Terraform

This article shows you how to analyze your Terraform projects and modules using NG SAST.

Prerequisites

You must have:

If you're integrating NG SAST into a CI/CD system, you must use a Linux build agent.

CI/CD-Based Scans

If you're using Azure Pipelines or GitHub Actions, make sure that you use ubuntu-20.04 as the VM image:

runs-on: ubuntu-20.04

If you cannot use ubuntu-20.04 as the VM image, you may be able to use a Docker-based invocation instead. However, only a few CI systems (GitHub Actions, for example) support this approach. To use a Docker-based invocation, include the --use-docker flag in your sl analyze command:

sl analyze --app appName --use-docker --terraform .

Analyzing Your Terraform Projects and Modules

To analyze your Terraform projects and modules, run:

sl analyze --app <name> --terraform [<path>]

Parameter        Description
--app <name>     The name of the project/module to be analyzed
--terraform      The flag identifying the application as a Terraform project
<path>           The path to the project/module to be analyzed

See the CLI reference for additional sl analyze options.
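Putting the CI/CD requirement and the analyze command together, here is a GitHub Actions workflow that scans a Terraform module on the ubuntu-20.04 image. It is an added example, not a workflow from the NG SAST documentation; the CLI download URL and the SHIFTLEFT_ACCESS_TOKEN variable and secret name are assumptions, and my-terraform-module is a placeholder application name.

```yaml
# Added example (not from the NG SAST docs): scan a Terraform module with
# NG SAST from GitHub Actions on the ubuntu-20.04 image the page requires.
# Assumptions: the CLI is fetched from https://cdn.shiftleft.io/download/sl
# and reads its token from SHIFTLEFT_ACCESS_TOKEN, supplied here from a
# repository secret of the same (assumed) name.
name: NG SAST Terraform scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  ngsast-terraform:
    # Linux build agent with the VM image the docs require.
    runs-on: ubuntu-20.04
    steps:
      - name: Check out the Terraform project
        uses: actions/checkout@v3

      - name: Download the ShiftLeft CLI
        # Assumed download URL; pin a version or verify a checksum in a
        # production pipeline rather than trusting the latest binary blindly.
        run: |
          curl -fsSL https://cdn.shiftleft.io/download/sl -o "$GITHUB_WORKSPACE/sl"
          chmod a+rx "$GITHUB_WORKSPACE/sl"

      - name: Analyze the Terraform project with NG SAST
        env:
          # Assumed variable name; keep the token in a secret, never in the file.
          SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
        # --app names the project, --terraform marks it as a Terraform project,
        # and the trailing "." is the module path relative to the checkout.
        # If ubuntu-20.04 is unavailable, add --use-docker as described above.
        run: |
          "$GITHUB_WORKSPACE/sl" analyze --app my-terraform-module --terraform .
```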

Terraform Vulnerabilities