Skip to content

IaC config v1.3 documentation #37097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
whitemerch wants to merge 1 commit into
base: master
Choose a base branch
from
+100 −8
Draft

IaC config v1.3 documentation #37097

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
108 changes: 100 additions & 8 deletions content/en/security/code_security/iac_security/configuration.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
text: "IaC Security Rules"
---

Infrastructure as Code (IaC) Security detects IaC misconfigurations. By default, IaC Security scans repositories with [all supported rules][3]. You can customize which rules run and on which paths, as well as their severities and categories. Configure these settings under the `iac` key in the Code Security configuration, either in Datadog or in a `code-security.datadog.yaml` file.
Infrastructure as Code (IaC) Security detects IaC misconfigurations. By default, IaC Security scans repositories with [all supported rules][3]. You can customize which rules run and on which paths, as well as their severities, categories, and platforms. Configure these settings under the `iac` key in the Code Security configuration, either in Datadog or in a `code-security.datadog.yaml` file.

For information on configuration locations, precedence, and merging, see [Code Security Configuration Reference][1].

Expand All @@ -33,10 +33,14 @@

The following configuration format applies to all configuration locations: org-level, repository-level, and repository-level (file).

The configuration file must begin with `schema-version: v1.2`, followed by an `iac` key containing the analysis configuration. The full structure is as follows:
The configuration file must begin with a `schema-version`, followed by an `iac` key containing the analysis configuration.

Use `schema-version: v1.2` for global rule, severity, category, and path settings. Use `schema-version: v1.3` to also enable per-rule path scoping, per-rule severity overrides, and platform filters.

The full structure for `v1.3` is as follows:

{{< code-block lang="yaml" >}}
schema-version: v1.2
schema-version: v1.3
iac:
# Do not run these rules.
ignore-rules:
Expand Down Expand Up @@ -68,15 +72,32 @@
# Report only findings in these categories.
only-categories:
- "Encryption"
# Do not run rules from these platforms (v1.3+).
ignore-platforms:
- Dockerfile
# Only run rules from these platforms (v1.3+).
only-platforms:
- Terraform
- Kubernetes
# Per-rule configurations (v1.3+).
rule-configs:
terraform-aws-s3-bucket-without-encryption:
ignore-paths:
- "test/"
severity: low
kubernetes-deployment-without-resource-limits:
only-paths:
- "k8s/production/"
{{< /code-block >}}

The `iac` key supports the following fields:

| **Property** | **Type** | **Description** |
| --- | --- | --- |
| `ignore-rules` | Array | A list of rule IDs to ignore. |
| `use-rules` | Array | A list of rule IDs to run. If this field is set, rules not listed are ignored. |
| `global-config` | Object | Global settings for the repository. |
| `ignore-rules` | Array | A list of rule IDs that will not be applied in scans. |

Check warning on line 97 in content/en/security/code_security/iac_security/configuration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.tense 

Avoid temporal words like 'will'.
| `use-rules` | Array | A list of rule IDs that will be applied in scans. If specified, only these rules will be used (unless other configuration causes them to be ignored). |

Check warning on line 98 in content/en/security/code_security/iac_security/configuration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.tense 

Avoid temporal words like 'will'.

Check warning on line 98 in content/en/security/code_security/iac_security/configuration.md

View workflow job for this annotation

GitHub Actions / vale

Datadog.tense 

Avoid temporal words like 'will'.
| `global-config` | Object | Global settings for the IaC scanner. |
| `rule-configs` | Object | Per-rule configurations. Keys are rule IDs. Requires `schema-version: v1.3`. |

## Rule configuration

Expand Down Expand Up @@ -110,10 +131,12 @@
| --- | --- | --- |
| `only-paths` | Array | File paths or glob patterns. Only matching files are analyzed. |
| `ignore-paths` | Array | File paths or glob patterns to exclude. Matching files are not analyzed. |
| `only-severities` | Array | Severity levels to report. Findings with other severities are ignored. |
| `only-severities` | Array | Severity levels to report. Findings with other severities are not reported. |
| `ignore-severities` | Array | Severity levels to ignore. |
| `only-categories` | Array | Categories to report. Findings in other categories are ignored. |
| `only-categories` | Array | Categories to report. Findings in other categories are not reported. |
| `ignore-categories` | Array | Categories to ignore. |
| `ignore-platforms` | Array | Platforms to skip. Rules from these platforms are not applied in scans. Requires `schema-version: v1.3`. |
| `only-platforms` | Array | Platforms to scan. Only rules from these platforms are applied in scans. Requires `schema-version: v1.3`. |

### Severities

Expand Down Expand Up @@ -180,6 +203,75 @@
- "Best Practices"
{{< /code-block >}}

### Platforms

Use `ignore-platforms` to skip specific platforms. Use `only-platforms` to restrict scanning to specific platforms. Requires `schema-version: v1.3`.

**Possible values:**

- `Ansible`
- `CICD`
- `CloudFormation`
- `Dockerfile`
- `Kubernetes`
- `Terraform`

{{< code-block lang="yaml" >}}
schema-version: v1.3
iac:
global-config:
only-platforms:
- Terraform
- Kubernetes
{{< /code-block >}}

## Per-rule configuration

Use `rule-configs` to configure a specific rule. Requires `schema-version: v1.3`.

Each key under `rule-configs` is a rule ID. The following properties are supported per rule:

| **Property** | **Type** | **Description** |
| --- | --- | --- |
| `only-paths` | Array | File paths or glob patterns. The rule is applied only to files matching these patterns. |
| `ignore-paths` | Array | File paths or glob patterns to exclude. The rule is not applied to files matching these patterns. |
| `severity` | String | Change the severity of findings generated by this rule. Accepted values: `critical`, `high`, `medium`, `low`, `info`. |

### Per-rule path scoping

Exclude a rule from certain paths, or restrict it to specific paths:

{{< code-block lang="yaml" >}}
schema-version: v1.3
iac:
rule-configs:
terraform-aws-s3-bucket-without-encryption:
# Do not apply this rule in test directories.
ignore-paths:
- "test/"
- "**/testdata/"
kubernetes-deployment-without-resource-limits:
# Apply this rule only in production manifests.
only-paths:
- "k8s/production/"
{{< /code-block >}}

Path patterns support glob syntax (`*`, `**`, `?`). Paths are relative to the repository root.

### Per-rule severity override

Change the severity of findings generated by a specific rule:

{{< code-block lang="yaml" >}}
schema-version: v1.3
iac:
rule-configs:
terraform-aws-s3-bucket-without-encryption:
severity: low
{{< /code-block >}}

The configured severity is used for all findings generated by that rule.

## Legacy configuration

IaC Security previously used a different configuration file (`dd-iac-scan.config`) and schema. This schema is deprecated and does not receive new updates, but it is [documented][2] in the `datadog-iac-scanner` repository.
Expand Down
Loading