Exploring the Use of 'Checkov' for Infrastructure as Code (with examples)
Checkov is a static code analysis tool specifically designed for Infrastructure as Code (IaC). It is popular among developers and DevOps teams because it helps ensure that IaC scripts, such as those used with Terraform, CloudFormation, ARM, and more, are secure, compliant, and devoid of common vulnerabilities. Additionally, Checkov acts as a software composition analysis tool for images and open-source packages. By scanning code before deployment, Checkov provides peace of mind that your infrastructure meets best practice guidelines and security requirements.
Use Case 1: Scanning a Directory Containing IaC
Code:
checkov --directory path/to/directory
Motivation: In a development or production environment, infrastructure as code is often written and stored in multiple files within a directory. Each file defines different components and configurations required for deployment. Scanning the entire directory using Checkov helps identify misconfigurations, security issues, or policy violations across all files in the directory. This holistic approach ensures you don’t miss critical errors that could otherwise lead to security breaches or non-compliance.
Explanation:
checkov: This is the command invoking Checkov, the tool responsible for scanning code for vulnerabilities and compliance.
--directory: This argument specifies that the target to be scanned is a directory. It tells Checkov to include all files within the given directory in its analysis, looking for any IaC misconfigurations.
path/to/directory: This should be replaced by the actual path to your directory containing the IaC files. It is the location where Checkov will conduct its scan.
Example Output:
Passed checks: 150, Failed checks: 20, Skipped checks: 5
Detected issues in the following files:
- main.tf: 3 issues found
- variables.tf: 1 issue found
- network.yml: 2 issues found
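As an added example (not code from this page or from the Checkov project), the script below parses the JSON that Checkov writes when the directory scan from Use Case 1 is run with `-o json`, reproduces the per-file issue count shown in the example output, and gates a CI job on the result. The JSON shape and field names are assumed from Checkov's JSON reporter, and the sample report is constructed from this page's example findings rather than taken from a real scan.

```python
import json
from collections import Counter

# Constructed sample in the shape Checkov prints for `checkov --directory <dir> -o json`:
# a single object per framework, or (as here) a list when several frameworks were found.
# Findings and file names are borrowed from this page's example output, not from a real scan.
SAMPLE_JSON = """[
 {"check_type": "terraform",
  "results": {
   "passed_checks": [{"check_id": "CKV_AWS_1", "check_result": {"result": "PASSED"},
                      "file_path": "/variables.tf", "resource": "aws_iam_policy.ro"}],
   "failed_checks": [
    {"check_id": "CKV_AWS_20", "check_name": "Missing security group for resource",
     "check_result": {"result": "FAILED"}, "file_path": "/main.tf", "resource": "aws_instance.my_instance"},
    {"check_id": "CKV_AWS_45", "check_name": "S3 bucket allows public access",
     "check_result": {"result": "FAILED"}, "file_path": "/main.tf", "resource": "aws_s3_bucket.my_bucket"}],
   "skipped_checks": [], "parsing_errors": ["/broken.tf"]},
  "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 1, "resource_count": 3}},
 {"check_type": "cloudformation",
  "results": {
   "passed_checks": [],
   "failed_checks": [
    {"check_id": "CKV_AWS_13", "check_name": "IAM role has wildcard permissions",
     "check_result": {"result": "FAILED"}, "file_path": "/network.yml", "resource": "AWS::IAM::Role.AdminRole"}],
   "skipped_checks": [], "parsing_errors": []},
  "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 0, "resource_count": 1}}
]"""

def load_reports(raw: str) -> list:
    """Normalise Checkov's JSON to a list of per-framework reports (it prints a bare
    object when only one framework was scanned, a list when several were)."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]

def failed_checks_per_file(raw: str) -> dict:
    """Count FAILED checks per file, the per-file summary shown in Use Case 1."""
    counts = Counter()
    for report in load_reports(raw):
        for check in report["results"]["failed_checks"]:
            counts[check["file_path"].lstrip("/")] += 1
    return dict(counts)

def scan_passes_gate(raw: str, max_failed: int = 0) -> bool:
    """CI gate: block on more than max_failed findings and on any parsing error,
    since a file Checkov could not parse was never actually checked."""
    reports = load_reports(raw)
    failed = sum(r["summary"]["failed"] for r in reports)
    unparsed = sum(len(r["results"]["parsing_errors"]) for r in reports)
    return failed <= max_failed and unparsed == 0
```

In a pipeline, feed the saved JSON report into `scan_passes_gate` and exit non-zero when it returns False; raising `max_failed` above zero should be a deliberate, temporary decision while existing findings are remediated.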
Use Case 2: Scanning an IaC File, Omitting Code Blocks in the Output
Code:
checkov --compact --file path/to/file
Motivation: When evaluating a specific IaC file, especially one containing complex configurations, it can be challenging to sift through the verbose output that includes full code blocks. By omitting code blocks, you can focus on the summary of issues identified, allowing for quicker assessment and remediation. This use case is particularly beneficial when dealing with large files or when you are already familiar with the configurations.
Explanation:
checkov: This is the command to initiate the Checkov tool, which will analyze the specified IaC file.
--compact: The use of this argument tells Checkov to produce a more concise output, omitting detailed code blocks. Instead, it presents summary information which helps in quickly identifying the types of issues present.
--file: This argument indicates that a single file, rather than a directory, will be scanned. It specifies the target of the scanning process.
path/to/file: Replace this with the actual filepath of the specific IaC file you wish to examine.
Example Output:
Passed checks: 10, Failed checks: 3
1. CKV_AWS_20: Missing security group for resource 'my_instance'
2. CKV_AWS_45: S3 bucket 'my_bucket' allows public access
3. CKV_AWS_13: IAM role 'admin-role' has wildcard permissions
Use Case 3: Listing All Checks for All IaC Types
Code:
checkov --list
Motivation: Before initiating a scan, it’s crucial to understand the kinds of checks that Checkov performs. Listing all checks gives you an overview of the standards and policies Checkov verifies, such as best practices in security, compliance, and operational efficiency. Knowing these checks helps in setting expectations and preparing remediation strategies for potential issues ahead of time.
Explanation:
checkov: This is the core command to access Checkov’s capabilities.
--list: The argument directs Checkov to list all the checks it can perform across various IaC types. This includes checks specific to platforms like AWS, Azure, GCP, and others.
Example Output:
1. CKV_AWS_1: Ensures IAM policies are attached only to groups or roles
2. CKV_AWS_2: Checks for public Access Control List in S3 buckets
3. CKV_AZURE_1: Makes sure Azure Function App uses HTTPS Only
...
Conclusion
Checkov is a robust tool for teams using Infrastructure as Code, offering advanced static code analysis capabilities that catch vulnerabilities and compliance issues early in the development cycle. By scanning directories and files, or listing available checks, users can ensure their infrastructure is secure, compliant, and optimally configured. As evidenced by the use cases, Checkov’s functionality aids in maintaining high standards across diverse IaC environments.