KubernetesScannerSecurity

Checkov – static code analysis

0

Checkov is a static code analysis tool for infrastructure-as-code.

It scans cloud infrastructure provisioned using TerraformCloudformationKubernetesServerless or ARM Templates and detects security and compliance misconfigurations.

Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.

Table of contents

Features

  • Over 400 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
  • Scans Terraform, CloudFormation and Kubernetes, Serverless framework and ARM template files.
  • Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
  • Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
  • Policies support evaluation of variables to their optional default value.
  • Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
  • Output currently available as CLI, JSON or JUnit XML and link to remediation guides.

Screenshots

Scan results in CLI

scan-screenshot

Scheduled scan result in Jenkins

jenikins-screenshot

Getting started

Installation

pip install checkov

Installation on Alpine:

pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install checkov

or using homebrew (MacOS only)

brew tap bridgecrewio/checkov https://github.com/bridgecrewio/checkov
brew update
brew install checkov

Configure an input folder

checkov -d /user/path/to/iac/code

Or a specific file

checkov -f /user/tf/example.tf

or

checkov -f /user/cloudformation/example.yml

Scan result sample (CLI)

Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name       

Start using Checkov by reading the Getting Started page.

Using Docker

docker pull bridgecrew/checkov
docker run -t -v /user/tf:/tf bridgecrew/checkov -d /tf

Running or skipping checks

Using command line flags you can specify to run only named checks (allow list) or run all checks except those listed (deny list).

List available checks:

checkov -l 

Allow only 2 checks to run:

checkov -d . --check CKV_AWS_20,CKV_AWS_57

Run all checks except 1 specified:

checkov -d . --skip-check CKV_AWS_52

For Kubernetes workloads, you can also use allow/deny namespaces. For example, do not report any results for the kube-system namespace:

checkov -d . --skip-check kube-system

Suppressing/Ignoring a check

Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, a suppression can be inserted as a simple code annotation.

Suppression comment format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it’s scope:

checkov:skip=<check_id>:<suppression_comment>

  • <check_id> is one of the available check scanners
  • <suppression_comment> is an optional suppression reason to be included in the output

Example

The following comment skip the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks if an AWS S3 bucket is private. In the example, the bucket is configured with a public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
    #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

The output would now contain a SKIPPED check result entry:

...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25
	
...

To suppress checks in Kubernetes manifests, annotations are used with the following format: checkov.io/skip#: <check_id>=<suppression_comment>

For example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...

Logging

For detailed logging to stdout setup the environment variable LOG_LEVEL to DEBUG.

Default is LOG_LEVEL=WARNING.

Skipping directories

To skip a whole directory, use the environment variable CKV_IGNORED_DIRECTORIES. Default is CKV_IGNORED_DIRECTORIES=node_modules,.terraform,.serverless

Download

IoT-Implant-Toolkit: A Framework For Implantation Attack Of IoT Devices

Previous article

Dmap – Domain Mapper

Next article

You may also like

Comments

Leave a reply

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

More in Kubernetes