Checkov

Definition

  • static code analysis tool for infrastructure as code (IaC)
  • scans files looking for misconfigurations that may lead to security (CIS benchmark) or compliance problems
  • custom user policies can be written in Python or YAML
  • supports
    • Terraform (for AWS, GCP, Azure and OCI)
    • AWS CloudFormation (including AWS SAM)
    • Azure Resource Manager (ARM)
    • Serverless framework
    • Helm charts
    • Kubernetes
    • Docker

How to install

Install

  • Python package

    pip install checkov
  • VSCode extension requires signing in to Bridgecrew

Config file

Where to find it?

  • looks for a .checkov.yaml or .checkov.yml file in the following places in order of precedence:
    • Directory against which checkov is run. (-d).
    • Current working directory where checkov is called.
    • User’s home directory.

Attention: it is best practice to load the checkov configuration file from a trusted source authored by a verified identity, so that the scanned files, the enabled check ids and the loaded custom checks are the intended ones. Keys such as skip-check, soft-fail and external-checks-dir (see the generated file below) mean a tampered config can silently disable checks, turn failures into passes or load custom check code the team never reviewed.

  • You can pass in the path to a config file via the command line. In this case, the other config files are ignored.

    checkov --config-file path/to/config.yaml

How to write it?

  • Use the --create-config command

    # create the config file from the flags given on the command line
    checkov --compact --directory test-dir --docker-image sample-image \
    --dockerfile-path Dockerfile --download-external-modules True \
    --external-checks-dir sample-dir --no-guide --quiet \
    --repo-id bridgecrew/sample-repo --skip-check CKV_DOCKER_3,CKV_DOCKER_2 \
    --skip-fixes --skip-framework dockerfile secrets --skip-suppressions \
    --soft-fail --branch develop --check CKV_DOCKER_1 \
    --create-config /Users/sample/config.yml
    # check the effective configuration checkov will use
    checkov --show-config
  • The output file will look like this:

    branch: develop
    check:
    - CKV_DOCKER_1
    compact: true
    directory:
    - test-dir
    docker-image: sample-image
    dockerfile-path: Dockerfile
    download-external-modules: true
    evaluate-variables: true
    external-checks-dir:
    - sample-dir
    external-modules-download-path: .external_modules
    framework:
    - all
    no-guide: true
    output: cli
    quiet: true
    repo-id: bridgecrew/sample-repo
    skip-check:
    - CKV_DOCKER_3
    - CKV_DOCKER_2
    skip-fixes: true
    skip-framework:
    - dockerfile
    - secrets
    skip-suppressions: true
    soft-fail: true

Quickstart CLI reference

CLI

checkov -d /myFolder

Parameter | Description
-h, --help | Help
-v, --version | Version
-d DIRECTORY, --directory DIRECTORY | IaaC root directory to scan
-f FILE, --file FILE | IaaC file to scan
--docker-image DOCKER_IMAGE | Scan docker images by name or ID. Requires Bridgecrew token
--dockerfile-path DOCKERFILE_PATH | Path to the Dockerfile of the scanned docker image
-l, --list | List checks
-ca CA_CERTIFICATE, --ca-certificate CA_CERTIFICATE | Custom CA certificate (bundle) file [env var: BC_CA_BUNDLE]
--config-file CONFIG_FILE | Path to the Checkov configuration YAML file
--download-external-modules DOWNLOAD_EXTERNAL_MODULES | Download external Terraform modules from public git repositories and the Terraform registry

Terraform

  • Terraform plan in JSON format

    terraform init
    terraform plan -out tf.plan
    terraform show -json tf.plan > tf.json
    checkov -f tf.json
  • Pretty-print the JSON plan across multiple lines, so that findings point at readable line numbers

    terraform show -json tf.plan | jq '.' > tf.json

Custom rules

Structure

  • Metadata

    • Policy Name
    • Id: format CKV2_<provider>_<number>
    • Category (GENERAL_SECURITY, LOGGING, ENCRYPTION, NETWORKING, IAM, BACKUP_AND_RECOVERY, CONVENTION, SECRETS, KUBERNETES)
  • Definition

    • Definition Block(s): Attribute Blocks, Connection State Blocks or both
      • Attribute Blocks: the policy describes resources with a certain configuration.
      • Connection State Blocks: the policy describes resources in a particular connection state.
    • Logical Operator(s) (optional)

Examples

Basic example

---
metadata:
  name: "Check that all resources are tagged with the key - env"
  id: "CKV2_AWS_1"
  category: "GENERAL_SECURITY"
scope:
  provider: aws
definition:
  cond_type: "attribute"
  resource_types: "all"
  attribute: "tags.env"
  operator: "exists"

Blocks example

---
metadata:
  name: "Check that all encrypted RDS clusters are tagged with encrypted: true"
  id: "CKV2_AWS_1"
  category: "SECRETS"
definition:
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_rds_cluster"
      attribute: "tags.encrypted"
      operator: "equals"
      value: "true"
    - or:
        - cond_type: "attribute"
          resource_types:
            - "aws_rds_cluster"
          attribute: "kms_key_id"
          operator: "exists"
        - cond_type: "attribute"
          resource_types:
            - "aws_rds_cluster"
          attribute: "storage_encrypted"
          operator: "equals"
          value: "true"
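To see how the attribute blocks and the and/or operators of the Blocks example combine, here is an added example (not Checkov's own policy engine, and not code from the original page): a small Python evaluator for just the subset of the policy grammar used above, run against constructed aws_rds_cluster and aws_s3_bucket configurations. The policy dict mirrors the YAML above; the sample resources, the placeholder kms_key_id value and the case-insensitive string comparison used for "equals" are assumptions of this example.

```python
"""Evaluator for the attribute-block subset of Checkov YAML custom policies.

Added example: this is not Checkov's own policy engine. It re-implements only
what the examples on this page use (attribute blocks with the "exists" and
"equals" operators, nested under "and"/"or"), so that the "Blocks example"
policy can be run against constructed resource configurations without
Checkov being installed.
"""
from typing import Any

# The "Blocks example" policy as the dict a YAML loader would produce
# (embedded as a literal to avoid a PyYAML dependency).
ENCRYPTED_RDS_TAGGED_POLICY: dict[str, Any] = {
    "metadata": {
        "name": "Check that all encrypted RDS clusters are tagged with encrypted: true",
        "id": "CKV2_AWS_1",
        "category": "SECRETS",
    },
    "definition": {
        "and": [
            {"cond_type": "attribute", "resource_types": ["aws_rds_cluster"],
             "attribute": "tags.encrypted", "operator": "equals", "value": "true"},
            {"or": [
                {"cond_type": "attribute", "resource_types": ["aws_rds_cluster"],
                 "attribute": "kms_key_id", "operator": "exists"},
                {"cond_type": "attribute", "resource_types": ["aws_rds_cluster"],
                 "attribute": "storage_encrypted", "operator": "equals", "value": "true"},
            ]},
        ]
    },
}

# Constructed sample resources: address -> (resource type, configuration).
# The kms_key_id value is a placeholder, not a real key ARN.
SAMPLE_RESOURCES: dict[str, tuple[str, dict]] = {
    "aws_rds_cluster.good": ("aws_rds_cluster",
                             {"storage_encrypted": True, "tags": {"encrypted": "true"}}),
    "aws_rds_cluster.untagged": ("aws_rds_cluster",
                                 {"kms_key_id": "PLACEHOLDER_KMS_KEY_ARN", "tags": {"env": "prod"}}),
    "aws_rds_cluster.tagged_but_plain": ("aws_rds_cluster",
                                         {"storage_encrypted": False, "tags": {"encrypted": "true"}}),
    "aws_s3_bucket.logs": ("aws_s3_bucket", {"bucket": "logs"}),
}


def lookup(config: dict, dotted: str) -> Any:
    """Resolve a dotted attribute path such as "tags.encrypted"; None if absent."""
    node: Any = config
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def referenced_types(definition: dict) -> set[str]:
    """Collect the resource types a definition mentions ("all" means every type)."""
    if "and" in definition or "or" in definition:
        children = definition.get("and", []) + definition.get("or", [])
        return set().union(*(referenced_types(c) for c in children))
    types = definition.get("resource_types", "all")
    return {"all"} if types == "all" else set(types)


def eval_attribute(block: dict, config: dict) -> bool:
    """Evaluate one attribute block against a resource configuration."""
    actual = lookup(config, block["attribute"])
    op = block["operator"]
    if op == "exists":
        return actual is not None
    if op == "equals":
        # Assumption of this evaluator: compare string forms case-insensitively,
        # so Terraform's boolean true matches the policy value "true".
        return actual is not None and str(actual).lower() == str(block["value"]).lower()
    raise ValueError(f"unsupported operator: {op}")


def evaluate(definition: dict, config: dict) -> bool:
    """Recursively apply the logical operators, then the attribute blocks."""
    if "and" in definition:
        return all(evaluate(d, config) for d in definition["and"])
    if "or" in definition:
        return any(evaluate(d, config) for d in definition["or"])
    if definition.get("cond_type") == "attribute":
        return eval_attribute(definition, config)
    raise ValueError("unsupported definition block")


def check_resources(policy: dict, resources: dict[str, tuple[str, dict]]) -> dict[str, str]:
    """Map each resource address to PASSED, FAILED or SKIPPED (type out of scope).

    Simplification: every block of the page's policies targets the same
    resource type, so scope is decided once per resource rather than per block.
    """
    definition = policy["definition"]
    in_scope = referenced_types(definition)
    results: dict[str, str] = {}
    for addr, (rtype, config) in resources.items():
        if "all" not in in_scope and rtype not in in_scope:
            results[addr] = "SKIPPED"
        else:
            results[addr] = "PASSED" if evaluate(definition, config) else "FAILED"
    return results


if __name__ == "__main__":
    check_id = ENCRYPTED_RDS_TAGGED_POLICY["metadata"]["id"]
    for addr, verdict in check_resources(ENCRYPTED_RDS_TAGGED_POLICY, SAMPLE_RESOURCES).items():
        print(f"{check_id} {verdict:7} {addr}")
```

Read literally, the definition requires every aws_rds_cluster to be both tagged encrypted: true and actually encrypted (by KMS key or storage_encrypted), which is why the cluster that carries the tag without encryption fails: the tag alone is a claim, and the policy checks the claim against the configuration.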

Skipping checks

CLI

# run only these two checks
checkov -d . --check CKV_AWS_20,CKV_AWS_57
# skip all checks whose id matches a pattern
checkov -d . --skip-check CKV_AWS*

Terraform

checkov:skip=<check_id>:<suppression_comment>

Example:

#checkov:skip=CKV_AWS_20:The bucket is a public static content host

Kubernetes

checkov.io/skip#: <check_id>=<suppression_comment>

Example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
  ...
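Inline suppressions are the place where a scan quietly loses coverage, so they are worth inventorying during review. The following added example (not part of Checkov, and not code from this page) parses the two suppression syntaxes shown above out of raw file text and lists the ones that carry no justification. The Terraform snippet and the Pod manifest it scans are constructed sample inputs, and picking the syntax by file extension is an assumption of the example.

```python
"""Inventory of inline Checkov suppressions, for reviewing what a codebase skips.

Added example, not part of Checkov: it parses the Terraform
"#checkov:skip=<check_id>:<comment>" comment and the Kubernetes
"checkov.io/skipN: <check_id>=<comment>" annotation out of raw file text and
reports suppressions with no justification. Sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# "#checkov:skip=CKV_AWS_20:The bucket is ..."; the ":comment" part is optional.
TF_SKIP = re.compile(r"#\s*checkov:skip=(?P<check_id>[A-Z0-9_]+)(?::(?P<comment>.*))?")
# "checkov.io/skip1: CKV_K8S_20=I don't care ..."; the "=comment" part is optional.
K8S_SKIP = re.compile(r"checkov\.io/skip\d+\s*:\s*(?P<check_id>[A-Z0-9_]+)(?:=(?P<comment>.*))?")


@dataclass(frozen=True)
class Suppression:
    source: str
    line: int
    check_id: str
    comment: str  # empty string when no justification was given


def find_suppressions(source: str, text: str) -> list[Suppression]:
    """Scan file text line by line; the syntax is chosen by file extension (assumption)."""
    pattern = K8S_SKIP if source.endswith((".yaml", ".yml")) else TF_SKIP
    found: list[Suppression] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = pattern.search(line)
        if match:
            comment = (match.group("comment") or "").strip()
            found.append(Suppression(source, lineno, match.group("check_id"), comment))
    return found


def unjustified(suppressions: list[Suppression]) -> list[Suppression]:
    """Suppressions without a comment are the ones a reviewer should question."""
    return [s for s in suppressions if not s.comment]


def audit(files: dict[str, str]) -> tuple[list[Suppression], list[Suppression]]:
    """Return (all suppressions, unjustified ones) across the given file texts."""
    found = [s for name, text in files.items() for s in find_suppressions(name, text)]
    return found, unjustified(found)


# Constructed Terraform input: one justified and one bare suppression.
SAMPLE_TF = '''\
resource "aws_s3_bucket" "site" {
  #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  #checkov:skip=CKV_AWS_57
  bucket = "example-site"
}
'''

# Constructed Kubernetes input, following the annotation example on this page.
SAMPLE_POD = '''\
apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers: []
'''


if __name__ == "__main__":
    everything, missing = audit({"main.tf": SAMPLE_TF, "pod.yaml": SAMPLE_POD})
    for s in everything:
        why = s.comment if s.comment else "(no justification)"
        print(f"{s.source}:{s.line} {s.check_id}: {why}")
    print(f"{len(missing)} of {len(everything)} suppressions have no justification")
```

Run over a repository, the unjustified list is a compact input for a review gate: the scanner still honours every suppression, but each one without a reason becomes a question for the author rather than a silent gap.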