Primary Use Case

This tool is used by DevOps and security teams to integrate automated security scanning of Terraform, CloudFormation, and Kubernetes IaC files directly into CircleCI workflows. It helps identify and remediate infrastructure configuration errors early in the CI/CD pipeline, ensuring compliance and reducing security risks.

Key Features

Automated static analysis of Terraform, CloudFormation, and Kubernetes IaC files

Integration as a CircleCI Orb for seamless CI/CD pipeline security scanning

Support for scanning entire directories or specific IaC files

Soft-fail option to allow builds to continue despite detected issues

Support for Bridgecrew API key and Prisma Cloud API integration

Multiple output formats including CLI, JSON, and JUnit XML

Free Bridgecrew Community plan with unlimited scans and user access

Customizable scan parameters via orb configuration

Insights & Recommendations

Ensure the Bridgecrew API key or Prisma Cloud access key is securely stored as an environment variable. Use the soft-fail option to prevent pipeline failures during scanning while still reporting issues. For Prisma Cloud integration, the API key must be in the format <access_key_id>::<secret_key> and the appropriate API URL set. Leverage the free Bridgecrew Community plan for unlimited scans and user access without additional cost.

Installation

Enable usage of CircleCI Orbs in your project workflow following the Orb Quick Start Guide at https://circleci.com/orbs/registry/orb/bridgecrew/bridgecrew#quick-start
Set up an environment variable with your Bridgecrew API key from your Bridgecrew account at https://www.bridgecrew.cloud/integrations
Optionally, set Prisma Cloud API URL environment variable if using Prisma integration

Usage

bridgecrew/scan: directory: '.' soft-fail: true api-key-variable: BC_API_KEY prisma-api-url: PRISMA_API_URL

Scans the entire IaC directory for security issues, allowing the build to continue even if vulnerabilities are found.

bridgecrew/scan: file: './terraform/db-app.tf' api-key-variable: BC_API_KEY prisma-api-url: PRISMA_API_URL

Scans a specific Terraform file for security and compliance issues.

bridgecrew/scan: directory: './terragoat' soft-fail: true api-key-variable: BC_API_KEY prisma-api-url: PRISMA_API_URL

Advanced example scanning a specified directory with soft-fail enabled and Prisma Cloud API integration.

Smart Usage Notes

Integrate Bridgecrew Orb early in CI/CD pipelines to catch IaC misconfigurations before deployment, reducing attack surface.Combine with runtime security tools to create a full shift-left security posture covering build and production environments.Use soft-fail mode to balance security enforcement with developer velocity, gradually increasing enforcement as maturity grows.Leverage Bridgecrew dashboards and reports for compliance auditing and continuous governance visibility across teams.Augment with custom policies and API integrations to tailor IaC scanning to organizational risk profiles and compliance mandates.

OpenSec Atlas

bridgecrew-orb

About This Tool

Primary Use Case

Key Features

Insights & Recommendations

Installation

Usage

Smart Usage Notes

Security Capability Profile

Tags

You Might Also Like