Views:
Location Top navigation bar > Template Scanner
Template Scanner enables you to run Trend Cloud One™ – Conformity Rules on your Terraform, AWS Cloud Development Kit (CDK), Serverless Framework, and AWS CloudFormation templates for detecting risks in your AWS, Azure and GCP accounts. You can add preventative security and governance controls to the workflow to identify and remediate issues prior to launching any services and resources.

What is Template Scanner?

Template Scanner provides a preventative measure to ensure your cloud infrastructure for Azure, AWS and GCP remains compliant by detecting risks in your Infrastructure as Code (IaC) before it's deployed.
You can use this service to scan Cloudformation templates and terraform configuration files.

Supported Cloud Providers

Template Scanner currently supports the following cloud providrers. For details on specific coverage support for each cloud provider, see: Template Scanner Coverage
  1. AWS
  2. Azure
  3. GCP

Supported features

To scan your IaC files, you can use one or a combination of the following:
  • Using the application UI to upload templates
  • Using the API to post requests with templates
  • By installing the Template Scanner GitHub App and creating pull requests.
Feature
Template Scanner UI/API
Github Application
Graphical interface to load files
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
error=d3416c96-6ca9-432d-8c5f-8da4aebfc7c5.png
Public API
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
error=d3416c96-6ca9-432d-8c5f-8da4aebfc7c5.png
Account and Profile Rule settings
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
error=d3416c96-6ca9-432d-8c5f-8da4aebfc7c5.png
Github Integration
error=d3416c96-6ca9-432d-8c5f-8da4aebfc7c5.png
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
AWS CloudFormation
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
AWS Cloud Development Kit (CDK)
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
error=d3416c96-6ca9-432d-8c5f-8da4aebfc7c5.png
Serverless Framework (AWS)
check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
error=d3416c96-6ca9-432d-8c5f-8da4aebfc7c5.png
Terraform (AWS, Azure and GCP)
 check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
Supported through Terraform Plan files (.json) and HCL templates (.tf)
 check=c0ac712e-8485-46cf-ba14-b6043fb05ff6.png
Can interpret multiple Terraform language features: input variables, local values, reference expressions, jsonencode function call.
Child modules are also supported for Terraform.

Scan via UI

  1. Select the type of rule settings you want to scan for:
    • Default rule settings: upload and scan using rule settings from your organization.
    • Profile rule settings: upload and scan using rule settings from a selected profile.
    • Account rule settings: upload and scan using rule settings from a selected account.

Scanning a CloudFormation template

  • CloudFormation templates can be uploaded in either JSON or YAML format.
  • You can also use the ! Condition in YAML templates.

Scanning AWS Cloud Development Kit (CDK)

Template scanner supports the evaluation of your CDK files by synthesizing a Cloudformation template out of the CDK code.
  1. Install the AWS CDK CLI
  2. In the directory with your CDK code, run cdk synth. This will output a YAML CloudFormation file (can also use --json if desired).
  3. Use Template Scanner UI or API endpoints to scan the CloudFormation file generated by cdk synth.

Scanning Serverless Framework

Template scanner supports the evaluation of your Serverless Framework applications by synthesizing a Cloudformation template out of the serverless code.
  1. In the directory with your serverless file, run serverless package to generate a JSON file in .serverless/cloudformation-template-update-stack.json.
  2. Use Template Scanner UI or API endpoints to scan the CloudFormation file generated by serverless package.

Scanning Terraform Plans

  1. Terraform templates must be converted to a Terraform plan in JSON by following the steps below from your Command Line tool:
    1. In the same directory as .tf template, export your provider's access key, secret key, and export region (e.g. `export AWS_REGION=us-east-1`)
    2. Run the command terraform init
    3. Run the command terraform plan -out=your_file
    4. Run the command terraform show -json your_file > your_file.json. Your Terraform JSON plan is ready to be uploaded to the Template Scanner from the same folder as your .tf file.
  2. Click on Upload and scan to view scan results for your selected rule settings.
  3. You will get a message for missing parameters while scanning your template. Decide whether you want to Proceed or Cancel the scanning process.
    Note
    Note
    Resources with missing parameters will not be scanned and thereby result in partial scan results.
  4. Review Checks from scan results. Failed checks will display a Resolve button with a link to resolution steps. For more information on the anatomy of the rule, see Rules.
    Note
    Note
    Resolution steps provided with failed checks are for workflows via CLI or Console. You can also use these steps as a guide for resolution within CloudFormation.

Scanning Terraform HCL templates

  1. Create a ZIP file containing your .tf files
  2. Click on the Template Scanner menu
  3. Click on the Terraform tab
  4. Browse your ZIP file
  5. Click Upload and scan.

Scan via API

See API reference for how to use Template Scanner API in your automation or build pipelines.
Additional examples can be found below:

Scan via Github Pull Requests

The Template Scanner Github App can be used to automatically trigger scans of CloudFormation templates and Terraform configuration files.

Supported rules

The following API endpoints can be used to retrieve a list of rules supported by Template Scanner:
Please refer to this page for an overview of the supported resources.

Why do I not see any scan results?

You may receive an empty response or an error for any of the following reasons:
  1. Unsupported resource type or rules - Template Scanner only supports resource-level rules. Please refer to the APIs for a list of supported rules and resource types. We have plans to add support for more source types over time. If there is a specific resource type you need as a priority, please log in to Conformity and submit a ticket to our support team.
  2. Parameter(s) with no default value - CloudFormation templates with parameters that have no default values may fail to be processed.
  3. Unsupported AWS CloudFormation intrinsic functions - CloudFormation templates with unsupported intrinsic functions may not process or may not generate complete results. The following are the supported intrinsic functions in CloudFormation templates:
    • Fn::Base64
    • Fn::And
    • Fn::Equals
    • Fn::If
    • Fn::Not
    • Fn::Or
    • Fn::FindInMap
    • Fn::GetAtt
    • Fn::GetAZs
    • Fn::Join
    • Fn::Select
    • Fn::Split
    • Fn::Sub
    • Ref
You may want to temporarily replace these functions for static values so your template can be correctly scanned.