Bridgecrew brings IaC security to GitHub with a code scanning integration

Although automated source code analysis, dynamic application security testing, and container scanning are well established in the DevSecOps toolkit, cloud security has lagged. Until recently, cloud infrastructure management has happened mainly outside of the development lifecycle, so securing it has too.

Infrastructure as code (IaC) aims to change that.

IaC frameworks such as Terraform and CloudFormation enable developers to build cloud infrastructure as part of day-to-day development workflows—and secure it there as well.

With IaC security scanning, we can programmatically identify cloud misconfigurations and compliance policy violations before resources are deployed. But the key to success lies in not just how good your policy coverage is, but also how continuous and actionable the feedback is. IaC scanning needs to be accessible to everyone—from security and compliance to DevOps and engineering.

To make that happen, we at Bridgecrew have prioritized our native integrations with tools teams are already using. That’s why we’re thrilled to take our GitHub ecosystem integration to the next level with GitHub code scanning.

GitHub’s security capabilities combine all the tooling necessary to foster collaboration between security and engineering in a unified space and a native, automated workflow. With GitHub code scanning, Bridgecrew now provides native IaC security scanning for any GitHub repository.

Getting started with Bridgecrew IaC code scanning

To get started with Bridgecrew for IaC scanning, first enable code scanning on your Terraform, CloudFormation, Azure Resource Manager, Serverless, or Kubernetes repository. The Bridgecrew code scanning integration uses our GitHub Action to scan your IaC files automatically on every git push and outputs the scan results in SARIF format.

Create a Bridgecrew IaC code scanning workflow in the Actions tab of your repository using the example code here. Make sure to configure an environment variable with the API key from your Bridgecrew account and save the key as a secret.

Once you’ve committed changes to your main branch, Bridgecrew will scan your repository against hundreds of pre-built policies for IaC—from secure development best practices to industry compliance frameworks such as ISO27001, NIST-800-53, and SOC2.

By continuously scanning your IaC repositories against those policies on every commit and pull request, Bridgecrew helps identify security and compliance errors earlier in the development lifecycle. Identified errors get organized in the Security tab on your GitHub repository, allowing you to manage who can access the feedback.

Bridgecrew’s code scanning integration provides continuous security feedback on your IaC projects by automating it as part of code review processes. Errors detected by Bridgecrew will include policy details and guidance for fixing them.
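The SARIF output mentioned above is what carries each error together with its policy details and fix guidance. The following is an added example, not Bridgecrew's own code: it flattens a SARIF 2.1.0 document into reviewable findings and decides whether a merge should be blocked. The sample document, the rule IDs, the file paths and the `findings` and `should_block` helpers are constructed for illustration.

```python
import json

# Constructed SARIF 2.1.0 sample: rule IDs, paths and messages are placeholders,
# not real Bridgecrew policy identifiers or scanner output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-iac-scanner", "rules": [
        {"id": "EXAMPLE_IAC_1",
         "shortDescription": {"text": "Storage bucket allows public read"},
         "help": {"text": "Set the bucket ACL to private."}},
        {"id": "EXAMPLE_IAC_2",
         "shortDescription": {"text": "SSH open to 0.0.0.0/0"},
         "defaultConfiguration": {"level": "warning"},
         "help": {"text": "Restrict ingress to known CIDR ranges."}}]}},
    "results": [
        {"ruleId": "EXAMPLE_IAC_1", "level": "error",
         "message": {"text": "Public ACL on bucket"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "terraform/s3.tf"},
             "region": {"startLine": 12}}}]},
        {"ruleId": "EXAMPLE_IAC_2", "message": {"text": "SSH exposed"},
         "locations": [{"physicalLocation": {
             "artifactLocation": {"uri": "terraform/network.tf"},
             "region": {"startLine": 40}}}]}]}]})

def findings(sarif_text):
    """Flatten SARIF results, joining each one to its rule's description and help."""
    out = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res.get("ruleId"), {})
            # A result without "level" inherits the rule default, else "warning".
            default = rule.get("defaultConfiguration", {}).get("level", "warning")
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append({
                "rule": res.get("ruleId"), "level": res.get("level", default),
                "file": phys.get("artifactLocation", {}).get("uri"),
                "line": phys.get("region", {}).get("startLine"),
                "policy": rule.get("shortDescription", {}).get("text"),
                "fix": rule.get("help", {}).get("text")})
    return out

def should_block(items, fail_on=("error",)):
    """True when any finding has a level the team treats as merge-blocking."""
    return any(f["level"] in fail_on for f in items)

if __name__ == "__main__":
    items = findings(SAMPLE_SARIF)
    print(json.dumps(items, indent=2), "\nblock merge:", should_block(items))
```

Running the same functions over the SARIF file a scan produces gives a quick local view of what will appear in the Security tab.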

Code scanning complements the Bridgecrew platform where you can review and fix errors just as fast as you find them. With pull request fixes, you get the context and code necessary to fix errors without having to context switch.

Our goal at Bridgecrew is to bridge the divide between security and engineering. We hope this integration makes it even easier for teams using GitHub to secure their infrastructure and improve DevSecOps efficiencies.