Skip to main content
Skyhigh Security

DevOps Templates Scan API

The DevOps Templates Scan API scans a CloudFormation Template and fetches the results. Skyhigh CASB supports AWS CloudFormation Templates (JSON, YAML, and YML), Azure Resource Manager templates (JSON), and Terraform templates for AWS, Azure, and GCP (.tf).

You need the Policy Manager role with manage permissions to the On-Demand Scan RBAC role to make a request to Shift Left Inline APIs.

Step - 1: API to get the access token

The access token provided by this API is required in further calls to scan the DevOps templates. 

API: POST https://www.myshn.net/neo/neo-auth-service/oauth/token?grant_type=password
Request Headers: x-auth-username: <<Email id of Skyhigh CASB Application>> 
                                x-auth-password: <<Password of Skyhigh CASB Application>> 

Response:

{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3ByaW5nLWJvb3QtYXBwbGljYXRpb24iXSwidGVuYW50TmFtZSI6ImF3c3Rlc3QiLCJ1c2VyX25hbWUiOiJrcmlzaG5hX2MrYXdzdGVzdEBtY2FmZWUuY29tIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIl0sInRlbmFudElEIjo1NTUxMSwiZXhwIjoxNTY0NDY2ODYxLCJ1c2VyIjoia3Jpc2huYV9jK2F3c3Rlc3RAbWNhZmVlLmNvbSIsInVzZXJJZCI6MTQxODM5LCJqdGkiOiJlZWNiOTUzMC0yYWU1LTRmYTUtYTEyOC0xZjQzNjk0MGM1YzQiLCJlbWFpbCI6ImtyaXNobmFfYythd3N0ZXN0QG1jYWZlZS5jb20iLCJjbGllbnRfaWQiOiJ0cnVzdGVkLWFwcCJ9.S1jINLsbFTUem7-hPltjW9_bS5zAIQyOL-clZqqRizi0GEYCwTiSnkqAAO5Sa-53mOmus0vX_hn5b3eKiceNOQhd7qtXAROXRd7THqwOIK3Y6apmCf2ZBKvRvwp-yVY8OyJJ2Nk2H396mEEFc56Kdy8jK6krPlLHCqOdi49d3-SFagFmW_gP3UMql1-nkrza48YoeN3z91ZMTtS650mdNfARlbLL14A_JV0OVKH3AmdC6PeODkHnXq5xcBiou02rC8GWciEdqqDiJ_V8VAU_sk8r9C4O-9aPvbumbQU5VjKGxV1XJheENEYOW5dXZ52ffBn0tsrim6E_IgWkUWn0cQ",
    "token_type": "bearer",
    "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsic3ByaW5nLWJvb3QtYXBwbGljYXRpb24iXSwidGVuYW50TmFtZSI6ImF3c3Rlc3QiLCJ1c2VyX25hbWUiOiJrcmlzaG5hX2MrYXdzdGVzdEBtY2FmZWUuY29tIiwic2NvcGUiOlsicmVhZCIsIndyaXRlIl0sImF0aSI6ImVlY2I5NTMwLTJhZTUtNGZhNS1hMTI4LTFmNDM2OTQwYzVjNCIsInRlbmFudElEIjo1NTUxMSwiZXhwIjoxNTY0NTUyMzYxLCJ1c2VyIjoia3Jpc2huYV9jK2F3c3Rlc3RAbWNhZmVlLmNvbSIsInVzZXJJZCI6MTQxODM5LCJqdGkiOiI2MWE4ZmFiNC0xODQwLTQ0ODctYjgyZC05NzU2MGJmM2I5NzYiLCJlbWFpbCI6ImtyaXNobmFfYythd3N0ZXN0QG1jYWZlZS5jb20iLCJjbGllbnRfaWQiOiJ0cnVzdGVkLWFwcCJ9.KViyhdxyPDc0ulkivqXNDzNHEzxlg02WFw-ddZSUduykiAHbNdfUWLcfzXINTVPqLtBU_9oWLtKh3HxAB_YXKwdc1A0Ko-RrGSopF710a9y4F51Sd8iEudy-sRzvhAey-huleOJaDKN1b3DeGwgtM10UG4bcri8Q3hF0NOL2Riv_HHtikq1eipPW_v5HUR81MO1rOi-uHu8R5ThlfT3Q1PF3JguePpFIdDWZ0b3EwLMEytpTtb64_68CtWEKYYDQyjtgiZj8vGfZJcN5AbzqRrcrRzBTH77NBoOCge5WpAaeHRFvff8jhb44jnEPbgetOFnXyCQPw1DOkkNirxVO5Q",
    "expires_in": 509,
    "scope": "read write",
    "tenantName": "My test",
    "tenantID": 12345,
    "user": "abc@xyz.com",
    "userId": 141839,
    "email": "abc@xyz.com",
    "jti": "eecb9530-2ae5-4fa5-a128-1f436940c5c4"
}

