George Rolston for AWS Community Builders

A Simple GitHub Action for securing CloudFormation


If you've ever wanted to get started with continuous integration (CI) for CloudFormation, it can appear rather daunting or time consuming. Many solutions are so overly complex that you end up not using them correctly...or not at all for your projects. You are faced with deploying some solution that you have to maintain, or that is so specific you can only use it in one or two projects, and good luck getting your teammates to adopt it.

This all-too-common scenario drove me to create a very simple GitHub Action called cfn-security, which uses some standard security analysis/linting tools for AWS CloudFormation. The purpose of the project was to encourage people to implement better security practices in their CloudFormation through CI and get started with GitHub Actions.

The cfn-security GitHub Action does not require an AWS account, user credentials, or dedicated deployed agents. I am hoping that lowering the dependencies and prerequisites encourages adoption of such tools and promotes cloud security. Additionally, to be kind to the GitHub user, the cfn-security action does not conduct a full docker build at launch, which really reduces the minutes burned up by your GitHub Actions.

GitHub Actions is free for a specified number of minutes a month; see About billing for GitHub Actions. Because of this, make sure your actions are as efficient as possible.

Currently cfn-security includes scans leveraging cfn-nag and checkov. The scans run against a specified directory where your CloudFormation templates are stored. There are only two prerequisites:

  1. You need to be developing CloudFormation
  2. You need your templates stored in one directory within your project

...that is it. The stars do not need to align nor do you need to provision a Jenkins server.

The action is published on the GitHub Marketplace and can be found here, with further details and instructions.

Getting Started

To get started, simply add a workflow .yml file (name it whatever you would like) to the .github/workflows/ directory in the root of your project. Reference the docs on GitHub Workflow YAML syntax here. Make sure to update the cloudformation_directory input, as this is the location where the scan will look for .yml or .json files to test.

Note: a good practice is to store all your CloudFormation templates in a single directory such as ./cloudformation at the root of your project.

For more examples of cfn-security workflow files check out the project's example workflow templates. If you still do not know where to start, just cut and paste the all-security-scans.yml template which will create two security scan jobs. Just make sure to update the template input variables as necessary.

```yaml
name: cfn-security Scan

on: [push]

jobs:
  ## cfn-nag security scan (the job names are arbitrary; pick your own)
  cfn-nag-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: grolston/cfn-security@master
      with:
        cloudformation_directory: "./cloudformation/" # be sure to update as necessary!
        scanner: "cfn-nag"

  ## checkov security scan
  checkov-scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - uses: grolston/cfn-security@master
      with:
        cloudformation_directory: "./cloudformation/" # be sure to update as necessary!
        scanner: "checkov"
```

The goal of this action is to be as dead simple as possible, to encourage adoption and understanding of static code analysis tools for CloudFormation. Security should be built into your DevOps practices at every stage, and I hope this helps people get started. There are a lot of other great tools to secure your CloudFormation templates, and some awesome IDE extensions that can do this locally.
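To show the kind of rule a scanner such as cfn-nag or checkov applies to every template in cloudformation_directory, here is a small added example that is not part of the cfn-security project or of either tool: it walks a directory of .json templates and flags two classic findings, a security group open to 0.0.0.0/0 and an S3 bucket with no encryption or public access block. The rule set, the sample template, and the scan_directory/demo helpers are constructed for this illustration, and the check skips CIDR values that are intrinsic functions rather than strings.

```python
import json
import tempfile
from pathlib import Path
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}  # ingress from these is reachable from anywhere

def check_security_group(name, props):
    """Flag ingress rules open to the whole internet."""
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        # A CIDR given via !Ref/!Sub is a dict here, not a string; skip rather than crash.
        if isinstance(cidr, str) and cidr in WORLD_CIDRS:
            findings.append(f"{name}: ingress from {cidr} on ports {rule.get('FromPort')}-{rule.get('ToPort')}")
    return findings

def check_s3_bucket(name, props):
    """Flag buckets without server-side encryption or a full public access block."""
    findings = []
    if "BucketEncryption" not in props:
        findings.append(f"{name}: no BucketEncryption configured")
    pab = props.get("PublicAccessBlockConfiguration", {})
    keys = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    if not all(pab.get(k) is True for k in keys):
        findings.append(f"{name}: public access is not fully blocked")
    return findings

# Resource type -> check function; extend this table to grow the rule set.
CHECKS = {"AWS::EC2::SecurityGroup": check_security_group, "AWS::S3::Bucket": check_s3_bucket}

def scan_template(template):
    """Return findings for one parsed template (a dict), in Resources order."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings

def scan_directory(directory):
    """Scan every .json template in one directory, the role of cloudformation_directory."""
    return {p.name: scan_template(json.loads(p.read_text())) for p in sorted(Path(directory).glob("*.json"))}

# Constructed sample: an SSH group open to the world and a bucket left at defaults.
SAMPLE_TEMPLATE = {"Resources": {
    "SshSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "ssh",
        "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}}}}

def demo():  # write the sample into a temp directory, scan it, return {filename: findings}
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.json").write_text(json.dumps(SAMPLE_TEMPLATE))
        return scan_directory(tmp)
```

Running demo() reports three findings for sample.json; in a CI job you would exit non-zero when the list is non-empty, which is what the action's scanners do for you.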
