As the latest addition to its vulnerability scanning capabilities across AWS services, Amazon Inspector now supports scanning your application source code, its dependencies and Infrastructure as Code (IaC). It integrates natively with GitHub and GitLab as source code management (SCM) providers, helping you shift security left and make proactive decisions about securing your SDLC.
Let's Get Up and Running
Amazon Inspector Code Security scanning is currently available in 10 AWS Regions; you can find the full list here.
Assuming you are in one of the listed Regions and have activated Inspector, select Code Security in the left pane.
Once I click Connect to, I get two options. As I am using GitHub as my SCM, I select it and proceed.
You can choose the default scan configuration or customise it for your use case. I will create a custom scan configuration for now.
Here you set the scan frequency. I chose change-based and periodic scanning, which means a scan is triggered whenever you push new code or open a pull or merge request. You can also set weekly or monthly periodic scans; for weekly scans you pick the day the scan runs, which you could align with your release cycle.
Next, choose the scope of the scan analysis. In my case I need all three scan types (code, dependencies and IaC) enabled, so I keep the defaults and create the scan configuration.
Now I give my configuration a name and connect to GitHub.
I use the link in the pop-up to authorize with GitHub.
Accept the authorization
Once authorized, I get a message at the top of the Inspector console asking me to visit the GitHub connections page.
I install a new GitHub App.
I installed the app for a selected repository in my personal account.
We have a successful GitHub connection.
I pushed a commit to master to trigger a scan.
Once the analysis is complete (it might take some time), the scan status shows as Active against your code repository.
In the Findings section you can see all the vulnerabilities found in your code; selecting a finding gives you assisted remediation, a suggested fix and other details. You can also filter findings by SCM provider, severity and so on.
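Once findings start piling up across repositories, the console filters get tedious, so here is an added triage helper (my example, not code from the post or from AWS). It builds the `filterCriteria` you would pass to the `inspector2` `ListFindings` API to narrow by severity and detector, and applies the same threshold locally to a constructed list of findings so it runs offline. The sample findings are constructed; their field names (`severity`, `codeVulnerabilityDetails`, `remediation`) follow the shape Inspector already uses for code vulnerability findings, and that repository findings use the same shape is an assumption.

```python
"""Triage Amazon Inspector code findings by severity (added example, not from the post)."""
from __future__ import annotations

from collections import Counter

# Severity ranking used for threshold filtering and sorting.
SEVERITY_RANK = {"UNTRIAGED": -1, "INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample findings, modelled on Inspector's code vulnerability finding shape (assumption).
SAMPLE_FINDINGS = [
    {
        "severity": "HIGH",
        "title": "CWE-78 - OS command injection",
        "codeVulnerabilityDetails": {
            "detectorName": "OS command injection",
            "cwes": ["CWE-78"],
            "filePath": {"filePath": "src/app.py", "startLine": 42},
        },
        "remediation": {"recommendation": {"text": "Pass a list to subprocess and avoid shell=True."}},
    },
    {
        "severity": "CRITICAL",
        "title": "CWE-798 - Hardcoded credentials",
        "codeVulnerabilityDetails": {
            "detectorName": "Hardcoded credentials",
            "cwes": ["CWE-798"],
            "filePath": {"filePath": "config/settings.py", "startLine": 7},
        },
        "remediation": {"recommendation": {"text": "Load secrets from AWS Secrets Manager at runtime."}},
    },
    {
        "severity": "MEDIUM",
        "title": "CWE-327 - Insecure cryptography",
        "codeVulnerabilityDetails": {
            "detectorName": "Insecure cryptography",
            "cwes": ["CWE-327"],
            "filePath": {"filePath": "src/crypto.py", "startLine": 10},
        },
        "remediation": {"recommendation": {"text": "Replace MD5 with SHA-256 or a keyed MAC."}},
    },
    {
        "severity": "LOW",
        "title": "CWE-532 - Sensitive data in logs",
        "codeVulnerabilityDetails": {
            "detectorName": "Log injection",
            "cwes": ["CWE-532"],
            "filePath": {"filePath": "src/handlers.py", "startLine": 88},
        },
        "remediation": {"recommendation": {"text": "Redact the token before logging."}},
    },
]


def severities_at_or_above(min_severity: str) -> list[str]:
    """All severity labels that meet the threshold, e.g. HIGH -> [HIGH, CRITICAL]."""
    floor = SEVERITY_RANK[min_severity]
    return [s for s, rank in SEVERITY_RANK.items() if rank >= floor]


def build_filter_criteria(min_severity: str = "MEDIUM", detector_name: str | None = None) -> dict:
    """filterCriteria for inspector2.list_findings: severity is a real filter key; the
    codeVulnerabilityDetectorName key exists for code findings (assumed to apply to repo scans)."""
    criteria = {"severity": [{"comparison": "EQUALS", "value": s} for s in severities_at_or_above(min_severity)]}
    if detector_name:
        criteria["codeVulnerabilityDetectorName"] = [{"comparison": "EQUALS", "value": detector_name}]
    return criteria


def filter_findings(findings: list[dict], min_severity: str = "MEDIUM") -> list[dict]:
    """Local equivalent of the severity filter, highest severity first, then by file path."""
    keep = [f for f in findings if SEVERITY_RANK.get(f["severity"], -1) >= SEVERITY_RANK[min_severity]]
    return sorted(keep, key=lambda f: (-SEVERITY_RANK[f["severity"]], f["codeVulnerabilityDetails"]["filePath"]["filePath"]))


def summarize(findings: list[dict]) -> Counter:
    """Count findings per severity label."""
    return Counter(f["severity"] for f in findings)


def triage_lines(findings: list[dict], min_severity: str = "MEDIUM") -> list[str]:
    """One line per finding: severity, file:line, detector and the suggested fix."""
    lines = []
    for f in filter_findings(findings, min_severity):
        d = f["codeVulnerabilityDetails"]
        loc = f"{d['filePath']['filePath']}:{d['filePath']['startLine']}"
        fix = f["remediation"]["recommendation"]["text"]
        lines.append(f"{f['severity']:<8} {loc:<24} {d['detectorName']} -> {fix}")
    return lines


if __name__ == "__main__":
    print(build_filter_criteria("HIGH"))
    print("\n".join(triage_lines(SAMPLE_FINDINGS, "MEDIUM")))
```

To run it against a real account, replace `SAMPLE_FINDINGS` with the `findings` list from `boto3.client("inspector2").list_findings(filterCriteria=build_filter_criteria("HIGH"))`, paginating on `nextToken`.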
Testing Terraform IAC
I added a second repository containing Terraform code to my GitHub App installation. It is listed in the Code Security console but pending an initial scan, so let's push a commit to the repository.
Code Security scanned the newly added repo, flagged issues in the code and suggested remediation with code fixes, which is super useful.
I created a separate branch in the new repository and updated the Terraform code, then opened a PR to merge the changes into main. This triggered a Code Security scan visible in the GitHub console; once complete, it highlighted the code snippets that needed attention and stated the reason each was flagged, along with a severity.
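To make the PR flow concrete, here is an added Terraform example (mine, not the repository from the post): two classic misconfigurations that IaC scanners flag, each beside a hardened form. Which exact rules Amazon Inspector applies is not stated in the post, so treat these as representative patterns rather than a list of its checks. Resource names, the `var.*` inputs and the bucket names are placeholders.

```hcl
# Added example, not the post's repository. Two weak patterns and their hardened forms.

# --- Weak: SSH reachable from any address on the internet ---
resource "aws_security_group" "weak_ssh" {
  name   = "weak-ssh"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # any source can reach port 22
  }
}

# --- Hardened: SSH limited to a known management range ---
resource "aws_security_group" "hardened_ssh" {
  name   = "hardened-ssh"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # e.g. "10.0.0.0/24" (placeholder variable)
  }
}

# --- Weak: bucket with no public access block, no encryption, no versioning ---
resource "aws_s3_bucket" "weak_logs" {
  bucket = "example-weak-logs-bucket" # placeholder name
}

# --- Hardened: public access blocked, KMS encryption by default, versioning on ---
resource "aws_s3_bucket" "hardened_logs" {
  bucket = "example-hardened-logs-bucket" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "hardened_logs" {
  bucket                  = aws_s3_bucket.hardened_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "hardened_logs" {
  bucket = aws_s3_bucket.hardened_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = var.logs_kms_key_arn # placeholder variable
    }
  }
}

resource "aws_s3_bucket_versioning" "hardened_logs" {
  bucket = aws_s3_bucket.hardened_logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

variable "vpc_id" { type = string }
variable "admin_cidr" { type = string }
variable "logs_kms_key_arn" { type = string }
```

A practical way to exercise the change-based scan is to commit the `weak_*` resources on a branch, open the PR, and confirm the scan annotates those lines before you replace them with the `hardened_*` versions in a follow-up commit on the same PR.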
On-Demand Scan
I added a third repository to my GitHub App installation, and it is listed in the Code Security console. This time, instead of pushing code or opening a PR, I trigger an on-demand scan for the repository.
I get a message saying the on-demand scan was generated successfully.
Within a short time I see findings generated :)
Let's Talk About Pricing
You are charged 0.15 USD per scan, per scan type, per repository.
So one scan of a single repository with all three scan types enabled costs 1 * 0.15 * 3 = 0.45 USD.
If a repository contains no IaC, create a separate scan configuration with IaC scanning disabled for it to save costs.
Your scan configuration also lets you disable change-based scanning or periodic scanning if you want to cut costs further and rely only on on-demand scans, but that means you won't get the full value of the tool.
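The per-scan price is easy, but what you actually budget for is the number of triggers a configuration will fire per month across all repositories. Here is an added estimator (my example, not from the post or from AWS) that generalises the 0.45 USD calculation above: it models each push/PR, each periodic run and each on-demand scan as one scan per enabled scan type. The 0.15 USD figure is the one quoted in the post; that every trigger counts as exactly one scan and that a weekly schedule averages 52/12 runs a month are assumptions, so confirm against the pricing page for your Region.

```python
"""Estimate monthly Amazon Inspector Code Security cost (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass

PRICE_PER_SCAN_TYPE_USD = 0.15  # per scan, per scan type, per repository, as quoted in the post
ALL_SCAN_TYPES = frozenset({"code", "dependencies", "iac"})
WEEKS_PER_MONTH = 52 / 12  # assumption: a weekly schedule averages 4.33 runs per month


@dataclass(frozen=True)
class RepoPlan:
    name: str
    scan_types: frozenset = ALL_SCAN_TYPES   # subset of ALL_SCAN_TYPES enabled in the configuration
    change_events_per_month: int = 0          # pushes / PRs that fire change-based scans (assumed 1 scan each)
    periodic: str | None = None               # "weekly", "monthly" or None
    on_demand_per_month: int = 0              # manual scans you expect to trigger

    def __post_init__(self) -> None:
        unknown = self.scan_types - ALL_SCAN_TYPES
        if unknown:
            raise ValueError(f"unknown scan types: {sorted(unknown)}")
        if self.periodic not in (None, "weekly", "monthly"):
            raise ValueError(f"periodic must be None, 'weekly' or 'monthly', got {self.periodic!r}")


def single_scan_cost(num_scan_types: int) -> float:
    """Cost of one scan of one repository: the post's 1 * 0.15 * types formula."""
    return 1 * PRICE_PER_SCAN_TYPE_USD * num_scan_types


def scans_per_month(plan: RepoPlan) -> float:
    """Expected number of scan triggers per month for one repository."""
    n: float = plan.change_events_per_month + plan.on_demand_per_month
    if plan.periodic == "weekly":
        n += WEEKS_PER_MONTH
    elif plan.periodic == "monthly":
        n += 1
    return n


def monthly_cost(plan: RepoPlan) -> float:
    """Expected monthly cost for one repository."""
    return scans_per_month(plan) * single_scan_cost(len(plan.scan_types))


def estimate(plans: list[RepoPlan]) -> dict[str, float]:
    """Per-repository monthly cost plus a 'total' entry, rounded to cents."""
    out = {p.name: round(monthly_cost(p), 2) for p in plans}
    out["total"] = round(sum(monthly_cost(p) for p in plans), 2)
    return out


if __name__ == "__main__":
    # Constructed plans: an app repo with everything on, and a repo without IaC that
    # uses a separate configuration with IaC scanning disabled, as the post suggests.
    plans = [
        RepoPlan("app", ALL_SCAN_TYPES, change_events_per_month=20, periodic="weekly"),
        RepoPlan("lib", frozenset({"code", "dependencies"}), change_events_per_month=5, periodic="monthly"),
    ]
    for name, usd in estimate(plans).items():
        print(f"{name:<6} {usd:>8.2f} USD")
```

The useful knob is `change_events_per_month`: on a busy monorepo that number dominates, and dropping IaC scanning on repositories that have none (the post's own advice) cuts the multiplier from 3 to 2 without giving up change-based scans.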
More details related to pricing here.
Wrapping Up
I feel this feature is a great addition to Amazon Inspector's existing capabilities, helping find code vulnerabilities and misconfigurations early in the development lifecycle, and I hope this blog helps you get started with Code Security 🤘