Checkov – static code analysis

Checkov is a static code analysis tool for infrastructure-as-code.

It scans cloud infrastructure provisioned using Terraform, Cloudformation, Kubernetes, Serverless or ARM Templates and detects security and compliance misconfigurations.

Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.

Table of contents

• Features
• Screenshots
• Getting Started
• Disclaimer
• Support

Features

• Over 400 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
• Scans Terraform, CloudFormation and Kubernetes, Serverless framework and ARM template files.
• Detects AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
• Evaluates Terraform Provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS managed through Terraform.
• Policies support evaluation of variables to their optional default value.
• Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures. Also supports global skip from using CLI.
• Output currently available as CLI, JSON or JUnit XML and link to remediation guides.

Screenshots

Scan results in CLI

Scheduled scan result in Jenkins

Getting started

Installation

pip install checkov

Installation on Alpine:

pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install checkov

or using homebrew (MacOS only)

brew tap bridgecrewio/checkov https://github.com/bridgecrewio/checkov
brew update
brew install checkov

Configure an input folder

checkov -d /user/path/to/iac/code

Or a specific file

checkov -f /user/tf/example.tf

or

checkov -f /user/cloudformation/example.yml

Scan result sample (CLI)

Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/main.tf:
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
/../regionStack/main.tf:
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name       

Start using Checkov by reading the Getting Started page.

Using Docker

docker pull bridgecrew/checkov
docker run -t -v /user/tf:/tf bridgecrew/checkov -d /tf

Running or skipping checks

Using command line flags you can specify to run only named checks (allow list) or run all checks except those listed (deny list).

List available checks:

checkov -l 

Allow only 2 checks to run:

checkov -d . --check CKV_AWS_20,CKV_AWS_57

Run all checks except 1 specified:

checkov -d . --skip-check CKV_AWS_52

For Kubernetes workloads, you can also use allow/deny namespaces. For example, do not report any results for the kube-system namespace:

checkov -d . --skip-check kube-system

Suppressing/Ignoring a check

Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, a suppression can be inserted as a simple code annotation.

Suppression comment format

To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it’s scope:

checkov:skip=<check_id>:<suppression_comment>

• <check_id> is one of the available check scanners
• <suppression_comment> is an optional suppression reason to be included in the output

Example

The following comment skip the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks if an AWS S3 bucket is private. In the example, the bucket is configured with a public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
    #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

The output would now contain a SKIPPED check result entry:

...
...
Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource: aws_s3_bucket.foo-bucket
	Suppress comment: The bucket is a public static content host
	File: /example_skip_acl.tf:1-25
	
...

To suppress checks in Kubernetes manifests, annotations are used with the following format: checkov.io/skip#: <check_id>=<suppression_comment>

For example:

apiVersion: v1
kind: Pod
metadata:
  name: mypod
  annotations:
    checkov.io/skip1: CKV_K8S_20=I don't care about Privilege Escalation :-O
    checkov.io/skip2: CKV_K8S_14
    checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
  containers:
...

Logging

For detailed logging to stdout setup the environment variable LOG_LEVEL to DEBUG.

Default is LOG_LEVEL=WARNING.

Skipping directories

To skip a whole directory, use the environment variable CKV_IGNORED_DIRECTORIES. Default is CKV_IGNORED_DIRECTORIES=node_modules,.terraform,.serverless

Download