Using a Scanning Tool in Spacelift (TFLint, TFScan, Checkov)

Last updated: November 10, 2024

Overview

Integrating security and compliance tools, such as TFLint, TFScan, or Checkov, within a Spacelift plan policy can help ensure infrastructure quality and adherence to best practices before deployment. This article explains how to incorporate custom tool outputs in a plan policy, enabling you to flag potential issues early in your pipeline.

Setting Up a Scanning Tool in Plan Policies

You can configure your Spacelift plan policy to incorporate custom tool outputs by passing the results from TFLint, TFScan, Checkov, or similar tools directly into the policy evaluation.

Integration Steps:

  1. Install the Security Tool: Install the tool on the runner image or through a before_init hook.

  2. Run and Output Results: Run the tool, outputting results in JSON format and saving them as <key>.custom.spacelift.json.

  3. Plan Policy Access: Access the tool's results in the plan policy using input.third_party_metadata.custom.<key> and create policies that enforce security rules based on the findings.

  4. Define Compliance and Quality Rules in Your Policy: Based on the scanning tool's output, configure your plan policy to flag, approve, or deny plans that do not meet your quality or security standards.
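The four steps above, worked through for Checkov as an added example (this is not code from the Spacelift article or from Spacelift itself). It assumes a before_init hook such as `checkov -d . -o json --soft-fail > checkov.custom.spacelift.json` (so the key is `checkov` and the hook does not abort on findings), that the file carries Checkov's single-framework JSON layout with `results.failed_checks[].check_id`, `.resource`, `.file_path`, `.check_name` and `results.parsing_errors`, and a constructed accepted-check set; the field names come from Checkov's own output format, not from this page.

```rego
package spacelift

# Added example, not part of the Spacelift article. Reads the scan results the
# before_init hook wrote to checkov.custom.spacelift.json, which Spacelift
# exposes to the plan policy as input.third_party_metadata.custom.checkov.
#
# Assumed Checkov JSON layout (verify against your Checkov version):
#   {"results": {"failed_checks": [{"check_id": "...", "check_name": "...",
#                                   "resource": "...", "file_path": "..."}],
#                "parsing_errors": ["..."]},
#    "summary": {"failed": N, ...}}

scan := input.third_party_metadata.custom.checkov

# Findings the team has reviewed and accepted (constructed set for the example).
# Anything else that fails blocks the run; accepted ones only warn so they stay visible.
accepted_checks := {"CKV_EXAMPLE_ACCEPTED"}

# Fail closed: a missing results file means the scan did not run, which must
# not be mistaken for a clean scan.
deny["Checkov output missing: expected checkov.custom.spacelift.json in the workspace"] {
    not input.third_party_metadata.custom.checkov
}

# Files Checkov could not parse were never scanned, so treat them as a failure.
deny[msg] {
    count(scan.results.parsing_errors) > 0
    msg := sprintf("Checkov could not parse: %v", [scan.results.parsing_errors])
}

# Every failed check that is not an accepted exception denies the plan.
deny[msg] {
    check := scan.results.failed_checks[_]
    not accepted_checks[check.check_id]
    msg := sprintf("Checkov %s failed on %s in %s: %s",
        [check.check_id, check.resource, check.file_path, check.check_name])
}

# Accepted exceptions are surfaced as warnings rather than silently dropped.
warn[msg] {
    check := scan.results.failed_checks[_]
    accepted_checks[check.check_id]
    msg := sprintf("Checkov %s failed on %s but is an accepted exception",
        [check.check_id, check.resource])
}
```

Attach the policy to the stack as a plan policy; the deny messages appear in the run's policy evaluation output, and the missing-file rule catches a hook that was removed or never ran.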

Additional Resources