In this post we'll show how MergeStat can be used in conjunction with tfsec, a static analysis tool for Terraform, to secure cloud infrastructure 🛡️.
As a reminder, MergeStat accesses git repos, runs an analysis on them, and stores the results in SQL for downstream querying and operationalization:
Our integration with tfsec can be used to build a report in Grafana that surfaces Terraform IaC issues and misconfigurations.
The end result is a tfsec Grafana dashboard that can be explored and filtered based on what you're looking to target.
The dashboard looks like this:
This dashboard is available as a JSON export here and should be easy to expand on!
The Setup
To begin scanning IaC repos with MergeStat, you'll need a MergeStat instance. You can start locally by following these instructions to get a Docker Compose instance running.
You'll also want to add the ghcr.io/mergestat/sync-scan-tfsec sync to your MergeStat instance:
Once this sync has been scheduled and has run:
You should see a new view available to query, tfsec_repo_issues:
-- returns all issues found by tfsec for a given repo
SELECT * FROM tfsec_repo_issues;
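The kind of downstream query the Grafana dashboard is built from, as an added example that is not part of MergeStat's or tfsec's own code: it stands up an in-memory SQLite table shaped like an assumed tfsec_repo_issues view (the column names are assumptions that mirror the fields in tfsec's JSON output; the real view may differ), fills it with constructed sample rows, and counts only failing checks per repo and severity.

```python
import sqlite3

# Assumed column layout for the tfsec_repo_issues view (hypothetical; the real
# view's columns may differ). Field names mirror those in tfsec's JSON output,
# including its status code: 0 = failed, 1 = passed, 2 = ignored.
SCHEMA = """CREATE TABLE tfsec_repo_issues (
    repo TEXT, rule_id TEXT, long_id TEXT, severity TEXT, status INTEGER,
    resource TEXT, filename TEXT, start_line INTEGER)"""

# Constructed sample rows (not real scan output).
ROWS = [
    ("infra-prod", "AVD-AWS-0107", "aws-ec2-no-public-ingress-sgr", "CRITICAL", 0,
     "aws_security_group_rule.ssh", "sg.tf", 4),
    ("infra-prod", "AVD-AWS-0086", "aws-s3-block-public-acls", "HIGH", 0,
     "aws_s3_bucket_public_access_block.logs", "s3.tf", 12),
    ("infra-prod", "AVD-AWS-0088", "aws-s3-enable-bucket-encryption", "HIGH", 1,
     "aws_s3_bucket.logs", "s3.tf", 1),
    ("infra-dev", "AVD-AWS-0107", "aws-ec2-no-public-ingress-sgr", "CRITICAL", 0,
     "aws_security_group_rule.rdp", "sg.tf", 20),
    ("infra-dev", "AVD-AWS-0086", "aws-s3-block-public-acls", "HIGH", 2,
     "aws_s3_bucket_public_access_block.tmp", "s3.tf", 30),
]

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}


def load_db():
    """In-memory stand-in for the PostgreSQL view, so the queries below run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO tfsec_repo_issues VALUES (?,?,?,?,?,?,?,?)", ROWS)
    return conn


def open_issues_by_repo_severity(conn):
    """Count only failing checks (status = 0); passed and ignored checks would
    inflate a dashboard panel if the scan was run with them included."""
    rows = conn.execute("""SELECT repo, severity, COUNT(*) FROM tfsec_repo_issues
                           WHERE status = 0 GROUP BY repo, severity""").fetchall()
    return sorted(rows, key=lambda r: (r[0], SEVERITY_RANK.get(r[1], 99)))


def repos_failing_rule(conn, long_id):
    """Repos with an open finding for one rule, to track a fleet-wide remediation."""
    cur = conn.execute("""SELECT DISTINCT repo FROM tfsec_repo_issues
                          WHERE status = 0 AND long_id = ? ORDER BY repo""", (long_id,))
    return [r[0] for r in cur]
```

Against the real view you would point the same two SELECT statements at PostgreSQL and drop the SQLite scaffolding.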
And that's it! You have output from tfsec stored in your PostgreSQL database.
Query it from MergeStat, check out the Grafana board, or plug in another BI/SQL tool.
If you found this interesting, hop in our community Slack! We're always happy to chat about MergeStat there 🎉.