEBUG:-0}" == 1 ]]; then
    trap env EXIT
    env | sort
    set -x
fi

ibmcloud cr login

Debugging the Code Risk Analyzer in DevSecOps

To help with debugging, you can run the Code Risk Analyzer locally as a command-line interface (CLI) on your own local machine. For information about running the ibmcloud cra bom-generate command to generate a BOM, see Bill of materials (BOM). After you generate the BOM, use the ibmcloud cra cve command to list any vulnerabilities. For more information about running the ibmcloud cra cve command, see Vulnerability scan.

If the run-cra task reports errors, first check whether your pipeline uses the current version of DevSecOps. If updating DevSecOps does not resolve the issue, the following examples show common errors and their solutions.

FAILED
Error executing docker pull cmd: [docker pull us.icr.io/opentoolchain/ibmnode:14ubisecure]

Verify that you have access to the private registry. If the pipeline cannot pull from it, use the cra-custom-script-path parameter to specify a custom script that runs before Code Risk Analyzer and authenticates to the private registry.

FAILED
Error executing docker build cmd for stage-0: exit status 1

If your Dockerfile requires ARG values, the docker build command for the build stages fails because those values are missing. Use the cra-custom-script-path parameter to set the ARG values as environment variables. For more information about setting up the custom script, see Example custom scripts for DevSecOps.

FAILED
Error executing docker build cmd for stage-0: exit status 1
...
COPY file-to-copy.js file-to-copy.js:
------
failed to compute cache key: "/file-to-copy.js" not found: not found

By default, the Code Risk Analyzer bom-generate command builds each Dockerfile with the directory that contains the Dockerfile as the build context, so a COPY of a file that lives elsewhere in the repository fails with this error. To build the Dockerfiles from the context of the root project directory instead, set the cra-docker-build-context parameter.

Removing stored Code Risk Analyzer data

The Code Risk Analyzer plug-in does not store any client data in its databases. However, earlier versions of Code Risk Analyzer Tekton tasks securely stored the results of vulnerability scans in its database.

To request the removal of any client data that might be stored in the Code Risk Analyzer, contact IBM Support.

FAQs

Get answers to frequently asked questions about using the Code Risk Analyzer CLI.

How can I determine why the CLI failed?

Before you call the Code Risk Analyzer CLI, set the IBMCLOUD_TRACE environment variable to true to turn on the debug log.

export IBMCLOUD_TRACE=true

Observe the API calls and the responses that are shown in the log to determine the exact reason for failure.

How can I debug a BOM command that fails to pull a base image from a private registry?

Make sure that you are authenticated with the registry where the base image resides by using the ibmcloud cr login command or the docker login command.

How can I debug a BOM command that is failing to analyze a Dockerfile?

  • Verify that the Dockerfile does not have any issues by running the docker build command and making sure that it passes.
  • If your Dockerfile requires ARG to be passed, make sure that the ARG is set as an environment variable. You can also use the DOCKERBUILDFLAG environment variable.
  • Authenticate with the registry that contains the base images.

I am seeing unexpected false positive results. What should I do?

Run the DevSecOps Continuous Deployment (CD) pipeline to generate an updated SBOM in the evidence locker. This might address a potential cause of false positives that results from the presence of an older SBOM that was generated by the DevSecOps Continuous Compliance (CC) pipeline.

Why is the severity of the report or issue different from the one of the associated vulnerability link?

Because the source of vulnerability information changed recently, the severity that Code Risk Analyzer associates with a particular vulnerability might differ from the severity that is shown at the linked advisory. Code Risk Analyzer determines the severity from a computation over all of its vulnerability sources, so it does not necessarily match any single source.