# Terraform Modules (AWS) ☁️

NightVision can also be used to scan web apps and APIs inside your private networks. This is particularly useful for:
- Security Engineering Teams who can influence the cloud environment inside their company, but can’t influence the CI/CD pipeline.
- Development Teams who believe the most accurate scans are within their deployed environment, not within a CI/CD pipeline.
- Security Compliance Teams who want to increase security scanning coverage of APIs that are subject to PCI compliance and other regulations.

## Prerequisites

- Sign up for NightVision: https://app.nightvision.net/
- Install the NightVision CLI and log in with `nightvision login`
- Install Terraform and be authenticated via the AWS CLI

You will also need to know the subnet ID of the target you want to scan and the ID of a security group that has access to the target.

## Tutorial

### Create a scheduled scan to run inside your VPC

In your terminal, create a file called variables.tf:

```hcl
variable "nightvision_token" {
  description = "The NightVision token to use for authentication"
  sensitive   = true
}

locals {
  project           = "terraform-example"
  security_group_id = "sg-0839aeaccdda71f96"
  subnet_id         = "subnet-07a080852c0769a32"
}
```

Now generate a NightVision token and store it in nightvision.auto.tfvars so you can work with the NightVision API:

```shell
export NIGHTVISION_TOKEN=$(nightvision token create)
echo 'nightvision_token = "'$NIGHTVISION_TOKEN'"' > nightvision.auto.tfvars
```

Specify your targets in targets.tf:

```hcl
locals {
  web_targets = [
    {
      target_name = "testphp"
      project     = local.project
      url         = "http://testphp.vulnweb.com/"
    },
    {
      target_name = "javaspringvulny-web"
      project     = local.project
      url         = "https://javaspringvulny.nvtest.io:9000/"
    },
    // Add more targets as needed
  ]

  public_api_targets = [
    {
      target_name        = "javaspringvulny-api"
      project            = local.project
      url                = "https://javaspringvulny.nvtest.io:9000/"
      openapi_public_url = "https://raw.githubusercontent.com/vulnerable-apps/javaspringvulny/main/openapi.yaml"
    }
  ]
}
```

Define your weekly scans in weekly_scans.tf:

```hcl
locals {
  # Define weekly scans
  scan_configs = [
    {
      schedule_name     = "scan-testphp"
      target            = "testphp"
      project           = local.project
      security_group_id = local.security_group_id
      subnet_id         = local.subnet_id
    },
    {
      schedule_name     = "scan-javaspringvulny-web"
      target            = "javaspringvulny-web"
      auth              = "javaspringvulny-web"
      project           = local.project
      security_group_id = local.security_group_id
      subnet_id         = local.subnet_id
    },
    // Add more schedules as needed
  ]
}
```

And finally, call the module to create the scheduled scans in main.tf:

```hcl
# This will schedule scans for every 7 days
module "private_dast_scans" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  nightvision_token    = var.nightvision_token
  scan_configs         = local.scan_configs
  create_project_name  = local.project
  web_targets          = local.web_targets
  public_api_targets   = local.public_api_targets
  create_scanner_infra = true
}
```
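The tutorial hard-codes the subnet and security group IDs in `locals`. As an added example (not part of the NightVision module or its documentation), the block below replaces that `locals` block in variables.tf with validated input variables and lets Terraform confirm, at plan time, that the security group belongs to the same VPC as the subnet the scanner is launched into. It assumes Terraform 1.2 or later and an AWS provider configured for the account and region that own those IDs.

```hcl
# Added example: validated scanner network placement (assumes Terraform >= 1.2
# and a configured AWS provider). Replaces the hard-coded locals in variables.tf.

variable "subnet_id" {
  description = "Subnet the ephemeral scanner instance is launched into (must reach the target)"
  type        = string

  validation {
    condition     = can(regex("^subnet-[0-9a-f]{8,17}$", var.subnet_id))
    error_message = "subnet_id must be an AWS subnet ID such as subnet-0123456789abcdef0."
  }
}

variable "security_group_id" {
  description = "Security group attached to the scanner instance; needs access to the target"
  type        = string

  validation {
    condition     = can(regex("^sg-[0-9a-f]{8,17}$", var.security_group_id))
    error_message = "security_group_id must be an AWS security group ID such as sg-0123456789abcdef0."
  }
}

# Resolve both objects so the plan fails early if either ID does not exist
# in the account/region the AWS provider is pointed at.
data "aws_subnet" "scanner" {
  id = var.subnet_id
}

data "aws_security_group" "scanner" {
  id = var.security_group_id

  # A security group from another VPC cannot be attached to the scanner's ENI;
  # fail the plan here rather than at EC2 launch time inside the Lambda.
  lifecycle {
    postcondition {
      condition     = self.vpc_id == data.aws_subnet.scanner.vpc_id
      error_message = "security_group_id must belong to the VPC of subnet_id."
    }
  }
}

locals {
  project           = "terraform-example"
  subnet_id         = var.subnet_id
  security_group_id = var.security_group_id
}
```

Pass the values alongside the token, for example by adding `subnet_id` and `security_group_id` lines to nightvision.auto.tfvars; the rest of the tutorial keeps referencing `local.subnet_id` and `local.security_group_id` unchanged.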

## Examples

### Create a NightVision project

This will just create a NightVision project.

```hcl
module "nightvision_project" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  create_project_name  = "terraform-example"
  nightvision_token    = var.nightvision_token
  create_scanner_infra = false
}
```

### Create scan automation infrastructure

This will create a Lambda function to launch ephemeral EC2 instances with scoped privileges and scan targets.

```hcl
module "scan_infrastructure" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  nightvision_token    = var.nightvision_token
  create_scanner_infra = true
  region               = "us-east-1"
}
```

### Create scheduled scans only

If you don’t want to create targets or infrastructure and you just want to schedule scans, this is a good example.

```hcl
locals {
  project           = "terraform-example"
  security_group_id = "sg-0839aeaccdda71f96"
  subnet_id         = "subnet-07a080852c0769a32"
}

module "weekly_scans" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  nightvision_token    = var.nightvision_token
  scan_configs         = local.scan_configs
  create_scanner_infra = false
}

locals {
  scan_configs = [
    {
      schedule_name     = "scan-testphp"
      target            = "testphp"
      project           = local.project
      security_group_id = local.security_group_id
      subnet_id         = local.subnet_id
    },
  ]
}
```

### Scan APIs by analyzing code

NightVision can scan APIs that don’t have an existing OpenAPI specification by analyzing their source code. If the code is locally accessible, you can generate the OpenAPI spec with NightVision:

```hcl
locals {
  project           = "terraform-example"
  security_group_id = "sg-0839aeaccdda71f96"
  subnet_id         = "subnet-07a080852c0769a32"
}

module "weekly_scans" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  nightvision_token    = var.nightvision_token
  scan_configs         = local.scan_configs
  openapi_code_targets = local.openapi_code_targets
  create_scanner_infra = false
}

locals {
  openapi_code_targets = [
    {
      target_name = "broken-flask-extracted"
      project     = local.project
      url         = "https://flask.brokenlol.com"
      language    = "python"
      code_path   = "${abspath(path.module)}/flask_app"
    },
  ]

  # Define weekly scans
  scan_configs = [
    {
      schedule_name     = "scan-broken-flask"
      target            = "broken-flask-extracted"
      project           = local.project
      security_group_id = local.security_group_id
      subnet_id         = local.subnet_id
    },
  ]
}
```

### Scan APIs with an OpenAPI URL

NightVision can scan APIs that have publicly accessible OpenAPI specifications. You can provide the URL of the OpenAPI spec to NightVision:

```hcl
locals {
  project           = "terraform-example"
  security_group_id = "sg-0839aeaccdda71f96"
  subnet_id         = "subnet-07a080852c0769a32"
}

module "api_scans" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  nightvision_token    = var.nightvision_token
  scan_configs         = local.scan_configs
  openapi_url_targets  = local.openapi_url_targets
  create_scanner_infra = false
}

locals {
  openapi_url_targets = [
    {
      target_name        = "jsv-api-from-url"
      project            = local.project
      url                = "https://javaspringvulny.nvtest.io:9000/"
      openapi_public_url = "https://raw.githubusercontent.com/vulnerable-apps/javaspringvulny/main/openapi.yaml"
    }
  ]

  # Define weekly scans
  scan_configs = [
    {
      schedule_name     = "scan-jsv-api-from-url"
      target            = "jsv-api-from-url"
      project           = local.project
      security_group_id = local.security_group_id
      subnet_id         = local.subnet_id
    },
  ]
}
```

### Scan APIs with a local OpenAPI file

NightVision can scan APIs whose OpenAPI specification is stored locally. You can provide the path to the OpenAPI spec to NightVision:

```hcl
locals {
  project           = "terraform-example"
  security_group_id = "sg-0839aeaccdda71f96"
  subnet_id         = "subnet-07a080852c0769a32"
}

module "weekly_scans" {
  source               = "github.com/nvsecurity/terraform-appsec-scanning"
  nightvision_token    = var.nightvision_token
  scan_configs         = local.scan_configs
  openapi_file_targets = local.openapi_file_targets
  create_scanner_infra = false
}

locals {
  openapi_file_targets = [
    {
      url               = "https://flask.brokenlol.com"
      project           = local.project
      target_name       = "broken-flask-from-file"
      openapi_file_path = "${abspath(path.module)}/broken-flask-openapi.yml"
    },
  ]

  # Define weekly scans
  scan_configs = [
    {
      schedule_name     = "scan-broken-flask-from-file"
      target            = "broken-flask-from-file"
      project           = local.project
      security_group_id = local.security_group_id
      subnet_id         = local.subnet_id
    },
  ]
}
```