The Zscaler Infrastructure-as-Code (IaC) Scan extension for Azure Pipelines scans Terraform, Kubernetes, Helm, and CloudFormation templates for security misconfigurations as part of a pipeline job in Microsoft Azure DevOps. The extension triggers the scan automatically, identifies configuration errors and policy violations, and can pass or fail the build according to the parameters configured on the pipeline task.
Features
Scans IaC templates against built-in policies from within Azure Pipelines.
Supports creating exemptions for policies within a template.
Highlights policy violations with severity for failed resources.
Configuring the Zscaler IaC Scan Extension for Azure Pipelines
Install the Zscaler IaC Scan extension in your Azure DevOps organization.
Select the pipeline to which you want to add the Zscaler IaC Scan task.
Click Edit to view the YAML pipeline.
Click Show Assistant to view the list of tasks.
Select Zscaler IaC Scan to view the configuration parameter fields, as shown in the image below.
Fill in the configuration parameters:
Region: Select the region that you use for ZPC.
Client ID: Paste the value you copied on the ZPC Admin Portal.
Client Secret: Paste the value you copied on the ZPC Admin Portal.
Note:
Region, Client ID, and Client Secret are mandatory. If any of them is missing, the Zscaler IaC Scan task does not run a scan.
Do not paste the Client ID and Client Secret into the pipeline YAML as plain text, where they would be committed to source control. Store them in Azure Key Vault (or as secret pipeline variables), expose them to the job through a Key Vault-linked variable group or the Azure Key Vault task, and reference them in the YAML as secret variables. To learn more, see the Azure DevOps Documentation.
IaC Directory to Scan: Enter the name of the directory that must be scanned. If you don’t add a directory, then the entire repository is scanned.
IaC File to Scan: Enter the name of the IaC file that must be scanned. If you don’t enter the file name, then the entire repository is scanned.
Log level: Enter the required log level.
Fail build: Select the checkbox to fail the build when the scan detects misconfigurations or policy violations. Leave it cleared to report findings without blocking the pipeline.
Click Add to insert the task, with these parameters, into the YAML pipeline. A sample YAML file is shown below.
If you take the Client ID and Client Secret from Azure Key Vault, reference them as secret variables rather than literal values. A sample YAML file is shown below.
To change the parameters later, click Settings above the task in the YAML editor.
Click Save and run.
The Zscaler IaC Scan task scans the specified files or directory and lists the policy violations, with their severity, in the job's console output.
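The following pipeline is an added example that ties the steps above together; it is not a sample from the Zscaler documentation or the extension itself. The task identifier `ZscalerIaCScan@1` and its input names (`region`, `clientId`, `clientSecret`, `iacDirectory`, `logLevel`, `failBuild`) are assumed placeholders: take the real identifiers from the snippet the pipeline assistant inserts when you click Add. The service connection, Key Vault name, and secret names are also illustrative. What the example does show is the real `AzureKeyVault@2` task fetching the ZPC credentials at run time and mapping them to masked secret variables, so the Client ID and Client Secret never appear in the repository.

```yaml
# Added example pipeline (not from the Zscaler documentation).
# ZscalerIaCScan@1 and its input names are ASSUMED placeholders; copy the
# real identifiers from the snippet the pipeline assistant generates.
trigger:
  branches:
    include:
      - main

pool:
  vmImage: ubuntu-latest

variables:
  # Non-secret settings can live in the YAML.
  zpcRegion: US          # assumed value; use the region of your ZPC tenant

steps:
  - checkout: self

  # Pull the ZPC credentials from Key Vault when the job runs. Each secret
  # becomes a pipeline secret variable of the same name: it is masked in the
  # console output and is never committed to source control.
  - task: AzureKeyVault@2
    displayName: Fetch ZPC credentials from Key Vault
    inputs:
      azureSubscription: my-azure-service-connection   # assumed connection name
      KeyVaultName: my-iac-keyvault                     # assumed vault name
      SecretsFilter: zpc-client-id,zpc-client-secret    # assumed secret names
      RunAsPreJob: false

  - task: ZscalerIaCScan@1        # assumed task identifier
    displayName: Zscaler IaC Scan
    inputs:
      region: $(zpcRegion)
      clientId: $(zpc-client-id)          # secret variable set by AzureKeyVault@2
      clientSecret: $(zpc-client-secret)  # secret variable set by AzureKeyVault@2
      iacDirectory: infra/terraform       # scan only this directory; omit to scan the whole repo
      logLevel: info
      failBuild: true                     # fail the job on policy violations
```

The service connection used by `AzureKeyVault@2` needs only the `get` and `list` secret permissions on the vault; grant nothing broader. Start with `failBuild: false` on an existing repository to collect a baseline of findings without blocking merges, then switch it to `true` once the baseline is clean so that new violations stop the pipeline.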