Qlty for Infrastructure
For software infrastructure projects, Qlty offers a comprehensive set of static analysis tools in a single tool with industry-leading workflow integration.
Use Cases
Linting and defect detection
Modern infrastructure projects are inherently polyglot, with components written in HashiCorp Configuration Language (HCL), Dockerfiles, shell scripts, and Helm charts.
Often the developers working in these languages are less familiar with the technologies themselves and with best practices for security, reliability, and maintainability, which makes static analysis especially important.
With Qlty, teams can easily run best-in-class static analysis across all of their code and configuration files and receive the outputs directly in their GitHub pull request.
- TFLint – Extensible linter for Terraform
- Hadolint – Dockerfile linter
- Shellcheck – Shell script linter
- KubeLinter – Linter for Kubernetes and Helm charts
- Actionlint – Identifies flaws in CI/CD workflow files
Security Scanning (IaC, SAST, SCA, etc.)
Moving to Infrastructure as Code with an emphasis on storing artifacts in version control offers an opportunity to shift left on security and detect issues before they are deployed into testing or production runtime environments.
- Checkov – Policy-as-code for Terraform and Kubernetes
- Trivy – Security scanner covering Terraform and Kubernetes
- Trufflehog – Finds secrets or credentials checked into version control
- Semgrep – Static analysis scanning of application code for vulnerabilities (SAST) that works across many programming languages and frameworks
- OSV Scanner – Identifies vulnerable dependencies across ecosystems like JavaScript, Java, Python, etc. based on the Open Source Vulnerability (OSV) database
Conventions
In addition to the static analysis tools above, Semgrep rules for Terraform use a simple pattern syntax, so teams can adopt the out-of-the-box rules or write fully custom conventions:
- Example rule: The AWS security group rule is missing a description
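As an added illustration of what such a convention looks like (this is example code written here, not a rule shipped by Qlty or taken from the Semgrep registry), the following Semgrep rule file flags an `aws_security_group_rule` resource that has no `description` attribute, and a second rule catches the common workaround of setting it to an empty string. The rule ids, message text, and metadata are assumptions chosen for this example.

```yaml
# Added example rule file, not Qlty's or Semgrep's own (rule ids are hypothetical).
rules:
  - id: example-aws-security-group-rule-missing-description
    languages: [terraform]
    severity: WARNING
    message: >-
      aws_security_group_rule "$NAME" has no description. Add one so reviewers
      and auditors can tell why this network access exists.
    metadata:
      category: best-practice
    patterns:
      # Match every aws_security_group_rule resource block ...
      - pattern: |
          resource "aws_security_group_rule" "$NAME" {
            ...
          }
      # ... except those that set a description attribute anywhere in the body.
      - pattern-not: |
          resource "aws_security_group_rule" "$NAME" {
            ...
            description = $DESC
            ...
          }

  - id: example-aws-security-group-rule-empty-description
    languages: [terraform]
    severity: WARNING
    message: >-
      aws_security_group_rule "$NAME" has an empty description. Describe the
      purpose of the rule instead of leaving the field blank.
    metadata:
      category: best-practice
    patterns:
      # Only look at attributes inside an aws_security_group_rule resource ...
      - pattern-inside: |
          resource "aws_security_group_rule" "$NAME" {
            ...
          }
      # ... and report a description that is the empty string.
      - pattern: description = ""
```

Save the file under a rules directory such as `.semgrep/` and run `semgrep --config .semgrep/ <terraform-dir>` to apply it. To check the rule itself, keep a `.tf` file next to it with `# ruleid: example-aws-security-group-rule-missing-description` on the line before a resource that should match and `# ok: ...` before one that should not, then run `semgrep --test`; the missing-description rule deliberately does not fire when the attribute is present but empty, which is why the second rule exists.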
Auto-formatting
HashiCorp recommends the terraform fmt subcommand to format HashiCorp Configuration Language (HCL) files for consistency and readable diffs. With Qlty, you can block improperly formatted pull requests from being merged.