Scan AWS CDK CloudFormation templates

Overview

The Bridgecrew CLI can execute as a job in your CI / CD pipeline to scan infrastructure-as-code (IaC) files. This includes IaC files that are generated on the fly in your build pipeline, such as CloudFormation templates generated using the AWS Cloud Development Kit (CDK). You can even report violations at build time straight to the Bridgecrew platform to be visible in the application.

Pipeline

A typical pipeline using the AWS CDK will use the cdk synth command to generate a template file, and the cdk deploy command to deploy the CloudFormation stack.

By inserting the Bridgecrew CLI in between these commands, you can report on and / or block the deployment of resources with violations. Optionally, you can also report violations to the Bridgecrew platform to view in the app.

  1. Follow the steps for setting up the Bridgecrew CLI here. Use the API token to report violations to the platform.
  2. Use the following command in your pipeline (or locally in your workspace) to scan the CloudFormation template generated by the cdk synth command.
bridgecrew -f cdk.out/<project-name>.template.json --bc-api-key <key> --repo-id <repo_id> --branch <branch>

If you do not want to report results to the Bridgecrew platform, you can omit --bc-api-key, --repo-id, and --branch.

This command assumes you are in a standard AWS CDK project structure. If you are unsure of the file to use for the -f argument, run cdk synth locally and look for the newly generated files under cdk.out.

The command will return a non-zero exit code if any violations are found, which will block subsequent steps in the pipeline. You can "soft-fail" to report violations but not block deployment using the --soft-fail argument.

Full project setup example

The commands below show how to set up a new AWS CDK project using Python and install and run the Bridgecrew CLI. It assumes you have installed the AWS CDK and obtained your Bridgecrew API token.

mkdir my-cdk-project && cd my-cdk-project
cdk init app --language python
source .env/bin/activate
pip install bridgecrew
# install any other AWS CDK modules as well, like aws-cdk.aws-s3

# now, modify the generated files to create some resources

# generate the CloudFormation template
cdk synth

# scan the generated template with Bridgecrew and report the results to the platform
bridgecrew -f cdk.out/my-cdk-project.template.json --bc-api-key <BC_API_KEY> --repo-id <repo/name> --branch <branch>

# cdk deploy # this actually creates the infrastructure, so it should be configured to only run if the previous command succeeds.
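The pipeline steps above and the setup commands in this section leave the gating logic between cdk synth and cdk deploy implicit. The script below is an added example, not part of the Bridgecrew documentation: it scans every synthesized template in cdk.out with the flags described above and runs the deploy command only when all scans pass. The environment variable names BC_API_KEY, BC_REPO_ID, BC_BRANCH and BC_SOFT_FAIL are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Bridgecrew docs): a gate for the CI job that sits
# between `cdk synth` and `cdk deploy`. The variable names BC_API_KEY,
# BC_REPO_ID, BC_BRANCH and BC_SOFT_FAIL are assumptions chosen here.

# A CDK app with several stacks synthesizes several *.template.json files into
# cdk.out, so list them all instead of hard-coding one template name.
find_templates() {
  find "$1" -maxdepth 1 -name '*.template.json' | sort
}

# Platform-reporting flags, emitted only when an API key is present. Without a
# key the scan still runs and still fails the build; it is just not reported.
report_flags() {
  flags=""
  if [ -n "${BC_API_KEY:-}" ]; then
    flags="--bc-api-key $BC_API_KEY --repo-id ${BC_REPO_ID:?} --branch ${BC_BRANCH:?}"
  fi
  # --soft-fail makes bridgecrew exit 0 even when violations are found, so the
  # deploy step below proceeds; use it for report-only pipelines.
  [ "${BC_SOFT_FAIL:-0}" = 1 ] && flags="${flags:+$flags }--soft-fail"
  printf '%s' "$flags"
}

# gate_deploy <cdk.out dir> <bridgecrew binary> <deploy command...>
# Scans each template; runs the deploy command only if every scan exits 0.
gate_deploy() {
  out_dir=$1; scanner=$2; shift 2
  flags=$(report_flags) || return 1
  failed=0
  # Here-document keeps the loop in the current shell so $failed survives.
  while IFS= read -r tpl; do
    [ -n "$tpl" ] || continue
    # shellcheck disable=SC2086  # $flags is intentionally word-split
    "$scanner" -f "$tpl" $flags || { echo "violations in $tpl" >&2; failed=1; }
  done <<EOF
$(find_templates "$out_dir")
EOF
  [ "$failed" -eq 0 ] || return 1
  "$@"
}

# Typical pipeline use (guarded so the file can also be sourced for testing):
if [ "${1:-}" = run ]; then
  cdk synth && gate_deploy cdk.out bridgecrew cdk deploy
fi
```

Run it as `./gate.sh run` in the job that follows cdk synth; with BC_API_KEY unset it scans without reporting, exactly as the docs describe for the omitted flags.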
