| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers) (requires [organization-level activation](/security-command-center/docs/activate-scc-overview#overview_of_organization-level_activation))

You can write a [build config](/build/docs/build-config-file-schema) that instructs Cloud Build to validate the infrastructure as code (IaC) that is part of your build. Validating IaC lets you determine whether your Terraform resource definitions violate the existing organization policies and Security Health Analytics detectors that are applied to your Google Cloud resources.

For more information about IaC validation, see [Validate your IaC against your Google Cloud organization's policies](/security-command-center/docs/validate-iac).

Before you begin

Complete these tasks to get started with IaC validation using Cloud Build.

Activate the Security Command Center Premium tier or Enterprise tier

Verify that the [Security Command Center Premium tier or Enterprise tier](/security-command-center/docs/activate-scc-overview) is activated at the organization level.

Activating Security Command Center enables the `securityposture.googleapis.com` and `securitycentermanagement.googleapis.com` APIs.

Set up permissions

Make sure that you have the following role or roles on the organization:

- Security Posture Shift-Left Validator
- Log Writer
- Storage Writer
- Storage Reader

Check for the roles

1. In the Google Cloud console, go to the **IAM** page.
   [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)
2. Select the organization.
3. In the **Principal** column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
4. For all rows that specify or include you, check the **Role** column to see whether the list of roles includes the required roles.

Grant the roles

1. In the Google Cloud console, go to the **IAM** page.
   [Go to IAM](https://console.cloud.google.com/projectselector/iam-admin/iam?supportedpurview=organizationId)
2. Select the organization.
3. Click **Grant access**.
4. In the **New principals** field, enter your user identifier. This is typically the email address for a Google Account.
5. In the **Select a role** list, select a role.
6. To grant additional roles, click **Add another role** and add each additional role.
7. Click **Save**.

For more information about IaC validation permissions, see [IAM for organization-level activations](/security-command-center/docs/access-control-org).

Enable the Cloud Build API

Enable the Cloud Build API: [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=cloudbuild.googleapis.com)

Define your policies

Define your [organization policies](/resource-manager/docs/organization-policy/creating-managing-policies) and [Security Health Analytics detectors](/security-command-center/docs/concepts-security-health-analytics). To define these policies using a security posture, complete the tasks in [Create and deploy a posture](/security-command-center/docs/how-to-use-security-posture#create_and_deploy_a_posture).

Create your Terraform code

For instructions, see [Create your Terraform code](/security-command-center/docs/validate-iac#create_your_terraform_code).

Validate your IaC in Cloud Build

**Note:** The samples in this section are YAML samples. IaC validation also supports JSON build configs.

Add the following tasks to your `cloudbuild.yaml` file:

1. Initialize Terraform:

       - name: hashicorp/terraform
         args:
           - '-c'
           - |
             terraform init \
               -backend-config="bucket=STATE_BUCKET" \
               -backend-config="prefix=REPOSITORY_NAME"
         dir: FOLDER
         id: Terraform Init
         entrypoint: sh

   Replace the following:
   - STATE_BUCKET with the name of the Cloud Storage bucket to [store the Terraform state](/docs/terraform/resource-management/store-state) in.
   - REPOSITORY_NAME with the repository that hosts your Terraform code.
   - FOLDER with the name of the folder to save the Terraform artifacts to.

2. Create a plan file:

       - name: hashicorp/terraform
         args:
           - '-c'
           - |
             terraform plan -out tf.plan
         dir: FOLDER
         id: Terraform Plan
         entrypoint: sh

3. Convert the plan file to JSON format:

       - name: hashicorp/terraform
         args:
           - '-c'
           - |
             terraform show -json tf.plan > plan.json
         dir: FOLDER
         id: Terraform Show
         entrypoint: sh

4. Create the IaC validation report:

       - name: gcr.io/cloud-builders/gcloud
         args:
           - '-c'
           - |
             gcloud scc iac-validation-reports create \
               organizations/ORGANIZATION_ID/locations/global --tf-plan-file=plan.json \
               --format="json(response.iacValidationReport)" > IaCScanReport_$BUILD_ID.json
         dir: FOLDER
         id: Run IaC scan
         entrypoint: /bin/bash

   Replace ORGANIZATION_ID with your organization's ID.

5. If you're using Cloud Storage, upload the JSON results file to Cloud Storage:

       - name: gcr.io/cloud-builders/gsutil
         args:
           - cp
           - IaCScanReport_$BUILD_ID.json
           - SCAN_RESULT_FILE_BUCKET
         dir: FOLDER
         id: Upload report file

   Replace SCAN_RESULT_FILE_BUCKET with the Cloud Storage bucket to upload the results file to.

6. To view the results in SARIF format, complete the following:

   1. Convert the file (note the line continuation between the two flags; without it the shell would treat `--outputFilePath` as a separate command):

          - name: golang
            args:
              - '-c'
              - |
                go run github.com/google/gcp-scc-iac-validation-utils/SARIFConverter@latest \
                  --inputFilePath=IaCScanReport_$BUILD_ID.json \
                  --outputFilePath=IaCScanReport_$BUILD_ID.sarif.json
            dir: FOLDER
            id: Convert to SARIF format
            entrypoint: /bin/bash

   2. Optional: upload the file to Cloud Storage:

          - name: gcr.io/cloud-builders/gsutil
            args:
              - cp
              - IaCScanReport_$BUILD_ID.sarif.json
              - SCAN_RESULT_FILE_BUCKET
            dir: FOLDER
            id: Upload report file

7. Validate the results. Complete this step on the results JSON file that you haven't converted to SARIF format:

       - name: golang
         args:
           - '-c'
           - |
             go run github.com/google/gcp-scc-iac-validation-utils/ReportValidator@latest \
               --inputFilePath=IaCScanReport_$BUILD_ID.json --failure_expression=FAILURE_CRITERIA
         dir: FOLDER
         id: Validate results
         entrypoint: /bin/bash

   Replace FAILURE_CRITERIA with the failure threshold criteria that determine when the build fails. The threshold criteria are based on the number of critical, high, medium, and low severity issues that the IaC validation scan encounters. FAILURE_CRITERIA specifies how many issues of each severity are permitted, and also specifies how the issues are aggregated (either `AND` or `OR`). For example, if you want the build to fail if it encounters one critical issue *or* one high severity issue, set FAILURE_CRITERIA to `Critical:1,High:1,Operator:OR`. The default is `Critical:1,High:1,Medium:1,Low:1,Operator:OR`, which means that if the IaC validation scan encounters a violation of any severity, the build must fail.

8. If the build fails, resolve any violations within your Terraform code.

What's next

- View the [IaC validation report in Cloud Storage](/storage/docs/listing-objects#list-objects).
- Review the [IaC validation scripts in GitHub](https://github.com/google/gcp-scc-iac-validation-utils).
- Review the [`cloudbuild.yaml` sample](https://github.com/google/devops-governance/blob/main/examples/guardrails/cloudbuild/folder-factory/.cloudbuild/workflows/cloudbuild.yaml).

Last updated: 2025-06-17 (UTC)
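The FAILURE_CRITERIA expression in step 7 is the gate that decides whether a policy violation blocks the deployment, so it is worth understanding exactly how a `Severity:Count` list combined with `Operator:AND|OR` is evaluated. The following is an added example that is not part of this page and not the project's own ReportValidator; it reimplements only the threshold logic the page describes. The report layout it reads (a top-level `violations` list whose entries carry a `severity` field) and the `SAMPLE_REPORT` contents are constructed assumptions for illustration, as is the choice to reject a missing or misspelled `Operator` term rather than guess a default.

```python
"""Evaluate an IaC validation failure expression against a scan report.

Added example; not from the Google Cloud documentation or from the
google/gcp-scc-iac-validation-utils project. The report layout (a top-level
"violations" list with a "severity" per entry) is an assumption made for this
example. The expression grammar follows the page: Severity:Count terms plus a
single Operator:AND|OR term, e.g. "Critical:1,High:1,Operator:OR".
"""
import json
import sys
from collections import Counter

SEVERITIES = ("Critical", "High", "Medium", "Low")


def parse_failure_expression(expr):
    """Parse 'Critical:1,High:1,Operator:OR' into ({'Critical': 1, 'High': 1}, 'OR').

    Unknown keys, non-positive counts and a missing or invalid Operator are
    rejected (assumed strictness), so a typo in FAILURE_CRITERIA fails the
    build loudly instead of silently letting it pass.
    """
    thresholds = {}
    operator = None
    for term in expr.split(","):
        key, sep, value = term.strip().partition(":")
        if not sep or not value:
            raise ValueError(f"malformed term {term!r}; expected Key:Value")
        if key == "Operator":
            if value not in ("AND", "OR"):
                raise ValueError(f"Operator must be AND or OR, got {value!r}")
            operator = value
        elif key in SEVERITIES:
            count = int(value)
            if count < 1:
                raise ValueError(f"{key} threshold must be at least 1, got {count}")
            thresholds[key] = count
        else:
            raise ValueError(f"unknown key {key!r}; expected one of {SEVERITIES} or Operator")
    if not thresholds:
        raise ValueError("no severity thresholds given")
    if operator is None:
        raise ValueError("Operator:AND or Operator:OR is required")
    return thresholds, operator


def count_by_severity(report):
    """Count violations per severity, normalising 'CRITICAL' to 'Critical'."""
    counts = Counter()
    for violation in report.get("violations", []):
        severity = str(violation.get("severity", "")).capitalize()
        if severity in SEVERITIES:
            counts[severity] += 1
    return counts


def build_should_fail(report, expr):
    """True when the report meets the failure expression.

    With Operator:OR the build fails as soon as any one listed severity reaches
    its threshold; with Operator:AND every listed severity must reach its
    threshold at the same time.
    """
    thresholds, operator = parse_failure_expression(expr)
    counts = count_by_severity(report)
    reached = [counts[sev] >= limit for sev, limit in thresholds.items()]
    return all(reached) if operator == "AND" else any(reached)


# Constructed sample report: one HIGH, one MEDIUM and one LOW violation, no CRITICAL.
# Field names and policy IDs are placeholders invented for this example.
SAMPLE_REPORT = json.loads("""
{
  "violations": [
    {"assetId": "//storage.googleapis.com/example-bucket",
     "policyId": "EXAMPLE_POLICY_PUBLIC_BUCKET", "severity": "HIGH"},
    {"assetId": "//compute.googleapis.com/projects/example/zones/us-central1-a/instances/vm-1",
     "policyId": "EXAMPLE_POLICY_SHIELDED_VM", "severity": "MEDIUM"},
    {"assetId": "//compute.googleapis.com/projects/example/global/firewalls/fw-1",
     "policyId": "EXAMPLE_POLICY_FIREWALL_LOGGING", "severity": "LOW"}
  ]
}
""")


def main(argv):
    """Mirror the Cloud Build step: exit non-zero when the build should fail."""
    if len(argv) != 3:
        print(f"usage: {argv[0]} REPORT_JSON FAILURE_CRITERIA", file=sys.stderr)
        return 2
    with open(argv[1], encoding="utf-8") as fh:
        report = json.load(fh)
    print("violations by severity:", dict(count_by_severity(report)))
    if build_should_fail(report, argv[2]):
        print(f"failure expression {argv[2]!r} met; failing the build")
        return 1
    print("failure expression not met; build may continue")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_report.py IaCScanReport_BUILD_ID.json "Critical:1,High:1,Operator:OR"` against a saved report; a non-zero exit code is what makes a Cloud Build step fail. Against `SAMPLE_REPORT`, the page's default `Critical:1,High:1,Medium:1,Low:1,Operator:OR` fails the build because of the single HIGH finding, while `Critical:1,High:1,Operator:AND` does not, since no CRITICAL finding is present. The strict parser is the defensive choice: a mistyped operator or severity name should stop the pipeline rather than quietly disable the gate.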