KaiMonkey provides vulnerable infrastructure as code (IaC) to help explore and understand common cloud security threats exposed via IaC.
KaiMonkey is an effort to provide a playground of vulnerable infrastructure as code to help analyze & strategize the approach to be taken to secure from code to cloud.
The project can help you get familiar with IaC security issues and verify that your IaC scanner is working. The project is maintained and enhanced over time to increase the types of problems represented and to add support for additional IaC and Cloud providers. Contributions are welcome.
To learn more about the security risks in KaiMonkey, you can leverage Terrascan, our open-source tool to detect compliance and security violations before provisioning the infrastructure. You can also use the Tenable.cs platform for an experience that extends beyond the command line with a SaaS console and pre-built integrations into your source code repositories, ticketing systems, CI/CD pipelines, etc.
- To learn more about Terrascan's features and capabilities, see the documentation portal: https://runterrascan.io
- Terraform 0.12
- aws cli
- azure cli
- Optional - Terrascan open source tool to scan KaiMonkey
git clone https://github.com/tenable/KaiMonkey.git
cd KaiMonkey/terraform/aws/
terraform init
terraform plan
⟵ optionalterraform apply
Docker is typically the easiest way to get started because you don't need to install Terrascan on your system. Terrascan builds are also available from the releases page.
git clone https://github.com/tenable/KaiMonkey.git
cd KaiMonkey/terraform/aws
docker run --rm -v "$(pwd):/iac" -w /iac tenable/terrascan scan -t aws
- Download the appropriate binary from the releases page.
git clone https://github.com/tenable/KaiMonkey.git
cd KaiMonkey/terraform/aws
path/to/terrascan scan -t aws