This article covers everything you need to know about Infrastructure as Code (IaC) in Nexus IQ Server. We’ll go over what IaC is, how it works, and how to use it with Nexus IQ Server.
More specifically, this article will help you:
- Understand what Infrastructure as Code is and how it’s used in modern software development.
- Explain how Nexus IQ Server scans IaC and what information is available from the scans.
- Run scans in Nexus IQ Server using the CLI or Web UI.
- Analyze the results of a scan and use that information to better understand the health of your infrastructure.
Prerequisites
- The latest release of IQ Server (release 107 or newer required).
- Infrastructure as Code Pack license.
- Terraform version 0.12 or newer.
- A resolved Terraform plan file named
What is Infrastructure as Code?
Infrastructure as Code is a means of expressing cloud infrastructure using code, which can be run against cloud provider APIs to create, configure, and modify cloud infrastructure. IaC is used in place of the cloud provider console.
IaC is a far more efficient way of building and managing cloud infrastructure environments than cloud consoles are. You can express some, or all, of a cloud infrastructure environment in an IaC file before you build any infrastructure. One can build a global network in minutes using IaC — something that would have taken weeks using the console (and months before cloud).
IaC is a predictable and scalable way to manage cloud infrastructure. IaC files can be shared, code-reviewed, and replicated. They can be evaluated and certified by security and compliance teams and vended across an organization.
Infrastructure as Code templates may include potentially sensitive data when describing the target environment and infrastructure. While this information is sent encrypted to Sonatype servers during evaluations, it is strongly recommended that best practices are followed: information such as passwords or API keys should not be exposed in plaintext wherever this can be avoided. Vaults are a common solution for storing secrets and referencing them from inside configuration files.
How does IQ Server scan IaC?
Now that you have some basic knowledge on IaC, let’s talk about how Nexus IQ Server works with it.
To scan a Terraform plan file, the first step is to generate it. This is typically done by running the following command during the build process:
terraform plan -out=terraform.plan
You can then create a JSON representation of the resolved plan with:
terraform show -json terraform.plan > terraform.tfplan
Executing a scan via the CLI, Web UI, or as a build step with Jenkins will automatically search for files with the extension .tfplan and include the results as part of the application scan.
Data Security Practices
In order for the Infrastructure as Code Pack to evaluate an application’s cloud infrastructure for vulnerabilities and misconfigurations, the IaC product will scan the applicable IaC template provided by the end user and will provide the results of such scan within the Nexus IQ report. Due to the nature of IaC templates, there is potential for unprotected sensitive data to be transmitted (including information regarding your environment and infrastructure). As such, prior to running a scan using Sonatype’s IaC Pack, please ensure that such sensitive data is not transmitted to Sonatype and that any such sensitive information is protected in accordance with information security best practices. Specifically, please ensure that (a) sensitive information like usernames, passwords, API tokens and SSH keys is not exposed in plaintext, and (b) where possible, you use protective measures like environment variables and vaults. Sonatype neither requires nor wants to receive any such sensitive information.
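As an added example (not Sonatype's code), the Python pre-flight check below ties the two points above together: it finds every .tfplan in a workspace, the way the scan does, and reports resolved attribute literals stored under secret-like names so the plan can be corrected before it is evaluated. The plan JSON is a constructed, trimmed sample of terraform show -json output; the attribute-name pattern and the root-module-only walk are assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Attribute names that usually carry credentials (assumption: extend for your modules).
SECRET_KEY = re.compile(r"password|passwd|secret|token|private_key|access_key", re.I)

# Constructed sample of `terraform show -json terraform.plan` output, cut down to the
# planned_values block, which is where the resolved attribute literals live.
SAMPLE_PLAN = json.loads("""
{ "format_version": "0.1", "terraform_version": "0.12.29",
  "planned_values": { "root_module": { "resources": [
    { "address": "aws_db_instance.main",
      "values": { "engine": "postgres", "username": "app", "password": "hunter2-example" } },
    { "address": "aws_s3_bucket.logs",
      "values": { "bucket": "example-logs", "tags": { "api_token": "", "owner": "platform" } } }
  ] } } }
""")

def _walk(node, prefix, hits):
    """Recurse through resolved values; flag non-empty strings under secret-like keys."""
    if isinstance(node, dict):
        for key, val in node.items():
            if isinstance(val, str) and val and SECRET_KEY.search(key):
                hits.append(f"{prefix}: {key}")
            else:
                _walk(val, prefix, hits)
    elif isinstance(node, list):
        for item in node:
            _walk(item, prefix, hits)

def find_plaintext_secrets(plan):
    """Sorted 'address: attribute' entries for the root module (child_modules not walked)."""
    hits = []
    for res in plan.get("planned_values", {}).get("root_module", {}).get("resources", []):
        _walk(res.get("values", {}), res.get("address", "?"), hits)
    return sorted(hits)

def preflight(root):
    """Check every *.tfplan under root (the files the IQ scan picks up automatically).
    Returns {path: findings}; only files with an empty list should go to the scanner."""
    return {str(p): find_plaintext_secrets(json.loads(p.read_text()))
            for p in sorted(Path(root).rglob("*.tfplan"))}

def demo():
    """Write the constructed sample into a scratch workspace and run the check over it."""
    root = Path(tempfile.mkdtemp())
    (root / "terraform.tfplan").write_text(json.dumps(SAMPLE_PLAN))
    (root / "main.tf").write_text('resource "aws_s3_bucket" "logs" {}')  # not a plan, ignored
    return preflight(root)
```

Run it as a build step before the IQ CLI invocation and fail the step when any file maps to a non-empty list; the sample yields one finding, the literal database password.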
What will I see in the evaluation results?
When scanning IaC, all of the policies set up in your instance of IQ Server are applied, giving you a breakdown just as it would for any other application. The report will contain information on the application layers and provide a breakdown of the IaC vulnerabilities, what is breaking policy, and how you can resolve those vulnerabilities.
Information provided from the scan report helps you understand the quality of the applications alongside your infrastructure, and Nexus Lifecycle provides that intelligence throughout the development pipeline.
An example - running a scan from the CLI
- Navigate to a workspace that has a .tfplan file.
- Run the Nexus IQ CLI:
java -jar nexus-iq-cli-1.105.0-SNAPSHOT.jar -i test-app -s http://localhost:8070 -a admin:admin123 -t develop .
The example above is using release 105 of the IQ CLI. In this command:
- test-app is the name of the application we are running the evaluation against,
- localhost:8070 is the location of our IQ Server,
- admin:admin123 are our login credentials, and
- . means we are scanning everything in the workspace. It is also possible to scan individual Terraform plan files by replacing the . with myfile.tfplan (or multiple files).
Once the scan is complete, you’ll see a link to the report in your CLI. Copy the link and then paste it into your browser to access the scan results.
Figure 1: Infrastructure violations in the Nexus IQ report.
The report shows you the components identified, customized policy violations, a detailed bill of materials, and will also automatically kick off notifications, if that feature is enabled.
For more information on running scans in the CLI, please see our Nexus IQ CLI help docs.
IQ Webhook Listener
In addition to the CLI and CI plugins, there’s also an option to scan your IaC using a webhooks listener. Using this option lets you scan after a build is pushed to Nexus Repository, triggering a scan from the repository.
This may be your best option if you don’t have access to your CI build steps, but still want to kick-off evaluations when things are pushed to your repos.
For help with this, see our docs on the IQ Webhook Listener.
IaC in IQ Server FAQs
How does Nexus IQ Server evaluate containers?
Terraform files are resolved into a .tfplan plan file. This is automatically detected during a scan, and the IaC results are included alongside the regular application scan information.
Where can I integrate Sonatype’s container scanning into my SDLC?
Coming soon: Docker CLI, Bamboo plugin, Gitlab, CircleCI
Talk to Us
And visit my.sonatype.com for all things Sonatype.