Embedding Policy Guardrails into CI/CD Pipelines
Infrastructure as Code (IaC) is bringing huge benefits, enabling more efficient and more consistent cloud infrastructure provisioning processes. However, modern cloud architectures are highly dynamic and organizations struggle to manage security risks. Embedding policy guardrails in CI/CD pipelines enables organizations to mitigate risk and ensure that cloud native infrastructure is provisioned secure and compliant.
Accurics Orb for CircleCI
The Accurics orb can be used in your CircleCI pipelines to prevent compliance and security best practice violations across Infrastructure as Code. Key benefits include:
- Automatic Risk Detection: Detect Infrastructure as Code configurations that violate compliance and security best practices on the top cloud services by leveraging 1500+ policies across popular standards such as CIS Benchmarks, GDPR, SOC 2, and PCI DSS.
- Automatic Risk Resolution: Accurics can send alerts on violations through existing workflow tools such as Jira or Slack, and you can fail the build as well. Optionally, leverage automatically generated fixes in the form of pull/merge requests. Developers simply need to review the request and merge the code to accept the change.
- Full Stack Protection: Ensure Terraform templates avoid common security pitfalls. Built-in extensibility enables support for popular cloud native technologies across your stack such as AWS CloudFormation, Azure Resource Manager, Google Deployment Manager, Kubernetes, Docker, Istio, and OpenFaaS.
Figure: Accurics Workflow with CircleCI
- Sign up for a free or paid Accurics account and download the config file from the UI environment tab to get the “app” and “env” values.
- Create two environmental variables in CircleCI called “ACCURICS_API_KEY” and “ACCURICS_ENV_ID” filled with the “app” and “env” values.
- Add or edit .circleci/config.yml in your code repository with the orbs stanza below your version, to include the accurics-cli orb.
- Add an accurics_scan job to the relevant workflows, to initiate the scan:
jobs: - accurics/accurics_scan: terraform-version: latest directories: <path to your IaC> plan-args: <any additional args for terraform plan> fail-on-violations: true fail-on-all-errors: true
- If not using the latest version of Terraform, specify the “terraform-version” parameter within the build step.
- If variables are used, add them in the “plan-args” parameter, along with any other command line parameters that should be passed when running “terraform plan”.
Check out the video below for a quick tutorial.