Infrastructure As Code Scanning -- Azure ARM/Bicep



  • I've noticed that other Artifact management systems are offering products for IaC Scanning -- looking for vulnerabilities, known misconfigurations, best practices, etc. This could be a feature that would be a nice supplement to ProGet.

    Most of what I've seen has the IaC scanning centered around Terraform templates. I'm using ARM/Bicep since we're completely Azure based for cloud presence.

    I'm not 100% sure how the other products are doing IaC scanning -- it may be along the lines of scanning a Terraform Private Registry, ensuring that modules there are up to standards. With Bicep/ARM, Azure provides Template Specs as a manner of storing and cataloging private modules that can be imported into templates. I don't think it's prudent to reinvent Template Specs into ProGet, but it would be nice to get the best practice and quality checks to be made against ARM/Bicep templates stored inside of artifacts in ProGet.

    In our instance, the templates are typically stored inside of a nuget package, although a universal package could be used instead.

    Are there any others looking into IaC scanning, particularly in an Azure + ARM/Bicep organization?


  • inedo-engineer

    Hi @dan-brown_0128 ,

    It doesn't look like there's been much interest in this so far (we haven't heard any other requests for it), but I wanted to mention that Terraform repositories are planned and something we hope to accomplish in the coming months.

    Cheers,
    Alana

