Introduced in GitLab 14.5.
Infrastructure as Code (IaC) Scanning scans your IaC configuration files for known vulnerabilities.
Currently, IaC scanning supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes.
IaC Scanning runs in the `test` stage, which is available by default. If you redefine the stages in the `.gitlab-ci.yml` file, the `test` stage is required.
GitLab IaC scanning supports a variety of IaC configuration files. Our IaC security scanners also feature automatic language detection which works even for mixed-language projects. If any supported configuration files are detected in project source code we automatically run the appropriate IaC analyzers.
| Configuration file type | Scan tool | Introduced in GitLab version |
|---|---|---|
| Azure Resource Manager <sup>1</sup> | KICS | 14.5 |
| Google Deployment Manager | KICS | 14.5 |
- IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the Bicep language, you must use the bicep CLI to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
- Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow this issue for the proposed feature.
GitLab scanners are provided with a base alpine image for size and maintainability.
Introduced in GitLab 14.10.
GitLab also offers FIPS-enabled Red Hat UBI versions of the images, so you can replace the standard images with FIPS-enabled ones. To configure the images, set the `SAST_IMAGE_SUFFIX` variable to `-fips`, or modify the analyzer image tag to the standard tag plus the `-fips` suffix:

```yaml
variables:
  SAST_IMAGE_SUFFIX: '-fips'

include:
  - template: Jobs/SAST-IaC.gitlab-ci.yml
```
All open source (OSS) analyzers are available with the GitLab Free tier. Future proprietary analyzers may be restricted to higher tiers.
Different features are available in different GitLab tiers, as shown in the following table:

| Capability | In Free & Premium | In Ultimate |
|---|---|---|
| Configure IaC scanner | Yes | Yes |
| Download JSON report | Yes | Yes |
| See new findings in merge request widget | No | Yes |
| Access the Security Dashboard | No | Yes |
The Security Scanner Integration documentation explains how to integrate other security scanners into GitLab.
To configure IaC Scanning for a project manually, include the template in your `.gitlab-ci.yml`:

```yaml
include:
  - template: Jobs/SAST-IaC.gitlab-ci.yml
```

The included template creates IaC scanning jobs in your CI/CD pipeline and scans your project's configuration files for possible vulnerabilities.
The results are saved as a SAST report artifact that you can download and analyze.
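The following `.gitlab-ci.yml` is an added example, not taken from the GitLab documentation or the template itself. It shows the two constraints above together in one working pipeline: when you redefine `stages`, the `test` stage must still exist because the template's IaC job is assigned to it, and `SAST_IMAGE_SUFFIX` is the switch for the FIPS-enabled images. The `build-job` and `deploy-job` names and their `script` lines are placeholders for your own jobs.

```yaml
# Added example pipeline (not GitLab's own). Assumes a project that keeps its
# Terraform/Kubernetes/CloudFormation files in the repository as usual.
stages:
  - build
  - test     # required: the IaC scanning job from the template runs in "test"
  - deploy

variables:
  # Optional: pick the FIPS-enabled Red Hat UBI analyzer image instead of the
  # default alpine-based one. Remove this block to use the standard image.
  SAST_IMAGE_SUFFIX: '-fips'

include:
  - template: Jobs/SAST-IaC.gitlab-ci.yml

build-job:            # placeholder job name
  stage: build
  script:
    - echo "build step goes here"

deploy-job:           # placeholder job name
  stage: deploy
  script:
    - echo "deploy step goes here"
  # Deploy only runs if the test stage (including the IaC scan job) passed.
```

If you remove `test` from `stages`, the pipeline fails validation because the job the template defines references a stage that no longer exists; adding the stage back, in any position, is enough.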
To enable IaC Scanning in a project, you can create a merge request:
- On the top bar, select Main menu > Projects and find your project.
- On the left sidebar, select Security & Compliance > Configuration.
- In the Infrastructure as Code (IaC) Scanning row, select Configure with a merge request.
- Review and merge the merge request to enable IaC Scanning.
Pipelines now include an IaC job.
The IaC tool emits a JSON report file in the existing SAST report format. For more information, see the schema for this report.
The JSON report file can be downloaded from the CI pipelines page, or the pipelines tab on merge requests, by setting `artifacts: paths` to `gl-sast-report.json`. For more information see Downloading artifacts.
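Because the report uses the SAST report format, it can be post-processed with ordinary tooling, for example to gate a pipeline on severity when the merge request widget is not available in your tier. The script below is an added example, not part of GitLab or the KICS analyzer. The field names it reads (`vulnerabilities[].severity`, `.name`, `.location.file`, `.location.start_line`, `.identifiers[]`, `scan.scanner`) follow the SAST report schema; the embedded sample report, including its file paths and identifier values, is constructed for the example and does not correspond to real KICS queries.

```python
"""Summarize and gate on a GitLab SAST-format IaC report (gl-sast-report.json).

Added example, not GitLab's own tooling. Field names follow the SAST report
schema; SAMPLE_REPORT below is a constructed stand-in for a real report.
"""
import json
import sys
from collections import Counter

# Severities in the SAST schema, lowest to highest.
SEVERITY_ORDER = ["Info", "Unknown", "Low", "Medium", "High", "Critical"]

# Constructed sample in the shape of a KICS-produced SAST report.
SAMPLE_REPORT = r'''
{
  "version": "15.0.4",
  "scan": {
    "scanner": {"id": "kics", "name": "Kics", "vendor": {"name": "GitLab"}, "version": "0.0.0"},
    "type": "sast",
    "status": "success",
    "start_time": "2023-01-01T00:00:00",
    "end_time": "2023-01-01T00:00:10"
  },
  "vulnerabilities": [
    {"id": "f-1", "category": "sast", "name": "Resource Not Using Tags",
     "description": "constructed", "severity": "Low",
     "scanner": {"id": "kics", "name": "Kics"},
     "location": {"file": "terraform/s3.tf", "start_line": 1, "end_line": 1},
     "identifiers": [{"type": "kics_id", "name": "constructed", "value": "example-0001"}]},
    {"id": "f-2", "category": "sast", "name": "S3 Bucket Without Versioning",
     "description": "constructed", "severity": "Medium",
     "scanner": {"id": "kics", "name": "Kics"},
     "location": {"file": "terraform/s3.tf", "start_line": 4, "end_line": 4},
     "identifiers": [{"type": "kics_id", "name": "constructed", "value": "example-0002"}]},
    {"id": "f-3", "category": "sast", "name": "Security Group Open To The World On SSH",
     "description": "constructed", "severity": "High",
     "scanner": {"id": "kics", "name": "Kics"},
     "location": {"file": "terraform/sg.tf", "start_line": 9, "end_line": 12},
     "identifiers": [{"type": "kics_id", "name": "constructed", "value": "example-0003"}]},
    {"id": "f-4", "category": "sast", "name": "Container Running As Root",
     "description": "constructed", "severity": "High",
     "scanner": {"id": "kics", "name": "Kics"},
     "location": {"file": "k8s/deployment.yaml", "start_line": 12, "end_line": 12},
     "identifiers": [{"type": "kics_id", "name": "constructed", "value": "example-0004"}]}
  ]
}
'''


def load_report(text: str) -> dict:
    """Parse report JSON and check it has the shape we rely on."""
    report = json.loads(text)
    if not isinstance(report.get("vulnerabilities"), list):
        raise ValueError("not a SAST-format report: missing 'vulnerabilities' list")
    return report


def severity_counts(report: dict) -> dict:
    """Count findings per severity; a missing severity is treated as Unknown."""
    counts = Counter(v.get("severity", "Unknown") for v in report["vulnerabilities"])
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}


def findings_at_or_above(report: dict, threshold: str = "High") -> list:
    """Return (severity, file, start_line, name) tuples at or above the threshold,
    highest severity first, then by file and line."""
    floor = SEVERITY_ORDER.index(threshold)
    out = []
    for v in report["vulnerabilities"]:
        sev = v.get("severity", "Unknown")
        if sev in SEVERITY_ORDER and SEVERITY_ORDER.index(sev) >= floor:
            loc = v.get("location", {})
            out.append((sev, loc.get("file", "?"), loc.get("start_line"), v.get("name", "")))
    out.sort(key=lambda f: (-SEVERITY_ORDER.index(f[0]), f[1], f[2] or 0))
    return out


def gate(report: dict, threshold: str = "High") -> int:
    """Exit status for a CI job: 1 if any finding meets the threshold, else 0."""
    return 1 if findings_at_or_above(report, threshold) else 0


if __name__ == "__main__":
    # Usage: python iac_report.py [gl-sast-report.json] [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "High"
    rep = load_report(text)
    print("scanner:", rep.get("scan", {}).get("scanner", {}).get("name", "?"))
    print("counts:", severity_counts(rep))
    for sev, path, line, name in findings_at_or_above(rep, threshold):
        print(f"{sev:8} {path}:{line}  {name}")
    sys.exit(gate(rep, threshold))
```

Run it in a later job that receives `gl-sast-report.json` as an artifact from the IaC scan job; a non-zero exit fails that job, which is a simple way to block a merge on High or Critical findings in tiers without the merge request widget.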
To help troubleshoot IaC jobs, you can increase the Secure scanner log verbosity by using a global CI/CD variable set to `debug`:

```yaml
variables:
  SECURE_LOG_LEVEL: "debug"
```
If a previously detected finding unexpectedly shows as `No longer detected`, it might be due to an update to the scanner. An update can disable rules that are found to be ineffective or false positives, and the findings are marked as `No longer detected`:

- In GitLab 15.3, secret detection in the KICS SAST IaC scanner was disabled, so IaC findings in the "Passwords and Secrets" family show as `No longer detected`.