Cliff Kim
Infrastructure-as-code (IaC) tools like Terraform and CloudFormation allow teams to define, manage, and provision their cloud infrastructure using code, as opposed to clicking through consoles or executing commands via a CLI. IaC adoption is now widespread and helps teams increase productivity and efficiency, but it also introduces new surface area for mistakes, defects, and other risks. For example, IaC templates can include misconfigurations such as overprivileged access policies or hardcoded credentials, which could provide threat actors with a potential attack path.
To catch these issues, many organizations use one tool to scan IaC in pull requests and another to scan the deployed cloud environment. This approach can work temporarily for smaller environments—but as infrastructure grows, producing reports and managing detection rules across multiple tools becomes difficult.
Datadog IaC Security addresses these challenges by surfacing IaC misconfigurations so you can monitor and mitigate risks from code to cloud. In this post we will discuss how Datadog IaC Security enables your team to:
Detect cloud misconfigurations in code before they get to production
View code and cloud misconfigurations together in one place
Unify detection rules across code and infrastructure
IaC scanning is most commonly done in two places: in pull requests where new changes are suggested and in pipelines where IaC is processed and prepared for deployment. With Terraform, for example, scanning at the pull request stage involves parsing the Terraform HCL for misconfigurations in code. Scanning at the pipeline stage involves looking at the Terraform plan or state to see if there are misconfigurations in planned changes or existing infrastructure.
With Datadog IaC Security, you can install a GitHub app that will scan the Terraform HCL changes within pull requests. When misconfigurations are found, Datadog will leave a comment directly on the pull request with details about the finding and remediation steps where applicable. This keeps developers within the tool where code review normally happens and prevents context-switching, which is inefficient and error-prone. In the first half of 2025, we will introduce IaC scanning within pipelines via CLI.
In addition to commenting on pull requests that contain misconfigured code, Datadog IaC Security also enables you to view all IaC issues in the Cloud Security Misconfigurations Explorer. Simply toggle the Explorer to Static view to see the list of IaC findings with severity and code location.
Clicking into a misconfiguration finding will open the side panel where you can find additional details, including a brief description of the IaC rule associated with the finding, a preview of the offending code, and suggested steps for remediation.
In Datadog Cloud Security, out-of-the-box and custom cloud misconfiguration rules are written in the Rego policy language and executed using Open Policy Agent. Datadog IaC Security uses the same engine and rule language which makes writing and managing rules easier for your team as your cloud environment grows.
Datadog IaC Security offers will come with several out-of-the-box rules to help you catch common IaC misconfigurations, such as unencrypted EBS volumes and unsafe YAML deserializations. By detecting these issues at the pull request stage, IaC Security helps you prevent these types of misconfigurations from ever reaching your production environment.
Datadog IaC Security provides end-to-end coverage of your cloud environment, helping you detect issues before they make it to production. IaC Security also integrates seamlessly into your developer workflows to provide a unified view of findings across code and cloud. Because you can use IaC Security alongside Cloud Security and other Datadog products, you can manage all of your detection rules in a single platform.
To learn more, check out our IaC Security documentation. If you’re not already using Datadog, get started today with a 14-day free trial.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。