
Feature/lab6 #636

Open
MMenshikh wants to merge 2 commits into inno-devops-labs:main from MMenshikh:feature/lab6

Conversation

@MMenshikh

Goal

The goal of this PR is to implement a comprehensive Security Scanning and Policy Enforcement pipeline for Infrastructure-as-Code (IaC). This includes evaluating and comparing multiple security tools across different IaC frameworks (Terraform, Pulumi, and Ansible) to establish a "Defense in Depth" approach.

Changes

  • Terraform Security Scanning: Integrated and executed tfsec, checkov, and terrascan to identify vulnerabilities in AWS configurations.
  • Pulumi Security Scanning: Implemented KICS (Checkmarx) to scan Pulumi YAML configurations.
  • Ansible Security Scanning: Used KICS to detect hardcoded secrets and insecure practices in playbooks.
  • Comparative Analysis: Created a detailed report (labs/submission6.md) comparing tool performance, coverage, and integration strategies.
  • Vulnerability Research: Documented Top 5 critical findings (S3, RDS, IAM, etc.) with remediation HCL code examples.

Testing

  • Local Tool Execution: Ran all scanners via Docker to ensure environment parity and reproducible results.
  • Report Validation: Verified JSON and text outputs for each tool in the labs/lab6/analysis/ directory.
  • Data Integration: Used jq and shell scripting to aggregate finding counts and severity levels into a final comparison matrix.

Artifacts & Screenshots

  • Comprehensive report: labs/submission6.md
  • Raw scan results: labs/lab6/analysis/*.json and *.txt
  • Comparison Matrix: Included in the submission file.

Checklist

  • Documentation updated (Submission6.md completed)
  • No secrets or large temporary files (Only reports and analysis committed)
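The "Data Integration" step above describes aggregating finding counts and severities with jq and shell scripting. The following is an added example, not code from this PR or from the inno-devops-labs repository, that performs the same aggregation in Python so it runs without jq. The four sample reports are constructed, and the field layouts used for tfsec, checkov, terrascan and KICS are assumptions about each tool's JSON output rather than values taken from the lab artifacts; adjust the extractor functions if a tool's real report differs.

```python
"""Aggregate IaC scanner JSON reports into a per-tool severity matrix.

Added example (not part of the PR). Replaces the jq/shell aggregation
step with an equivalent Python routine. Sample reports are constructed;
the JSON layouts per tool are assumptions, isolated in the extractors.
"""
import json
from collections import Counter
from typing import Callable, Dict, List

# Fixed column order for the comparison matrix.
SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample reports, one per tool (assumed layouts, not real output).
SAMPLE_REPORTS: Dict[str, str] = {
    "tfsec": json.dumps({"results": [
        {"rule_id": "aws-s3-enable-bucket-encryption", "severity": "HIGH"},
        {"rule_id": "aws-rds-encrypt-instance-storage-data", "severity": "HIGH"},
        {"rule_id": "aws-s3-enable-versioning", "severity": "MEDIUM"},
    ]}),
    "checkov": json.dumps({"results": {"failed_checks": [
        {"check_id": "CKV_AWS_19", "severity": None},   # no severity reported
        {"check_id": "CKV_AWS_16", "severity": "HIGH"},
    ]}}),
    "terrascan": json.dumps({"results": {"violations": [
        {"rule_name": "s3EnforceUserACL", "severity": "HIGH"},
        {"rule_name": "noS3BucketSseRules", "severity": "MEDIUM"},
        {"rule_name": "iamPolicyWildcard", "severity": "critical"},  # mixed case
    ]}}),
    "kics": json.dumps({"queries": [
        {"query_name": "Passwords And Secrets", "severity": "HIGH",
         "files": [{"file_name": "playbook.yml"}, {"file_name": "vars.yml"}]},
        {"query_name": "Unpinned Package Version", "severity": "LOW",
         "files": [{"file_name": "playbook.yml"}]},
    ]}),
}


def normalize(sev) -> str:
    """Map a raw severity value (any case, possibly null) onto the fixed set."""
    if not sev:
        return "UNKNOWN"
    sev = str(sev).upper()
    return sev if sev in SEVERITIES else "UNKNOWN"


def tfsec_severities(doc) -> List[str]:
    # Assumed layout: {"results": [{"severity": ...}, ...]}; results may be null.
    return [normalize(r.get("severity")) for r in doc.get("results") or []]


def checkov_severities(doc) -> List[str]:
    # Assumed layout: {"results": {"failed_checks": [{"severity": ...}, ...]}}
    return [normalize(c.get("severity")) for c in doc["results"].get("failed_checks", [])]


def terrascan_severities(doc) -> List[str]:
    # Assumed layout: {"results": {"violations": [{"severity": ...}, ...]}}
    return [normalize(v.get("severity")) for v in doc["results"].get("violations", [])]


def kics_severities(doc) -> List[str]:
    # Assumed layout: {"queries": [{"severity": ..., "files": [...]}, ...]};
    # one finding is counted per affected file under each query.
    out: List[str] = []
    for q in doc.get("queries", []):
        out.extend([normalize(q.get("severity"))] * len(q.get("files", [])))
    return out


EXTRACTORS: Dict[str, Callable] = {
    "tfsec": tfsec_severities,
    "checkov": checkov_severities,
    "terrascan": terrascan_severities,
    "kics": kics_severities,
}


def aggregate(reports: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Return {tool: {severity: count, ..., "TOTAL": n}} for each report."""
    matrix: Dict[str, Dict[str, int]] = {}
    for tool, raw in reports.items():
        counts = Counter(EXTRACTORS[tool](json.loads(raw)))
        row = {sev: counts.get(sev, 0) for sev in SEVERITIES}
        row["TOTAL"] = sum(row.values())
        matrix[tool] = row
    return matrix


def render_matrix(matrix: Dict[str, Dict[str, int]]) -> str:
    """Render the matrix as a Markdown table suitable for a submission file."""
    header = ["Tool"] + SEVERITIES + ["TOTAL"]
    lines = ["| " + " | ".join(header) + " |", "|" + "---|" * len(header)]
    for tool, row in matrix.items():
        cells = [tool] + [str(row[col]) for col in header[1:]]
        lines.append("| " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(aggregate(SAMPLE_REPORTS)))
```

Keeping the per-tool layout knowledge inside small extractor functions means a format change in one scanner only touches one function, and the UNKNOWN column makes it visible when a tool (checkov in the sample) emits findings without a severity rather than silently dropping them from the totals.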
