As organizations move more of their operations to the cloud, the need for secure and compliant infrastructure becomes increasingly important. With the rapid pace of cloud adoption, it’s crucial to have a tool that can help you ensure that your cloud infrastructure is configured securely and in compliance with best practices. So in today’s blog, we will be talking about a solution for all these problems which is Checkov.
What is Checkov?
Checkov is a tool that helps developers and operations teams ensure that their infrastructure is secure and compliant with best practices. It does this by automatically scanning infrastructure as code (IaC) and runtime environments for issues that could potentially lead to security vulnerabilities or compliance failures. Checkov works by scanning code written in various IaC languages (such as Terraform, CloudFormation, and ARM templates) and looking for patterns that could indicate security or compliance risks. It can also be integrated into a continuous integration/continuous deployment (CI/CD) pipeline, allowing it to scan code automatically as it is being developed and deployed.
Why Checkov?
Checkov is a powerful open-source tool that offers a number of benefits when it comes to securing your infrastructure as code (IAC). Some of the reasons why you should choose Checkov include:-
- Automated security checks: Checkov can automatically scan your IAC files for potential security issues and provide detailed descriptions of the problems and suggested remedies. This makes it much easier to identify and mitigate security risks in your IAC files.
- Compliance: Checkov can help you achieve compliance with security standards such as the CIS AWS Foundations Benchmark and the Center for Internet Security (CIS) Kubernetes Benchmark. This can be especially important if your organization needs to comply with regulatory requirements or industry standards.
- Integration with popular CI/CD tools: Checkov can be integrated with popular CI/CD tools like Jenkins, CircleCI, and TravisCI for automated security checks. This can help ensure that any security issues are caught and fixed before they can become a problem.
- Support for popular IAC frameworks: Checkov supports popular IAC frameworks such as Terraform, CloudFormation, and Kubernetes, which makes it versatile to use in different environments.
- Report Generation: Ability to generate reports and output in various formats, including JSON and HTML.
Getting Started with Checkov
To use Checkov, you’ll first need to install it on your local machine. The installation process is straightforward and can be done using pip you just need to pass this command “pip3 install checkov” and the best thing is that the only dependency of checkov is python. Once Checkov is installed, you can run it on your IAC files by navigating to the directory where your IAC files are located and it will start scanning your code.
Important Flags in Checkov:-
- -f:- By using this flag you are telling checkov that checkov should only scan the file of code you are providing and skip all the other files.
- -d:- Suppose you have multiple files of code for your infrastructure then it would be difficult and time-consuming tasks to scan these files one by one using checkov and that’s where the -d flags come into the picture by using -d flag you can scan all the code files in the directory with just one command.
Checks performed by Checkov
Checkov comes with a set of built-in checks that cover a wide range of AWS resources and configurations. These checks are grouped into categories such as security, networking, and compliance.
Here is a list of some commonly used checks that Checkov performs on AWS resources:-
- Ensure all security groups have rules defined
- Ensure all IAM policies have a description
- Ensure all IAM users have MFA enabled
- Ensure all S3 buckets have versioning enabled
- Ensure all EC2 instances have protection against accidental termination
- Ensure all EBS volumes are encrypted
- Ensure all AMIs are encrypted
- Ensure all RDS instances are encrypted
- Ensure all IAM policies have a password policy
Full Checklist that checkov follow(click here)
Checkov Commands
- Checkov -f /path/of/your/file
- Checkov -d /path/of/directory/having/code/files
- checkov –output=json(you can select any output type like json, Html) -d /path/of your terraform code
And you will get output something like this:-
In the Above Image, you can see checkov through an error that the code is having vulnerabilities and the best part is that it also provides you the link to resources available which can help you in solving this error and make your code complaint.
Skipping Test in Checkov
Yes, Checkov provides you the flexibility to skip tests if you want to so in this part we will see how to do so you can see in the image that checkov through an error “VPC logging flow is not enabled in all VPCs” and it’s not a recommended practice according to checkov, But suppose I don’t want to enable logging so what should I do now, So for skipping the test I need to do some changes in this main.tf and For skipping the test we need to add this:-
#checkov:skip=<check_id>:<suppression_comment> in our main.tf, as you see below CKV2_AWS_11, is our test number you can easily find that in the error message and then your custom message and your test is skipped it’s that simple.
CI integration of Checkov
Checkov can be integrated with popular CI/CD tools like Jenkins, CircleCI, and TravisCI for automated security checks. This can help ensure that any security issues are caught and fixed before they can become a problem. You can simply add checkov as a stage in CI In my case I am using Jenkins as a CI tool and I have created a separate stage in my CI for Checkov you can see the console output below:-
Conclusion
Overall, Checkov is a valuable tool for any organization that is looking to improve the security of their IAC files. It can help you identify and mitigate security risks, achieve compliance with security standards, and integrate security checks into your CI/CD pipeline.
Blog Pundits: Mehul Sharma and Sandeep Rawat
Opstree is an End to End DevOps solution provider.
Connect with Us