Posture Control (ZPC)

Configuring IaC Scan for GitHub

This article provides step-by-step instructions for integrating the Zscaler IaC Scan app with GitHub.

The Zscaler IaC Scan app scans the IaC templates (Terraform, Kubernetes, Helm, ARM, and CloudFormation) in your GitHub repositories and identifies security misconfigurations. Whenever you add or update code and open a pull request, or push a commit, the IaC Scan app automatically scans the IaC templates, identifies policy violations, and displays the scan results within the code. The scan allows you to detect and fix configuration errors before code deployment and ensures that the code is secure and compliant with security policies. To learn more, see About Security Policies.

Prerequisites

The organization administrators must install and authorize the Zscaler IaC Scan app to access the IaC source code repositories on GitHub. After completing the authorization, any user with the required permissions can enable the specific repositories for scanning in the Zscaler Posture Control (ZPC) Admin Portal.

Configuring the Zscaler IaC Scan App for GitHub

To configure the Zscaler IaC Scan app for GitHub:

  1. Go to Administration > Version Control & CI/CD Systems.
  2. On the IaC Integrations page, click Add IaC Integration.
  3. Under General Information:
    • For IaC Scanner Type, select Code Repository.
    • For Platform, select GitHub.
  4. Click Install GitHub App. You are directed to the GitHub portal.
    1. Sign in to your GitHub account.
    2. On the Install & Authorize Zscaler IaC Scan page, select the account where you want to install the IaC Scan app.

    Only an organization administrator can install and authorize the IaC Scan app to scan all the repositories or specific repositories. Zscaler recommends that you select All repositories so that repositories created later are automatically added to the list of repositories displayed in the ZPC Admin Portal. However, you still need to choose the specific repositories that must be included for scanning.

    3. Click Install & Authorize.

    After completing the installation, you are redirected back to the Configuration page in the ZPC Admin Portal.
  5. Under Choose GitHub Repositories, select the checkbox for each repository that must be enabled for scanning.

    The date and time format is displayed as per the user's location.

  6. Click Next.
  7. (Optional) Under Advanced Settings:
    • Scan on Push: Click the toggle to scan the IaC files in the default (main/master) branch. Alerts that are triggered for any policy violations are displayed in the ZPC Admin Portal. To learn more, see About Alerts.
    • Include Paths: Click the Edit icon to include the file path of specific files or folders that must be scanned. For example, if you define an include path for a single file, then only that file is scanned and all other files and folders within the repository are ignored. You can also use regular expressions (regex) to search for and include multiple files or folders that must be scanned. The supported regex patterns, with a description and an example for each, are:
      • /**/ (Match zero or more directories)

        If you type charts/**, then the following files are included:

        • charts/docker.yml
        • charts/stub
        • charts/stub/config.yml
        • charts/server/conf/app1/app.yml
      • **/ (Match any directory or directories, start of pattern only)

        If you type **/internal/test/**, then the following files are included:

        • root/internal/test/stub.txt
        • internal/test/stub.txt
        • /internal/test/server
        • root/internal/test
      • /** (Match any directory or directories, end of pattern only)

        If you type monorepo/**/terraform/**, then the following files are included:

        • monorepo/terraform/doc.tf
        • monorepo/app1/terraform
        • monorepo/app1/terraform/stub.yml
        • monorepo/app1/app2/terraform
      • * (Match any non-separator character)

        If you type *repo/**/terraform/**, then the following files are included:

        • monorepo/terraform/doc.tf
        • monorepo/app1/terraform
        • publicrepo/app1/terraform/stub.yml
        • newrepo/app1/app2/terraform
      • ! (Excludes all matches from the result set, start of pattern only)

        If you type !**/internal/test/**, then the following files are excluded:

        • root/internal/test/stub.txt
        • internal/test/stub.txt
        • /internal/test/server
        • root/internal/test
    • Fail Check Criteria: The fail check criteria apply only to pull requests and are based on policy severity. Select the security threshold (Critical, High, Medium, or Low) for the policy from the drop-down list. Scan results are posted on GitHub for all the selected options.

You can apply a security threshold to each repository. For example, you can fail a pull request that introduces Critical or High issues in a repository that is used to deploy to a production environment. If the same pull request has a Low threshold because the code must be merged to a repository that is used to deploy to a development environment, then you can pass the request. However, the alert notification is generated in both scenarios.

  8. Click Finish.
  9. On GitHub, go to Settings > GitHub apps and verify that the Zscaler IaC Scan app is installed.
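As an added illustration of how the Include Paths wildcards combine (not code from Zscaler or from the ZPC product), the following Python matcher implements the five patterns listed above and applies them to a constructed file listing. The translation rules, and the assumption that include patterns are applied first and ! patterns then remove matches, are derived from the article's examples and are not documented product behaviour.

```python
import re
from typing import Iterable, List

# Constructed sample listing (not from the article), mixing paths from its examples.
SAMPLE_PATHS = [
    "charts/docker.yml",
    "root/internal/test/stub.txt",
    "monorepo/terraform/doc.tf",
    "monorepo/app1/terraform/stub.yml",
    "publicrepo/app1/terraform/stub.yml",
    "monorepo/internal/test/terraform/main.tf",
    "README.md",
]

# Assumed translation rules, derived from the article's examples:
#   **/ = zero or more leading directories, /** = zero or more trailing components,
#   ** = anything including separators, * = any run of non-separator characters.
TOKENS = [("**/", "(?:.*/)?"), ("/**", "(?:/.*)?"), ("**", ".*"), ("*", "[^/]*")]


def glob_to_regex(pattern: str) -> str:
    """Translate one Include Paths pattern into a full-match regular expression."""
    out, i = [], 0
    while i < len(pattern):
        for token, regex in TOKENS:  # longest wildcard first, so '**/' wins over '*'
            if pattern.startswith(token, i):
                out.append(regex)
                i += len(token)
                break
        else:  # ordinary character: escape it so '.' in 'app.yml' stays literal
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def matches(pattern: str, path: str) -> bool:
    """True when the entire path matches the (non-negated) pattern."""
    return re.fullmatch(glob_to_regex(pattern), path) is not None


def select_paths(patterns: Iterable[str], paths: Iterable[str]) -> List[str]:
    """Keep paths hit by any include pattern, then drop any hit by a '!' pattern.
    Assumption: with no include patterns, every path starts in scope."""
    includes = [p for p in patterns if not p.startswith("!")]
    excludes = [p[1:] for p in patterns if p.startswith("!")]
    kept = []
    for path in paths:
        if includes and not any(matches(p, path) for p in includes):
            continue
        if not any(matches(p, path) for p in excludes):
            kept.append(path)
    return kept
```

Running select_paths(["monorepo/**/terraform/**", "!**/internal/**"], SAMPLE_PATHS) keeps only the two monorepo Terraform files outside internal/, which is a quick way to sanity-check a pattern set before saving it in the portal.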

Enabling Branch Protection

You can add a branch protection rule on GitHub to enforce a workflow, such as requiring review and approval before code commit. To learn more, see the GitHub Docs.

To create a branch protection rule:

  1. On the GitHub portal, navigate to the main page of the repository.
  2. Click the Settings tab.
  3. Under Code and automation, click Branches, then Add branch protection rule.
  4. For Branch name pattern, enter the branch name or pattern you want to protect.
  5. Under Protect matching branches, select the required option.
  6. Click Create.

Viewing the IaC Scan Results

The IaC scan results are displayed within the code, so you can easily evaluate and resolve the issues.

  1. On the GitHub portal, navigate to the repository, then select Pull requests.
  2. Click Details.

You can view the following:

  • The line of code that has violations along with the policy title and ID, severity, and resource details.

  • The total number of policies evaluated, along with the passed and failed findings. This information indicates whether the code is free of violations for the evaluated policies, or whether none of the policies were evaluated for this resource.

  • Remediation steps for resolving the issue.

The ZPC service generates alerts for IaC policy violations. You can view these alerts in the ZPC Admin Portal. You can also configure alert notifications for ZPC to send email notifications to recipients or send the alert data to third-party tools. To learn more, see About Alerts.
