Terraform security scan by checkov

October 07, 2023

Checkov is an open-source static code analysis tool that helps you identify security and compliance issues in your infrastructure-as-code (IaC) files. It supports various IaC frameworks, including Terraform, AWS CloudFormation, Kubernetes YAML files, and more. Here are some common use cases for using Checkov:

Checkov Quickstart & Documentation

Checkov support

Checkov supports scanning the following configuration formats:

  • Terraform
  • Kustomize
  • CloudFormation
  • Kubernetes
  • ARM Templates
  • Helm
  • Ansible
  • Argo Workflows
  • Azure ARM Templates
  • Azure Pipelines
  • Azure Bicep
  • Bitbucket
  • Dockerfile
  • GitHub
  • Gitlab
  • OpenAPI
  • SCA Scanning
  • Serverless Framework

Security Scanning:

Terraform: Checkov scans your Terraform code to identify potential security vulnerabilities and misconfigurations. It can catch issues like open S3 buckets, security group rules that allow unrestricted access, and more.

CloudFormation: It can analyze AWS CloudFormation templates to find security gaps or non-compliant configurations.

Kubernetes YAML: Checkov can scan Kubernetes resource definitions to identify security vulnerabilities or misconfigurations.

Compliance Checks:

Checkov provides a wide range of built-in policies that cover various compliance standards such as CIS Benchmarks, GDPR, HIPAA, NIST, and more. It helps ensure that your infrastructure adheres to industry-standard compliance requirements.

Prevent Misconfigurations:

By running Checkov as part of your CI/CD pipeline, you can catch misconfigurations early in the development process, preventing them from reaching production environments.

CI/CD Integration:

Checkov can be integrated into your CI/CD pipeline to automate security and compliance checks. This ensures that code is checked for security and compliance issues before deployment.

Container Security:

For containerized applications, Checkov can be used to analyze Dockerfiles and Kubernetes YAML files to identify security vulnerabilities in your container images and Kubernetes configurations.

Custom Policies:

Checkov allows you to define custom policies to enforce specific security and compliance requirements that are unique to your organization or project.

Reporting and Remediation:

Checkov generates reports in various formats (such as JSON, JUnit, etc.) that can be used for documentation or further processing. It provides clear information about the issues found, including their severity and location.

Collaboration and Code Reviews:

Checkov can be integrated into code review workflows to ensure that IaC code adheres to security and compliance standards before it's merged into the main branch.

Continuous Monitoring:

You can use Checkov to periodically scan your IaC files to ensure that no new security vulnerabilities or compliance issues have been introduced.

Installing with Homebrew

brew install checkov

Installing with Pip (see the Checkov Installation Quickstart)

pip3 install checkov

How to perform a security scan of sample Terraform code (creating an S3 bucket with ACLs) with Checkov

Scanning a directory

checkov --directory /user/path/to/iac/code

Scanning a directory with shorter output (no code references in the output)

checkov --directory /user/path/to/iac/code --compact

Checkov scan of the current directory

checkov --directory ./ --compact

Sample reference code for Checkov

git clone https://github.com/cloudtipss/Terraform-security-scan-by-checkov
cd Terraform-security-scan-by-checkov
checkov --file terraform/s3/main.tf

Example of output:

terraform scan results:

Passed checks: 18, Failed checks: 13, Skipped checks: 0

Check: CKV_AZURE_8: "Ensure Kubernetes Dashboard is disabled"
        PASSED for resource: module.aks.azurerm_kubernetes_cluster.aks
        File: /modules/aks/main.tf:13-64
        Calling File: /main.tf:82-159
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/azure-policies/azure-kubernetes-policies/bc-azr-kubernetes-5.html
Check: CKV_AZURE_143: "Ensure AKS cluster nodes do not have public IP addresses"
        PASSED for resource: module.aks.azurerm_kubernetes_cluster.aks
        File: /modules/aks/main.tf:13-64
        Calling File: /main.tf:82-159

Check: CKV_AZURE_171: "Ensure AKS cluster upgrade channel is chosen"
        FAILED for resource: module.aks.azurerm_kubernetes_cluster.aks
        File: /modules/aks/main.tf:13-64
        Calling File: /main.tf:82-159
Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
        FAILED for resource: module.aks.azurerm_kubernetes_cluster.aks
        File: /modules/aks/main.tf:13-64
        Calling File: /main.tf:82-159

Checkov: display only the FAILED checks and skip the PASSED ones

checkov --directory ./ --quiet --compact

terraform scan results:

Passed checks: 4, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_56: "Ensure S3 bucket has 'restrict_public_bucket' enabled"
        FAILED for resource: aws_s3_bucket_public_access_block.example_block
        File: /main.tf:21-28
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/bc-aws-s3-22.html
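To make the CKV_AWS_56 finding above concrete, here is an added Terraform example (it is not code from the post's sample repository): the aws_s3_bucket_public_access_block that fails the check next to a hardened version, plus an inline suppression of the kind the "Skip checkov policies" section below discusses. The bucket name is a placeholder, and the "before" resource is shown only for comparison; a real module would keep just the "after" block, since one bucket takes one public access block.

```hcl
# Added example, not from the post's repository. Bucket name is a placeholder.
resource "aws_s3_bucket" "example" {
  bucket = "example-bucket-placeholder"

  # Inline suppression, the per-resource alternative to --skip-check:
  # the check ID, then a justification that ends up in the report.
  #checkov:skip=CKV_AWS_18:Constructed example; access logging is handled by a separate log bucket
}

# BEFORE: restrict_public_buckets is left at its default (false), so a bucket
# policy that grants public access would still be honoured. Checkov reports
# CKV_AWS_56 FAILED for this resource, exactly as in the output above.
resource "aws_s3_bucket_public_access_block" "example_block_before" {
  bucket              = aws_s3_bucket.example.id
  block_public_acls   = true # CKV_AWS_53
  block_public_policy = true # CKV_AWS_54
  ignore_public_acls  = true # CKV_AWS_55
  # restrict_public_buckets missing -> CKV_AWS_56 fails
}

# AFTER: all four settings enabled, so CKV_AWS_53, 54, 55 and 56 pass and
# the bucket cannot be made public through either ACLs or bucket policies.
resource "aws_s3_bucket_public_access_block" "example_block" {
  bucket                  = aws_s3_bucket.example.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Run checkov --file on a file containing only the "after" block and the four S3 public-access checks move from FAILED to PASSED; the inline checkov:skip comment shows up under "Skipped checks" together with its justification, which keeps the suppression visible in review instead of hidden in a CLI flag.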

How to filter Checkov output results with jq

Install the jq tool, which lets you filter YAML or JSON results

brew install jq

Example scenario: let's get the JSON output of Checkov and count how many passed and failed checks we got

FAILED checks

checkov --directory ./ -o json | jq '.results.failed_checks | length'

PASSED checks

checkov --directory ./ -o json | jq '.results.passed_checks | length'
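The two jq one-liners are usually the start of a CI gate, so here is an added Python script (not part of the post or of Checkov) that consumes the same checkov -o json output: it reproduces both counts, groups the failures by check ID with resource and file:line location, and returns a non-zero exit status when anything failed. The embedded report is a constructed sample in the shape of Checkov's JSON output; the field names (results.failed_checks, check_id, file_path, file_line_range, resource) are Checkov's, the values are made up, with the CKV_AWS_56 finding copied from the output above. When Checkov is run with several frameworks it emits a list of per-framework objects instead of one object, which the loader handles.

```python
"""CI gate for a Checkov JSON report (added example, not Checkov's own code)."""
import json
import sys
from collections import Counter

# Constructed sample in the shape of `checkov -o json` for a single framework.
SAMPLE_REPORT = r"""
{
  "check_type": "terraform",
  "results": {
    "passed_checks": [
      {"check_id": "CKV_AWS_53", "check_name": "Ensure S3 bucket has block public ACLS enabled",
       "check_result": {"result": "PASSED"}, "file_path": "/main.tf", "file_line_range": [21, 28],
       "resource": "aws_s3_bucket_public_access_block.example_block"},
      {"check_id": "CKV_AWS_54", "check_name": "Ensure S3 bucket has block public policy enabled",
       "check_result": {"result": "PASSED"}, "file_path": "/main.tf", "file_line_range": [21, 28],
       "resource": "aws_s3_bucket_public_access_block.example_block"},
      {"check_id": "CKV_AWS_55", "check_name": "Ensure S3 bucket has ignore public ACLs enabled",
       "check_result": {"result": "PASSED"}, "file_path": "/main.tf", "file_line_range": [21, 28],
       "resource": "aws_s3_bucket_public_access_block.example_block"}
    ],
    "failed_checks": [
      {"check_id": "CKV_AWS_56", "check_name": "Ensure S3 bucket has 'restrict_public_bucket' enabled",
       "check_result": {"result": "FAILED"}, "file_path": "/main.tf", "file_line_range": [21, 28],
       "resource": "aws_s3_bucket_public_access_block.example_block"},
      {"check_id": "CKV_AWS_21", "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
       "check_result": {"result": "FAILED"}, "file_path": "/main.tf", "file_line_range": [3, 9],
       "resource": "aws_s3_bucket.example"}
    ],
    "skipped_checks": [
      {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
       "check_result": {"result": "SKIPPED", "suppress_comment": "constructed: logging handled elsewhere"},
       "file_path": "/main.tf", "file_line_range": [3, 9], "resource": "aws_s3_bucket.example"}
    ],
    "parsing_errors": []
  },
  "summary": {"passed": 3, "failed": 2, "skipped": 1, "parsing_errors": 0, "resource_count": 2}
}
"""


def load_report(text):
    """Parse Checkov JSON; normalise the single-object and the multi-framework
    list forms to a list of per-framework objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def count_checks(report):
    """Same numbers as `jq '.results.passed_checks | length'` and friends,
    summed over every framework in the report."""
    totals = {"passed": 0, "failed": 0, "skipped": 0}
    for framework in report:
        results = framework.get("results", {})
        for key in totals:
            totals[key] += len(results.get(f"{key}_checks", []))
    return totals


def failed_by_check_id(report):
    """How many resources fail each policy: the list to fix, or to suppress deliberately."""
    return Counter(
        check["check_id"]
        for framework in report
        for check in framework.get("results", {}).get("failed_checks", [])
    )


def format_findings(report):
    """One sorted line per failed check: check ID, resource, file:start-end, policy name."""
    lines = []
    for framework in report:
        for check in framework.get("results", {}).get("failed_checks", []):
            start, end = check.get("file_line_range", [0, 0])
            lines.append(
                f"{check['check_id']:<12} {check['resource']} "
                f"{check.get('file_path', '?')}:{start}-{end}  {check.get('check_name', '')}"
            )
    return sorted(lines)


def gate(report):
    """Exit status for CI: 0 when nothing failed, 1 otherwise. Skipped checks do
    not fail the build, which is what makes --skip-check and inline suppressions effective."""
    return 1 if count_checks(report)["failed"] else 0


def main(argv):
    # Usage: checkov --directory ./ -o json | python3 checkov_gate.py
    #    or: python3 checkov_gate.py report.json
    text = open(argv[1]).read() if len(argv) > 1 else sys.stdin.read()
    report = load_report(text)
    totals = count_checks(report)
    print(f"passed={totals['passed']} failed={totals['failed']} skipped={totals['skipped']}")
    for check_id, count in failed_by_check_id(report).most_common():
        print(f"  {check_id}: {count} resource(s)")
    for line in format_findings(report):
        print("  " + line)
    return gate(report)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe the real scan into it (checkov --directory ./ -o json | python3 checkov_gate.py) and the job fails only on FAILED checks, so findings suppressed through --skip-check or a checkov:skip comment stay visible in the counts without blocking the pipeline.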

Checkov scan of a Helm chart

Example Helm chart, created with the helm create test-app command

Sample reference code for Checkov, under the "helm-chart/test-app/" folder

checkov --directory ./helm-chart/test-app/ --compact

The default Helm chart configuration shows 34 failed checks and 141 passed checks

helm scan results:

Passed checks: 141, Failed checks: 34, Skipped checks: 0

Check: CKV_K8S_80: "Ensure that the admission control plugin AlwaysPullImages is set"
        PASSED for resource: Deployment.default.release-name-test-app
        File: /test-app/templates/deployment.yaml:3-47
        Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/pr

Skip Checkov policies

Sometimes there are low-priority findings that trigger FAILED checks, or even false positives.

It is recommended to check the Checkov GitHub repo (its issues) if a finding still appears in the Checkov scan output after you have applied the fix.

How to skip specific policy checks

Let's say one of the false-positive policies is CKV_K8S_20. Add the --skip-check flag and list all policies to be skipped: --skip-check CKV_K8S_20

checkov --directory ./helm-chart/test-app/ --compact --skip-check CKV_K8S_20

Use Checkov configuration files

In some cases, especially when using CI/CD, we can't manually update the --skip-check CLI flag every time we need to add a new policy. In this scenario, using a Checkov config file is recommended.

How to create a Checkov config file

Add the --create-config CLI flag to create the config file and save your CLI options into it; here the file is located under ./helm-chart/test-app/checkov.dev.yml

checkov --directory ./helm-chart/test-app/ --compact --skip-check CKV_K8S_20 --create-config ./helm-chart/test-app/checkov.dev.yml

Now you can simply call the Checkov CLI with the --config-file argument pointing to your config file with the saved CLI options

checkov --config-file ./helm-chart/test-app/checkov.dev.yml

This approach can be used to have different security requirements for different environments

You can have multiple config files with stricter and more relaxed policies. You can also specify different frameworks/engines/templating tools with different configurations.
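As an added illustration of the dev/prod split just described (these are not the post's files; --create-config generates the dev one for you), here are two config files side by side. Keys are the long CLI flag names without the leading dashes, which is the format Checkov's --create-config writes and --config-file reads. The directory and the skipped check ID mirror the post; the stricter prod file is an assumption about how a production gate might look.

```yaml
# --- ./helm-chart/test-app/checkov.dev.yml ---
# Relaxed profile: the same options the post's --create-config call saved,
# with one suppressed policy (CKV_K8S_20, treated as a false positive).
directory:
  - ./helm-chart/test-app/
compact: true
skip-check:
  - CKV_K8S_20

# --- ./helm-chart/test-app/checkov.prod.yml (assumed, separate file) ---
# Strict profile: same chart, no skip-check list, JSON output for the CI
# gate, quiet so only FAILED checks are printed, and soft-fail off so a
# failed check gives a non-zero exit code that blocks the deployment.
directory:
  - ./helm-chart/test-app/
framework: helm
compact: true
quiet: true
output: json
soft-fail: false
```

Select the profile per pipeline stage with checkov --config-file ./helm-chart/test-app/checkov.prod.yml; because the suppression list lives in a versioned file instead of a CLI flag, every added skip-check entry shows up in code review with the commit that introduced it.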