
Template Scanner

Last updated: 13 January 2020

Location

Top navigation bar > Template Scanner

The Template Scanner add-on enables you to run Trend Micro Cloud One™ – Conformity Rules on your AWS CloudFormation and Terraform templates, Conformity Profiles, and Accounts. You can add preventative security and governance controls to the workflow to identify and remediate issues prior to launching any services and resources.


What is Template Scanner?

Conformity provides Template Scanner capability as a preventative measure to ensure your AWS infrastructure remains compliant by detecting risks in template files before they are launched into AWS.

An API endpoint is available for CI/CD pipelines and automation.

This service can be used to scan a template file. Currently, CloudFormation, Terraform, and Conformity Profiles are supported.

Parameters can be used to customize input values to the template each time a stack is created. If a parameter is defined in a template, parameter values can be supplied using the arguments field.

How to use Template Scanner?

You can use the Template Scanner in two ways:

  1. Scanning a CloudFormation/Terraform Template, Profile, or an Account via UI
  2. Template Scanner API

API Endpoints to Retrieve Rules

You can use the following API endpoints to retrieve a list of rules that can be scanned for:

Scanning a Terraform Template

Before you upload a Terraform template to the Template Scanner, you’ll need to convert it into a JSON plan by following the steps below from your command line tool:

  1. In the same directory as the .tf template, export your provider’s access key, secret key, and region (e.g. `export AWS_REGION=us-east-1`)
  2. Run the command `terraform init`
  3. Run the command `terraform plan -out=your_file`
  4. Run the command `terraform show -json your_file > your_file.json`. Your Terraform template JSON plan is ready to be uploaded to the Template Scanner from the same folder as your .tf file.
  5. Follow the steps in the next section to scan via the UI, or use the API endpoints.

Scan via UI

  1. Select the type of rule settings you want to scan for:
    • Default rule settings: upload and scan for rule settings in your default CloudFormation or Terraform template in either JSON or YAML format. You can also use the `!Condition` short form in YAML templates.
    • Profile rule settings: upload and scan for rule settings for a selected Profile.
    • Account rule settings: upload and scan for rule settings for a selected Account.
  2. Click on Upload and scan to view scan results for your selected rule settings.
  3. You will get a message for missing parameters while scanning your template. Decide whether you want to Proceed or Cancel the scanning process.

     Note: Resources with missing parameters will not be scanned, which results in partial scan results.
  4. Review Checks from scan results. Failed checks will display a Resolve button with a link to resolution steps. For more information on the anatomy of the rule, see Rules.

Resolution steps provided with failed checks are for workflows via CLI or Console. You can also use these steps as a guide for resolution within CloudFormation.

Why do I not see any scan results?

You may receive an empty response or an error for any of the following reasons:

  1. Unsupported resource type: See supported resource types. We have plans to add support for more resource types over time. If there is a specific resource type you need as a priority, please log in to Conformity and submit a ticket to our support team.
  2. Unsupported rules: Template Scanner only supports resource-level rules. Refer to the Conformity service catalog for a list of rules and services.
  3. Parameter(s) with no default value: CloudFormation templates with parameters that have no default values may fail to be processed.
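The two causes of partial results above (parameters without defaults, and resource types the scanner does not support) can be caught before uploading. The following pre-flight script is an added example, not Conformity's own code: it assumes the Terraform plan was produced with `terraform show -json` as described earlier, that the CloudFormation template is in JSON form (YAML short-form tags such as `!Ref` are not handled), and uses constructed sample inputs rather than real project files.

```python
# Added pre-flight checks, not Conformity's own code. Assumes the Terraform
# plan came from `terraform show -json` and the CloudFormation template is
# JSON (YAML short-form tags such as !Ref are not handled here).
import json
from collections import Counter


def cfn_params_without_default(template: dict) -> list:
    """Names of CloudFormation Parameters lacking a Default: resources that
    reference them are skipped by the scanner unless a value is supplied."""
    params = template.get("Parameters", {})
    return sorted(n for n, spec in params.items() if "Default" not in spec)


def tf_plan_resource_types(plan: dict) -> Counter:
    """Count resource types in a `terraform show -json` plan, descending into
    child modules, so you can compare them against the supported list."""
    counts = Counter()

    def walk(module: dict) -> None:
        for res in module.get("resources", []):
            counts[res["type"]] += 1
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return counts


# Constructed sample inputs (not real project files) so this runs offline.
CFN_TEMPLATE = json.loads("""{
  "Parameters": {"Env": {"Type": "String", "Default": "dev"},
                 "BucketName": {"Type": "String"}},
  "Resources": {"Logs": {"Type": "AWS::S3::Bucket",
                         "Properties": {"BucketName": {"Ref": "BucketName"}}}}
}""")
TF_PLAN = json.loads("""{"planned_values": {"root_module": {
  "resources": [{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket"}],
  "child_modules": [{"address": "module.db", "resources": [
    {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance"},
    {"address": "module.db.aws_security_group.db", "type": "aws_security_group"}]}]
}}}""")

if __name__ == "__main__":
    print("Parameters without Default:", cfn_params_without_default(CFN_TEMPLATE))
    print("Planned resource types:", dict(tf_plan_resource_types(TF_PLAN)))
```

Any parameter the script reports should be given a value via the arguments field (or a Default in the template) before scanning, and any resource type it lists that is absent from the supported list will simply produce no checks.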