Note: Infrastructure Scanning with Checkov
Overview
Checkov (https://www.checkov.io/) is a tool for scanning IaC resources defined in Terraform, CloudFormation, ARM, etc. It generates a report listing vulnerabilities and possible misconfigurations from a security standpoint.
The output from a Checkov run shows each vulnerability and a link to remediation guidance. This is similar to other tools available in Azure, AWS and GCP. However, Checkov scans the code, not the deployed resources. This is useful in the test/validation stage, before code is pushed to production. If you want to scan the actual resources, use one of the tools provided by the cloud provider.
Setup
To run the example, clone the repo at https://github.com/kwanlowe/checkov-test.git.
git clone https://github.com/kwanlowe/checkov-test.git
Change to the checkov-test directory and run the setup:
make setup
This will install checkov and terraform.
Running Scan
To run the scan, pass the directory containing your IaC code to checkov.
checkov -d tf/gcp
The scan shows the failures and links to explanations and remediations.
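Since the note's point is running Checkov before code reaches production, the natural next step is to consume its output in a CI stage and block the merge when findings remain. The following added example (not part of the original note or the checkov-test repository) does that: it parses a report produced with `checkov -d tf/gcp -o json`, lists each failed check with its location and guideline link, and returns a non-zero exit code unless every failure has a reviewed risk acceptance. The report embedded below is constructed for the example; its field names (results.failed_checks, check_id, resource, file_path, file_line_range, guideline) are assumed to follow Checkov's JSON output, and the check IDs, resources, paths and URLs are placeholders rather than real Checkov checks.

```python
import json
from dataclasses import dataclass
from typing import Iterable

# Constructed sample report. Field names are assumed to match Checkov's
# `-o json` output; check IDs, resources, paths and guideline URLs are
# placeholders, not real checks.
SAMPLE_REPORT_OBJ = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_GCP_PLACEHOLDER_1",
             "check_name": "Placeholder: bucket uses uniform access control",
             "check_result": {"result": "PASSED"},
             "resource": "google_storage_bucket.logs",
             "file_path": "/tf/gcp/main.tf",
             "file_line_range": [1, 12],
             "guideline": "https://docs.example.invalid/placeholder-1"},
        ],
        "failed_checks": [
            {"check_id": "CKV_GCP_PLACEHOLDER_2",
             "check_name": "Placeholder: bucket must not be publicly readable",
             "check_result": {"result": "FAILED"},
             "resource": "google_storage_bucket.public_assets",
             "file_path": "/tf/gcp/main.tf",
             "file_line_range": [14, 25],
             "guideline": "https://docs.example.invalid/placeholder-2"},
            {"check_id": "CKV_GCP_PLACEHOLDER_3",
             "check_name": "Placeholder: instance must not use the default service account",
             "check_result": {"result": "FAILED"},
             "resource": "google_compute_instance.web",
             "file_path": "/tf/gcp/compute.tf",
             "file_line_range": [1, 30],
             "guideline": "https://docs.example.invalid/placeholder-3"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0,
                "parsing_errors": 0, "resource_count": 3},
}
SAMPLE_REPORT = json.dumps(SAMPLE_REPORT_OBJ)
# Assumption: scanning several frameworks at once yields a JSON list of reports.
SAMPLE_MULTI_REPORT = json.dumps([SAMPLE_REPORT_OBJ, SAMPLE_REPORT_OBJ])


@dataclass(frozen=True)
class Finding:
    check_id: str
    check_name: str
    resource: str
    file_path: str
    line_range: tuple
    guideline: str


def load_findings(raw_json: str) -> list:
    """Parse a Checkov JSON report into the list of FAILED findings.

    Accepts both a single report object and a list of report objects.
    """
    data = json.loads(raw_json)
    reports = data if isinstance(data, list) else [data]
    findings = []
    for report in reports:
        for check in report.get("results", {}).get("failed_checks", []):
            findings.append(Finding(
                check_id=check["check_id"],
                check_name=check.get("check_name", ""),
                resource=check.get("resource", ""),
                file_path=check.get("file_path", ""),
                line_range=tuple(check.get("file_line_range", ())),
                guideline=check.get("guideline", ""),
            ))
    return findings


def blocking_findings(findings, accepted_risks: Iterable[str] = ()) -> list:
    """Drop findings whose check_id has an explicit, reviewed risk acceptance."""
    accepted = set(accepted_risks)
    return [f for f in findings if f.check_id not in accepted]


def render(findings) -> list:
    """One line per finding: which resource, where in the code, and the guideline link."""
    lines = []
    for f in findings:
        location = f.file_path
        if len(f.line_range) == 2:
            location += f":{f.line_range[0]}-{f.line_range[1]}"
        lines.append(f"{f.check_id} {f.resource} ({location}) -> {f.guideline}")
    return lines


def ci_exit_code(raw_json: str, accepted_risks: Iterable[str] = ()) -> int:
    """0 when nothing blocks the merge, 1 otherwise (same convention as checkov itself)."""
    return 1 if blocking_findings(load_findings(raw_json), accepted_risks) else 0


if __name__ == "__main__":
    # In a pipeline, read the real report instead:  checkov -d tf/gcp -o json > report.json
    findings = load_findings(SAMPLE_REPORT)
    print("\n".join(render(findings)))
    raise SystemExit(ci_exit_code(SAMPLE_REPORT))
```

The accepted-risk list is deliberately a list of check IDs maintained outside the Terraform files, so a suppression is a reviewable change in the pipeline configuration rather than an inline comment that silently disappears from the report.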
TODO: Integration with Bridgecrew visualization via API key.