In my previous article, I highlighted the key steps and important solutions with regard to the security of CI/CD pipelines. In this article, I would like to share the basic CI/CD configuration for Checkov and KICS, two Infrastructure as Code (IaC) analysis tools that can look through your IaC templates for potential vulnerabilities or misconfigurations. These tools support various languages, including Terraform, CloudFormation, Kubernetes, ARM, and others. I will use GitHub Actions and GitLab CI to run them.

Please keep in mind that all configuration files should be adapted to your environment and project requirements.

## Checkov

https://github.com/bridgecrewio/checkov

1. Configuration with GitHub Actions:

In your GitHub repository, create a new file named `.github/workflows/IaC_scan.yml`. Add the following configuration to the file:

```yaml
name: IaC scanning stage

on:
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]

jobs:
  IaC_scan:
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.9

      - name: Install Checkov
        run: pip install checkov

      - name: Run Checkov
        run: checkov --directory .
```

This GitHub Actions workflow triggers a Checkov scan on every push and pull request targeting the `main` or `master` branch.

2. Configuration with GitLab CI:

In your GitLab repository, create a new file named `.gitlab-ci.yml`. Add the following configuration to the file:

```yaml
stages:
  - IaC_scan

Checkov:
  stage: IaC_scan
  image: python:3.9
  allow_failure: true
  before_script:
    - pip install checkov
  script:
    - checkov -d .
```

In the GitLab CI pipeline configuration, an `IaC_scan` stage is defined with a job named `Checkov`. It uses the `python:3.9` Docker image to set up a Python environment, installs Checkov, and runs Checkov to scan the IaC code. Because the job sets `allow_failure: true`, Checkov findings are reported in the job log but do not block the pipeline.

## KICS

https://kics.io/

1.
Configuration with GitHub Actions:

In your GitHub repository, create a new file named `.github/workflows/IaC_scan.yml`. Add the following configuration to the file:

```yaml
name: IaC scanning stage

on:
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]

jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout repository
        uses: actions/checkout@v3

      # Scan IaC with KICS
      - name: Run KICS scan
        uses: checkmarx/kics-github-action@v1.7.0
        with:
          path: "."
```

This GitHub Actions workflow triggers a KICS scan on every push and pull request targeting the `main` or `master` branch.

2. Configuration with GitLab CI:

In your GitLab repository, create a new file named `.gitlab-ci.yml` (or update it if you already have one). Add the following configuration to the file:

```yaml
stages:
  - IaC_scan

kics:
  stage: IaC_scan
  image:
    name: checkmarx/kics:latest
    entrypoint: [""]
  script:
    - kics scan -p ${PWD} -o ${PWD} --report-formats json --output-name kics-results
  artifacts:
    name: kics-results.json
    paths:
      - kics-results.json
```

In the GitLab CI pipeline configuration, an `IaC_scan` stage is defined with a job named `kics`. This job uses the KICS Docker image to run the KICS scan against the IaC code and stores the JSON report `kics-results.json` as a job artifact.

As a closing remark, I strongly suggest using Infrastructure as Code (IaC) scanner tools at an early stage to enhance your security measures. With this proactive approach, misconfigurations can be prevented. This preemptive tactic allows you to detect and address potential security risks early in the lifecycle, thus mitigating the threat of these risks infiltrating your live infrastructure.
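The KICS GitLab job above stores `kics-results.json` as an artifact but does not itself decide whether the pipeline should fail. The following gate script is an added example (not code from the original post or from the KICS project): it reads that report and returns exit code 1 when any finding meets a severity threshold. The field names (`queries[].severity`, `queries[].files[].file_name` and `line`) follow the layout of the KICS JSON report as I know it, and the embedded sample report is constructed for illustration.

```python
"""Gate a CI job on the KICS JSON report written by `kics scan --report-formats json`."""
import json
import sys

# Constructed sample in the shape of kics-results.json (not output of a real scan).
SAMPLE_REPORT = json.dumps({
    "severity_counters": {"HIGH": 1, "MEDIUM": 1, "LOW": 0, "INFO": 0},
    "total_counter": 2,
    "queries": [
        {"query_name": "S3 Bucket Without Server-side Encryption", "severity": "HIGH",
         "platform": "Terraform",
         "files": [{"file_name": "main.tf", "line": 12}]},
        {"query_name": "Resource Not Using Tags", "severity": "MEDIUM",
         "platform": "Terraform",
         "files": [{"file_name": "main.tf", "line": 3}, {"file_name": "db.tf", "line": 8}]},
    ],
})

# Ordering used to compare a finding's severity against the configured threshold.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def failing_findings(report_text: str, threshold: str = "HIGH") -> list[dict]:
    """Return one entry per file location whose query severity is at or above threshold."""
    report = json.loads(report_text)
    minimum = SEVERITY_RANK[threshold.upper()]
    hits = []
    for query in report.get("queries", []):
        severity = query.get("severity", "INFO").upper()
        if SEVERITY_RANK.get(severity, 0) < minimum:
            continue
        for loc in query.get("files", []):
            hits.append({"query": query["query_name"], "severity": severity,
                         "file": loc["file_name"], "line": loc["line"]})
    return hits


def gate(report_text: str, threshold: str = "HIGH") -> int:
    """Exit code for the CI job: 1 if any finding meets the threshold, otherwise 0."""
    findings = failing_findings(report_text, threshold)
    for f in findings:
        print(f"{f['severity']:8} {f['file']}:{f['line']}  {f['query']}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage in a later pipeline stage: python gate_kics.py kics-results.json HIGH
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    sys.exit(gate(text, sys.argv[2] if len(sys.argv) > 2 else "HIGH"))
```

KICS can also return a severity-based non-zero exit code on its own (see its `--fail-on` and `--ignore-on-exit` options); a separate gate like this one is useful when the report artifact is consumed in a later stage or combined with other scanners' results.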