Checkov — Code Review tool for Infrastructure as Code
Checkov is a static code analysis tool for infrastructure as code. It scans cloud infrastructure managed in Terraform, CloudFormation, Kubernetes, ARM templates or the Serverless Framework and detects misconfigurations.
Integration of Checkov with GitLab CI
The stage provided below fails the push/commit/merge if any vulnerability is found in the Terraform code. The report is uploaded to GitLab as an artifact and can be downloaded for assessment; the same output is also printed to the terminal.
A sample GitLab CI config file can be found at the link below:
Demo Terraform code for testing can be found at the link below:
I’d recommend an error-driven approach: the first commit/push/merge populates the list of vulnerabilities in the code, which can then be fixed as described below.
This means that when the pipeline runs, the stage fails and reports the failure.
We now have two ways to resolve this and get a successful pipeline: either fix the issues behind the error, or skip the Checkov checks as shown below.
A sample error is shown below:
Check: CKV_AWS_20: “S3 Bucket has an ACL defined which allows public READ access.”
Sample code to skip the above error is shown below. The line is a comment placed inside the Terraform resource block that triggers the check; the text after the second colon is a free-form reason for the suppression:
#checkov:skip=CKV_AWS_20:Skip Test for checking
Sample of managing Checkov in a production-grade pipeline with exceptions for known vulnerabilities:
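The following `.gitlab-ci.yml` is an added example, not the config from the original post or from the Checkov project: it shows both the basic stage described earlier (fail the pipeline on any finding, keep the report as a downloadable artifact, print results to the terminal) and the production-grade variant with explicit exceptions. It assumes the public `bridgecrew/checkov` Docker image and a Checkov version recent enough to accept several `-o` formats with `--output-file-path`; the check ID in the exception list is the one already discussed on this page.

```yaml
# Added example (not the post's own config): GitLab CI stage running Checkov
# over the Terraform code in the repository.
stages:
  - security

checkov:
  stage: security
  image:
    name: bridgecrew/checkov:latest     # assumed image tag; pin a version in production
    entrypoint: [""]                    # the image's default entrypoint is checkov itself
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH
  script:
    # Scan the repo, print the CLI report to the job log and write a JUnit
    # report that GitLab renders on the merge request.
    # --skip-check carries the approved exceptions; every entry should map to a
    # documented risk acceptance so the list is reviewable like any other code.
    - >
      checkov -d . --framework terraform
      -o cli -o junitxml --output-file-path console,checkov-report.xml
      --skip-check CKV_AWS_20
  artifacts:
    when: always                        # keep the report even when the job fails
    reports:
      junit: checkov-report.xml
    paths:
      - checkov-report.xml
  # allow_failure defaults to false, so any unskipped finding blocks the pipeline.
  # Setting --soft-fail on the checkov command would report without blocking;
  # avoid it on protected branches.
```

Inline `#checkov:skip=` comments and the `--skip-check` list are the two places exceptions can live; the CLI list is easier to review centrally, while inline comments keep the justification next to the resource. Use one of them consistently so suppressed findings do not get lost between the two.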
Checkov also supports other integrations, such as Jenkins, GitHub and more.
References: http://checkov.io