Checkov: composition analysis for infrastructure as code (IaC)

Checkov is a static code analysis tool for infrastructure as code (IaC) and also a software composition analysis (SCA) tool for container images and open source packages. It is an easy way to perform composition analysis of any kind of cloud infrastructure. It supports AWS, Azure and GCP, including Terraform, Terraform plan, AWS CloudFormation, Kubernetes, Helm charts, Dockerfile, Bicep, OpenAPI and ARM Templates, and detects security and compliance misconfigurations using graph-based scanning.

Checkov allows scanning open source packages and Docker images for known Common Vulnerabilities and Exposures (CVEs). The tool also powers Bridgecrew, the cloud-based platform that codifies and streamlines cloud security throughout the software development lifecycle (SDLC). Bridgecrew exposes results through a cloud interface that makes it incredibly easy to share and track a project's security posture.

The tool can simply be installed using Python or run inside a Docker container. The Checkov CLI integrates easily with any command shell and with well-known SCM tools such as Jenkins, GitHub, Bitbucket and Azure DevOps:

Checkov

It is straightforward to output scan results in popular formats such as JSON, JUnit XML, CSV or SARIF, or simply to dump them to the CLI.

Simple CLI analysis with CICD Goat

To show you how to perform a simple composition analysis with the Checkov tool, I will leverage a very nice CTF project called CI/CD Goat, which contains vulnerable CI/CD pipelines written for Jenkins. To learn more about how to install and configure the Goat, please refer to my previous article.

After downloading and running it, the Docker environment should look like this:

Now, it is time to install Checkov using pip:

$ pip install checkov

The next step is to get the repository containing the vulnerable code from localhost. Make sure Gitea is up and running on port 3000:

$ git clone http://localhost:3000/dodo

and run Checkov on the current directory (-d .), dumping the result straight to the shell with --output cli (-o cli):

Scrolling down, we find a few potential misconfiguration issues in the main.tf Terraform script, concerning the configuration of AWS components:

More information about how to use the Checkov CLI can be found in the official documentation. As you can see, Checkov makes static composition analysis of any code straightforward, right in the code repository.

Checkov integration with Jenkins

Now I would like to present a simple SCM integration of the Checkov tool. I am going to use the existing vulnerable repository wonderland/white-rabbit. So, let's pull it down and edit the Jenkinsfile to support a Checkov scan. I added an installation step and a new 'Checkov' stage running the component analysis. The pull request looks like this:

Note that the output appears directly in the build log and is also written to result.xml for later analysis. After the PR is submitted, a new build is triggered in the Jenkins console within a minute:
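The article's own Jenkinsfile is only visible in the screenshot, so here is an added example (not the article's or CI/CD Goat's code) of a declarative pipeline that combines the CLI steps from the previous section (pip install, scan of the checked-out repository with -d .) with the Checkov stage described here. It assumes that pip and the installed checkov binary are on the agent's PATH, that the Jenkins JUnit plugin provides the junit step, and that Checkov's --output-file-path accepts the "console,<dir>" form to send the CLI report to the build log while writing the JUnit XML to results_junitxml.xml in the workspace (an assumption about the CLI; confirm it with checkov --help for the version you install).

```groovy
// Added example Jenkinsfile, not the article's original.
// Assumes: pip and checkov on PATH, JUnit plugin installed,
// and the "console,<dir>" form of --output-file-path (verify with checkov --help).
pipeline {
    agent any

    stages {
        stage('Install Checkov') {
            steps {
                // Same installation step as in the CLI walkthrough above.
                // Pin a version (pip install checkov==<version>) for reproducible builds.
                sh 'pip install checkov'
            }
        }

        stage('Checkov') {
            steps {
                // -d . scans the checked-out repository.
                // -o cli goes to the console (build log); -o junitxml is written to
                // ./results_junitxml.xml. Checkov exits non-zero when any check fails,
                // which fails this stage, matching the failed build in the article.
                sh 'checkov -d . -o cli -o junitxml --output-file-path console,.'
            }
            post {
                always {
                    // Publish and archive the report even when the scan failed the build,
                    // so reviewers can inspect the findings from the Jenkins UI.
                    junit allowEmptyResults: true, testResults: 'results_junitxml.xml'
                    archiveArtifacts artifacts: 'results_junitxml.xml', allowEmptyArchive: true
                }
            }
        }
    }
}
```

The failing exit code is the gate: a pull request with misconfigured Terraform or a vulnerable dependency cannot merge while the stage is red. If you only want visibility at first, add Checkov's --soft-fail flag to the scan command so the report is published without failing the build, then remove it once the existing findings are triaged.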

We can see the new stage running and failing. Let's have a look inside the log:

There are checks that did not pass against the CVE check list, so it works as expected there. Great!

Visualizing output with Bridgecrew

In addition to the various formats for seeing scan results (for example, CLI), you can also visualize Checkov results with a quick integration with a free Bridgecrew account. Read more about visualizing scan results in the Bridgecrew platform.

Bridgecrew is an awesome cloud-based GUI console; it makes it possible to dig into every potential threat found and provides in-place analysis and reporting.

Checkov is a wonderful tool that gives us the ability to conduct static vulnerability analysis of any IaC component, and provides component and dependency chain analysis against malicious external libraries. It integrates easily with many widely known SCM and code hosting platforms. The tool can be provisioned rapidly and at no significant cost using the Docker platform, and it can analyze very complex environments such as cloud infrastructure provisioning in Azure, AWS and GCP; it supports Terraform plan analysis and Kubernetes cluster scanning out of the box.

Be ethical, protect your privacy!