Step - 2: API to submit the DevOps template file for scan

 API: POST https://www.myshn.net/neo/config-audit/devops/v1/scan?service=azure (for Azure) 

         POST https://www.myshn.net/neo/config-audit/devops/v1/scan?service=aws (for AWS)

Request Headers: x-access-token: <<Access token from the 1st API>>
                                Content-Type: multipart/form-data
Request Body:      Content-Disposition: form-data; name="templateFile"; filename=<<file location>>
 

Response:
If you do not have Policy Manager role with manage privilege to On-Demand Scan role, you will get the following response:

{
    "error": "access_denied",
    "error_description": "Access is denied"
}

If the file is successfully submitted for evaluation, you will get the following response:

{
    "file_name": "vpc.cfn.json",
    "message": "https://www.myshn.net/neo/config-audit/devops/v1/scan/result/466a4f71-a169-4b19-b26e-ec90d7fe5846",
    "status": "The request is being processed. Please call the API to get the evaluation result.",
    "additional_details": null
}

Note: Copy the "message" from the response for getting result

If the template is invalid, you will get the following error:

{
    "file_name": "ec2.cfn.json",
    "message": "Not a valid template file : ec2.cfn.json",
    "status": "Failure",
    "additional_details": null
}

There is a limit of 250 total requests across all tenants that can be evaluated at any point of time. If the request exceeds this overall or the file is submitted again, you will get Http status 429 and the following response:

 {
    "file_name": "vpc.cfn.json",
    "message": "Requested cannot be processed at this time. Please try again later.",
    "status": "Failure",
    "additional_details": null
}

If you have provided an incorrect service name, you will get the following response:

{
    "file_name": "vpc.cfn.json",
    "message": "Unsupported service: aws1. Supported services are Aws, Azure",
    "status": "Failure",
    "additional_details": null
}

Step - 3: API to get the evaluation result of the DevOps template file 

API: GET https://www.myshn.net/neo/config-audit/devops/v1/scan/result/33fe19f5-6550-435e-a030-bda35028b9ab

Note: You will get this URL with request id as a result of Step - 2

RequestHeaders: x-access-token: <<Access token from the 1st API>>

Response:
If you do not have Policy Manager role with manage privilege to On-Demand Scan role, you will get the following response:

{
    "error": "access_denied",
    "error_description": "Access is denied"
}

You will get the following response if the evaluation is in progress:

{
    "file_name": "Storage_account_violation_template.json",
    "message": "The request is being processed for file: Storage_account_violation_template.json",
    "status": "In Progress",
    "additional_details": null
} 

Once the evaluation is complete, you will get the following response with violations count: 

{
    "file_name": "Storage_account_violation_template.json",
    "status": "Success",
    "message": {
        "file_name": "Storage_account_violation_template.json",
        "violation_count": 5,
        "policies_violated": [
            "Storage Service Encryption for Storage Accounts",
            "Unrestricted access to storage account",
            "Unrestricted access of storage account to wide network",
            "World Readable Azure Blob Storage Containers",
            "Secure Transfer for Storage Accounts"
        ]
    },
    "additional_details": null
}
{
    "file_name": "Storage_account_violation_template.json",
    "status": "Success",
    "message": {
        "file_name": "Storage_account_violation_template.json",
        "violation_count": 0,
        "policies_violated": [
        ]
    },
    "additional_details": null
} 

If there are any errors while processing, you will get the following response:

{
    "file_name": "Storage_account_violation_template.json",
    "status": "Failure",
    "message": "Error while processing the file: Storage_account_violation_template.json",
    "additional_details": null
}
  • Was this article helpful?