Posture Control (ZPC)
Configuring IaC Scan for Visual Studio Code
The Zscaler Infrastructure-as-Code (IaC) Scan extension for the Visual Studio Integrated Development Environment (VS IDE) enables you to scan the IaC Terraform, Kubernetes, Helm, and CloudFormation templates in VS Code and identify security misconfigurations. The Zscaler IaC Scan extension supports scanning individual IaC files and directories in the workspace. Scanning the IaC files in the build environment enables you to fix the configuration errors before committing the code for deployment, and make sure the code is secure and compliant with standard security policies. To install the Zscaler IaC Scan Extension, see the Visual Studio Marketplace.
Key Features
The Zscaler IaC Scan extension for VS has the following capabilities:
- Scans IaC Terraform, Helm, Kubernetes, Azure Resource Manager (ARM) and CloudFormation templates with built-in policies for Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) resources.
- Supports creating exemptions for policies within a template.
- Highlights policy violations with severity for failed resources.
Configuring the Zscaler IaC Scan Extension for Visual Studio
To configure the Zscaler IaC Scan extension for VS:
- Go to Administration > Workstations & IDEs.
- Under General Information, click the Visual Studio icon.
You are directed to the Visual Studio Marketplace to install the IaC Scan extension.
- After successful installation of the IaC Scan extension, a Zscaler icon appears in the VS IDE’s left navigation menu. Click the Zscaler icon.
- Click Sign In.
- Access the Zscaler IaC Scan's login command by pressing CMD/CTRL+SHIFT+P and searching for "Zscaler IaC Scan: Login".
- Select the required region (EU, US, or Custom) where your tenant resides.
- After selecting the region, you are redirected to the Zscaler login page within a browser. Log in using your ZPC admin credentials.
If your account is configured to use single sign-on (SSO), then you are redirected to your IdP's login page.
- After successful login, you are redirected back to the Visual Studio IDE where you must complete the login flow setup:
- In the dialog window that appears, click Open Visual Studio Code.
- In the dialog window that appears, click Open.
- The logged-in user's email address appears at the bottom of the window after the extension opens the URI.
Using the Zscaler IaC Scan Commands
The Zscaler IaC Scan extension provides a set of commands. Press CTRL+SHIFT+P on Windows, or CMD+SHIFT+P on macOS, then enter Zscaler IaC Scan to search for and use the commands.
- Scan File: Scans the currently opened file in the VS IDE editor. Scan File is also triggered automatically when you save the file.
- Scan Workspace: Scans all IaC files in the current Visual Studio workspace.
- Open Settings: Opens the Settings page.
- Clear Scan Results: Clears all problems and warnings generated for the IaC resources.
- Install/Update: Installs or updates the Zscaler IaC binary, which is used by the extension to run the IaC scans.
- Sign Out: Logs you out of VS Code. When you log out, a browser window opens and displays the logout message.
Viewing Policy Violations
After running the scan on the IaC templates, policy violations are displayed on the Problems tab of the VS IDE window.
Viewing Remediation Steps
After an IaC template is scanned, you can view the policy violations and remediation steps for these violations within the VS IDE window. You can follow the remediation guidelines and resolve the misconfiguration.
To view the remediation:
- Do either of the following:
- Click anywhere within the code to view the pop-up menu, then select View Remediation for the specific policy violation.
- Click within the Problems tab to view the pop-up menu, then select View Remediation for the specific policy violation.
The remediation steps are displayed on another tab within the IDE.
Skipping Policies
You can use the IaC Scan extension to automatically add rules that skip selected policies:
- Hover over the violating resource and select Quick Fix...
- Add a skip comment for the specific policy ID.