
IaC Security

Introduction

Benefits and Use Cases

Infrastructure as Code helps move security protocols and standards down into the development pipeline, highlighting and resolving potential issues as early as possible in the development process. This benefits many players within the organization:

  • Security and compliance personnel see reductions in violations and security risks
  • DevOps managers can streamline processes and secure the pipeline
  • Developers can detect issues early and have clear guidance on how to remediate them with minimal effort.

1 - Git IaC Scanning

Introduction

Sysdig has introduced Git Integrations as part of its Infrastructure as Code (IaC) solution. At this time, the integrations can be used to scan incoming Pull Requests (PRs) for security violations based on predefined policies. The results of the scanning evaluation are presented in the PR itself. If passed, the user can merge; if failed the user cannot merge. Information provided in the PR also targets the problem area to assist the user in remediation.

See the IaC Supportability Matrix to review the resources and file types currently supported.


Process Overview

Sysdig currently supports Github, Bitbucket, GitLab, and Azure DevOps integrations.

In each case, you log in as admin, select Git Integrations, choose your flavor, configure it, and define which parts of the source to protect:

  • The repositories (selected from the list)
  • The folders within each repo (or all folders using /)
  • The branches (for pull request evaluations only)

Launching an Integration

  1. Log in to Sysdig Secure as admin and choose the Settings button in the navigation bar.

  2. Select Git Integrations.

    • If no integrations have ever been added, the page is empty. Click Add Git Integration.

    • If some integrations already exist, the Git Integrations List page is displayed, showing the integration name, status, and number of configured sources.

      Click Add Git Integration.

  3. Select the relevant integration type from the drop-down list and begin the configuration.

Configuration Steps

Github

This configuration toggles between the Sysdig Secure interface and the Github interface.

From the Git Integrations List page, choose Github and:

  1. Enter an Integration Name and click Complete in Github.

    The Github interface opens in a new tab.

  2. Sign in to Github and select where to install the Sysdig Github app. Click Configure.

  3. Select All Repositories or define chosen repos and click Install.

    You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active.

  4. Click Add Sources on the new integration listing.

    Note: It’s possible to stop here; when you come back to the List page, you can click Configure Sources to resume.

  5. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check. Define the branch using a regular expression. You can use .* to check PRs on all branches or use main.

  6. Click Add Source. Repeat as needed and click Save. The system automatically checks that valid folder names have been entered.

  7. Review the Status on the Integrations List page, which shows any issues in the connection between Sysdig Secure and the Sysdig Github application:

    • Active: Everything is working as expected
    • Last Scanned: As soon as the integration is fully configured and active, a scan will be run. The Last Scanned field is updated after every scan (every 24 hours by default).
    • Not Installed: The Sysdig Github App is not installed
    • Suspended: The Sysdig Github App is suspended and needs to be resumed
  8. See also the Additional Options.

Bitbucket

Prerequisites

  1. Open your Bitbucket organization and create a designated account for Sysdig.
  2. Configure the account’s access for the relevant workspace.
  3. Create a new app password for the account:
    1. Navigate to Personal Settings > App passwords, then click Create app password.
    2. Assign the following permissions:
      • Account: Read
      • Repositories: Read, Write, Admin
      • Pull requests: Read, Write
      • Webhooks: Read and write
    3. Click Create.

Add Bitbucket Integration

  1. In Sysdig, navigate to the Git Integration screen.

  2. Click Add Git Integration and choose Bitbucket.

  3. Fill in the details, including the app password created in the prerequisites step.

  4. Click Add to complete. You will be redirected to the Integration page in Sysdig Secure when installation is complete. The Integration Status should show Active.

  5. Click Add Sources on the new integration listing.

  6. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check. Define the branch using a regular expression. You can use .* to check PRs on all branches or use main.

  7. Repeat as needed and click Save. The system automatically checks that valid folder names have been entered.

  8. Review the Status on the Integrations List page, which shows any issues in the connection between Sysdig Secure and the Sysdig Bitbucket application:

    • Active: Everything is working as expected
    • Not Installed: The Sysdig Bitbucket App is not installed
    • Suspended: The Sysdig Bitbucket App is suspended and needs to be resumed
  9. See also the Additional Options.

GitLab

Prerequisites in GitLab UI:

  • Log in to your GitLab organization and create a designated account for Sysdig Secure
  • Configure the account’s access for Projects
  • Create a unique personal access token, setting a:
    • Unique name for the token
    • Token expiration date
    • The following scopes for the token:
      • api
      • read_repository
      • write_repository
  • Copy the token value

Add the Integration

From the Git Integrations List page, choose GitLab and:

  1. Enter an Integration Name and the Token from the prerequisite step.

  2. Click Test Connection, then click Add. The Manage Integration page is displayed.

  3. Click Add Sources on the new integration listing.

  4. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check. Define the branch using a regular expression. You can use .* to check PRs on all branches or use main.

  5. The system automatically checks that valid folder names have been entered.

  6. Review the Status on the Integrations List page.

  7. See also the Additional Options.

Azure DevOps

Prerequisites in Azure DevOps UI

  • Log in to your Azure DevOps organization and create a designated account for Sysdig Secure for cloud

  • Account Access: Configure the account’s access for Repositories and Projects

  • Account Subscription Permissions: Assign View, Edit, and Delete subscriptions permissions to the account.

    HINT: To grant the required subscription access using the Azure CLI:

    • ServiceHooks Namespace: Run az devops security permission namespace list --output table and record the ServiceHooks namespace ID
    • PublisherSecurity Token: Run az devops security permission update --allow-bit 7 --namespace-id {{ServiceHooks namespace Id}} --subject {{accountUserEmail}} --token PublisherSecurity --output table
  • Personal Access Token: Retrieve a unique personal access token
    • Record the token value
    • Token Scope: Set to Custom Defined
    • Code Scope: Choose Read, Write, and Status permissions
    • Extensions Scope: Choose Read permission
    • For additional help, see the Azure DevOps documentation
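The HINT above can be scripted rather than copied by hand. The script below is an added example and not Sysdig's or Microsoft's code. It assumes the Azure CLI with the azure-devops extension is installed and logged in, that `az devops security permission namespace list --output json` returns objects carrying `name` and `namespaceId` fields (the Azure DevOps security namespaces payload, with az's alphabetically keyed JSON), and that allow bit 7 is ViewSubscriptions (1) | EditSubscriptions (2) | DeleteSubscriptions (4) in the ServiceHooks namespace, which matches the View, Edit and Delete subscription permissions the step asks for. The account address used in the usage comment is a constructed placeholder. The grant is printed for review and only executed when `APPLY=1` is set.

```shell
#!/usr/bin/env sh
# Added example (not Sysdig's or Microsoft's code): scripts the two-command
# HINT. The ServiceHooks namespace ID is parsed out of the JSON namespace
# listing instead of being copied by hand, the inputs are validated before
# they reach az, and the permission update is printed for review first.
set -eu

# Read the JSON output of `az devops security permission namespace list
# --output json` on stdin and print the ServiceHooks namespace ID.
# Assumption: "name" and "namespaceId" of a namespace sit in the same object
# tail after its nested "actions" array (az emits alphabetically keyed JSON).
# Records are split on '}', so nested action objects, which carry their own
# "name", are examined separately and never match "ServiceHooks".
servicehooks_namespace_id() {
  tr -d '\n' | awk 'BEGIN { RS = "}" }
    /"name"[ \t]*:[ \t]*"ServiceHooks"/ &&
    match($0, /"namespaceId"[ \t]*:[ \t]*"[^"]*"/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^"namespaceId"[ \t]*:[ \t]*"/, "", s)
      sub(/"$/, "", s)
      print s
      exit
    }'
}

# Shape checks for the two values handed to az: a GUID-shaped namespace ID
# and an e-mail-shaped subject. A copy-paste slip fails here with a clear
# message instead of as an opaque az error.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}
is_email() {
  printf '%s' "$1" | grep -Eq '^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$'
}

# Print the permission update from the HINT for the given namespace ID and
# account. Allow bit 7 = ViewSubscriptions (1) | EditSubscriptions (2) |
# DeleteSubscriptions (4) in the ServiceHooks namespace (assumed bit values),
# i.e. exactly the View, Edit and Delete subscription permissions required.
subscription_grant_command() {
  ns_id=$1; subject=$2; allow_bit=${3:-7}
  is_guid "$ns_id" || { echo "bad namespace id: $ns_id" >&2; return 1; }
  is_email "$subject" || { echo "bad subject: $subject" >&2; return 1; }
  printf 'az devops security permission update --allow-bit %s --namespace-id %s --subject %s --token PublisherSecurity --output table\n' \
    "$allow_bit" "$ns_id" "$subject"
}

# Look the namespace up, build the grant, print it, and run it only when
# APPLY=1 so the change can be reviewed before it is made.
grant_sysdig_subscription_access() {
  subject=$1
  ns_id=$(az devops security permission namespace list --output json | servicehooks_namespace_id)
  [ -n "$ns_id" ] || { echo "ServiceHooks namespace not found" >&2; return 1; }
  cmd=$(subscription_grant_command "$ns_id" "$subject") || return 1
  echo "$cmd"
  if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; fi
}

# Usage (constructed account address):
#   grant_sysdig_subscription_access "sysdig-scanner@example.com"        # review
#   APPLY=1 grant_sysdig_subscription_access "sysdig-scanner@example.com" # apply
```

Because the namespace ID is looked up by name, the same script works in any organization without editing the `{{ServiceHooks namespace Id}}` placeholder, and the validation step catches the most common failure, a partially copied GUID or a display name pasted where the account e-mail belongs.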

Add the Integration

From the Git Integrations List page, choose Azure DevOps and:

  1. Enter an Integration Name, Organization Name, and the Personal Access Token from the prerequisite step.

  2. Click Test Connection, then click Add. The Manage Integration page is displayed.

  3. Click Add Sources on the new integration listing.

  4. Add Repos one at a time, defining the Folder(s) to be scanned. Choose Branches where Sysdig should run a Pull Request evaluation check (below). Define the branch using a regular expression. You can use .* to check PRs on all branches or use main.

  5. The system automatically checks that valid folder names have been entered.

  6. Review the Status on the Integrations List page.

  7. See also the Additional Options.

Additional Options

From the Integrations List page, you can use the burger (3-dot) menu for additional options on an integration.

Start Code Scan Manually

Use this option to trigger a scan before the default 24-hour interval elapses.

Delete an Integration

This action deletes associated sources as well.

Pull Request Policy Evaluation

For the branches defined in Git Sources, Sysdig will run a Pull Request Policy Evaluation check. The check scans the Infrastructure-as-Code files in the pull request and identifies violations against the predefined policies.

The result of the check contains the list of violations, their severity, and the list of failed resources per file.

Example output for GitHub:

2 - IaC Policy Controls

Introduction

When running a Github integration to check the compliance of a pull request during development, Sysdig will run the controls from the following policies, depending on the resource type.

You can navigate in the product to Policies > CSPM Policies to find the list of requirements and controls for each policy.

Kubernetes Workloads

Amazon Web Services

3 - IaC Supportability Matrix

At this time, Sysdig’s Infrastructure as Code (IaC) Git-integrated scanning supports the following resource and source types:

Resource                Source type
AWS                     Terraform AWS provider
Kubernetes Workloads    YAML manifests
Kubernetes Workloads    Kustomize folders
Kubernetes Workloads    Helm Charts
Kubernetes Workloads    Terraform Kubernetes provider