Testing infrastructure configurations with Checkov

mbaoma

Mbaoma

Posted on March 19, 2023


Checkov as a configuration testing tool

As an aspiring DevOps engineer, I understand the importance and flexibility of writing your infrastructure configuration as code; however, while building CI/CD pipelines, I always asked myself whether there was any way to test my Terraform configuration beyond running terraform validate.

Recently, I worked on a project where I had to set up a production-level server with my friend, Adefemi, and he introduced me to Checkov, an open-source tool that scans your infrastructure configuration (Terraform, CloudFormation, Kubernetes, etc.) for misconfigurations and also offers you a solution to fix each identified vulnerability.

Should you introduce Checkov into your build process?

Yes.

Checkov mitigates security risks by analyzing infrastructure as code (IaC) for security vulnerabilities, such as misconfigurations and compliance violations, and provides automated tests and repair recommendations.

By identifying misconfigurations and potential problems early in the development cycle, Checkov saves time and minimizes the cost of fixing them later, once the infrastructure is already deployed.

Checkov may be incorporated into your CI/CD pipeline or used with pre-commit hooks to automate the scanning process, so misconfigurations are caught before a human code review.

How to use Checkov

There are various ways of running the Checkov tool against your configurations.

Checkov in GitHub Actions

.......
jobs:
  checkov:
    # The job name, runner and checkout step are added here so the workflow is
    # valid; the post showed only the Checkov step.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Test with Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          framework: terraform
          directory: .

Checkov in Terraform

  • You can run Checkov on a directory, module, or single file with the following commands respectively:
$ checkov -d /path/to/directory
$ checkov -m /path/to/module
$ checkov -f /path/to/file

Checkov in action

Let's run Checkov against a Terraform configuration to create a private S3 bucket.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.b.id
  acl    = "private"
}

Running checkov -f test.tf against this file gives:

Passed checks: 4, Failed checks: 3, Skipped checks: 0

Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)"
        PASSED for resource: aws_s3_bucket.b
....................
Check: CKV2_AWS_43: "Ensure S3 Bucket does not allow access to all Authenticated users"
 PASSED for resource: aws_s3_bucket_acl.example
....................
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
PASSED for resource: aws_s3_bucket.b
............................
Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access."
        PASSED for resource: aws_s3_bucket.b
 .........................
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
        FAILED for resource: aws_s3_bucket.b
        File: /test.tf:1-8

                1 | resource "aws_s3_bucket" "b" {
                2 |   bucket = "my-tf-test-bucket"
                3 | 
                4 |   tags = {
                5 |     Name        = "My bucket"
                6 |     Environment = "Dev"
                7 |   }
                8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
        FAILED for resource: aws_s3_bucket.b
        File: /test.tf:1-8
        Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

                1 | resource "aws_s3_bucket" "b" {
                2 |   bucket = "my-tf-test-bucket"
                3 | 
                4 |   tags = {
                5 |     Name        = "My bucket"
                6 |     Environment = "Dev"
                7 |   }
                8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
        FAILED for resource: aws_s3_bucket.b
        File: /test.tf:1-8
        Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled

                1 | resource "aws_s3_bucket" "b" {
                2 |   bucket = "my-tf-test-bucket"
                3 | 
                4 |   tags = {
                5 |     Name        = "My bucket"
                6 |     Environment = "Dev"
                7 |   }
                8 | }

With this output, we see that Checkov does more than flag a problem: each failed check names the resource and line range involved and, where available, links to a guide describing the remediation. Personally, after viewing Checkov's suggestion, I head over to Terraform's official documentation to read up on how to implement the suggested fix.

Checkov provides a lot of flexibility and can be customized to fit your specific needs.
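As an added example (not code from the post, from Checkov or from Terraform's documentation), here is the same private-bucket configuration extended so that the three failed checks above are addressed: versioning for CKV_AWS_21, a lifecycle configuration for CKV2_AWS_61, and an inline suppression for CKV_AWS_144, which is one of the customization options Checkov offers. It assumes AWS provider v4 or later, where S3 settings live in separate resources; the 90-day retention, the 7-day multipart cleanup and the skip justification are constructed values, not recommendations from the post.

```hcl
# Added example: the post's private bucket, extended to satisfy the checks that
# FAILED in the run above. Assumes AWS provider v4+ (split S3 resources).

resource "aws_s3_bucket" "b" {
  # Inline suppression for CKV_AWS_144 (cross-region replication). Checkov reads
  # this comment, counts the check as SKIPPED and records the justification.
  # Replication needs a second bucket in another region plus an IAM role, so it
  # is left out here; the reason text is a placeholder for a real risk decision.
  #checkov:skip=CKV_AWS_144:Dev bucket, replication not required (placeholder justification)
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.b.id
  acl    = "private"
}

# CKV_AWS_21: versioning keeps prior object versions, so an accidental or
# malicious overwrite or delete can be rolled back.
resource "aws_s3_bucket_versioning" "b" {
  bucket = aws_s3_bucket.b.id

  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: a lifecycle configuration bounds what versioning accumulates.
# This rule expires non-current versions after 90 days (constructed value) and
# aborts multipart uploads abandoned for 7 days (constructed value).
resource "aws_s3_bucket_lifecycle_configuration" "b" {
  # Create lifecycle rules only after versioning is in place on the bucket.
  depends_on = [aws_s3_bucket_versioning.b]
  bucket     = aws_s3_bucket.b.id

  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"

    filter {} # empty filter: the rule applies to every object in the bucket

    noncurrent_version_expiration {
      noncurrent_days = 90
    }

    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

Running checkov -f on this file moves CKV_AWS_21 and CKV2_AWS_61 into the passed count and CKV_AWS_144 into the skipped count, with the justification shown in the report. A skip is an auditable decision rather than a fix, so keep the reason text honest and specific; reviewers will see it in every scan.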

Cheers to building more secure infrastructure 🎉