Terraform

This article shows you how to analyze your Terraform projects and modules using NG SAST.

Prerequisites

You must have:


CI/CD-based scans

If you're integrating NG SAST into a CI/CD system, you must use a Linux build agent.

If you're using Azure Pipelines or GitHub Actions, make sure that you use ubuntu-20.04 as the VM image:

runs-on: ubuntu-20.04

If you cannot use ubuntu-20.04 as the VM image, you may be able to use a Docker-based invocation instead. However, only a few CI systems (GitHub Actions, for example) support this approach. To use a Docker-based invocation, include the --use-docker flag in your sl analyze command:

sl analyze --app appName --use-docker --terraform .

Analyzing your Terraform projects and modules

To analyze your Terraform projects and modules, run:

sl analyze --app <name> --terraform [<path>]

Parameter       Description
--app <name>    The name of the project/module to be analyzed
--terraform     The flag identifying the application as a Terraform project
<path>          The path to the project/module to be analyzed

See the CLI reference for additional sl analyze options.

Terraform Vulnerabilities

Tagging results with your branch name

To include the branch name in your NG SAST results, allowing you to distinguish one set of results from another, add the following to your invocation of ShiftLeft:

sl analyze --tag branch=`git symbolic-ref --short HEAD`

If you're working in a GitHub environment (e.g., GitHub Actions), you can also use --tag branch=${{ github.head_ref }} to populate your branch name.

If you don't provide a branch name, but ShiftLeft detects one available in your environment, it will use that name.
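As an added example (not part of ShiftLeft's documentation or tooling), the following POSIX shell script puts the pieces above together for a CI job: it resolves the branch tag the way the documentation suggests, falling back to the GitHub Actions variables GITHUB_HEAD_REF and GITHUB_REF_NAME when the checkout is a detached HEAD, and composes the sl analyze --terraform command line, optionally with --use-docker. The app name and path are placeholders.

```shell
#!/bin/sh
# Added example, not ShiftLeft's own script: resolve the branch tag and
# compose the `sl analyze --terraform` invocation for a CI job.
set -eu

# Branch name for --tag branch=..., in order of preference:
#  1. git symbolic-ref (works on a normal, attached checkout);
#  2. GITHUB_HEAD_REF, set by GitHub Actions for pull_request runs, where
#     the checkout is a detached HEAD and symbolic-ref fails;
#  3. GITHUB_REF_NAME, set by GitHub Actions for push runs;
#  4. empty: pass no --tag and let sl detect the branch from the environment.
resolve_branch() {
    if b=$(git symbolic-ref --short HEAD 2>/dev/null) && [ -n "$b" ]; then
        printf '%s\n' "$b"
    elif [ -n "${GITHUB_HEAD_REF:-}" ]; then
        printf '%s\n' "$GITHUB_HEAD_REF"
    elif [ -n "${GITHUB_REF_NAME:-}" ]; then
        printf '%s\n' "$GITHUB_REF_NAME"
    fi
}

# Compose the command line.  $1 app name, $2 path to the Terraform project,
# $3 branch name (may be empty), $4 "docker" to add --use-docker for a CI
# image other than ubuntu-20.04.  The command is printed rather than
# executed so it can be inspected; in a real job replace the printf with
# the sl call itself.
build_sl_command() {
    cmd="sl analyze --app $1"
    if [ "${4:-}" = "docker" ]; then cmd="$cmd --use-docker"; fi
    if [ -n "${3:-}" ]; then cmd="$cmd --tag branch=$3"; fi
    printf '%s\n' "$cmd --terraform $2"
}

# Demonstration with constructed placeholder values for app name and path.
branch=$(resolve_branch)
build_sl_command "my-terraform-modules" "./infra" "$branch"
build_sl_command "my-terraform-modules" "./infra" "$branch" docker
```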