In part 1 of this series, we looked into how we can use Terratest for testing our Infrastructure as a code setup. While Terratest can be used as part of our integration testing pipeline to check if the infrastructure stack gets created as we expected it to, we can use checkov for checking if our code is following the compliance and is free from known security issues.
From their docs:
Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
It is one of the most popular tools for running static analysis in Terraform as of publishing this article. The tool has been downloaded more than a million times and has more than 2.5k stars on its Github page. It is backed by Bridgecrew which was recently acquired by Palo Alto Networks. So rest assured, this tool is going to stay in the field for a while.
They have more than 1000 inbuilt policies to perform compliance checks on AWS, Azure and Google cloud. We can check for misconfigured credentials in the code, check for security vulnerabilities like having an IAM resource opened wide or having a security group with wide-open permissions, we can get insights on the absence of encryption and a lot more is available with the code and the policies updated almost every single day.
The prerequisites for installing it are
Python ≥ 3.7
Terraform ≥ 0.12
Setting it up is pretty straightforward. Follow the steps to install Checkov on a Linux machine. Use a virtual environment for python installation if you do not have the required python version in your machine.
pip3 install checkov
On Mac, we can also install it via brew
brew install checkov
If its already installed, we can upgrade it using
pip3 install -U checkov
brew upgrade checkov
Installation is as simple as that. Once it’s installed we can run it against a single file or against directories.
For running against a directory
checkov -d <directory_containing_tf_files>
For running against a single file
checkov -f /location/test.tf
The output of the checkov scan would look like this. It would show the result of passed checks and if there are failures, it’ll show them with valid reasons
We can integrate this as part of our pre-commit hook or in our merge criteria for pull requests or as part of the CI pipeline in launching our Infrastructure using Terraform. We can also write custom checks for implementation in our setup.
There could be scenarios where we might think that it needs to skip certain checks to avoid failing the pipeline. In that case, we can add skip to that part of the compliance check.
For example, in my code for launching RDS, I got a compliance issue for not enabling Multi-AZ. This check can be skipped by adding the skip comment in the following manner.
The format for the skip comment is :
We can get the CKV code while running the check or from the GitHub docs location.
A specific check can be skipped from the command line as well.
checkov -d . — skip-check CKV_AWS_157
The output of a skipped check would look like this
We can also integrate it with our IDE. If you are using VSCode, checkov can be installed as a plugin. By adding it to the IDE, we can run tests as we are typing and fix issues in the development phase itself. However, the plugin is not up to date with the Checkov releases and we might miss a few checks if we just rely on the plugin. So, it’s recommended to use Chekov from the plugin and also from the CLI set-up.
Happy coding folks :)
Testing terraform code series: