Add support for custom Terraform module registry scanning
**Is your feature request related to a problem? Please describe.**
I'm using Terraform with a custom module registry and want to detect vulnerabilities introduced by Terraform modules.
Scanning Terraform modules outside of the official list is not yet supported. https://docs.kics.io/latest/platforms/#terraform_modules
A vulnerable module stored in a Terraform registry, such as GitLab, can introduce vulnerabilities which remain undetected at the moment.
https://gitlab.com/gitlab-de/use-cases/iac-tf-vuln-module is vulnerable and can be used with

```hcl
module "my_module_name" {
  source  = "gitlab.com/gitlab-de/iac-tf-vuln-module/aws"
  version = "1.0.0"
}
```

thus requiring authentication:

```
$ vim $HOME/.terraformrc
```

```hcl
credentials "gitlab.com" {
  token = "XXX"
}
```
**Describe the solution you'd like**
kics detects that Terraform modules outside of the officially supported list are being used, and instructs the user on the next steps:

- The user needs to run `terraform init` themselves to do authentication and download the modules.
- Downloaded cached modules are taken into account by kics.

Alternatively, kics can be configured with Terraform auth, and attempts to run `terraform init` itself to download the modules into the local cache.
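As an added illustration of the detection step requested above (example code, not part of kics or of this issue), the script below scans a root module for `module` blocks, classifies each `source` the way Terraform resolves addresses (local path, public registry, private/custom registry such as the gitlab.com one quoted above, git, or another fetcher), and then checks `.terraform/modules/modules.json` (the manifest `terraform init` writes) to report which external modules are already cached and which still need a `terraform init`. The HCL scan is a simplified regex pass rather than a full parser, and both the sample `.tf` text and the `modules.json` content are constructed for the example.

```python
"""Added example (not kics code): find Terraform module sources outside the public
registry and check whether `terraform init` has already cached them locally.

Assumptions: a simplified regex scan of HCL (not a full parser) and the layout of
.terraform/modules/modules.json as written by `terraform init`.
"""
import json
import re

# Constructed sample root module; the gitlab.com source is the one quoted in the issue.
SAMPLE_TF = '''
module "my_module_name" {
  source  = "gitlab.com/gitlab-de/iac-tf-vuln-module/aws"
  version = "1.0.0"
}

module "network" {
  source  = "example-org/network/aws"   # constructed public-registry address
  version = "~> 2.0"
}

module "local_helper" {
  source = "./modules/helper"
}

module "from_git" {
  source = "git::https://git.example.com/infra/modules.git//vpc?ref=v1.2.0"
}
'''

# Constructed modules.json, as `terraform init` would write it after downloading
# only the gitlab.com module (the git module is deliberately absent).
SAMPLE_MODULES_JSON = json.dumps({
    "Modules": [
        {"Key": "", "Source": "", "Dir": "."},
        {"Key": "my_module_name",
         "Source": "gitlab.com/gitlab-de/iac-tf-vuln-module/aws",
         "Version": "1.0.0",
         "Dir": ".terraform/modules/my_module_name"},
        {"Key": "local_helper", "Source": "./modules/helper", "Dir": "modules/helper"},
    ]
})

PUBLIC_REGISTRY = "registry.terraform.io"
MODULE_BLOCK = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\n\}', re.DOTALL)
SOURCE_ATTR = re.compile(r'^\s*source\s*=\s*"([^"]+)"', re.MULTILINE)


def parse_module_sources(hcl_text):
    """Return {module_key: source_address} for every top-level module block."""
    sources = {}
    for key, body in MODULE_BLOCK.findall(hcl_text):
        match = SOURCE_ATTR.search(body)
        if match:
            sources[key] = match.group(1)
    return sources


def classify_source(source):
    """Classify a module source address: local, public-registry, private-registry, git or other."""
    if source.startswith(("./", "../")):
        return "local"
    if source.startswith(("git::", "git@", "github.com/", "bitbucket.org/")):
        return "git"
    scheme = source.split("/", 1)[0]
    if ":" in scheme:                  # hg::, s3::, gcs::, raw http(s):// and similar fetchers
        return "other"
    address = source.split("//")[0]    # drop an optional //subdir suffix
    parts = address.split("/")
    if len(parts) == 3:                # namespace/name/provider defaults to the public registry
        return "public-registry"
    if len(parts) == 4 and "." in parts[0]:
        return "public-registry" if parts[0] == PUBLIC_REGISTRY else "private-registry"
    return "other"


def cached_modules(modules_json_text):
    """Map module keys to the directory `terraform init` downloaded them into."""
    data = json.loads(modules_json_text)
    return {m["Key"]: m["Dir"] for m in data.get("Modules", []) if m.get("Key")}


def external_module_report(hcl_text, modules_json_text=None):
    """List every non-local module with its source kind and cached directory (or None)."""
    cache = cached_modules(modules_json_text) if modules_json_text else {}
    report = []
    for key, source in parse_module_sources(hcl_text).items():
        kind = classify_source(source)
        if kind == "local":
            continue
        report.append({"key": key, "source": source, "kind": kind, "cached_dir": cache.get(key)})
    return report


def next_steps(report):
    """Turn the report into the kind of user guidance the feature request asks for."""
    lines = []
    for entry in report:
        if entry["cached_dir"]:
            lines.append(f'{entry["key"]}: scan cached copy in {entry["cached_dir"]}')
        else:
            lines.append(f'{entry["key"]}: {entry["kind"]} source not cached; run `terraform init` '
                         f'(with credentials in ~/.terraformrc if the registry needs them) and rescan')
    return lines


if __name__ == "__main__":
    for line in next_steps(external_module_report(SAMPLE_TF, SAMPLE_MODULES_JSON)):
        print(line)
```

Running the block as-is reports the gitlab.com module as cached under `.terraform/modules/my_module_name` (the directory a scanner could then walk), flags the public-registry and git modules as needing `terraform init`, and skips the local module. A scanner that only reads `*.tf` files would see none of the module contents in any of these cases, which is the detection gap the issue describes.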
**Describe alternatives you've considered**
Combining different scanners, e.g. tfsec, which requires the user to download the modules using `terraform init` beforehand, and then scans the `vendor/` directory with the module dependencies.
Evaluated while writing this blog post: https://about.gitlab.com/blog/2022/02/17/fantastic-infrastructure-as-code-security-attacks-and-how-to-find-them/#terraform-module-dependency-scans
Alternative: Add detection methods to CI/CD and manually warn the user about limited detection capabilities when external Terraform modules are in use.
**Additional context**
Discussion in https://gitlab.com/groups/gitlab-org/-/epics/6653#note_840447132