Checkov Security Scan
3 minute read
Checkov is an open-source static analysis tool for infrastructure-as-code (IaC). It scans infrastructure definitions written as Terraform, CloudFormation, Kubernetes manifests, Serverless Framework or ARM templates (plus Helm, Kustomize, Dockerfiles and Bicep, among others) and reports security and compliance misconfigurations before anything is deployed.
Written on Windows 11
Getting started
To install checkov on a Windows system you can run:
python -m pip install checkov
Check your install worked and that you have the latest release:
checkov --version
To perform a basic scan against a specific file
checkov --file ./main.tf
Scan Terraform plan results
Checkov can also scan a Terraform plan, which gives a more complete result because the plan describes an actual deployment: variables, locals and module inputs are resolved, so a check sees the real value rather than a var.x reference it cannot evaluate from the raw HCL. To do this you need a Terraform root module with its input variables set (defaults, a tfvars file or the command line) and terraform init already run, so that terraform plan can at least simulate the deployment. The file written by terraform plan -out is binary; convert it to JSON with terraform show -json, which is the format Checkov reads. Piping the JSON through jq is optional and only pretty-prints it onto multiple lines so the file is easier to read and diff.
Treat the plan file and its JSON as sensitive: they contain the resolved value of every input variable, secrets included, so do not commit them or leave them behind as readable CI artifacts.
Install JQ
choco install jq
Create the plan and scan it
Run this from the Terraform folder that contains a configured deployment. Checkov identifies the JSON as a plan; pass --framework terraform_plan if you want to force that and skip the other frameworks.
terraform init
terraform plan -out tf.plan
terraform show -json tf.plan | jq '.' > tf.json
checkov -f tf.json
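To make concrete what a plan-based scan sees that a scan of the raw .tf files does not, here is an added example (my code, not Checkov's and not from this page) that reads the JSON written by terraform show -json and applies a small S3 ACL check to it. The plan document is constructed inline; the check, its name and the redaction helper are hypothetical stand-ins for Checkov's own policies. It also handles the two edge cases a practitioner hits with plan scans: attributes that are only known at apply time (reported under after_unknown), and the input variable values the plan JSON embeds.

```python
"""Added example: what a Terraform plan-JSON scan sees (not Checkov code)."""
import json

# Constructed plan JSON standing in for `terraform show -json tf.plan` output.
# The ACL of aws_s3_bucket.logs comes from a variable, so a scan of the raw .tf
# would only see `var.bucket_acl`; the plan carries the resolved value.
# aws_s3_bucket.dynamic gets its ACL from a value unknown until apply, which
# Terraform reports under `after_unknown` instead of `after`.
PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "variables": {
        "bucket_acl": {"value": "public-read"},
        "db_password": {"value": "hunter2"},   # constructed secret
    },
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-logs", "acl": "public-read"},
                    "after_unknown": {"arn": True, "id": True}}},
        {"address": "aws_s3_bucket.private", "type": "aws_s3_bucket", "name": "private",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-private", "acl": "private"},
                    "after_unknown": {"arn": True, "id": True}}},
        {"address": "aws_s3_bucket.dynamic", "type": "aws_s3_bucket", "name": "dynamic",
         "change": {"actions": ["create"],
                    "after": {"bucket": "example-dynamic"},
                    "after_unknown": {"acl": True, "arn": True, "id": True}}},
        {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket", "name": "legacy",
         "change": {"actions": ["delete"],
                    "before": {"bucket": "example-legacy", "acl": "public-read"},
                    "after": None, "after_unknown": {}}},
    ],
})

PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def load_plan(text):
    """Parse plan JSON text (the file written by `terraform show -json`)."""
    return json.loads(text)


def planned_resources(plan):
    """Yield (address, type, after, after_unknown) for every resource that will
    exist after apply. Pure deletions have `after: null` and are skipped."""
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change.get("after") is None:
            continue
        yield rc["address"], rc["type"], change["after"], change.get("after_unknown") or {}


def check_public_bucket_acl(plan):
    """Hypothetical check in the spirit of a Checkov resource check: fail every
    aws_s3_bucket whose resolved ACL grants public or all-authenticated access.
    Returns the failing resource addresses."""
    failed = []
    for address, rtype, after, unknown in planned_resources(plan):
        if rtype != "aws_s3_bucket" or unknown.get("acl"):
            continue  # out of scope, or undecidable until apply (see below)
        if after.get("acl") in PUBLIC_ACLS:
            failed.append(address)
    return failed


def undecidable(plan, resource_type, attribute):
    """Addresses whose `attribute` is only known at apply time. A plan scan must
    surface these separately instead of silently passing them."""
    return [addr for addr, rtype, _, unknown in planned_resources(plan)
            if rtype == resource_type and unknown.get(attribute)]


def redact_variables(plan):
    """Plan JSON embeds every input variable value, secrets included, so strip
    them before the file is kept as a CI artifact or committed. Returns a copy;
    the checks above only read resource_changes, so nothing is lost."""
    scrubbed = dict(plan)
    scrubbed["variables"] = {name: {"value": "<redacted>"}
                             for name in plan.get("variables", {})}
    return scrubbed


if __name__ == "__main__":
    plan = load_plan(PLAN_JSON)
    print("FAILED public ACL:", check_public_bucket_acl(plan))
    print("UNKNOWN until apply:", undecidable(plan, "aws_s3_bucket", "acl"))
    print("variables after redaction:", redact_variables(plan)["variables"])
```

Note the design choice in check_public_bucket_acl: a value under after_unknown is neither passed nor failed, because the plan genuinely does not know it yet. Reporting those addresses separately is what stops a clean plan scan from being read as a clean deployment.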
Create a config file to store checkov parameter values
This creates a config file holding every parameter value you want Checkov to use. It is useful for running Checkov in a CI pipeline such as GitHub Actions, because you can see at a glance what Checkov is configured to do from one file instead of digging through the workflow YAML, and the file can be versioned, reviewed and shared like any other code.
Create the configuration file
To create the configuration file, run Checkov with the parameters you want and add --create-config with the output path:
checkov --directory ./ --output cli --output-file-path './checkov-security-scan/' --framework terraform --create-config './checkov-security-scan/checkov-config-tf-module'
To use the configuration file you simply call it
checkov --config-file ./checkov-security-scan/checkov-config-tf-module
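For reference, this is the shape of the file the command above produces: an added example written to mirror those flags, not output copied from the page. Checkov's config file is YAML whose keys are the long option names without the leading dashes, and options that accept several values are YAML lists. The skipped check and the comments are my additions to show how the file is typically extended by hand after generation.

```yaml
# checkov-security-scan/checkov-config-tf-module (added example; mirrors the
# flags passed to --create-config above)
directory:
  - ./
framework:
  - terraform
output:
  - cli
output-file-path: ./checkov-security-scan/

# Hand-added after generation. Keep the CLI output short in CI and record
# every accepted finding here, with the reason, so skips are reviewable.
compact: true
quiet: true
skip-check:
  - CKV_AWS_18   # example: S3 access logging handled at the account level
```

In a GitHub Actions step the whole invocation then collapses to pip install checkov followed by checkov --config-file ./checkov-security-scan/checkov-config-tf-module; a failed check gives a non-zero exit code and fails the job unless soft-fail is set in the same file.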
Infrastructure as Code (IaC) Scanning: Checkov focuses on IaC, which means it can scan configuration files before they are applied to the actual infrastructure. This proactive approach helps in catching security issues during the development phase.
Built-in Policies: Checkov comes with a large set of built-in policies that cover common security best practices for various cloud providers like AWS, Azure, and Google Cloud.
Custom Policies: Besides the built-in policies you can write your own, either as Python check classes or as YAML policy files, and load them from a directory with --external-checks-dir. The built-in policies live in the Checkov codebase itself, so to pick up new or updated ones you update your Checkov installation.
Graph-based Scanning: Checkov can build a graph of the resources defined in Terraform files and use this graph to evaluate more complex policies that involve multiple resources.
Integration: Checkov can be integrated into CI/CD pipelines, ensuring that infrastructure changes are scanned for security issues before they are applied.
Reports: After scanning, Checkov reports each failed check with its ID, the resource and file (with line range) it applies to and a link to remediation guidance, in formats including CLI, JSON, JUnit XML and SARIF for CI integration. Filtering or classifying by severity needs a Prisma Cloud API key, because severities come from the platform rather than from the open-source check metadata.
Open Source: Checkov is open source (Apache 2.0) and maintained by Bridgecrew, a cloud security company that is now part of Palo Alto Networks (Prisma Cloud). The community around Checkov is active, and the tool is regularly updated with new features and policies.
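To show what the YAML custom-policy option above looks like in practice, here is an added example of my own (not a policy shipped with Checkov): a single policy that fails any aws_db_instance whose storage is unencrypted or that is publicly reachable, using the attribute condition type from Checkov's YAML policy format. The policy ID, name and directory path are my choices.

```yaml
# policies/rds_hardening.yaml (added example). Load with:
#   checkov -d . --external-checks-dir ./policies
metadata:
  id: "CKV2_CUSTOM_1"          # pick an ID that cannot collide with built-ins
  name: "Ensure RDS instances are encrypted at rest and not publicly accessible"
  category: "ENCRYPTION"
scope:
  provider: "aws"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_db_instance"
      attribute: "storage_encrypted"
      operator: "equals"
      value: "true"
    - cond_type: "attribute"
      resource_types:
        - "aws_db_instance"
      attribute: "publicly_accessible"
      operator: "not_equals"
      value: "true"
```

Because the definition is evaluated over the resource graph, the same policy applies whether the values are literal in the .tf file or resolved from variables in a plan scan; an instance that omits storage_encrypted entirely fails the first condition, which is the behaviour you want for an opt-in security attribute.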