Create an On-Demand Scan for DevOps
On-Demand Scans for DevOps run your config audit policies against infrastructure templates (CloudFormation, Terraform, or Azure Resource Manager) stored in cloud storage, so you can resolve security issues before deployment and confirm that the templates comply with those policies.
To create an On-Demand Scan for DevOps:
- Go to Policy > On-Demand Scan.
- Click Actions > Create a Scan.
- On the General Info page, click DevOps Templates. Configure the following:
  - Name. Enter a name for the scan.
  - Description (Optional). Enter a description.
  - Service Instance. Choose a Service Instance that contains the templates you'd like to scan.
- Click Next.
- On the Select Policies page, click Next.
- The options shown on the Configure Scan page depend on the Service Instance you selected on the General Info page.
- For AWS scans:
  - Under Buckets to Scan, select one of:
    - Use a Predefined Dictionary to choose an option from the dictionaries defined in your account.
    - Manually Enter Buckets, then type a comma-separated list of buckets that contain the CloudFormation or Terraform templates.
  - Under Accounts to Scan, choose All Accounts, or select Specific Accounts to Include or Exclude from the scan.
  - Click Next.
- For Azure scans:
  - Under Storage Accounts to Scan, select one of:
    - Use a Predefined Dictionary to choose an option from the dictionaries defined in your account.
    - Manually Enter Storage Accounts, then type a comma-separated list of storage accounts.
  - Under Blob Containers to Scan, select one of:
    - Use a Predefined Dictionary to choose an option from the dictionaries defined in your account.
    - Manually Enter Blob Containers, then type a comma-separated list of blob containers that contain the Azure Resource Manager or Terraform templates.
  - Under Subscriptions to Scan, choose All Subscriptions, or select Subscriptions to Include or Exclude from the scan.
  - Click Next.
- For GCP scans:
  - Under Buckets to Scan, select one of:
    - Use a Predefined Dictionary to choose an option from the dictionaries defined in your account.
    - Manually Enter Buckets, then type a comma-separated list of buckets that contain the Terraform templates.
  - Under Projects to Scan, choose All Projects, or select Specific Projects to Include or Exclude from the scan.
  - Click Next.
- On the Schedule Scan page, under Frequency, select how often the scan runs:
  - None (On-Demand Only). Creates the scan but does not schedule it to run automatically.
  - Daily. Runs the scan every 24 hours.
  - Weekly. Runs the scan once every seven days.
- Click Next.
- On the Review & Activate page, review your settings for the On-Demand Scan. You can edit any options that need to be changed. Once you have reviewed and modified the scan, click Save.
The scan is added to the On-Demand Scan page so you can run it.
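To show what a DevOps template scan does with the inputs collected above (a comma-separated bucket list and a set of config audit policies), here is an added illustration in Python. It is not the product's own code: the policy names, the two checks, the sample CloudFormation template and the in-memory stand-in for bucket storage are all constructed for this example, and the product's real policy set and storage access are not shown.

```python
"""Added illustration: run simple policy checks over CloudFormation templates
found in a comma-separated list of buckets (example only, not product code)."""
import json
from typing import Callable, Dict, List, Optional

# Constructed sample CloudFormation template in JSON form (a YAML template
# would need a YAML parser). LogsBucket is compliant; UploadsBucket is not.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "BucketEncryption": {
                    "ServerSideEncryptionConfiguration": [
                        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
                    ]
                },
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True,
                    "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True,
                    "RestrictPublicBuckets": True,
                },
            },
        },
        "UploadsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
    },
})

# A policy here is a function that inspects a resource's Properties and
# returns a violation message, or None when the resource is compliant.
Policy = Callable[[Dict], Optional[str]]


def s3_default_encryption(props: Dict) -> Optional[str]:
    if "BucketEncryption" not in props:
        return "bucket has no default server-side encryption"
    return None


def s3_no_public_acl(props: Dict) -> Optional[str]:
    acl = props.get("AccessControl", "Private")  # CloudFormation default is Private
    if acl in ("PublicRead", "PublicReadWrite", "AuthenticatedRead"):
        return f"bucket ACL '{acl}' grants broad access"
    return None


# Hypothetical policy IDs, keyed by the resource type they apply to.
POLICIES: Dict[str, Dict[str, Policy]] = {
    "AWS::S3::Bucket": {
        "S3-ENCRYPTION": s3_default_encryption,
        "S3-PUBLIC-ACL": s3_no_public_acl,
    }
}


def parse_bucket_list(text: str) -> List[str]:
    """Parse the comma-separated list the form asks for; tolerate spaces and blanks."""
    return [b.strip() for b in text.split(",") if b.strip()]


def scan_template(template_text: str, source: str) -> List[Dict[str, str]]:
    """Apply every policy registered for each resource type in one template."""
    findings: List[Dict[str, str]] = []
    resources = json.loads(template_text).get("Resources", {})
    for logical_id, resource in resources.items():
        checks = POLICIES.get(resource.get("Type", ""), {})
        for policy_id, check in checks.items():
            message = check(resource.get("Properties", {}))
            if message:
                findings.append({"source": source, "resource": logical_id,
                                 "policy": policy_id, "message": message})
    return findings


def scan_buckets(bucket_text: str, store: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every template object in each listed bucket. `store` is a constructed
    stand-in for a cloud storage listing: bucket name -> {object key: template text}."""
    findings: List[Dict[str, str]] = []
    for bucket in parse_bucket_list(bucket_text):
        for key, body in store.get(bucket, {}).items():
            findings.extend(scan_template(body, f"{bucket}/{key}"))
    return findings


# Constructed in-memory stand-in for the buckets typed into the form.
SAMPLE_STORE = {
    "iac-templates-prod": {"app-stack.json": SAMPLE_TEMPLATE},
    "iac-templates-dev": {},
}

if __name__ == "__main__":
    for f in scan_buckets("iac-templates-prod, iac-templates-dev", SAMPLE_STORE):
        print(f"{f['source']}: {f['resource']} violates {f['policy']}: {f['message']}")
```

Each finding names the template object, the logical resource and the policy it failed, which is the information you need to fix the template before it is deployed rather than after.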