My IBM Log in

May 24, 2021 By Steven Weaver 2 min read

The expansion of Code Risk Analyzer extends scanning capabilities.

In November 2020, IBM introduced the Code Risk Analyzer to IBM Cloud Continuous Delivery to help “shift left” security. Code Risk Analyzer identifies multiple classes of security risks by scanning source files. Misconfiguration of infrastructure and cloud service dependencies can put enterprise applications and data at risk. Now, Code Risk Analyzer will look for these issues by scanning Terraform Infrastructure as Code (IaC) files. 

Code Risk Analyzer helps developers find and remediate security and legal vulnerabilities that are potentially introduced into their source code and provides feedback directly in their Git artifacts (for example, pull/merge requests). Code Risk Analyzer is provided as a set of Tekton tasks, which can be easily incorporated into delivery pipelines.

DevSecOps for Infrastructure

IBM Cloud Schematics provides powerful tools to automate your cloud infrastructure provisioning and management process and the configuration and operation of your cloud resources and the deployment of your app workloads. To do so, Schematics leverages open source projects, such as Terraform. Terraform allows infrastructure to be expressed as code in a simple, human-readable language. It reads configuration files and provides an execution plan of changes that can be reviewed for safety and then applied and provisioned.

Infrastructure as Code (IaC) provides development teams with the opportunity to manage infrastructure definitions in Git repos and deploy with DevOps  pipelines, just like any other code. IaC modules can be reused between workloads and across multi-regions and accounts.

With this new expansion of Code Risk Analyzer, we can extend our scanning capabilities to help prevent misconfiguration of cloud accounts and compliance with regulations through scanning of IaC before it is deployed. The new IaC capability in Code Risk Analyzer scans ibm-terraform files and helps you ensure that they meet National Institute of Standards and Technology (NIST) frameworks. Today, it supports 57 compliance goals, covering 18 NIST checks, and the list is growing. 

With this new capability, you can now scan the compliance of your Infrastructure as Code and make sure that any planned changes to your account are compliant with NIST regulations. You can control this process from IBM Cloud Continuous Delivery toolchains and consume the output both in your Git repository and in your IBM Cloud Continuous Delivery PipelineRun dashboard. You can create gates that block the deployment of the IaC when misconfigurations are found and remediate misconfigurations as soon as they are created:

You can create gates that block the deployment of the IaC when misconfigurations are found and remediate misconfigurations as soon as they are created:

More information

For more details on the new capability within Code Risk Analyzer, please see the following resources:

In addition, you can get help directly from the IBM Cloud development teams by joining us on Slack.

More from Announcements

Success and recognition of IBM offerings in G2 Summer Reports  

2 min read - IBM offerings were featured in over 1,365 unique G2 reports, earning over 230 Leader badges across various categories.   This recognition is important to showcase our leading products and also to provide the unbiased validation our buyers seek. According to the 2024 G2 Software Buyer Behavior Report, “When researching software, buyers are most likely to trust information from people with similar roles and challenges, and they value transparency above other factors.”  With over 90 million visitors each year and hosting more than 2.6…

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

Reflecting on IBM’s legacy of environmental innovation and leadership

4 min read - Upholding a legacy of more than 50 years of environmental responsibility through our company’s actions and commitments, IBM continues to be a leader in driving sustainability for our business, our communities and our clients—including a 34-year history of annual, public environmental reporting, which we continue today. As a hybrid cloud and artificial intelligence (AI) company, we believe that leveraging technology is key to unlocking impact, and it will play a substantial role in how society addresses, adapts to, and overcomes…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters
Overview Annual report Corporate social responsibility Diversity & inclusion Financing Investor Newsroom Security, privacy & trust Senior leadership Careers with IBM Website Blog Publications Automotive Banking Consumer Good Energy Government Healthcare Insurance Life Sciences Manufacturing Retail Telecommunications Travel Our strategic partners Find a partner Become a partner - Partner Plus Partner Plus log in IBM TechXChange Community LinkedIn X Instagram YouTube Subscription Center Participate in user experience research Podcasts United States — English Contact IBM Privacy Terms of use Accessibility