The DevSecOps Continuous Integration Toolchain is now able to validate Infrastructure as Code sources (such as Terraform definitions).
Infrastructure as Code (IaC) is used heavily to define infrastructure and tailor environments from development, testing and quality assurance to production environments.
This specialized code should be subject to the same careful management as application source code, so that vulnerabilities are not introduced into the target infrastructure through the definitions that build it.
DevSecOps Continuous Integration for IaC can help
The DevSecOps Continuous Delivery service provides a new DevSecOps toolchain that is specialized to account for Infrastructure as Code, such as Terraform definitions source.
It includes all the expected DevSecOps best practices, including evidence collection, quality gates, artifact signing, automated tests, static code scans, vulnerability checks and more.
A new template is available in the toolchain catalog to create a Continuous Integration toolchain to develop your infrastructure code:
This template provides a default sample that illustrates the simple use case of creating an IBM Key Protect for IBM Cloud service instance and implementing a unit test using Terratest and an acceptance test using Jest. The DevSecOps Continuous Integration for Infrastructure as Code (IaC) pipeline comes with predefined stages implemented using default scripts. For example:
- Static-scan and compliance-checks: These stages use various tools, such as terraform validate, tflint, ibmcloud cra terraform-validate, tfsec and checkov.
- Deployment action: The Terraform configuration is deployed during the deploy-dev stage using IBM Cloud Schematics.
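As an added illustration of what a static-scan stage feeds into a quality gate, the following script normalises the JSON reports of two of the scanners named above (tfsec and checkov), applies a severity threshold, and emits an evidence record. This is example code written for this page, not the toolchain's own stage script; the JSON layouts are simplified assumptions about each tool's output, and the sample reports, rule ids and resource names are constructed placeholders.

```python
import json
from dataclasses import dataclass, asdict

# Severity ordering used by the gate (names as tfsec/checkov report them).
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    tool: str
    rule_id: str
    severity: str
    resource: str
    message: str


def parse_tfsec(raw: str) -> list:
    """Normalise `tfsec --format json` output into Finding objects.

    Assumed layout: {"results": [{"rule_id", "severity", "resource",
    "description"}, ...]}. tfsec reports "results": null when nothing is
    found, so None is treated as an empty list rather than as an error.
    """
    doc = json.loads(raw)
    return [
        Finding("tfsec", r["rule_id"], str(r.get("severity", "LOW")).upper(),
                r.get("resource", "unknown"), r.get("description", ""))
        for r in (doc.get("results") or [])
    ]


def parse_checkov(raw: str) -> list:
    """Normalise `checkov -o json` output into Finding objects.

    Assumed layout: {"results": {"failed_checks": [{"check_id", "check_name",
    "resource", "severity"}, ...], "passed_checks": [...]}}. Only failed
    checks become findings. checkov leaves "severity" null in some setups,
    so a missing severity defaults to MEDIUM instead of being dropped.
    """
    doc = json.loads(raw)
    failed = doc.get("results", {}).get("failed_checks", []) or []
    return [
        Finding("checkov", c["check_id"], str(c.get("severity") or "MEDIUM").upper(),
                c.get("resource", "unknown"), c.get("check_name", ""))
        for c in failed
    ]


def evaluate_gate(findings, threshold="HIGH") -> dict:
    """Fail the gate if any finding is at or above `threshold`.

    The returned dict is the evidence record a pipeline would attach to the
    run: overall status, the threshold used, and the findings that blocked.
    """
    limit = SEVERITY_RANK[threshold.upper()]
    blocking = [f for f in findings if SEVERITY_RANK.get(f.severity, 0) >= limit]
    return {
        "status": "fail" if blocking else "pass",
        "threshold": threshold.upper(),
        "findings_total": len(findings),
        "blocking": [asdict(f) for f in blocking],
    }


# Constructed sample reports (not real tool output; ids and names are placeholders).
SAMPLE_TFSEC = json.dumps({
    "results": [
        {"rule_id": "EXAMPLE-KMS-001", "severity": "HIGH",
         "resource": "ibm_kms_key.example",
         "description": "Key rotation is not enabled on the root key"}
    ]
})
SAMPLE_CHECKOV = json.dumps({
    "results": {
        "passed_checks": [
            {"check_id": "CKV_EXAMPLE_1", "check_name": "Resource has tags",
             "resource": "ibm_resource_instance.kms", "severity": None}
        ],
        "failed_checks": [
            {"check_id": "CKV_EXAMPLE_2",
             "check_name": "Service instance is not placed in a resource group",
             "resource": "ibm_resource_instance.kms", "severity": None}
        ],
    }
})


def run_stage(tfsec_json=SAMPLE_TFSEC, checkov_json=SAMPLE_CHECKOV, threshold="HIGH") -> dict:
    """One static-scan gate: parse both reports, then decide pass/fail."""
    findings = parse_tfsec(tfsec_json) + parse_checkov(checkov_json)
    return evaluate_gate(findings, threshold)


if __name__ == "__main__":
    print(json.dumps(run_stage(), indent=2))
```

With the constructed reports the gate fails at the default HIGH threshold because of the tfsec finding, while the checkov MEDIUM finding is recorded but does not block; raising the threshold to CRITICAL lets the stage pass. In a real pipeline the two JSON strings would come from the scanner invocations in the static-scan stage, and the evidence record would be stored alongside the other collected evidence for the run.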
See the docs for more details:
IBM Cloud has already made available a complete set of DevSecOps toolchain templates for your cloud-native application development. Learn more about it here.
Report a problem or look for help
Get help directly from the IBM Cloud development teams by joining us on Slack.