Products | Aug 25, 2020

Embedding Policy Guardrails into CI/CD Pipelines

CircleCI Blog

Infrastructure as Code (IaC) brings huge benefits, enabling more efficient and more consistent cloud infrastructure provisioning. However, modern cloud architectures are highly dynamic, and organizations struggle to manage the resulting security risks. Embedding policy guardrails in CI/CD pipelines lets organizations mitigate that risk and ensure that cloud native infrastructure is provisioned securely and in compliance.

Accurics Orb for CircleCI

The Accurics orb can be used in your CircleCI pipelines to prevent compliance and security best practice violations across Infrastructure as Code. Key benefits include:

  • Automatic Risk Detection: Detect Infrastructure as Code configurations that violate compliance and security best practices on the top cloud services by leveraging 1500+ policies across popular standards such as CIS Benchmarks, GDPR, SOC 2, and PCI DSS.
  • Automatic Risk Resolution: Accurics can send alerts on violations through existing workflow tools such as Jira or Slack, and you can fail the build as well. Optionally, leverage automatically generated fixes in the form of pull/merge requests. Developers simply need to review the request and merge the code to accept the change.
  • Full Stack Protection: Ensure Terraform templates avoid common security pitfalls. Built-in extensibility enables support for popular cloud native technologies across your stack such as AWS CloudFormation, Azure Resource Manager, Google Deployment Manager, Kubernetes, Docker, Istio, and OpenFaaS.
Figure: Accurics Workflow with CircleCI (Accurics CircleCI Integration)

Getting Started

  • Sign up for a free or paid Accurics account and download the config file from the UI environment tab to get the “app” and “env” values.
  • Create two environment variables in CircleCI called “ACCURICS_API_KEY” and “ACCURICS_ENV_ID”, filled with the “app” and “env” values respectively.
  • Add or edit .circleci/config.yml in your code repository with the orbs stanza below your version line, to include the accurics-cli orb:

    orbs:
      accurics: accurics/accurics-cli@<version>   # the exact orb reference was garbled in the source page; use the version listed in the CircleCI orb registry

  • Add an accurics_scan job to the relevant workflows, to initiate the scan:

    jobs:
      - accurics/accurics_scan:
          terraform-version: latest
          directories: <path to your IaC>
          plan-args: <any additional args for terraform plan>
          fail-on-violations: true
          fail-on-all-errors: true

  • If not using the latest version of Terraform, specify the “terraform-version” parameter within the build step.
  • If variables are used, add them in the “plan-args” parameter, along with any other command line parameters that should be passed when running “terraform plan”.
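A complete .circleci/config.yml that assembles the steps above is given here as an added illustration; it is not taken from the post or from Accurics. The orb version, the IaC path, the variable file, the Terraform pin and the terraform-apply job are assumptions, and the apply job goes one step beyond the post by showing how the scan gates provisioning through a requires dependency.

```yaml
version: 2.1

orbs:
  # The exact orb version is not given on the page; pin the version you
  # verified in the CircleCI orb registry rather than floating to the newest.
  accurics: accurics/accurics-cli@<version>

jobs:
  # Hypothetical apply job (not part of the orb). It only runs once the scan
  # job has passed, so a policy violation blocks provisioning.
  terraform-apply:
    docker:
      - image: hashicorp/terraform:0.13.0   # same Terraform version the scan is pinned to
        entrypoint: /bin/sh                  # the image's default entrypoint is the terraform binary
    steps:
      - checkout
      - run:
          name: Apply the scanned configuration
          # Cloud credentials are expected as CircleCI project environment
          # variables, alongside ACCURICS_API_KEY and ACCURICS_ENV_ID.
          command: |
            cd terraform/envs/prod
            terraform init -input=false
            terraform apply -input=false -auto-approve -var-file=prod.tfvars

workflows:
  iac-guardrails:
    jobs:
      - accurics/accurics_scan:
          terraform-version: "0.13.0"        # assumed pin instead of "latest"
          directories: terraform/envs/prod   # assumed path to the IaC under review
          plan-args: "-var-file=prod.tfvars" # assumed variable file, passed through to terraform plan
          fail-on-violations: true           # stop the workflow on any policy violation
          fail-on-all-errors: true           # a failed scan or plan must not pass silently
      - terraform-apply:
          requires:
            - accurics/accurics_scan         # the guardrail: apply never runs without a clean scan
          filters:
            branches:
              only: main                     # assumed: only provision from the main branch
```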

Check out the video below for a quick tutorial.
