
DevOps Universal Scanner: Streamlining Security Validation

A practical solution to eliminate repetitive security scanning workflows


Let me be completely honest with you. I didn't build the DevOps Universal Scanner because of some grand vision for DevOps security or years of enterprise experience. I built it because I was genuinely frustrated with running multiple commands to scan a single file.

Picture this: You have one Terraform file. Just one. To properly scan it, you need to run:

terraform validate
tflint .
tfsec .
checkov -f main.tf

Then you want to scan a CloudFormation template:

cfn-lint template.yaml
checkov -f template.yaml

Different syntax. Different outputs. Different installation processes. And if you want to scan a Docker image too? More commands with completely different formats.

This is incredibly inefficient.

So I did what any rational developer does when faced with repetitive tasks: I automated it away.

The Problem That Needed Solving

I was working on infrastructure files one evening when I had to run security scans on multiple file types. Same tedious process:

  1. Remember which tool scans which file type
  2. Remember the syntax for each tool
  3. Run each command individually
  4. Try to make sense of different output formats
  5. Repeat for every single file

The mental overhead was unnecessary. I wanted to streamline this validation process, not engage in complex decision-making every time I needed to check if my Terraform file would accidentally make an S3 bucket public.

That's when I thought: "What if I could just run one command and let the system figure out what tools to use?"

Building the Unified Scanner

The concept was simple: One command structure for everything.

# Want to scan Terraform?
docker run [...] scan-terraform terraform/

# CloudFormation?
docker run [...] scan-cloudformation template.yaml

# Docker image?
docker run [...] scan-docker nginx:latest

Same pattern. Same output format. Zero mental overhead.
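To make that dispatch concrete, here is an added example (POSIX sh, not the scanner's own code) of one command choosing the scanners for a path or image reference and running whichever are installed; the per-tool choices follow the post's mapping, while the JSON/YAML content markers and treating a directory as a Terraform module are this example's assumptions.

```shell
# Added example, not the DevOps Universal Scanner's own code: the dispatch step that
# "figures out what tools to use" for one argument. Tool choices follow the post's
# mapping; the JSON/YAML content markers and treating a directory as a Terraform
# module are this example's assumptions.
# Print one scanner command per line for target $1; return 1 if it is unrecognised.
commands_for() {
  t="$1"
  if [ -d "$t" ]; then                                # directory -> Terraform module
    d="${t%/}"
    printf '%s\n' "terraform -chdir=$d validate" "tflint --chdir=$d" "tfsec $d" "checkov -d $d"
    return 0
  fi
  case "$t" in
    *.tf|*.tfvars)                                    # single file: lint its folder, checkov the file
      d=$(dirname "$t")
      printf '%s\n' "terraform -chdir=$d validate" "tflint --chdir=$d" "tfsec $d" "checkov -f $t" ;;
    *.bicep)
      printf '%s\n' "bicep build $t" "checkov -f $t" ;;
    *.json|*.yaml|*.yml)                              # ambiguous extension: inspect the body
      if grep -q 'deploymentTemplate.json' "$t" 2>/dev/null; then
        printf '%s\n' "checkov -f $t"                 # ARM; ARM-TTK is a PowerShell module, run separately
      elif grep -q 'AWSTemplateFormatVersion' "$t" 2>/dev/null; then
        printf '%s\n' "cfn-lint $t" "checkov -f $t"
      else
        printf '%s\n' "checkov -f $t"                 # other IaC/Kubernetes manifest
      fi ;;
    *)
      [ -e "$t" ] && return 1                         # existing file of an unknown type
      printf '%s\n' "trivy image $t" ;;               # not a path: treat as an image reference
  esac
}

# Run each command whose tool is installed, appending output to a log file ($2), and
# report tools that are missing. Returns 1 if any scan failed, 2 if the target is unknown.
run_scan() {
  log="${2:-scan-report.log}"; rc=0
  commands_for "$1" > "$log.cmds" || { rm -f "$log.cmds"; echo "unrecognised target: $1" >&2; return 2; }
  while IFS= read -r cmd; do
    if command -v "${cmd%% *}" >/dev/null 2>&1; then
      echo "== $cmd" | tee -a "$log"; $cmd >> "$log" 2>&1 || { echo "   findings/errors, see $log"; rc=1; }
    else
      echo "-- ${cmd%% *} not installed, skipped" | tee -a "$log"
    fi
  done < "$log.cmds"
  rm -f "$log.cmds"; return $rc
}

if [ $# -gt 0 ]; then run_scan "$@"; fi
```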

I packaged it in a Docker container because:

  1. No need to install multiple tools locally
  2. Docker makes it portable - works the same everywhere
  3. Alpine Linux keeps it small - faster downloads and execution

Technical Decisions Driven by Efficiency

Why Alpine Linux?

Ubuntu images are unnecessarily large. Alpine is compact and has everything needed. Plus, smaller images mean faster pulls in CI/CD environments.

Performance comparison (measured and validated):

Metric         Ubuntu           Alpine           Practical Benefit
Image Size     ~2.1GB           ~1.63GB          Faster downloads on slower connections
Start Time     ~15-20 seconds   ~8-12 seconds    Reduced wait time
Memory Usage   ~800MB           ~400MB           Better local performance

Why One Command Structure?

Remembering different syntaxes creates unnecessary mental overhead. I designed a unified interface for all scan types.

# Everything follows the same pattern
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-[TYPE] [PATH]

# Terraform
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/

# CloudFormation
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-cloudformation template.yaml

# Azure ARM
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-arm template.json

Muscle memory develops quickly with consistent patterns.

Integrated Tools and Coverage

The scanner runs industry-standard tools automatically:

File Type        Tools                         Selection Rationale
Terraform        TFLint, TFSec, Checkov        Industry standard, complementary coverage
CloudFormation   CFN-Lint, Checkov             AWS's native linter plus security scanning
Azure ARM/Bicep  ARM-TTK, Bicep CLI, Checkov   Microsoft's official tools plus security checks
Docker Images    Trivy                         Comprehensive vulnerability and misconfiguration detection
GCP              Checkov, GCloud validation    Best available tools for GCP templates

Each scan generates two outputs:

  • Detailed log - Complete tool output
  • Summary - Actionable insights

Cross-Platform Compatibility

The tool works across macOS, Linux, and Windows environments:

macOS/Linux:

docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/

Windows PowerShell:

docker run -it --rm -v "${PWD}:/work" spd109/devops-uat:latest scan-terraform terraform/

Windows Command Prompt:

docker run -it --rm -v "%cd%:/work" spd109/devops-uat:latest scan-terraform terraform/

Same functionality, platform-appropriate syntax.

CI/CD Integration

While built primarily for local development, the tool integrates seamlessly into automated pipelines. GitLab CI example:

infrastructure-security:
  stage: security-scan
  image: docker:latest
  services:
    - docker:dind
  before_script:
    - docker pull spd109/devops-uat:latest
  script:
    # No -it here: CI jobs have no TTY, so -t makes docker run fail with "the input device is not a TTY".
    # The bind-mount path is resolved by the docker:dind daemon, so the checkout must be visible to it.
    - docker run --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/
    - docker run --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-cloudformation cloudformation/
  artifacts:
    paths:
      - "*-scan-report.log"
      - "*-summary.txt"

Compatible with GitHub Actions, Azure DevOps, Jenkins, and other CI/CD platforms.

Test Files and Validation

The repository includes intentionally vulnerable test files for:

  1. Verifying scanner functionality
  2. Understanding common vulnerability patterns
  3. Testing with realistic examples

Test files demonstrate common security issues:

  • Hardcoded credentials
  • Public S3 buckets
  • Overly permissive security groups
  • Unencrypted storage
  • Missing monitoring configurations

⚠️ Note: These files are designed for testing only and should never be deployed to production environments.

Why Share This Tool

I built this tool to solve a personal workflow inefficiency. After realizing it significantly improved my security validation process, I made it publicly available in case others face similar challenges.

Technical Capabilities and Limitations

This tool consolidates existing security scanners into a unified interface. The value proposition is reducing cognitive overhead rather than introducing novel scanning capabilities.

Strengths:

  • Consistent command structure across all scan types
  • Cross-platform compatibility
  • Efficient performance (Alpine-based)
  • Comprehensive tool coverage
  • Seamless CI/CD integration

Limitations:

  • Does not replace security expertise
  • Cannot catch every possible vulnerability
  • Effectiveness depends on underlying scanner capabilities

Getting Started

To try the scanner:

# Pull the image
docker pull spd109/devops-uat:latest

# Test with a public image
docker run -it --rm spd109/devops-uat:latest scan-docker nginx:latest

# Scan your infrastructure
docker run -it --rm -v "$(pwd):/work" spd109/devops-uat:latest scan-terraform terraform/

Summary

The DevOps Universal Scanner eliminates the need to remember and execute multiple security scanning commands. It provides a unified interface for infrastructure security validation, reducing workflow friction and allowing focus on actual security issues rather than tool management.

A practical solution to a common workflow problem, made available for broader use.