1. Overview

To identify potential issues you can scan content in your IaC templates such as AWS CloudFormation Templates (JSON or YAML format), HashiCorp Terraform templates (HCL format), and Kubernetes App manifests (JSON or YAML format) against a list of IaC policies.

With a valid Prisma Cloud Enterprise Edition license, you can use twistcli to scan IaC template files.

2. Command reference

twistcli iac scan -- Scan an IaC file such as AWS CloudFormation template, Terraform template and Kubernetes manifest files against a list of default and custom policies. Prisma Cloud SaaS console connectivity is required for this functionality.

3. Synopsis

twistcli iac scan [OPTIONS] [File]

4. Description

The twistcli iac scan function collects all IaC files provided, sends those back to saas service for security assessment, and provides results back.

4.1. Options

--addressURL

Complete URL for Console, including the protocol and port. Only the HTTPS protocol is supported. By default, Console listens to HTTPS on port 8083, although your administrator can configure Console to listen on a different port. Defaults to https://127.0.0.1:8083.

-u, --user

Username to access Console. If not provided, the TWISTLOCK_USER environment variable will be used if defined, or "admin" is used as the default.

-p, --password

Password for the user specified with -u, --user. If not specified on the command-line, the TWISTLOCK_PASSWORD environment variable will be used if defined, or otherwise will prompt for the user’s password before the scan runs.

--scantype

IaC template type is specified here, and allowed values are cft,k8s,tf011,tf012,tf013

--assetname

This is identified to a specific scan, and it is used to find the result in Prisma Cloud UI. This can be something like project name or team name e.g. payapp project that user can choose and decide.

--configfile

Configuration Options can be also specified as a config file. More information about config file is available here.

-- Compliance threshold

(Optional flag) a threshold that designates when a scan should fail, it’s also called failure criteria in Prisma, it can be either one of the three values Low, Medium and High. High is the default value if no threshold is specified.

-- Scan attributes

(optional flag) a comma-separated list of key:value pairs (e.g. cicd-project:payapp, pipeline:staging) to be associated with the scan and seen in Prisma UI

-- Scan tags

(optional flag) a comma-separated list of key:value pairs (e.g. env:prod, owner:dan) to be associated with the scan. These tags are used for RBAC in Prisma Cloud UI. Also, build alert rules can be configured to choose specific policies in Prisma Cloud UI.

-- Policy IDs

(Optional flag) a comma separated list of policy IDs to test against. Policy IDs can be retrieved with this https://api.docs.prismacloud.io/reference#get-policies-v2 [API]

-- Files

(Optional flag) a comma-separated list of files to scan from the provided archive to twistcli

-- Folders

(optional flag) a comma-separated list of folders to scan from the provided archive to twistcli

-- Variable files

(Optional flag) applicable in all scans except k8s, a comma separated list of variable files to consider when scanning

-- Variables

(Optional flag) applicable in all scans except k8s, a comma separated list of variables to consider when scanning

-- Output file

(Optional flag) an output file name that will additionally contain the output result (additional to displayed)