DevOps UAT / Security Scanner /

▌AUTOMATED SECURITY TESTING & COMPLIANCE SYSTEM

Enterprise-grade security scanning and compliance automation tools

I Got Bored and Built a DevOps Scanner (Because Running 5 Commands for 1 File is Stupid)

The true story of how pure annoyance led to a tool I built for myself and decided to share

Let me be completely honest with you. I didn't build the DevOps Universal Scanner because of some grand vision for DevOps security or years of enterprise experience. I built it because I was bored as fuck and got tired of running multiple commands to scan a single goddamn file.

Picture this: You have one Terraform file. Just one. To properly scan it, you need to run:

terraform validate
tflint .
tfsec .
checkov -f main.tf

Then you want to scan a CloudFormation template:

cfn-lint template.yaml
checkov -f template.yaml

Different syntax. Different outputs. Different installation processes. And if you want to scan a Docker image too? More commands with completely different formats.

This is fucking annoying.

So I did what any rational developer does when faced with repetitive bullshit: I automated it away.

The "Fuck This, I'm Building a Tool" Moment

I was sitting there one evening, probably procrastinating on actual work, when I had to run security scans on a bunch of infrastructure files. Same tedious process:

Remember which tool scans which file type
Remember the syntax for each tool
Run each command individually
Try to make sense of different output formats
Repeat for every single file

My brain was melting from the mindless repetition. I wanted to turn my brain off during this stupid validation process, not engage in some complex mental gymnastics every time I needed to check if my Terraform file would accidentally make an S3 bucket public.

That's when I thought: "What if I could just run one command and let the computer figure out what tools to use?"

Building the "Brain-Off" Scanner

The concept was simple: One command structure for everything.

# Want to scan Terraform? 
docker run [...] scan-terraform terraform/

# CloudFormation?
docker run [...] scan-cloudformation template.yaml

# Docker image?
docker run [...] scan-docker nginx:latest

Same pattern. Same output format. Zero mental overhead.

I threw it in a Docker container because:

I didn't want to install 47 different tools on my Mac
Docker makes it portable - works the same everywhere
Alpine Linux keeps it small - nobody wants to pull a 5GB container for a security scan

The Real Technical Decisions (Made Out of Laziness)

Why Alpine Linux?

Ubuntu images are bloated as hell. Alpine is tiny and has everything I need. Plus, smaller images mean faster pulls when I'm running this thing in CI/CD.

Performance comparison (because I actually measured this stuff):

Metric	Ubuntu	Alpine	Why I Care
Image Size	~2.1GB	~1.63GB	Faster downloads when I'm on shitty wifi
Start Time	~15-20 seconds	~8-12 seconds	Less waiting around
Memory Usage	~800MB	~400MB	Runs better on my local machine

Why One Command Structure?

Because remembering different syntaxes is mental overhead I don't want to deal with. I want to scan a file, not memorize documentation.

# Everything follows the same pattern
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-[TYPE] [PATH]

# Terraform
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/

# CloudFormation  
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-cloudformation template.yaml

# Azure ARM
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-arm template.json

Muscle memory kicks in after the first few uses.

What's Actually Inside

The scanner runs these tools so I don't have to:

File Type	Tools	Why These Tools
Terraform	TFLint, TFSec, Checkov	Industry standard, catch different types of issues
CloudFormation	CFN-Lint, Checkov	AWS's own linter plus security scanning
Azure ARM/Bicep	ARM-TTK, Bicep CLI, Checkov	Microsoft's tools plus security checks
Docker Images	Trivy	Finds vulnerabilities, secrets, misconfigurations
GCP	Checkov, GCloud validation	Best tools available for GCP templates

Each scan spits out two files:

Detailed log - Everything the tools output
Summary - Just the important stuff

Cross-Platform Support (Because I Use Multiple Computers)

I work on macOS, deploy on Linux, and sometimes help teammates on Windows. The commands work everywhere:

macOS/Linux:

docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/

Windows PowerShell:

docker run -it --rm -v "${PWD}:/work" spd109/devops-uat:latest scan-terraform terraform/

Windows Command Prompt:

docker run -it --rm -v "%cd%:/work" spd109/devops-uat:latest scan-terraform terraform/

Same result, different path syntax. Problem solved.

CI/CD Integration (Because Manual Steps Suck)

I built this primarily for local use, but it works great in CI/CD pipelines too. Here's how I use it in GitLab CI:

infrastructure-security:
  stage: security-scan
  image: docker:latest
  services:
    - docker:dind
  before_script:
    - docker pull spd109/devops-uat:latest
  script:
    - docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/
    - docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-cloudformation cloudformation/
  artifacts:
    paths:
      - "*-scan-report.log"
      - "*-summary.txt"

Works in GitHub Actions, Azure DevOps, Jenkins, whatever. It's just Docker.

Test Files (Learning What Breaks)

I included a bunch of intentionally vulnerable test files because:

I wanted to verify the scanner actually works
It's useful to see what vulnerabilities look like
Testing with real examples beats testing with hello-world

The test files cover common security mistakes:

Hardcoded credentials
Public S3 buckets
Overly permissive security groups
Unencrypted storage
Missing monitoring

⚠️ Obviously don't deploy these in production - they're designed to fail security scans.

I built this tool for myself because I was annoyed and bored. It solved my problem of wanting to turn my brain off during security validation.

Then I figured: maybe other people have the same annoying problem. So I stuck it on Docker Hub and GitHub. If it's useful to you, cool. If not, no worries - I'll keep using it either way.

The Technical Reality

This isn't some revolutionary tool. It's just a bunch of existing security scanners wrapped in a consistent interface. The "innovation" is eliminating the mental overhead of remembering which tool does what.

What it does well:

Consistent command structure
Cross-platform compatibility
Decent performance (thanks Alpine)
Comprehensive tool coverage
Works in CI/CD without hassle

What it doesn't do:

Replace deep security expertise
Catch every possible vulnerability
Work magic - it's just automation

Getting Started

If you want to try it:

# Pull the image
docker pull spd109/devops-uat:latest

# Test it out
docker run -it --rm spd109/devops-uat:latest scan-docker nginx:latest

# Scan your own stuff
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/

The Bottom Line

I got tired of running multiple commands to scan infrastructure files. So I built a tool that lets me run one command instead.

It's not changing the world, but it saves me from mindless repetition and lets me focus on actual problems instead of tool syntax. If that sounds useful to you, feel free to use it.

Resources

Docker Hub: spd109/devops-uat
GitHub: resolve109/devops-universal-scanner
Usage Examples: Complete documentation and platform-specific commands

Built this for myself, sharing it in case it's useful to others. No grand vision, just solving an annoying problem.