The Bridgecrew CLI can execute as a job in your CI/CD pipeline to scan infrastructure-as-code (IaC) files. This includes IaC files that are generated on the fly in your build pipeline, such as CloudFormation templates generated using the AWS Cloud Development Kit (CDK). You can even report violations at build time straight to the Bridgecrew platform to be visible in the application.
A typical pipeline using the AWS CDK will use the `cdk synth` command to generate a template file, and the `cdk deploy` command to deploy the CloudFormation stack.
By inserting the Bridgecrew CLI between these two commands, you can report on and/or block the deployment of resources with violations. Optionally, you can also report violations to the Bridgecrew platform to view in the app.
- Follow the steps for setting up the Bridgecrew CLI here. Use the API token to report violations to the platform.
- Use the following command in your pipeline (or locally in your workspace) to scan the CloudFormation template generated by the `cdk synth` command:

```bash
bridgecrew -f cdk.out/<project-name>.template.json --bc-api-key <key> --repo-id <repo_id> --branch <branch>
```
If you do not want to report results to the Bridgecrew platform, you can omit the `--bc-api-key`, `--repo-id` and `--branch` arguments.
This command assumes you are in a standard AWS CDK project structure. If you are unsure of the file to use for the `-f` argument, try running the command `cdk synth` locally and look for newly-generated files.
The command will return a non-zero exit code if any violations are found, which will block subsequent steps in the pipeline. You can "soft-fail" to report violations but not block deployment using the `--soft-fail` flag.
```bash
mkdir my-cdk-project && cd my-cdk-project
cdk init app --language python
# activate the virtualenv created by cdk init (named .env here; newer CDK versions name it .venv)
source .env/bin/activate
pip install bridgecrew
# install any other AWS CDK modules as well, like aws-cdk.aws-s3

# now, modify the generated files to create some resources

# generate the CloudFormation template
cdk synth

# scan the generated template with Bridgecrew and report the results to the platform
bridgecrew -f cdk.out/my-cdk-project.template.json --bc-api-key <BC_API_KEY> --repo-id <repo/name> --branch <branch>

# cdk deploy
# this actually creates the infrastructure, so it should be configured to only run
# if the previous command succeeds.
```
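The synth, scan, deploy gate described above, as an added shell example that is not Bridgecrew's own code. It assumes the scanner and deploy commands can be overridden through SCANNER and DEPLOY_CMD (so stubs can stand in for the real tools in a test), that BC_API_KEY, BC_REPO_ID and BC_BRANCH come from CI secrets, and that SOFT_FAIL=1 means "report but do not block"; it also goes beyond the page's single template by scanning every *.template.json in cdk.out, since a CDK app may synthesize several stacks.

```shell
#!/bin/sh
# Added example (not Bridgecrew's own code): a CI gate that scans every template
# written by `cdk synth` and only lets `cdk deploy` run when the scan is clean.
# Assumed names: SCANNER/DEPLOY_CMD (overridable so stubs can stand in for the
# real tools), BC_API_KEY/BC_REPO_ID/BC_BRANCH (CI secrets), SOFT_FAIL.

scan_one() {
  # Pass the platform-reporting flags only when an API key is configured.
  if [ -n "${BC_API_KEY:-}" ]; then
    "${SCANNER:-bridgecrew}" -f "$1" --bc-api-key "$BC_API_KEY" \
      --repo-id "${BC_REPO_ID:-unknown/repo}" --branch "${BC_BRANCH:-main}"
  else
    "${SCANNER:-bridgecrew}" -f "$1"
  fi
}

scan_cdk_templates() {
  # $1 = output directory of `cdk synth` (default cdk.out). Returns 0 when every
  # stack is clean, 1 when any stack has violations, 2 when no template exists.
  outdir="${1:-cdk.out}"; rc=0; found=0
  for t in "$outdir"/*.template.json; do
    [ -e "$t" ] || continue
    found=1
    scan_one "$t" || rc=1   # remember the failure but keep scanning other stacks
  done
  if [ "$found" -eq 0 ]; then
    echo "no *.template.json in $outdir; did cdk synth run?" >&2
    return 2
  fi
  return "$rc"
}

gate_deploy() {
  # Deploy only after a clean scan. SOFT_FAIL=1 reports violations without
  # blocking; a missing template (rc 2) is never soft-failed.
  if scan_cdk_templates "${1:-cdk.out}"; then
    :
  else
    rc=$?
    if [ "$rc" -ne 1 ] || [ "${SOFT_FAIL:-0}" != "1" ]; then
      echo "scan failed (rc=$rc); deploy blocked" >&2
      return "$rc"
    fi
    echo "violations found but SOFT_FAIL=1 is set; continuing" >&2
  fi
  ${DEPLOY_CMD:-cdk deploy}
}
```

In a pipeline step, source this file after `cdk synth` and call `gate_deploy`; the step then fails with the scanner's exit code instead of reaching `cdk deploy`.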