Are you using infrastructure-as-code (IaC) for managing your cloud resources? If so, have you considered the security and compliance risks that might arise from your IaC code?
Checkov is an open-source static code analysis tool designed for IaC security, compliance, and governance. It supports multiple IaC languages such as Terraform, CloudFormation, Kubernetes YAML, and more. Here’s what you need to know about Checkov:
What is Checkov?
Checkov is a tool that scans your IaC code for security risks, misconfigurations, and compliance violations. It provides actionable insights to developers and DevOps teams to help them ensure the security and compliance of their cloud infrastructure. Checkov has a comprehensive set of rules and supports custom rules, making it highly adaptable to different environments and use cases.
How does Checkov compare to other similar tools?
Checkov stands out for breadth: one tool and one check-ID scheme cover Terraform, CloudFormation, Kubernetes manifests, Helm charts, Kustomize, Dockerfiles, Serverless, ARM and Bicep templates. It is written in Python, so custom checks can be added in Python or, for simple attribute checks, in YAML, and it can emit CLI, JSON, JUnit XML and SARIF output, which is what makes it easy to wire into CI systems and code-scanning dashboards. Its built-in checks map to industry benchmarks such as the CIS benchmarks, and new checks ship with each release.
How do I use Checkov?
Using Checkov is straightforward. Install it with pip (pip install checkov) and run it locally on your workstation or in your CI/CD pipeline: checkov -f file scans a single file and checkov -d dir scans a directory tree. Checkov exits non-zero when any check fails, which is what makes it usable as a CI gate; --soft-fail turns that off while you are onboarding a repository, --skip-check suppresses a check by ID across the run, and a checkov:skip= comment placed next to a resource suppresses a check for that resource only. Checkov provides detailed documentation and examples to help you get started quickly. Once you run Checkov, it will analyse your IaC code and report every check it ran, passed and failed, per resource.
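The following is an added example of the CI-gate step described above, not code from Checkov or from the original article. It assumes you run checkov -d ./infra -o json and feed the JSON to this script, and it assumes a repository-tracked accept-list of (check_id, resource) pairs; the SAMPLE_RESULTS document is constructed to mirror the shape of Checkov's JSON output (one dict per framework, a list when several frameworks are scanned) and only carries the fields the script reads.

```python
"""CI gate on Checkov's JSON output (added example, not Checkov's own code).

Usage: python gate.py [directory]
With no argument the constructed SAMPLE_RESULTS below is evaluated instead
of running checkov, so the script can be exercised offline.
"""
import json
import subprocess
import sys

# Constructed sample in the shape of `checkov -o json` for one framework.
SAMPLE_RESULTS = {
    "check_type": "kubernetes",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_K8S_15", "check_name": "Image Pull Policy should be Always",
             "resource": "Deployment.default.myapp", "file_path": "/deployment.yaml",
             "file_line_range": [1, 20]},
        ],
        "failed_checks": [
            {"check_id": "CKV_K8S_21", "check_name": "The default namespace should not be used",
             "resource": "Deployment.default.myapp", "file_path": "/deployment.yaml",
             "file_line_range": [1, 20]},
            {"check_id": "CKV_K8S_21", "check_name": "The default namespace should not be used",
             "resource": "Service.default.myapp", "file_path": "/deployment.yaml",
             "file_line_range": [22, 31]},
            {"check_id": "CKV_K8S_20",
             "check_name": "Containers should not run with allowPrivilegeEscalation",
             "resource": "Deployment.default.myapp", "file_path": "/deployment.yaml",
             "file_line_range": [1, 20]},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 3, "skipped": 0, "parsing_errors": 0},
}


def reports(data):
    """Checkov emits one dict for a single framework and a list of them otherwise."""
    return data if isinstance(data, list) else [data]


def evaluate(data, accepted, blocking_ids=None):
    """Split failed checks into blocking, accepted-risk and advisory findings.

    accepted:     set of (check_id, resource) pairs recorded as accepted risk.
    blocking_ids: if given, only failures with these check IDs block the build;
                  other failures are reported as advisory (useful while onboarding).
    """
    blocking, accepted_hits, advisory = [], [], []
    for report in reports(data):
        for finding in report["results"]["failed_checks"]:
            key = (finding["check_id"], finding["resource"])
            if key in accepted:
                accepted_hits.append(finding)
            elif blocking_ids is None or finding["check_id"] in blocking_ids:
                blocking.append(finding)
            else:
                advisory.append(finding)
    return blocking, accepted_hits, advisory


def run_checkov(directory):
    """Run checkov and parse its JSON. Exit status 1 only means failed checks,
    so check=True must not be used here."""
    proc = subprocess.run(["checkov", "-d", directory, "-o", "json"],
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


def describe(finding):
    """One line per finding: id, resource, file:range, check name."""
    start, end = finding["file_line_range"]
    return (f'{finding["check_id"]} {finding["resource"]} '
            f'({finding["file_path"]}:{start}-{end}) {finding["check_name"]}')


if __name__ == "__main__":
    data = run_checkov(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESULTS
    # Hypothetical accept-list: the Service staying in `default` is accepted risk.
    accepted = {("CKV_K8S_21", "Service.default.myapp")}
    blocking, hits, advisory = evaluate(data, accepted)
    for f in blocking:
        print("BLOCK   ", describe(f))
    for f in hits:
        print("ACCEPTED", describe(f))
    for f in advisory:
        print("ADVISORY", describe(f))
    sys.exit(1 if blocking else 0)
```

The accept-list is keyed on resource as well as check ID so that accepting one known exception does not silently accept the same check on every other resource, which is the effect a blanket --skip-check has.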
Walkthrough examples with Kubernetes and Terraform
To demonstrate Checkov’s capabilities, let’s look at two examples. In the first, suppose you’re deploying a Kubernetes YAML file that creates a Deployment and a Service. Run Checkov on the file and see what it flags. On a manifest like the one below it reports what is missing rather than what is present: no namespace (so every object lands in default), no securityContext (so allowPrivilegeEscalation is left at its permissive default), no CPU or memory limits. Note that imagePullPolicy: Always is not a finding; it is the setting the CIS benchmark recommends and the one Checkov’s CKV_K8S_15 check requires, because it makes the kubelet pull (and so re-authorise against the registry) on every pod start instead of trusting whatever image is cached on the node.
- Kubernetes YAML example:
Suppose you have a Kubernetes YAML file named “deployment.yaml” that defines a Deployment and a Service:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:v1
        imagePullPolicy: Always
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  selector:
    app: myapp
  ports:
  - port: 80
    targetPort: 80
To run Checkov on this file, you can use the following command:
checkov -f deployment.yaml
Checkov will analyse the file and print the result of every check it ran against both resources. On this manifest the image tag is pinned (myapp:v1) and imagePullPolicy is Always, so the image checks pass. What fails is what the manifest leaves out: neither object sets a namespace, so both land in default, and the container has no securityContext, so allowPrivilegeEscalation stays enabled. Resource identifiers take the form Kind.namespace.name, and the File range is the object’s line span within the manifest.
Output (abbreviated; a full run also reports missing CPU/memory requests and limits, liveness and readiness probes, and several further security-context settings)
kubernetes scan results:

Check: CKV_K8S_14: "Image Tag should be fixed - not latest or blank"
	PASSED for resource: Deployment.default.myapp
	File: /deployment.yaml:1-20
Check: CKV_K8S_15: "Image Pull Policy should be Always"
	PASSED for resource: Deployment.default.myapp
	File: /deployment.yaml:1-20
Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Deployment.default.myapp
	File: /deployment.yaml:1-20
Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Service.default.myapp
	File: /deployment.yaml:22-31
Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
	FAILED for resource: Deployment.default.myapp
	File: /deployment.yaml:1-20
To clear these findings, add metadata.namespace to both objects and give the container a securityContext with allowPrivilegeEscalation: false (together with runAsNonRoot: true, which CKV_K8S_23 checks), then re-run the same command to confirm they move from FAILED to PASSED.
- Terraform example:
In the second example, let’s say you’re using Terraform to provision an AWS S3 bucket. Run Checkov on the code and see which compliance violations or misconfigurations it detects: it will flag the bucket if it is not encrypted at rest, and it will flag the bucket policy if an Allow statement grants access to any principal, which is exactly what the policy below does.
Suppose you have a Terraform file named “s3-bucket.tf” that provisions an S3 bucket:
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
  acl    = "private" # governs the ACL only, not the policy below; deprecated in AWS provider v4+ in favour of aws_s3_bucket_acl
  tags = {
    Name = "mybucket"
  }
}
resource "aws_s3_bucket_policy" "mybucket" {
  bucket = aws_s3_bucket.mybucket.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AllowGetObject"
        Effect    = "Allow"
        Principal = "*" # anonymous read of every object: the finding Checkov reports
        Action    = "s3:GetObject"
        Resource  = "${aws_s3_bucket.mybucket.arn}/*"
      },
      {
        Sid       = "DenyDeleteBucket"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:DeleteBucket"
        Resource  = aws_s3_bucket.mybucket.arn
      }
    ]
  })
}
To run Checkov on this file, you can use the following command:
checkov -f s3-bucket.tf
Checkov will analyse the file and report any issues it finds. Here the bucket declares no server-side encryption, no access logging and no versioning, and the policy grants s3:GetObject to Principal "*" with no Condition, which makes every object in the bucket readable by anyone on the internet; the Deny on s3:DeleteBucket does nothing to narrow that, and acl = "private" only restricts the ACL, not the policy.
Output (abbreviated; a full run also reports the missing public access block, the lack of KMS-based encryption and the lack of cross-region replication)
terraform scan results:

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.mybucket
	File: /s3-bucket.tf:1-7
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
	FAILED for resource: aws_s3_bucket.mybucket
	File: /s3-bucket.tf:1-7
Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.mybucket
	File: /s3-bucket.tf:1-7
Check: CKV_AWS_70: "Ensure S3 bucket does not allow an action with any Principal"
	FAILED for resource: aws_s3_bucket_policy.mybucket
	File: /s3-bucket.tf:8-29
To clear these findings on AWS provider v4 and later, attach aws_s3_bucket_server_side_encryption_configuration, aws_s3_bucket_logging, aws_s3_bucket_versioning and aws_s3_bucket_public_access_block resources to the bucket, and replace Principal = "*" in the Allow statement with the specific IAM principals that need read access (or add a Condition such as aws:SourceVpce that confines it).
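To show what the "any principal" finding is actually looking for, here is an added example, not Checkov's code and not part of the original article, that reimplements the core of such a check and runs it over the policy from s3-bucket.tf beside a corrected version. Both policy documents are constructed; the bucket ARN stands in for the Terraform interpolation, and the account ID and role name in the fixed policy are hypothetical.

```python
"""Find bucket-policy statements that grant access to anyone (added example)."""


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals(principal):
    """Flatten the Principal element to the identifiers it names.
    Both "*" and {"AWS": "*"} denote anonymous access."""
    if isinstance(principal, dict):
        out = []
        for ids in principal.values():
            out.extend(_as_list(ids))
        return out
    return _as_list(principal)


def public_statements(policy):
    """Return the statements that Allow an action to an anonymous principal
    with no Condition, the pattern that makes objects world-readable."""
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" restricts, it does not expose
        if "*" not in principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            # A condition (VPC endpoint, source IP, secure transport) narrows the
            # grant; it warrants manual review rather than an automatic finding.
            continue
        found.append({"Sid": stmt.get("Sid"),
                      "Action": _as_list(stmt["Action"]),
                      "Resource": _as_list(stmt["Resource"])})
    return found


BUCKET_ARN = "arn:aws:s3:::mybucket"  # constructed stand-in for aws_s3_bucket.mybucket.arn

# The policy from s3-bucket.tf as jsonencode() renders it.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowGetObject", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "DenyDeleteBucket", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteBucket", "Resource": BUCKET_ARN},
    ],
}

# Same intent with the read grant scoped to one role (hypothetical account and
# role name) and the Deny retained; nothing is readable by an anonymous caller.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowGetObject", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "DenyDeleteBucket", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteBucket", "Resource": BUCKET_ARN},
    ],
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        hits = public_statements(policy)
        print(f"{name}: public statements = {[h['Sid'] for h in hits]}")
```

The Deny statement is deliberately left in the fixed policy: it never counts as exposure, and the check has to distinguish Effect before it looks at the principal, otherwise every defensive Deny with Principal "*" would be reported as a leak.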
Conclusion
Checkov is an essential tool for any organisation that uses IaC for cloud resource management. It provides a comprehensive and flexible way to ensure the security and compliance of your infrastructure.
By using Checkov, you can catch security and compliance issues early in the development process and reduce the risk of data breaches and other security incidents.
Try Checkov to see how it can help you secure your cloud infrastructure. https://www.checkov.io/