kics

Terraform plan scan - execute only relevant queries

Open roi-orca opened this issue 1 year ago • 4 comments

When running a scan on a 9MB Terraform plan file from a post-plan event, the scan takes more than 20 minutes due to the large number of queries that are executed, which results in a run-task failure due to the Terraform Cloud timeout.

In order to improve the scan time, we would like to limit the number of queries that are executed. An option is to run only the relevant queries for the Terraform provider/vendor (aws, gcp, etc.) and the common queries that should always run on a Terraform plan scan.

roi-orca, May 01 '23 06:05

@cxMiguelSilva what do you think of the optimization above?

lior-orca, May 11 '23 18:05

Hi @lior-orca & @roi-orca, are you suggesting the addition of scan parameters to behave like the scan flag --cloud-provider?

cxMiguelSilva, May 12 '23 08:05

@cxMiguelSilva not really.

We suggest giving Terraform plans "special attention" by identifying the cloud provider, and by then executing only the relevant queries (common + cloud provider specific queries, e.g. aws). By that, we expect to have a large performance improvement.

lior-orca, May 12 '23 09:05
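
The provider-detection step proposed in the comment above, as an added example that is not part of the original thread and is not KICS code: it reads the `resource_changes` array of a plan exported as JSON and selects "common" plus one query group per detected provider. The group names, the provider-to-group mapping and the utility-provider list are assumptions, and the sample plan is constructed.

```python
import json

# Assumed mapping from Terraform provider short names to query groups.
PROVIDER_GROUPS = {"aws": "aws", "google": "gcp", "google-beta": "gcp",
                   "azurerm": "azure", "alicloud": "alicloud"}
# Assumed list of utility providers that need no provider-specific queries.
UTILITY = {"random", "null", "local", "time", "archive", "external"}
ALL_GROUPS = ["common"] + sorted(set(PROVIDER_GROUPS.values()))


def provider_short_name(change):
    """Return e.g. 'aws' from 'registry.terraform.io/hashicorp/aws'."""
    name = change.get("provider_name") or ""
    if name:
        return name.rsplit("/", 1)[-1]
    # No provider recorded: fall back to the type prefix, 'aws_s3_bucket' -> 'aws'.
    return (change.get("type") or "").split("_", 1)[0]


def select_query_groups(plan):
    """Return the query groups to run: 'common' plus one per detected provider."""
    changes = plan.get("resource_changes")
    if changes is None:
        return list(ALL_GROUPS)  # not a recognisable plan: run everything
    groups = set()
    for change in changes:
        short = provider_short_name(change)
        if short in UTILITY:
            continue
        group = PROVIDER_GROUPS.get(short)
        if group is None:
            # Unknown provider: fail open so narrowing never silently drops checks.
            return list(ALL_GROUPS)
        groups.add(group)
    return ["common"] + sorted(groups)


# Constructed sample plan; the third entry has no provider_name on purpose.
SAMPLE_PLAN = json.loads("""{"format_version": "1.2", "resource_changes": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
   "provider_name": "registry.terraform.io/hashicorp/aws"},
  {"address": "random_id.suffix", "type": "random_id",
   "provider_name": "registry.terraform.io/hashicorp/random"},
  {"address": "google_storage_bucket.b", "type": "google_storage_bucket"}]}""")

if __name__ == "__main__":
    print(select_query_groups(SAMPLE_PLAN))
```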

Ok, we will take a look at that and come back to you once we have added this feature.

cxMiguelSilva, May 12 '23 10:05