Skip to main content
ubx scan runs a static security analysis of .xcl files using built-in rules. No OPA, no external tools required. It checks for common security misconfigurations before deployment.

Usage

ubx scan [path] [flags]

Flags

FlagDescription
--severity <level>Minimum severity to report: LOW, MEDIUM, HIGH, CRITICAL
--fixAuto-fix issues in place (rewrites .xcl source)

Examples

ubx scan                          # scan all .xcl in current directory
ubx scan ./networking             # scan a specific directory
ubx scan --severity HIGH          # show only HIGH and CRITICAL
ubx scan --fix                    # auto-fix fixable issues

Output

  MEDIUM  networking/stack.xcl:12  S3 bucket has public read access
  HIGH    networking/stack.xcl:24  Security group allows 0.0.0.0/0 on port 22
  LOW     platform/stack.xcl:8     RDS deletion protection is disabled

  3 issues found: 0 CRITICAL, 1 HIGH, 1 MEDIUM, 1 LOW

Auto-fix

--fix rewrites .xcl source in place for fixable issues. Not all issues are auto-fixable — advisory issues require manual review. After --fix, run:
ubx validate   # ensure fixes are valid
ubx fmt        # reformat the fixed files

Disabling scan

Disable scan in workspace.xcl:
workspace {
  scan {
    enabled = false
  }
}
With scan.enabled = false, ubx scan prints a notice and exits 0.

Built-in rules

ubx scan checks for common issues including:
  • S3 buckets with public access
  • Security groups with open ingress/egress (0.0.0.0/0)
  • RDS instances without deletion protection
  • Unencrypted storage volumes
  • IAM policies with overly broad permissions (*:*)
  • Load balancers without HTTPS listeners
  • Missing resource tags

Exit codes

CodeMeaning
0No issues at or above severity threshold
1One or more issues found at or above severity threshold