Note: Infrastructure Scanning with Checkov

Overview

Checkov (https://www.checkov.io/) is a tool for scanning IaC resources defined in Terraform, CloudFormation, ARM, etc. It generates a report listing vulnerabilities and possible misconfigurations from a security standpoint.

The output from a Checkov run shows each vulnerability and a link to its remediation. This is similar to the posture-scanning tools available in Azure, AWS and GCP. However, Checkov scans the code, not the deployed resources, so it is useful in the test/validation stage before code is pushed to production. If you want to scan the actual resources, use one of the tools provided by the cloud provider.

Setup

To run the example, clone the repo at https://github.com/kwanlowe/checkov-test.git.


git clone https://github.com/kwanlowe/checkov-test.git

Change to the checkov-test directory and run the setup:

make setup

This will install checkov and terraform.


Running Scan

To run the scan, pass the directory containing your IaC code to checkov with the -d flag.

checkov -d tf/gcp

The scan shows the failures and links to explanations and remediations.
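The human-readable report is fine for a developer at a terminal, but in a pipeline you usually want the findings as data so the build can be gated on them. Checkov can emit the same report as JSON with -o json. The script below is an added example (not part of the checkov-test repo or of Checkov itself) that parses such a report, prints each failed check with its file, line range and remediation link, and returns a CI-style exit code. It assumes the JSON layout Checkov produces: one object per scanned framework (a bare object when only one framework was found) with a "results" block holding "failed_checks" and a "summary" block with counters. The embedded sample report is constructed; its resource names, paths, line ranges and guideline URLs are made up for illustration.

```python
"""Summarise a Checkov JSON report (checkov -d <dir> -o json) for a CI gate.

Added example, not code from the checkov-test repo or from Checkov.
Assumes Checkov's JSON layout: one dict per framework (a bare dict when a
single framework was scanned) with "results" -> "failed_checks" and a
"summary" block of counters.
"""
import json
import sys
from typing import Any

# Constructed sample, shaped like `checkov -d tf/gcp -o json` output.
# Resource names, paths, line ranges and guideline URLs are made up.
SAMPLE_REPORT = """
{
  "check_type": "terraform",
  "results": {
    "passed_checks": [
      {"check_id": "CKV_GCP_62", "check_name": "Bucket should log access",
       "resource": "google_storage_bucket.logs", "file_path": "/tf/gcp/main.tf",
       "file_line_range": [1, 10], "guideline": "https://docs.example.invalid/CKV_GCP_62"}
    ],
    "failed_checks": [
      {"check_id": "CKV_GCP_29",
       "check_name": "Ensure that Cloud Storage buckets have uniform bucket-level access enabled",
       "resource": "google_storage_bucket.data", "file_path": "/tf/gcp/main.tf",
       "file_line_range": [12, 20], "guideline": "https://docs.example.invalid/CKV_GCP_29"},
      {"check_id": "CKV_GCP_78",
       "check_name": "Ensure Cloud storage has versioning enabled",
       "resource": "google_storage_bucket.data", "file_path": "/tf/gcp/main.tf",
       "file_line_range": [12, 20], "guideline": "https://docs.example.invalid/CKV_GCP_78"}
    ],
    "skipped_checks": [],
    "parsing_errors": []
  },
  "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0,
              "resource_count": 2, "checkov_version": "0.0.0-example"}
}
"""


def load_report(text: str) -> list[dict[str, Any]]:
    """Parse Checkov JSON; always return a list with one entry per framework."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_checks(reports: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Flatten failed checks across frameworks, tagging each with its framework."""
    found = []
    for rep in reports:
        for chk in rep.get("results", {}).get("failed_checks", []):
            found.append({**chk, "check_type": rep.get("check_type", "unknown")})
    return found


def totals(reports: list[dict[str, Any]]) -> dict[str, int]:
    """Add up the per-framework summary counters."""
    keys = ("passed", "failed", "skipped", "parsing_errors")
    agg = {k: 0 for k in keys}
    for rep in reports:
        summary = rep.get("summary", {})
        for k in keys:
            agg[k] += int(summary.get(k, 0))
    return agg


def format_finding(chk: dict[str, Any]) -> str:
    """One finding: check id, resource, file:lines, name and remediation link."""
    start, end = chk.get("file_line_range", [0, 0])
    return (f"{chk['check_id']:<12} {chk['resource']}  "
            f"{chk['file_path']}:{start}-{end}\n"
            f"    {chk['check_name']}\n"
            f"    remediation: {chk.get('guideline', 'n/a')}")


def gate_exit_code(reports: list[dict[str, Any]], max_failed: int = 0) -> int:
    """0 when failures are within budget and every file parsed, else 1.

    A parsing error means part of the code was never scanned, so it is
    treated as a failure rather than silently passing the gate.
    """
    t = totals(reports)
    if t["parsing_errors"] > 0:
        return 1
    return 0 if t["failed"] <= max_failed else 1


def main(argv: list[str]) -> int:
    # With no argument, summarise the constructed sample instead of a file.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_REPORT
    reports = load_report(text)
    for chk in failed_checks(reports):
        print(format_finding(chk))
    print("summary:", totals(reports))
    return gate_exit_code(reports)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline this would run as `checkov -d tf/gcp -o json > report.json; python summarize.py report.json`, with the non-zero exit code failing the job; max_failed lets you ratchet an existing code base down gradually instead of blocking every merge on day one.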

TODO: Integration with Bridgecrew visualization via API key.