ubx scan runs a static security analysis of .xcl files using built-in rules. No OPA, no external tools required. It checks for common security misconfigurations before deployment.
Usage
Flags
| Flag | Description |
|---|---|
--severity <level> | Minimum severity to report: LOW, MEDIUM, HIGH, CRITICAL |
--fix | Auto-fix issues in place (rewrites .xcl source) |
Examples
Output
Auto-fix
--fix rewrites .xcl source in place for fixable issues. Not all issues are auto-fixable — advisory issues require manual review.
After --fix, run:
Disabling scan
Disable scan inworkspace.xcl:
scan.enabled = false, ubx scan prints a notice and exits 0.
Built-in rules
ubx scan checks for common issues including:- S3 buckets with public access
- Security groups with open ingress/egress (0.0.0.0/0)
- RDS instances without deletion protection
- Unencrypted storage volumes
- IAM policies with overly broad permissions (
*:*) - Load balancers without HTTPS listeners
- Missing resource tags
Exit codes
| Code | Meaning |
|---|---|
0 | No issues at or above severity threshold |
1 | One or more issues found at or above severity threshold |

