Checkmarx Infrastructure as Code Scanning Engine (ICE)
ICE is a infrastructure-as-code Engine that scans infrastructure provisioned using Terraform.
ICE identifies security vulnerabilties and misconfigurations that may expose IaC files owners to cyber attacks.
ICE also powers Checkmarx SAST product, the security-first platform that streamlines code security throughout DevSecOps lifecycle.
-
ICE scans terraform files and leverages over 40 built-in queries that cover security and compliance best practices for AWS, Azure and Google Cloud.
-
ICE users can create their own customer queries to support specific use-cases and prevent unique attack scenarios.
-
ICE Output is currently available as CLI, JSON and references to remediation guides.
This section describes installation procedure of ICE.
To have a fully working environment to use and develop in ICE you will need:
- Download and install Go: https://golang.org/dl/
- Install VS Code (or another IDE of your choosing): https://code.visualstudio.com/Download
- Inside VS Code, install the following extensions:
- Go
- Open Policy Agent
- Git Lens
- Install PostgreSQL: https://www.postgresql.org/download/ (optional, not needed for CLI usage)
- Clone the repository of ICE to VS Code: https://github.com/CheckmarxDev/ice
- Test if the application is running properly by running in the terminal, in the root of the project:
go run ./cmd/console/main.go -p assets/queries/terraform
Contribution is welcome and appreciated!!
Start by reviewing the contribution guidelines
Looking to contribute new scanning queries? Learn how to do it here