ubx scan time without cloud credentials, without Checkov, without a separate security scanner. Each rule checks a specific pattern in your .iac resource attributes — the same attributes you already declared for provisioning. This tutorial shows a stack deliberately written to pass all 8 rules, with inline comments explaining what each rule checks and why the attribute values shown satisfy it. Use it as a reference when your own ubx scan surfaces violations.
What you’ll learn
- The 8 built-in security rules and what each checks
- How to write
.iacresources that satisfy each rule - How
ubx scandiffers fromubx validate— and when to run each
Why this matters
ubx scan runs at validate time — no cloud credentials, no network, no apply. Every security rule violation is caught before CI even gets to plan. A stack that doesn’t pass ubx scan is a stack with known security misconfigurations, not a hypothetical risk.The source code
The 8 built-in security rules
| Rule ID | Resource | What it checks | Failing condition |
|---|---|---|---|
S3_PUBLIC_BUCKET | aws_s3_bucket_v2 | ACL is not public | acl = "public-read" or "public-read-write" |
S3_VERSIONING_DISABLED | aws_s3_bucket_v2 | Versioning is enabled | versioning.enabled != true |
RDS_ENCRYPTION_DISABLED | aws_rds_instance | Storage is encrypted | storage_encrypted != true |
RDS_BACKUP_RETENTION | aws_rds_instance | Backup retention ≥ 7 days | backup_retention_period < 7 |
RDS_PUBLICLY_ACCESSIBLE | aws_rds_instance | Not publicly accessible | publicly_accessible = true |
IAM_WILDCARD_ACTION | aws_iam_policy | No wildcard * action | Action = "*" in policy JSON |
SG_OPEN_INGRESS | aws_ec2_security_group | No open SSH/RDP ingress | Port 22 or 3389 open to 0.0.0.0/0 |
EKS_PUBLIC_ENDPOINT | aws_eks_cluster | Private endpoint enabled | endpoint_public_access = true AND endpoint_private_access = false |
How it works
ubx scan evaluates rules against resolved attribute values
Each rule is evaluated against the
.iac attribute map — the same values used for type-checking. Rules check literal values only; Pending<T> attributes (resource outputs) are excluded from scan evaluation since their values aren’t known at compile time.Severity filtering controls which violations are shown
severity = "high" in the scan { } config means only high-severity rules are checked. The 8 built-in rules are all high severity. Lower-severity rules (informational, best-practice) are checked when severity = "medium" or "low".Common mistakes
Run it
What you learned
ubx ships with 8 built-in security rules covering S3, RDS, IAM, security groups, and EKS
ubx scan runs at validate time — no cloud credentials, no network access requiredA clean scan outputs
✓ scan OK — zero violations means zero known misconfigurationsNext steps
Shared apply history
Track every apply across your team with ubx history
policy as code
Write custom security rules beyond the 8 built-ins
Full runnable example: github.com/ubiquex/ubx-examples/50-security-scan-clean-project

