Infrastructure as code static analysis
Project description
Table of contents
Description
Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Cloudformation or kubernetes and detects security and compliance misconfigurations.
Checkov is written in Python and provides a simple method to write and manage policies. It follows the CIS Foundations benchmarks where applicable.
Features
- 100+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
- Scans Terraform and AWS CloudFormation configurations.
- Scans for AWS credentials in EC2 Userdata, Lambda environment variables and Terrafrom providers
- Policies support evaluation of variables to their optional default value.
- Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
- Output currently available as CLI, JSON or JUnit XML.
Screenshots
Scan results in CLI
Scheduled scan result in Jenkins
Getting started
Installation
pip install checkov
or using homebrew (MacOS only)
brew tap bridgecrewio/checkov https://github.com/bridgecrewio/checkov
brew update
brew install checkov
Configure an input folder
checkov -d /user/path/to/iac/code
Or a specific file
checkov -f /user/tf/example.tf
or
checkov -f /user/cloudformation/example.yml
Scan result sample (CLI)
Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
Passed for resource: aws_s3_bucket.template_bucket
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
Start using Checkov by reading the Getting Started page.
Using Docker
docker pull bridgecrew/checkov
docker run -t -v /user/tf:/tf bridgecrew/checkov -d /tf
Suppressing/Ignoring a check
Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, a suppression can be inserted as a simple code annotation.
Suppression comment format
To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it's scope:
checkov:skip=<check_id>:<suppression_comment>
<check_id>is one of the available check scanners<suppression_comment>is an optional suppression reason to be included in the output
Example
The following comment skip the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks if an AWS S3 bucket is private.
In the example, the bucket is configured with a public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.
resource "aws_s3_bucket" "foo-bucket" {
region = var.region
#checkov:skip=CKV_AWS_20:The bucket is a public static content host
bucket = local.bucket_name
force_destroy = true
acl = "public-read"
}
The output would now contain a SKIPPED check result entry:
...
...
Check: "S3 Bucket has an ACL defined which allows public access."
SKIPPED for resource: aws_s3_bucket.foo-bucket
Suppress comment: The bucket is a public static content host
File: /example_skip_acl.tf:1-25
...
To suppress checks in Kubernetes manifests, annotations are used with the following format:
checkov.io/skip#: <check_id>=<suppression_comment>
For example:
apiVersion: v1
kind: Pod
metadata:
name: mypod
annotations:
checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
checkov.io/skip2: CKV_K8S_14
checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
containers:
...
Logging
For detailed logging to stdout setup the environment variable LOG_LEVEL to DEBUG.
Default LOG_LEVEL value is WARNING.
Alternatives
For Terraform compliance scanners check out tfsec, Terrascan and Terraform AWS Secure Baseline.
For CloudFormation scanning check out cfripper and cfn_nag.
For Kubernetes scanning check out kube-scan and Polaris
Contributing
Contribution is welcomed!
Start by reviewing the contribution guidelines. After that, take a look at a good first issue.
Looking to contribute new checks? Learn how to write a new check (AKA policy) here
Support
Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.
Start with our Documentation for quick tutorials and examples.
If you need direct support you can contact us at info@bridgecrew.io
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file checkov-1.0.375.tar.gz.
File metadata
- Download URL: checkov-1.0.375.tar.gz
- Upload date:
- Size: 78.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/47.1.1 requests-toolbelt/0.9.1 tqdm/4.46.1 CPython/3.8.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
704b9416f6ba58d7d82911485dd60abd841d73efa915cc02715628839369b758
|
|
| MD5 |
84e9323e9adefcac4e9f7b8ff6987c79
|
|
| BLAKE2b-256 |
4f11e397a9854a925c3528c2cf224f564f3a291a00efde19a1990dae46b9ce08
|
File details
Details for the file checkov-1.0.375-py3-none-any.whl.
File metadata
- Download URL: checkov-1.0.375-py3-none-any.whl
- Upload date:
- Size: 238.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/47.1.1 requests-toolbelt/0.9.1 tqdm/4.46.1 CPython/3.8.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6ba9c474cce907a5ee0faba3cdcfc045fdc00617ce838335ef9653443cf8b253
|
|
| MD5 |
f5f02f75c2bb80cf5995693c20359af2
|
|
| BLAKE2b-256 |
24b4098f8c721a1d88bbb2943a08300c9e7141f671358a173d87884fee530fc0
|
