Today we are introducing Shisho Cloud, a SaaS solution that supports the entire process of improving your infrastructure-as-code security with intelligent autofixes of security issues.
Securing Infrastructure is Too Hard for Developers
It is 2021. More developers are now involved in security roles. More teams now believe that security must be practiced by every member. They are open to security technology, and they want to build a good relationship with security teams.
On the other hand, most security tools are not developer-friendly, much less developer-first. One of the most severe issues is that they report security issues but don't help developers fix them. In my career as a security engineer, I've heard this kind of frustration from many dev teams so far. Just reporting is not enough, at least for non-security pros.
This situation is especially true in the area of cloud security. As cloud workloads evolve rapidly and become more complex, the security considerations for them multiply and become more complicated as well. However, most security products for them just report issues, as always. Only a few developers can understand the reports, and even fewer can act on them. In short, keeping a cloud infrastructure secure is too hard for developers.
Introducing Shisho Cloud
We built Shisho Cloud to help developers secure their infrastructure-as-code (IaC). It supports you in the entire process of improving your IaC security; it detects issues, suggests reasonable ways to fix them, and lets you take actual actions.
Detect Security Issues in Your Code
To start automatic reviews of your code by Shisho, all you need to do is link your GitHub repository. Shisho Cloud now has 100+ policies that can detect issues in your Terraform code using the AWS provider and the Google Cloud Platform provider.
Fix Them with Just a Click
Each detected issue has one or more suggestions to fix it. All you need to do to resolve it is click. This feature gives you a fantastic experience of fixing issues without googling hard to understand the problem.
By clicking the Create Pull Request button, you can create a pull request for your GitHub repository.
Enough Said -- Let's Get Started!
Shisho Cloud is now in beta, and full features are open to the world for free. Let's get started from here! Even if you don't have any Terraform code, you can try it with our vulnerable-by-design Terraform repository (flatt-security/tfgoat-aws).
With Shisho, you'll have:
- An awesome experience of detecting and fixing issues: As mentioned above, Shisho Cloud supports the entire process of IaC security, from detecting issues in your code to creating pull requests that fix them. The auto-fix feature is one of the significant differences from similar tools such as checkov and tfsec.
- Quick deployment of continuous security reviews: Since Shisho is a SaaS solution, you can use Shisho in minutes without a complicated setup.
In our journey towards building a great developer experience, we're expanding the support of cloud providers and IaC technologies such as CloudFormation, Pulumi, and so on. In particular, we're going to support the Azure provider of Terraform soon.