DEV Community

Paweł Piwosz

SBOM with Checkov

This episode might be quite surprising, at least for those of us who know IaC and have done quality and security scans of IaC templates.

Well, yes, Checkov is a quality scanner, but for some time now it has been more than that! Let's look at the frameworks Checkov can scan:

--framework {bitbucket_pipelines,circleci_pipelines,argo_workflows,arm,azure_pipelines,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} [{bitbucket_pipelines,circleci_pipelines,argo_workflows,arm,azure_pipelines,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} ...]

Quite a number, don't you think?

But... What about SBOMs? Can Checkov generate SBOM?

No. Well, not really.

But the report generated by Checkov can be exported in CDX (CycloneDX) format, which means it can be consumed in the process!

Let's take a look. I install Checkov and download some random repos from GitHub:

  • Terraform
  • CloudFormation
  • Dockerfile
  • Serverless
  • Kubernetes
  • Helm

$ pip install checkov

So, installation is not that hard, is it? ;P

$ git clone https://github.com/dwmkerr/terraform-consul-cluster.git
$ git clone https://github.com/splunk/splunk-aws-cloudformation.git
$ git clone https://github.com/webdevops/Dockerfile.git
$ git clone https://github.com/softprops/serverless-aws-rust-http.git
$ git clone https://github.com/kubernetes/examples.git
$ git clone https://github.com/prometheus-community/helm-charts.git

OK. I'll generate a report for each repo with CycloneDX output. Also, I will not specify the framework, so there is a high chance that some of these repos contain not only the "main" framework but others as well. We will see.

checkov -d terraform-consul-cluster/ -o cyclonedx > tf.xml

For some reason, Checkov didn't save the report to the specified file but created a folder instead. That is not an issue, though: I used a simple redirection and didn't spend time on it :)

The report is not very readable for a human, but that doesn't matter; it should be (and it is) readable by a machine. Checkov uses the newest CycloneDX version, 1.4.

Let's look at the details. In the "standard report" I found this issue:

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
        FAILED for resource: module.consul-cluster.aws_vpc.consul-cluster
        File: /modules/consul/01-vpc.tf:2-10
        Guide: https://docs.bridgecrew.io/docs/networking_4

                2  | resource "aws_vpc" "consul-cluster" {
                3  |   cidr_block           = "${var.vpc_cidr}" // i.e. 10.0.0.0 to 10.0.255.255
                4  |   enable_dns_hostnames = true
                5  |
                6  |   tags {
                7  |     Name    = "Consul Cluster VPC"
                8  |     Project = "consul-cluster"
                9  |   }
                10 | }

What do we have in the generated SBOM?

<vulnerability bom-ref="070be6ca-0732-4cf3-b0c7-a423fc0f45be">
    <id>CKV2_AWS_12</id>
    <source>
        <name>checkov</name>
    </source>
    <ratings>
        <rating>
            <severity>unknown</severity>
        </rating>
    </ratings>
    <description>Resource: module.consul-cluster.aws_vpc.consul-cluster. Ensure the default security group of every VPC restricts all traffic</description>
    <advisories>
        <advisory>
            <url>https://docs.bridgecrew.io/docs/networking_4</url>
        </advisory>
    </advisories>
    <affects>
        <target>
            <ref>pkg:terraform/cli_repo/terraform-consul-cluster/modules/consul/01-vpc.tf/module.consul-cluster.aws_vpc.consul-cluster@sha1:26077595ad94ad61098ccc203af70aaf518a847b</ref>
        </target>
    </affects>
</vulnerability>

Looks quite nice.
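As an added example (not from the post and not Checkov's own code), here is a small Python consumer for the CycloneDX 1.4 output shown above: it pulls each Checkov finding out of the BOM, derives the IaC framework from the purl type, and turns the list into a simple pipeline gate. The BOM wrapper around the post's `<vulnerability>` entry is constructed here, and the `xmlns` declaration is assumed to be the one CycloneDX 1.4 uses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal CycloneDX 1.4 BOM wrapping the Checkov
# <vulnerability> entry from the post (xmlns assumed as CycloneDX 1.4 declares it).
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <vulnerabilities>
    <vulnerability bom-ref="070be6ca-0732-4cf3-b0c7-a423fc0f45be">
      <id>CKV2_AWS_12</id>
      <source><name>checkov</name></source>
      <ratings><rating><severity>unknown</severity></rating></ratings>
      <description>Resource: module.consul-cluster.aws_vpc.consul-cluster. Ensure the default security group of every VPC restricts all traffic</description>
      <advisories><advisory><url>https://docs.bridgecrew.io/docs/networking_4</url></advisory></advisories>
      <affects><target><ref>pkg:terraform/cli_repo/terraform-consul-cluster/modules/consul/01-vpc.tf/module.consul-cluster.aws_vpc.consul-cluster@sha1:26077595ad94ad61098ccc203af70aaf518a847b</ref></target></affects>
    </vulnerability>
  </vulnerabilities>
</bom>"""

def _text(elem, path):
    """Text of the descendant at 'a/b/c', matching any (or no) XML namespace."""
    node = elem.find('/'.join('{*}' + p for p in path.split('/')))
    return None if node is None else (node.text or '').strip()

def parse_checkov_bom(xml_text):
    """Return one dict per <vulnerability> entry Checkov wrote into the BOM."""
    findings = []
    for vuln in ET.fromstring(xml_text).findall('.//{*}vulnerability'):
        purl = _text(vuln, 'affects/target/ref') or ''
        # The purl type (pkg:<type>/...) names the IaC framework the finding belongs to.
        framework = purl[4:].split('/', 1)[0] if purl.startswith('pkg:') else 'unknown'
        findings.append({
            'id': _text(vuln, 'id'),
            'source': _text(vuln, 'source/name'),
            'severity': (_text(vuln, 'ratings/rating/severity') or 'unknown').lower(),
            'description': _text(vuln, 'description'),
            'guide': _text(vuln, 'advisories/advisory/url'),
            'framework': framework,
            'purl': purl,
        })
    return findings

def blocking_findings(findings, block_on=('critical', 'high', 'unknown')):
    """IDs that should fail a pipeline gate. Checkov rated the finding above
    'unknown', so a gate blocking only on high/critical would pass it silently;
    'unknown' is therefore in the default block list."""
    return [f['id'] for f in findings if f['severity'] in block_on]
```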

I generated SBOM reports from all the repos I cloned, and I am really satisfied with the results. Well done, Bridgecrew! :)

Summary

I really like Checkov, and I have been saying so for a few years now. It is becoming a more and more comprehensive tool, even in the version available for free. I am really happy to see the SBOM option, as SBOMs are becoming a very important part of the process.

The great news is that SBOMs can also cover Infrastructure as Code. Imagine you buy a car, and you receive a report showing that every single component in this car passed verification and validation. Every single one, except the wheels. What can go wrong? Those wheels are IaC.

Why did I say no at the beginning, when I asked myself whether Checkov is an SBOM tool? Well, the point is that an SBOM should contain all dependencies, and Checkov's focus is on templates. Don't get me wrong, that is fine; there are other tools that should take care of the code's dependencies. I said it to emphasize that Checkov cannot be the only tool used in the SBOM generation process.

So, to be precise, Checkov is not an SCA tool, but it can generate an SBOM report for its part.


Cover image by Suzy from Pixabay
