
What is FortifyFox?

Infrastructure as code (IaC) provides a convenient way to automate the provisioning of IT infrastructure using code rather than manual configuration. The key advantage of IaC is that it eliminates the need for developers to manually build, operate and maintain the various infrastructure elements of a system, thereby reducing complexity, risk and time to deployment.

As IaC increases in popularity, security around code configurations becomes ever more important. For example, is activity logging and encryption enabled in the configurations? Are critical services configured to allow for automated failover?

FortifyFox’s Template Scanner provides the ability to scan IaC configurations and identify vulnerabilities in accordance with established industry compliance standards. It gives developers a valuable opportunity to address identified risks prior to deployment, potentially saving much effort and costs in subsequent downtime and redeployments.

Getting started

How do I get started with FortifyFox?

Getting started is easy!

There are 2 login options:

  • Sign in with Google Single Sign-On (SSO)
  • Sign up for a FortifyFox account

If you already have a Google account, you may use it to sign in to FortifyFox. With this option, your Google credentials will be used to authenticate your identity. Simply click “Sign In With Google” on the login page to proceed.

Alternatively, you can sign up for a FortifyFox account. To do so, click “Sign up for free” at the bottom of the login page and follow the prompts to create an account. A verification code will be sent to your email to complete the account creation process. If you do not see the email within a few minutes of your sign-up, check your “junk mail” or “spam” folder.

How to use the FortifyFox Template Scanner?

Using the FortifyFox Template Scanner is simple. Just follow these steps:

  1. Log in to FortifyFox.
  2. Click “Template Scanner” on the left navigation menu.
  3. In the top left window, select the cloud provider of the IaC template you would like to scan.
  4. “Click to Upload” your IaC template. One template can be uploaded and scanned at a time. The template can be in either JSON or YAML format. Once uploaded, the Template Scanner will verify if the template is valid. Scanning is possible only for valid templates.
  5. Click the “Compliance” dropdown menu to select the standard that you would like your template to be benchmarked against. One compliance standard can be selected at a time.
  6. Click “Scan” to start scanning your IaC template.

How to scan Serverless Framework templates?

You can run the serverless package command to create the CloudFormation template for your service in the .serverless folder (it is named cloudformation-template-update-stack.json). Just upload the file to the FortifyFox template scanner per steps 4 to 6 in How to use the FortifyFox Template Scanner?
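Before uploading, it can help to see what a validity check and a compliance rule actually do to such a template. The following is an added example, not FortifyFox's own code or rule set: it parses a constructed CloudFormation JSON template of the shape `serverless package` produces, applies two illustrative rules (encryption at rest on S3 buckets, logging enabled on CloudTrail trails; the rule IDs and severities are hypothetical) and computes the compliance percentage in the same way the summary chart reports it.

```python
import json
from typing import Dict, List

# Constructed sample in the JSON shape that `serverless package` writes to
# .serverless/cloudformation-template-update-stack.json (not a real deployment).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "DeploymentBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "BucketEncryption": {"ServerSideEncryptionConfiguration": [
                {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}}},
        "AuditTrail": {"Type": "AWS::CloudTrail::Trail", "Properties": {
            "S3BucketName": "audit-logs", "IsLogging": False}},
    },
})


def load_template(text: str) -> Dict:
    """Parse JSON text; reject anything without a Resources object (invalid template)."""
    doc = json.loads(text)
    if not isinstance(doc, dict) or not isinstance(doc.get("Resources"), dict):
        raise ValueError("not a CloudFormation template: missing Resources section")
    return doc


def check_template(doc: Dict) -> List[Dict]:
    """Apply two illustrative rules (hypothetical IDs); one row per resource/rule."""
    rows = []
    for name, res in doc["Resources"].items():
        rtype = res.get("Type", "")
        props = res.get("Properties") or {}
        if rtype == "AWS::S3::Bucket":
            # Encryption at rest: CloudFormation expresses it via BucketEncryption.
            rows.append({"resource": name, "type": rtype, "rule": "S3-ENC-1",
                         "severity": "HIGH", "compliant": "BucketEncryption" in props})
        elif rtype == "AWS::CloudTrail::Trail":
            # Activity logging: the trail must actually be logging.
            rows.append({"resource": name, "type": rtype, "rule": "CT-LOG-1",
                         "severity": "MEDIUM", "compliant": props.get("IsLogging") is True})
    return rows


def summarize(rows: List[Dict]) -> Dict:
    """Counts and the overall compliance percentage, as in the summary chart."""
    ok = sum(1 for r in rows if r["compliant"])
    score = round(100 * ok / len(rows)) if rows else 100
    return {"compliant": ok, "non_compliant": len(rows) - ok, "score": score}
```

Each row from `check_template` carries the same fields the scanner's results table shows (resource name and type, rule ID, severity, compliant or not).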

How to view FortifyFox Template Scanner results?

Once the scan is complete, results are displayed on the Template Scanner page, in both graphical and tabular formats.

The charts provide a visual summary of the compliance statistics. These include:

  1. The number of compliant and non-compliant results, as well as the overall compliance percentage score.
  2. A breakdown of non-compliances arranged by severity, as specified by your selected compliance standard.

The table provides scan results against each relevant control in your selected compliance standard. Each row can be expanded to display full details. These include:

  1. Scanned resource name and type
  2. Scanned control / rule ID, brief description and severity
  3. Scan result, i.e., whether the resource configuration is compliant or non-compliant with the control

The column display width can be adjusted by dragging the bottom right corner of each field header.

Results can be sorted in ascending or descending order by clicking the carets next to each field header.

You can also filter results by entering your desired search string in the text box just above the table.

Can scan results be exported?

The “Export” button just above the scan results table allows you to save the data in CSV format. Note this function exports full scan results without filtering.

What is Scanner History?

Scanner History provides a record of all scan results to date. It can be accessed by clicking “Scanner History” on the left navigation menu.

To display the full scan result history, simply click the “Query” button. Results are displayed underneath in graphical and tabular formats, just like the Template Scanner.

You can easily narrow down your results by adding search criteria in one or more of the following fields:

  1. Date Range – select from dropdown
  2. Description of Control – enter free text
  3. Scan Result – select from dropdown
  4. Cloud Provider – select from dropdown
  5. Compliance Standard – select from dropdown
  6. Resource Type – select from dropdown
  7. Compliance Severity – select from dropdown

Then click the “Query” button to display results.

The “Export” button allows you to save the query results in CSV format.

In addition to scan result history, users can get an overview of their recent scan activities. To do so, click “Home” on the left navigation menu. A graph displays the number of scans performed over the last 7 days. Users can adjust the period to last 14 or 30 days using the dropdown menu on the top right corner of the graph.

Please note FortifyFox does not store any of the templates you scan. As such, users will not be able to obtain copies of their past templates from FortifyFox.

How do I update my account details?

On the left navigation menu, click “Account”. Here you can update the following details:

  1. First Name
  2. Last Name
  3. Company
  4. Phone Number

Click the “Submit” button to apply the changes.

If you signed up for a FortifyFox account (rather than signing in with Google SSO), you can also update your password here.

Users who log in via Google SSO can manage their password settings in Google.