The cloud scanner is configured using YAML files. Each YAML file has two sections, `connections` and `rules`; the layout looks roughly like this:

```yaml
---
connections:
  # Cloud provider connections go here
rules:
  # Compliance rules go here
```
Under `connections` you configure your various cloud accounts, for example:

```yaml
exoscale-test:
  type: exoscale
  key: ""
  secret: ""
```
The options for each cloud provider are documented in the respective provider's documentation. The connection name (`exoscale-test` above) can then be referenced from the rules.
The next section is the `rules` section, in which you specify your rules:

```yaml
- type: FIREWALL_PUBLIC_SERVICE_PROHIBITED
  protocol: tcp
  ports:
    - 22
```
Each rule has two universal parameters:

- `type`, which specifies the rule type, and
- `connections`, which limits the rule to certain connections (by connection name). The default is to run the rule against all connections.

If a cloud provider doesn't support the functionality a rule needs, that provider is simply skipped for that rule.
## Includes (since 0.0.5)
The configuration supports includes. An include can be either a local file or an http/https URL, and included files can themselves include other files.

For connections they work as follows:

```yaml
---
connections:
  include:
    - config-file-1.yaml
    - https://example.com/config-file-2.yaml
  exoscale-test:
    type: exoscale
    key: ""
    secret: ""
rules:
  # ...
```

In other words, there is a single `include` key under `connections`, and its value lists all files you want to load.
For rules it works a little differently:

```yaml
connections:
  # ...
rules:
  - include: config-file-1.yaml
  - include: https://example.com/config-file-2.yaml
  - type: FIREWALL_PUBLIC_SERVICE_PROHIBITED
    protocol: tcp
    ports:
      - 22
```
Note that both for connections and rules the target config file only needs to have a list of connections / rules, NOT
At this time there is no way to restrict included rules to a certain resource name as the resource filtering is done on a per-rule basis.
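The include semantics above (the `include` list under `connections`, `- include:` items in `rules`, nested includes) together with the per-rule `connections` filter from the rules section, as an added example that is not the scanner's own loader. Documents are handled in their parsed form, i.e. what a YAML parser such as PyYAML returns, so the example runs offline with only the standard library; the `load` callable that maps an include reference (local path or http/https URL) to a parsed document, the `allow_remote` switch, and the `SAMPLE_FILES` file names are all assumptions of this example.

```python
"""Include resolution and connection filtering for the scanner's YAML layout.

Added example, not the project's loader. Documents are in parsed form (what a
YAML parser returns); `load`, `allow_remote` and the sample file names are
assumptions of this example, not scanner options.
"""
from typing import Any, Callable, Dict, FrozenSet, List
from urllib.parse import urlparse

Loader = Callable[[str], Any]  # maps an include reference to a parsed document


def is_remote(ref: str) -> bool:
    """True for http/https includes, False for local file paths."""
    return urlparse(ref).scheme in ("http", "https")


def _check_ref(ref: str, seen: FrozenSet[str], allow_remote: bool) -> None:
    """Reject include cycles (a file reachable from itself) and, if disabled, remote includes."""
    if ref in seen:
        raise ValueError(f"include cycle via {ref!r}")
    if not allow_remote and is_remote(ref):
        raise ValueError(f"remote include not allowed: {ref!r}")


def _resolve_connections(section: Any, load: Loader, seen: FrozenSet[str],
                         allow_remote: bool) -> Dict[str, Any]:
    """Merge the `include` list into the connection map. An included file holds
    just a connection map, with no top-level `connections:` key."""
    if not isinstance(section, dict):
        raise TypeError("connections must be a mapping")
    merged: Dict[str, Any] = {}
    for ref in section.get("include") or []:
        _check_ref(ref, seen, allow_remote)
        merged.update(_resolve_connections(load(ref), load, seen | {ref}, allow_remote))
    for name, conn in section.items():
        if name == "include":
            continue
        # The page defines no precedence for duplicates, so this example refuses
        # to silently override rather than guessing (example's choice).
        if name in merged:
            raise ValueError(f"duplicate connection {name!r}")
        if not isinstance(conn, dict) or "type" not in conn:
            raise ValueError(f"connection {name!r} needs a type")
        merged[name] = conn
    return merged


def _resolve_rules(items: Any, load: Loader, seen: FrozenSet[str],
                   allow_remote: bool) -> List[Dict[str, Any]]:
    """Expand `- include: X` items in place; every other item must carry a type."""
    if not isinstance(items, list):
        raise TypeError("rules must be a list")
    out: List[Dict[str, Any]] = []
    for item in items:
        if isinstance(item, dict) and set(item) == {"include"}:
            ref = item["include"]
            _check_ref(ref, seen, allow_remote)
            out.extend(_resolve_rules(load(ref), load, seen | {ref}, allow_remote))
        elif isinstance(item, dict) and "type" in item:
            out.append(item)
        else:
            raise ValueError(f"rule without type: {item!r}")
    return out


def resolve_config(doc: Dict[str, Any], load: Loader, allow_remote: bool = True) -> Dict[str, Any]:
    """Return the flattened config: a connection map plus an ordered rule list."""
    return {
        "connections": _resolve_connections(doc.get("connections") or {}, load, frozenset(), allow_remote),
        "rules": _resolve_rules(doc.get("rules") or [], load, frozenset(), allow_remote),
    }


def rule_targets(rule: Dict[str, Any], connections: Dict[str, Any]) -> List[str]:
    """Connections a rule runs against: its `connections` list if given, otherwise all."""
    names = rule.get("connections")
    if names is None:
        return list(connections)
    unknown = set(names) - set(connections)
    if unknown:
        raise ValueError(f"rule references unknown connections: {sorted(unknown)}")
    return [n for n in connections if n in names]


# Constructed sample documents in parsed form; the file names are hypothetical.
SAMPLE_FILES: Dict[str, Any] = {
    "scanner.yaml": {
        "connections": {
            "include": ["shared-connections.yaml"],
            "exoscale-test": {"type": "exoscale", "key": "", "secret": ""},
        },
        "rules": [
            {"include": "https://example.com/shared-rules.yaml"},
            {"type": "FIREWALL_PUBLIC_SERVICE_PROHIBITED", "protocol": "tcp", "ports": [22]},
        ],
    },
    "shared-connections.yaml": {"exoscale-prod": {"type": "exoscale", "key": "", "secret": ""}},
    "https://example.com/shared-rules.yaml": [
        {"include": "https://example.com/base-rules.yaml"},  # nested include
        {"type": "FIREWALL_PUBLIC_SERVICE_PROHIBITED", "protocol": "tcp", "ports": [3389],
         "connections": ["exoscale-prod"]},
    ],
    "https://example.com/base-rules.yaml": [
        {"type": "FIREWALL_PUBLIC_SERVICE_PROHIBITED", "protocol": "tcp", "ports": [23]},
    ],
    "loop.yaml": {"connections": {}, "rules": [{"include": "loop-rules.yaml"}]},
    "loop-rules.yaml": [{"include": "loop-rules.yaml"}],  # includes itself
}


def load_sample(ref: str) -> Any:
    """Stand-in loader: looks the document up instead of reading a file or fetching a URL."""
    return SAMPLE_FILES[ref]


def resolve_sample() -> Dict[str, Any]:
    return resolve_config(SAMPLE_FILES["scanner.yaml"], load_sample)


def raises_value_error(fn: Callable[..., Any], *args: Any, **kwargs: Any) -> bool:
    """Report failure cases as a return value."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cfg = resolve_sample()
    for rule in cfg["rules"]:
        print(rule["type"], rule["ports"], "->", rule_targets(rule, cfg["connections"]))
```

Two points the resolver makes explicit: an include fetched over plain http can be altered in transit, and any remote include hands control of the loaded rule set (or connection map, secrets included) to whoever controls that host, so pin such references to https or local files you review; and because included files can include other files, a loader needs the cycle check shown, or a self-including file recurses until it crashes. The `allow_remote` switch is this example's way to restrict a deployment to local files and is not a scanner option.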