The expansion of Code Risk Analyzer extends scanning capabilities.

In November 2020, IBM introduced the Code Risk Analyzer to IBM Cloud Continuous Delivery to help “shift left” security. Code Risk Analyzer identifies multiple classes of security risks by scanning source files. Misconfiguration of infrastructure and cloud service dependencies can put enterprise applications and data at risk. Now, Code Risk Analyzer will look for these issues by scanning Terraform Infrastructure as Code (IaC) files. 

Code Risk Analyzer helps developers find and remediate security and legal vulnerabilities that are potentially introduced into their source code and provides feedback directly in their Git artifacts (for example, pull/merge requests). Code Risk Analyzer is provided as a set of Tekton tasks, which can be easily incorporated into delivery pipelines.

DevSecOps for Infrastructure

IBM Cloud Schematics provides powerful tools to automate your cloud infrastructure provisioning and management process and the configuration and operation of your cloud resources and the deployment of your app workloads. To do so, Schematics leverages open source projects, such as Terraform. Terraform allows infrastructure to be expressed as code in a simple, human-readable language. It reads configuration files and provides an execution plan of changes that can be reviewed for safety and then applied and provisioned.

Infrastructure as Code (IaC) provides development teams with the opportunity to manage infrastructure definitions in Git repos and deploy with DevOps  pipelines, just like any other code. IaC modules can be reused between workloads and across multi-regions and accounts.

With this new expansion of Code Risk Analyzer, we can extend our scanning capabilities to help prevent misconfiguration of cloud accounts and compliance with regulations through scanning of IaC before it is deployed. The new IaC capability in Code Risk Analyzer scans ibm-terraform files and helps you ensure that they meet National Institute of Standards and Technology (NIST) frameworks. Today, it supports 57 compliance goals, covering 18 NIST checks, and the list is growing. 

With this new capability, you can now scan the compliance of your Infrastructure as Code and make sure that any planned changes to your account are compliant with NIST regulations. You can control this process from IBM Cloud Continuous Delivery toolchains and consume the output both in your Git repository and in your IBM Cloud Continuous Delivery PipelineRun dashboard. You can create gates that block the deployment of the IaC when misconfigurations are found and remediate misconfigurations as soon as they are created:

More information

For more details on the new capability within Code Risk Analyzer, please see the following resources:

In addition, you can get help directly from the IBM Cloud development teams by joining us on Slack.


More from Announcements

IBM TechXchange underscores the importance of AI skilling and partner innovation

3 min read - Generative AI and large language models are poised to impact how we all access and use information. But as organizations race to adopt these new technologies for business, it requires a global ecosystem of partners with industry expertise to identify the right enterprise use-cases for AI and the technical skills to implement the technology. During TechXchange, IBM's premier technical learning event in Las Vegas last week, IBM Partner Plus members including our Strategic Partners, resellers, software vendors, distributors and service…

Introducing Inspiring Voices, a podcast exploring the impactful journeys of great leaders

< 1 min read - Learning about other people's careers, life challenges, and successes is a true source of inspiration that can impact our own ambitions as well as life and business choices in great ways. Brought to you by the Executive Search and Integration team at IBM, the Inspiring Voices podcast will showcase great leaders, taking you inside their personal stories about life, career choices and how to make an impact. In this first episode, host David Jones, Executive Search Lead at IBM, brings…

IBM watsonx Assistant and NICE CXone combine capabilities for a new chapter in CCaaS

5 min read - In an age of instant everything, ensuring a positive customer experience has become a top priority for enterprises. When one third of customers (32%) say they will walk away from a brand they love after just one bad experience (source: PWC), organizations are now applying massive investments to this experience, particularly with their live agents and contact centers.  For many enterprises, that investment includes modernizing their call centers by moving to cloud-based Contact Center as a Service (CCaaS) platforms. CCaaS solutions…

See what’s new in SingleStoreDB with IBM 8.0

3 min read - Despite decades of progress in database systems, builders have compromised on at least one of the following: speed, reliability, or ease. They have two options: one, they could get a document database that is fast and easy, but can’t be relied on for mission-critical transactional applications. Or two, they could rely on a cloud data warehouse that is easy to set up, but only allows lagging analytics. Even then, each solution lacks something, forcing builders to deploy other databases for…