Code Risk Analyzer Adds Terraform Scanning

2 min read

The expansion of Code Risk Analyzer extends scanning capabilities.

In November 2020, IBM introduced the Code Risk Analyzer to IBM Cloud Continuous Delivery to help "shift left" security. Code Risk Analyzer identifies multiple classes of security risks by scanning source files. Misconfiguration of infrastructure and cloud service dependencies can put enterprise applications and data at risk. Now, Code Risk Analyzer will look for these issues by scanning Terraform Infrastructure as Code (IaC) files. 

Code Risk Analyzer helps developers find and remediate security and legal vulnerabilities that are potentially introduced into their source code and provides feedback directly in their Git artifacts (for example, pull/merge requests). Code Risk Analyzer is provided as a set of Tekton tasks, which can be easily incorporated into delivery pipelines.

DevSecOps for Infrastructure

IBM Cloud Schematics provides powerful tools to automate your cloud infrastructure provisioning and management process and the configuration and operation of your cloud resources and the deployment of your app workloads. To do so, Schematics leverages open source projects, such as Terraform. Terraform allows infrastructure to be expressed as code in a simple, human-readable language. It reads configuration files and provides an execution plan of changes that can be reviewed for safety and then applied and provisioned.

Infrastructure as Code (IaC) provides development teams with the opportunity to manage infrastructure definitions in Git repos and deploy with DevOps  pipelines, just like any other code. IaC modules can be reused between workloads and across multi-regions and accounts.

With this new expansion of Code Risk Analyzer, we can extend our scanning capabilities to help prevent misconfiguration of cloud accounts and compliance with regulations through scanning of IaC before it is deployed. The new IaC capability in Code Risk Analyzer scans ibm-terraform files and helps you ensure that they meet National Institute of Standards and Technology (NIST) frameworks. Today, it supports 57 compliance goals, covering 18 NIST checks, and the list is growing. 

With this new capability, you can now scan the compliance of your Infrastructure as Code and make sure that any planned changes to your account are compliant with NIST regulations. You can control this process from IBM Cloud Continuous Delivery toolchains and consume the output both in your Git repository and in your IBM Cloud Continuous Delivery PipelineRun dashboard. You can create gates that block the deployment of the IaC when misconfigurations are found and remediate misconfigurations as soon as they are created:

You can create gates that block the deployment of the IaC when misconfigurations are found and remediate misconfigurations as soon as they are created:

More information

For more details on the new capability within Code Risk Analyzer, please see the following resources:

In addition, you can get help directly from the IBM Cloud development teams by joining us on Slack.

Be the first to hear about news, product updates, and innovation from IBM Cloud