Testing infrastructure configurations with Checkov

Writing infrastructure as code helps DevOps engineers manage their ever-changing infrastructure, but how do you make sure that code follows secure best practices?

Checkov as a configuration testing tool

As an aspiring DevOps engineer, I understand the importance and flexibility of writing your infrastructure configuration as code; however, while building CI/CD pipelines, I always asked myself if there was any other way to test my Terraform configuration aside from running terraform validate.

Recently, I worked on a project where I had to set up a production-level server with my friend, Adefemi, and he introduced me to Checkov, an open-source tool that scans your infrastructure configuration (Terraform, CloudFormation, Kubernetes, etc.) for misconfigurations and also suggests a fix for each issue it identifies.

Should you introduce Checkov into your build process?

Yes.

Checkov mitigates security risk by analyzing infrastructure as code (IaC) for security issues such as misconfigurations and compliance violations, and it provides automated checks together with remediation recommendations.

By identifying misconfigurations and potential problems early in the development cycle, Checkov can save time and minimize the cost of fixing problems later in the development cycle.

Checkov may be incorporated into your CI/CD pipeline or run from pre-commit hooks to automate the scanning process, allowing developers to catch misconfigurations without relying on manual code review.

How to use Checkov

There are various ways of running the Checkov tool against your configurations.

Checkov in Github Actions

# ... (workflow name and triggers omitted)
jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      # The repository must be checked out before Checkov can scan it
      - uses: actions/checkout@v3
      - name: Test with Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          framework: terraform
          directory: .

Checkov in Terraform

  • You can run Checkov on a directory, a module, or a single file with the following commands, respectively:

    $ checkov -d /path/to/directory
    $ checkov -m /path/to/module
    $ checkov -f /path/to/file

Checkov in action

Let's run Checkov against a Terraform configuration to create a private S3 bucket.

resource "aws_s3_bucket" "b" {
  bucket = "my-tf-test-bucket"

  tags = {
    Name        = "My bucket"
    Environment = "Dev"
  }
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.b.id
  acl    = "private"
}

Running checkov -f test.tf against that file gives:

Passed checks: 4, Failed checks: 3, Skipped checks: 0

Check: CKV_AWS_93: "Ensure S3 bucket policy does not lockout all but root user. (Prevent lockouts needing root account fixes)"
        PASSED for resource: aws_s3_bucket.b
        ....................
Check: CKV2_AWS_43: "Ensure S3 Bucket does not allow access to all Authenticated users"
        PASSED for resource: aws_s3_bucket_acl.example
        ....................
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
        PASSED for resource: aws_s3_bucket.b
        ....................
Check: CKV_AWS_57: "S3 Bucket has an ACL defined which allows public WRITE access."
        PASSED for resource: aws_s3_bucket.b
        ....................
Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
        FAILED for resource: aws_s3_bucket.b
        File: /test.tf:1-8

                1 | resource "aws_s3_bucket" "b" {
                2 |   bucket = "my-tf-test-bucket"
                3 | 
                4 |   tags = {
                5 |     Name        = "My bucket"
                6 |     Environment = "Dev"
                7 |   }
                8 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
        FAILED for resource: aws_s3_bucket.b
        File: /test.tf:1-8
        Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning

                1 | resource "aws_s3_bucket" "b" {
                2 |   bucket = "my-tf-test-bucket"
                3 | 
                4 |   tags = {
                5 |     Name        = "My bucket"
                6 |     Environment = "Dev"
                7 |   }
                8 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
        FAILED for resource: aws_s3_bucket.b
        File: /test.tf:1-8
        Guide: https://docs.bridgecrew.io/docs/ensure-that-s3-bucket-has-cross-region-replication-enabled

                1 | resource "aws_s3_bucket" "b" {
                2 |   bucket = "my-tf-test-bucket"
                3 | 
                4 |   tags = {
                5 |     Name        = "My bucket"
                6 |     Environment = "Dev"
                7 |   }
                8 | }

With this output, we see that Checkov not only reports each failed check but also links a remediation guide for it. Personally, after viewing Checkov's suggestion, I head over to Terraform's official documentation to read up on how to implement the suggested fix.
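As an added example (not part of the original post), here is how the three failed checks above can be remediated in Terraform. It extends the bucket configuration shown earlier, so aws_s3_bucket.b is the bucket declared there; the destination bucket aws_s3_bucket.replica (versioned, in a second region) and the IAM role aws_iam_role.replication are assumed to be defined elsewhere and are placeholders.

```terraform
# Added remediation example (not from the post); it extends the configuration
# above, so aws_s3_bucket.b is the bucket declared there.

# CKV_AWS_21: enable versioning (also a prerequisite for replication).
resource "aws_s3_bucket_versioning" "b" {
  bucket = aws_s3_bucket.b.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV2_AWS_61: a lifecycle rule; here noncurrent object versions expire after 90 days.
resource "aws_s3_bucket_lifecycle_configuration" "b" {
  bucket = aws_s3_bucket.b.id
  rule {
    id     = "expire-noncurrent-versions"
    status = "Enabled"
    filter {}
    noncurrent_version_expiration {
      noncurrent_days = 90
    }
  }
}

# CKV_AWS_144: replicate to a versioned bucket in a second region.
# Assumed placeholders (not on the page): aws_s3_bucket.replica, a versioned
# destination bucket, and aws_iam_role.replication, a role S3 can assume.
resource "aws_s3_bucket_replication_configuration" "b" {
  depends_on = [aws_s3_bucket_versioning.b]
  bucket     = aws_s3_bucket.b.id
  role       = aws_iam_role.replication.arn
  rule {
    id     = "replicate-all"
    status = "Enabled"
    filter {}
    delete_marker_replication {
      status = "Enabled"
    }
    destination {
      bucket = aws_s3_bucket.replica.arn
    }
  }
}
```

Re-running checkov -f on the file afterwards shows which of the three checks now pass and whether the new resources introduced any further findings.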

Checkov provides a lot of flexibility and can be customized to fit your specific needs.

Cheers to building more secure infrastructure 🎉