Why I created InfraScanšŸ“£ ā€” an IaC security ToolšŸ› ļø

Aniket Sharma
4 min readSep 21, 2024

--

In todayā€™s rapidly evolving DevOps and cloud landscape, securing infrastructure is crucial. As organizations embrace Infrastructure as Code (IaC) to manage their cloud resources, thereā€™s a growing need for security checks to ensure infrastructure is free from vulnerabilities. This is where InfraScan comes in ā€” a user-friendly web tool I built to automate security checks on IaC files. InfraScan leverages Checkov, a popular open-source static code analysis tool that scans for security and compliance issues in IaC.

Let me take you through the journey of building InfraScan and how it works to simplify infrastructure scanning.

InfraScan by @TechWithAniket

The Idea Behind InfraScan

The goal behind InfraScan was simple: allow users to upload their IaC files ā€” whether itā€™s a Terraform, Kubernetes, Cloud Formation, or other formats ā€” and quickly scan them for vulnerabilities without having to install or configure any tools locally. By integrating Checkov directly into a web-based interface, users can perform security scans on the fly, get comprehensive reports, and improve the security posture of their cloud infrastructure.

Technologies and Tools Used

  1. Flask: I used Flask as the backend framework for InfraScan. Itā€™s lightweight, easy to use, and perfect for building web applications quickly.
  2. Checkov: At the heart of the tool is Checkov, which scans various IaC frameworks like Terraform, Cloud Formation, Kubernetes, and more. It ensures that the infrastructure youā€™re deploying is compliant with industry best practices.
  3. HTML, CSS, and JavaScript: These were used to create a smooth, intuitive user interface for the web application.
  4. Python: Python powers the backend of the application, handling file uploads, framework validation, and invoking Checkov to perform scans.
Workflow of InfraScan

How I Built InfraScan

1. Setting Up File Uploads

The first step was to create a user-friendly interface where users could upload their IaC files. Using Flaskā€™s request.files, I allowed users to select files for upload and chose from a list of supported frameworks such as Terraform, Kubernetes, Dockerfile, and more.

Hereā€™s a snippet from the code:

@app.route('/', methods=['GET', 'POST'])
def upload_file():
if request.method == 'POST':
file = request.files['file']
framework = request.form['framework']
...
file.save(file_path)

The uploaded files are temporarily stored, scanned, and then automatically deleted to keep the system lightweight.

Upload button

2. Using Checkov for Scanning

The next step was integrating Checkov to scan the files for security issues. Each framework has its own Checkov runner, such as TerraformRunner or KubernetesRunner. Based on the user's file type selection, InfraScan runs the corresponding Checkov runner to check for misconfigurations and compliance issues.

def get_checkov_runner(framework):
runners = {
'terraform': TerraformRunner(),
'cloudformation': CloudFormationRunner(),
...
}
return runners.get(framework, None)

The scan results are displayed in a user-friendly format, highlighting issues with the code snippets, showing guidelines on how to fix them, and providing detailed information on each vulnerability detected.

scanning process

3. Handling Results

Once the file is scanned, the results are displayed on a dedicated results page. I designed the page to include filters, so users can easily toggle between passed and failed checks.

The code snippet for handling results:

checkov_results = scan_file(file_path, framework)
return render_template('results.html', results=checkov_results)
Result Page

4. File Cleanup

After the scan is complete, InfraScan deletes the uploaded file to avoid unnecessary storage bloat. This helps keep the platform efficient.

if os.path.exists(file_path):
os.remove(file_path)

User Experience and Design

While building InfraScan, I focused on making it as intuitive and responsive as possible. The homepage includes a hero section, explaining the tool and its features. Users can easily upload files, view results with filters, and return to the homepage with one click.

Additionally, the background and overall theme were designed to ensure a smooth, dark aesthetic, providing a clean and professional look thatā€™s easy on the eyes.

Future Enhancements

InfraScan is just the beginning! There are many features planned, including:

  • More Integrations: Adding support for additional security tools like AWS Security Hub and Azure Security Center.
  • Detailed Reporting: Allow users to download detailed PDF reports of their scan results.
  • Team Collaboration: Allow multiple users within an organization to collaborate and share scan results.

Conclusion

InfraScan makes securing Infrastructure as Code effortless. By integrating Checkov with a web interface, Iā€™ve created a tool that makes vulnerability detection fast, easy, and accessible. Whether youā€™re a developer, security engineer, or cloud architect, InfraScan simplifies IaC security scanning, helping you ensure your infrastructure is secure before deployment.

Give InfraScan a try and safeguard your infrastructure today!

Happy scanning!

If this blog has sparked your curiosity and youā€™re eager for more insights, discussions, or perhaps a bit of magical banter, letā€™s stay connected! šŸŒŸ

Every post is a new adventure, and Iā€™d love for you to be a part of the ongoing conversation. Feel free to reach out, share your thoughts, or simply drop by to say hello. Until the next magical encounter, stay curious and keep exploring! šŸš€

--

--

Aniket Sharma
Aniket Sharma

Written by Aniket Sharma

If you want to learn DevSecOps and Cloud Security, you must follow along with me!