Checkov as a configuration testing tool
As an aspiring DevOps engineer, I understand the importance and flexibility of writing your infrastructure configuration as code; however, while building CI/CD pipelines, I always asked myself whether there was any way to test my Terraform configuration beyond running `terraform validate`.
Recently, I worked on a project where I had to set up a production-level server with my friend Adefemi, and he introduced me to Checkov, an open-source tool that scans your infrastructure configuration (Terraform, CloudFormation, Kubernetes, etc.) for misconfigurations and also suggests a fix for each issue it identifies.
Should you introduce Checkov into your build process?
Yes.
Checkov mitigates security risks by analyzing infrastructure as code (IaC) for security vulnerabilities, such as misconfigurations and compliance violations, and provides automated tests and repair recommendations.
By identifying misconfigurations and potential problems early in the development cycle, Checkov can save time and minimize the cost of fixing problems later in the development cycle.
Checkov can be incorporated into your CI/CD pipeline or run from pre-commit hooks to automate scanning, allowing developers to find errors without relying on human code reviews.
How to use Checkov
There are various ways of running the Checkov tool against your configurations.
Checkov in GitHub Actions
```yaml
# ....... (workflow name and triggers elided in the original)
jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      # The repository has to be checked out first, or there are no .tf files to scan.
      - uses: actions/checkout@v4
      - name: Test with Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          framework: terraform
          directory: .
```
Checkov on the command line
You can run Checkov on a directory, module, or single file with the following commands respectively:
```shell
$ checkov -d /path/to/directory
$ checkov -m /path/to/module
$ checkov -f /path/to/file
```
Checkov in action
Let's run Checkov against a Terraform configuration to create a private S3 bucket.
```hcl
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.b.id
  acl    = "private"
}
```
Running `checkov -f /filename` (here the file is `test.tf`) gives:
```text
Passed checks: 4, Failed checks: 3, Skipped checks: 0
Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)"
PASSED for resource: aws_s3_bucket.b
....................
Check: CKV2_AWS_43: "Ensure S3 Bucket does not allow access to all Authenticated users"
PASSED for resource: aws_s3_bucket_acl.example
....................
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
PASSED for resource: aws_s3_bucket.b
............................
Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access."
PASSED for resource: aws_s3_bucket.b
.........................
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
FAILED for resource: aws_s3_bucket.b
File: /test.tf:1-8
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "my-tf-test-bucket"
3 |
4 | tags = {
5 | Name = "My bucket"
6 | Environment = "Dev"
7 | }
8 | }
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
FAILED for resource: aws_s3_bucket.b
File: /test.tf:1-8
Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "my-tf-test-bucket"
3 |
4 | tags = {
5 | Name = "My bucket"
6 | Environment = "Dev"
7 | }
8 | }
Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
FAILED for resource: aws_s3_bucket.b
File: /test.tf:1-8
Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled
1 | resource "aws_s3_bucket" "b" {
2 | bucket = "my-tf-test-bucket"
3 |
4 | tags = {
5 | Name = "My bucket"
6 | Environment = "Dev"
7 | }
8 | }
```
With this output, we see that Checkov does not just flag each failed check; it names the resource, the file and line range, and links to a remediation guide. Personally, after viewing Checkov's suggestion, I head over to Terraform's official documentation to read up on how to implement the suggested fix.
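As an added example that is not part of the original post, here is one way to remediate the three checks that failed above (CKV_AWS_21 versioning, CKV2_AWS_61 lifecycle configuration, CKV_AWS_144 cross-region replication) for the same `aws_s3_bucket.b`, using the split S3 resources of the current Terraform AWS provider. The assumptions are mine, not the post's: AWS provider 4.x or later, a second region reached through a provider alias named `replica`, and the replica bucket name and IAM role name, which are placeholders. The `aws_s3_bucket_acl` resource from the post is unchanged and omitted here.

```hcl
# Added example, not from the original post. Assumed: AWS provider >= 4.x,
# a second region via the "replica" provider alias, placeholder bucket/role names.
provider "aws" {
  alias  = "replica"
  region = "us-west-2" # assumed replica region
}

# Source bucket from the post, unchanged.
resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"
  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

# CKV_AWS_21: enable versioning. Replication below also requires it.
resource "aws_s3_bucket_versioning" "b" {
  bucket = aws_s3_bucket.b.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: a lifecycle configuration. Once versioning is on, old object
# versions accumulate, so expire noncurrent versions after 90 days.
resource "aws_s3_bucket_lifecycle_configuration" "b" {
  bucket = aws_s3_bucket.b.id
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {} # applies to every object in the bucket
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

# CKV_AWS_144: cross-region replication. The destination bucket must be
# versioned as well, and lives in the second region.
resource "aws_s3_bucket" "replica" {
  provider = aws.replica
  bucket   = "my-tf-test-bucket-replica" # placeholder name
}

resource "aws_s3_bucket_versioning" "replica" {
  provider = aws.replica
  bucket   = aws_s3_bucket.replica.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Role that S3 assumes to replicate, scoped to exactly these two buckets.
data "aws_iam_policy_document" "replication_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "replication" {
  name               = "s3-replication-my-tf-test-bucket" # placeholder name
  assume_role_policy = data.aws_iam_policy_document.replication_assume.json
}

data "aws_iam_policy_document" "replication" {
  statement {
    actions   = ["s3:GetReplicationConfiguration", "s3:ListBucket"]
    resources = [aws_s3_bucket.b.arn]
  }
  statement {
    actions   = ["s3:GetObjectVersionForReplication", "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"]
    resources = ["${aws_s3_bucket.b.arn}/*"]
  }
  statement {
    actions   = ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"]
    resources = ["${aws_s3_bucket.replica.arn}/*"]
  }
}

resource "aws_iam_role_policy" "replication" {
  role   = aws_iam_role.replication.id
  policy = data.aws_iam_policy_document.replication.json
}

resource "aws_s3_bucket_replication_configuration" "b" {
  # Source versioning must be in place before S3 accepts this configuration.
  depends_on = [aws_s3_bucket_versioning.b]
  role       = aws_iam_role.replication.arn
  bucket     = aws_s3_bucket.b.id
  rule {
    id     = "replicate-all-objects"
    status = "Enabled"
    destination {
      bucket        = aws_s3_bucket.replica.arn
      storage_class = "STANDARD"
    }
  }
}
```

Re-running `checkov -f` on this file is the check that the three findings are gone; the replication role deliberately grants only the read actions on the source and the replicate actions on the destination, so a compromise of that role cannot be used to read the replica or delete source data. Replication adds cost and a second copy of the data, so treat CKV_AWS_144 as a finding to evaluate for the bucket's actual durability requirement rather than one to silence reflexively.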
Checkov provides a lot of flexibility and can be customized to fit your specific needs.
Cheers to building more secure infrastructure 🎉