Validate your IaC code


I have found many tools designed to scan IaC code, but today I want to share Checkov with you.

What is Checkov?

Checkov is an open-source infrastructure-as-code (IaC) security tool developed by Bridgecrew. It helps developers and security professionals identify misconfigurations and security issues in their cloud infrastructure by scanning Terraform, CloudFormation, Kubernetes manifests, ARM templates, and more.

In this blog, we will explore how to install, configure, and use Checkov to perform various types of scans on your IaC files.

Installing Checkov

Using pip (Python Package Installer)

The easiest way to install Checkov is through pip, the Python package manager.

pip install checkov

You can verify the installation by running:

checkov --version

Other Installation Methods

  • Homebrew (macOS):

      brew install checkov

  • Docker:

      docker pull bridgecrew/checkov

Configuring Checkov

Checkov can be customized through configuration files or environment variables. You can create a configuration file named .checkov.yml to set default scanning parameters.

Sample .checkov.yml Configuration File

skip_checks:
  - CKV_AWS_1
  - CKV_GCP_2
soft_fail: true
quiet: false

Explanation of Configuration Options:

  • skip_checks: This parameter lets you skip specific checks during a scan. Each skipped check is identified by its unique ID. For example, CKV_AWS_1 might be a check for insecure S3 bucket policies, and CKV_GCP_2 a check for an insecure Google Cloud configuration; confirm what an ID actually checks (the check name is printed in the scan output) before adding it to this list. Skipping checks is useful when certain checks are not relevant to your environment or when you want to temporarily ignore known issues, but each entry should be reviewed periodically so that the skip list does not silently become permanent.

  • soft_fail: When set to true, Checkov exits with code 0 even if failed checks are found, so it does not cause your CI/CD pipeline to fail. It still reports the findings; it just does not block the pipeline. This is useful for gradually introducing Checkov into an existing workflow without disrupting deployments.

  • quiet: When set to false, Checkov displays its full output, including passed checks. When set to true, it displays only the failed checks. This is useful in automated scripts where you want to reduce noise in the logs.

Environment Variables

You can also configure Checkov using environment variables:

export CHECKOV_SKIP_CHECKS=CKV_AWS_1,CKV_AWS_2
export CHECKOV_SOFT_FAIL=true

Command-Line Options

Checkov also allows you to pass configuration options directly through the command line. For example:

checkov -d . --skip-check CKV_AWS_1 --soft-fail

Scanning Options in Checkov

Checkov offers various scanning options to help you tailor the scan according to your needs.

Scanning a Directory

To scan an entire directory:

checkov -d /path/to/your/code

Scanning a Specific File

To scan a specific file:

checkov -f /path/to/your/file.tf

Skipping Specific Checks

You can skip specific checks by using the --skip-check option:

checkov -d . --skip-check CKV_AWS_1,CKV_GCP_2

Running a Soft-Fail Scan

The --soft-fail option allows Checkov to report issues without failing the CI/CD pipeline:

checkov -d . --soft-fail

Using the Output Formats

Checkov supports several output formats besides its default human-readable cli output, including JSON, JUnit XML, and SARIF, which are what CI systems and dashboards usually consume:

checkov -d . --output json
checkov -d . --output junitxml
checkov -d . --output sarif
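The JSON output is the natural input for a pipeline gate that applies the same skip_checks and soft_fail semantics described above. The following is an added example, not part of the original post or of Checkov itself: it reads a Checkov JSON report, drops findings whose check ID is in the skip list, and returns the exit code soft_fail would. The report is a constructed sample in the shape of Checkov's JSON output; the check names in it are placeholders.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the JSON that `checkov -d . --output json`
# emits for a single framework; the findings themselves are made up for this
# demo and do not come from a real scan.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [], "skipped_checks": [], "parsing_errors": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_1", "check_name": "constructed IAM check",
             "check_result": {"result": "FAILED"}, "file_path": "/iam.tf",
             "file_line_range": [1, 12], "resource": "aws_iam_policy.admin"},
            {"check_id": "CKV_GCP_2", "check_name": "constructed firewall check",
             "check_result": {"result": "FAILED"}, "file_path": "/net.tf",
             "file_line_range": [3, 20], "resource": "google_compute_firewall.ssh"},
            {"check_id": "CKV_AWS_18", "check_name": "constructed S3 check",
             "check_result": {"result": "FAILED"}, "file_path": "/s3.tf",
             "file_line_range": [1, 8], "resource": "aws_s3_bucket.logs"},
        ],
    },
})


def failed_checks(report_json):
    """Flatten failed findings; Checkov emits a JSON list when several
    frameworks were scanned, and a single object otherwise."""
    data = json.loads(report_json)
    reports = data if isinstance(data, list) else [data]
    return [f for r in reports for f in r["results"]["failed_checks"]]


def gate(report_json, skip_checks=(), soft_fail=False):
    """Apply .checkov.yml's skip_checks / soft_fail semantics to a report.

    Returns (exit_code, remaining); remaining maps file_path to a list of
    (check_id, resource, (start, end)) for findings not skipped, and
    exit_code is 1 only when findings remain and soft_fail is False."""
    skipped = set(skip_checks)
    remaining = defaultdict(list)
    for finding in failed_checks(report_json):
        if finding["check_id"] in skipped:
            continue
        remaining[finding["file_path"]].append(
            (finding["check_id"], finding["resource"],
             tuple(finding["file_line_range"])))
    exit_code = 0 if soft_fail or not remaining else 1
    return exit_code, dict(remaining)
```

In a pipeline you would pipe `checkov -d . --output json` into this gate and exit with the returned code, keeping the per-file findings for the job log.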

Using Checkov with Docker

If you prefer to run Checkov in a containerized environment, you can use the Docker image:

docker run --rm -v $(pwd):/app bridgecrew/checkov -d /app

Scanning GitHub Repositories

Checkov can directly scan public and private GitHub repositories:

checkov -d https://github.com/username/repository

Integrating Checkov in CI/CD Pipelines

Checkov can be integrated into various CI/CD platforms to automate security checks. Here are some popular integrations:

  • GitHub Actions:

      ---
      name: Checkov
      on:
        push:
          branches:
            - master
      jobs:
        build:
          runs-on: ubuntu-latest
          steps:
            - uses: actions/checkout@v2
            - name: Set up Python 3.8
              uses: actions/setup-python@v4
              with:
                python-version: 3.8
            - name: Test with Checkov
              id: checkov
              uses: bridgecrewio/checkov-action@master
              with:
                directory: example/examplea
                framework: terraform

  • GitLab CI/CD:

      checkov_scan:
        stage: test
        image:
          name: bridgecrew/checkov
          # the image's entrypoint is checkov itself; reset it so the GitLab
          # runner can start a shell and run the script lines below
          entrypoint:
            - '/usr/bin/env'
            - 'PATH=/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin'
        script:
          - checkov -d .

  • Azure pipeline:

      trigger:
      - main

      pool:
        vmImage: 'ubuntu-latest'

      steps:
      - task: UsePythonVersion@0
        inputs:
          versionSpec: '3.x'

      - script: |
          pip install checkov
          checkov -d . --soft-fail
        displayName: 'Run Checkov Scan'

Conclusion

Checkov is a powerful tool for securing your infrastructure-as-code by identifying misconfigurations and potential vulnerabilities before they reach production. By following this guide, you can easily set up Checkov, customize its configuration, and leverage its scanning capabilities to enhance your cloud security posture.

Make sure to integrate Checkov into your CI/CD pipeline for continuous security checks and stay proactive in preventing misconfigurations.