
Configure iacbot

IaC Security uses a bot called iacbot that integrates directly with GitHub and GitLab. You can configure iacbot by editing the .lacework/config.yml file in your repository’s root directory.

The values in this YAML file override the defaults, so you need not specify every value in each repository. Add only the values that you want to override.

# Not all values need to be explicitly set.

# Should iacbot update your PR status check
pr_status_enabled: true

# Maximum allowable findings per severity, above which
# the PR status check will fail
pr_status_thresholds:
  critical: 0
  high: 0
  medium: 999
  low: 999

# Force the status check to pass. Checks will still be run.
# Effectively the same as raising thresholds to high values.
pr_status_force_pass_enabled: false

# Set to true if you want iacbot to add PR comments
pr_comments_enabled: true

# If set to true, a PR comment will be added, even if
# the status check passes.
pr_comments_on_passed_check_enabled: false

Other available configuration options are:

Ignore Files

The ignore directive takes a list of strings, which are interpreted using gitignore syntax.

Example:

ignore:
- "test/**"
- "some-other-file"
Note: Currently this directive only applies to assessments uploaded to IaC Security. The ignore directive will not be applied to local CLI output.

Suppress Findings

The suppress directive takes a list of strings that are matched against the sid for a particular finding.

Example:

suppress:
- "sid-1"
- "sid-2"
Note: Currently this directive only applies to assessments uploaded to IaC Security. The suppress directive will not be applied to local CLI output.
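To see how the status-check, comment, ignore and suppress settings described above combine for one pull request, here is an added simulation (not Lacework's code and not iacbot's real implementation). It treats the documented sample block as the baseline that a repository's .lacework/config.yml overrides; the finding fields (sid, severity, path), the constructed findings, and the simplified gitignore matching are assumptions.

```python
# Added illustration, not Lacework's code; finding fields and gitignore matching are assumed.
from collections import Counter
from fnmatch import fnmatchcase

# Baseline taken from the documented sample block; a repo's config overrides only what it sets.
DEFAULTS = {
    "pr_status_enabled": True,
    "pr_status_thresholds": {"critical": 0, "high": 0, "medium": 999, "low": 999},
    "pr_status_force_pass_enabled": False,
    "pr_comments_enabled": True,
    "pr_comments_on_passed_check_enabled": False,
    "ignore": [],
    "suppress": [],
}

def merge_config(overrides):
    """Overlay a repo's config on the defaults; thresholds merge per severity."""
    cfg = {**DEFAULTS, **overrides}
    cfg["pr_status_thresholds"] = {**DEFAULTS["pr_status_thresholds"],
                                   **overrides.get("pr_status_thresholds", {})}
    return cfg

def is_ignored(path, patterns):
    """Approximate gitignore matching: a pattern containing '/' is matched
    against the whole path, a bare pattern against the file name anywhere."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatchcase(path if "/" in p else name, p) for p in patterns)

def evaluate(overrides, findings):
    """Return (status, comment_posted, remaining_counts) for one PR assessment."""
    cfg = merge_config(overrides)
    kept = [f for f in findings if f["sid"] not in cfg["suppress"]
            and not is_ignored(f["path"], cfg["ignore"])]
    counts = Counter(f["severity"] for f in kept)
    over = any(counts[s] > n for s, n in cfg["pr_status_thresholds"].items())
    if not cfg["pr_status_enabled"]:
        status = "not reported"  # iacbot leaves the status check untouched
    else:  # force_pass keeps the check green even when a threshold is exceeded
        status = "fail" if over and not cfg["pr_status_force_pass_enabled"] else "pass"
    comment = cfg["pr_comments_enabled"] and (
        status == "fail" or cfg["pr_comments_on_passed_check_enabled"])
    return status, comment, dict(counts)

# Constructed sample findings and a constructed repository override.
FINDINGS = [
    {"sid": "sid-1", "severity": "critical", "path": "main.tf"},
    {"sid": "sid-7", "severity": "high", "path": "test/fixtures/bucket.tf"},
    {"sid": "sid-9", "severity": "medium", "path": "modules/s3.tf"},
]
REPO_CONFIG = {"ignore": ["test/**"], "suppress": ["sid-1"]}
```

With the defaults alone the critical finding breaks the threshold of 0, so the check fails and a comment is posted; with REPO_CONFIG the suppressed sid and the ignored test/ file drop out, leaving one medium finding, a passing check and no comment.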

Prevent Submodule Scans

If you do not want a repository's submodules scanned, add the following flag to the repository's .lacework/config.yaml file:

scan_git_submodules_enabled: false

This prevents IaC Security from scanning the submodules.

Manual Trigger

Lacework IaC Security users can also trigger iacbot ad hoc on any of their repositories using the trigger option available on the repository.

Trigger iacbot