- Supported languages and frameworks
- Contribute your scanner
- Reports JSON format
Introduced in GitLab 14.5.
Infrastructure as Code (IaC) Scanning scans your IaC configuration files for known vulnerabilities.
Currently, IaC scanning supports configuration files for Terraform, Ansible, AWS CloudFormation, and Kubernetes.
GitLab IaC scanning supports a variety of IaC configuration files. Our IaC security scanners also feature automatic language detection which works even for mixed-language projects. If any supported configuration files are detected in project source code we automatically run the appropriate IaC analyzers.
|Configuration File Type||Scan tool||Introduced in GitLab Version|
All open source (OSS) analyzers are availibile with the GitLab Free tier. Future propietary analyzers may be restricted to higher tiers.
Different features are available in different GitLab tiers, as shown in the following table:
|Capability||In Free||In Ultimate|
|Configure IaC Scanners v|
|View JSON Report|
|Presentation of JSON Report in Merge Request|
|Access to Security Dashboard|
The Security Scanner Integration documentation explains how to integrate other security scanners into GitLab.
To configure IaC Scanning for a project you can:
The included template creates IaC scanning jobs in your CI/CD pipeline and scans your project’s configuration files for possible vulnerabilities.
The results are saved as a SAST report artifact that you can download and analyze.
To enable IaC Scanning in a project, you can create a merge request from the Security Configuration page:
- On the top bar, select Menu > Projects and find your project.
- On the left sidebar, select Security & Compliance > Configuration.
- In the Infrastructure as Code (IaC) Scanning row, select Configure via Merge Request.
This automatically creates a merge request with the changes necessary to enable IaC Scanning that you can review and merge to complete the configuration.
The IaC tool emits a JSON report file in the existing SAST report format. For more information, see the schema for this report.
The JSON report file can be downloaded from the CI pipelines page, or the
pipelines tab on merge requests by setting
artifacts: paths to
gl-sast-report.json. For more information see Downloading artifacts.