This episode might be quite surprising, at least for those of us who know IaC and did quality and security scans of IaC templates.
Well, yes, Checkov is a quality scanner, but from some time already it is more than that! Let's see on the frameworks which can be scanned by Checkov:
--framework {bitbucket_pipelines,circleci_pipelines,argo_workflows,arm,azure_pipelines,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} [{bitbucket_pipelines,circleci_pipelines,argo_workflows,arm,azure_pipelines,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} ...]
Quite a number, don't you think?
But... What about SBOMs? Can Checkov generate SBOM?
No. Well, not really.
But the report generated by Checkov can be exported in CDX format, what means, it can be consumed in the process!
Let's take a look. I install Checkov and download random repos from GitHub:
- Terraform
- CloudFormation
- Dockerfile
- Serverless
- Kubernetes
- Helm
$ pip install checkov
So, installation is not that hard, isn't it? ;P
$ git clone https://github.com/dwmkerr/terraform-consul-cluster.git
$ git clone https://github.com/splunk/splunk-aws-cloudformation.git
$ git clone https://github.com/webdevops/Dockerfile.git
$ git clone https://github.com/softprops/serverless-aws-rust-http.git
$ git clone https://github.com/kubernetes/examples.git
$ git clone https://github.com/prometheus-community/helm-charts.git
Ok. I'll generate a report for each repo with CycloneDX output. Also, I will not specify the framework, so it is a huge possibility, that some of these repos contain not only the "main" framework, but others as well. Will see.
checkov -d terraform-consul-cluster/ -o cyclonedx > tf.xml
For some reason, Checkov didn't save the report to the specified file, but created a folder. But it is not an issue, I used simple redirection and didn't spent time on it :)
Report is not very readable for human, but it doesn't matter, it should be (and it is) readable for machine. Checkov uses the newest version for CycloneDX - 1.4.
Let's take a look on details. In the "standard report" I found this issue:
Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
FAILED for resource: module.consul-cluster.aws_vpc.consul-cluster
File: /modules/consul/01-vpc.tf:2-10
Guide: https://docs.bridgecrew.io/docs/networking_4
2 | resource "aws_vpc" "consul-cluster" {
3 | cidr_block = "${var.vpc_cidr}" // i.e. 10.0.0.0 to 10.0.255.255
4 | enable_dns_hostnames = true
5 |
6 | tags {
7 | Name = "Consul Cluster VPC"
8 | Project = "consul-cluster"
9 | }
10 | }
What we have in generated SBOM?
<vulnerability bom-ref="070be6ca-0732-4cf3-b0c7-a423fc0f45be">
<id>CKV2_AWS_12</id>
<source>
<name>checkov</name>
</source>
<ratings>
<rating>
<severity>unknown</severity>
</rating>
</ratings>
<description>Resource: module.consul-cluster.aws_vpc.consul-cluster. Ensure the default security group of every VPC restricts all traffic</description>
<advisories>
<advisory>
<url>https://docs.bridgecrew.io/docs/networking_4</url>
</advisory>
</advisories>
<affects>
<target>
<ref>pkg:terraform/cli_repo/terraform-consul-cluster/modules/consul/01-vpc.tf/module.consul-cluster.aws_vpc.consul-cluster@sha1:26077595ad94ad61098ccc203af70aaf518a847b</ref>
</target>
</affects>
</vulnerability>
Looks quite nice.
I generated SBOM reports from all repos I cloned. And I am really satisfied with results. Well done Bridgecrew!:)
Summary
I really like Checkov, and I say if for a few years now. It is more and more complex tool, even in the version available for free. I am really happy to see the SBOM option, as it becomes very important part of the process.
The great news is that SBOMs can cover also infrastructure as Code. Imagine, you buy a car. And you receive report where you see that every single component in this car passed verification and validation. Every single one, except the wheels. What can go wrong? These wheels here - it is IaC.
Why I said no on the beginning, when I asked myself if Checkov is a SBOM tool? Well, the point is that SBOM should contain all dependencies. Checkov's focus is on templates. Don't get me wrong, that is OK, there are other tools which should take care about code's dependencies. I said that to emphasize, Checkov cannot be only tool used in SBOM generation process.
So, to be correct, Checkov is not SCA tool but can generate SBOM report for its part.
Top comments (0)