Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.
Checkov also powers Bridgecrew, the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files.
Scan results in CLI
Scheduled scan result in Jenkins
pip3 install checkov
Installation on Alpine:
pip3 install –upgrade pip && pip3 install –upgrade setuptools
pip3 install checkov
Installation on Ubuntu 18.04 LTS:
Ubuntu 18.04 ships with Python 3.6. Install python 3.7 (from ppa repository)
sudo apt update
sudo apt install software-properties-common
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt install python3.7
sudo apt install python3-pip
sudo python3.7 -m pip install -U checkov #to install or upgrade checkov)
or using homebrew (MacOS only)
brew install checkov
or
brew upgrade checkov
Enabling bash autocomplete
source <(register-python-argcomplete checkov)
if you installed checkov with pip3
pip3 install -U checkov
pip3 install -U checkov
Configure an input folder or file
checkov –directory /user/path/to/iac/code
Or a specific file or files
checkov –file /user/tf/example.tf
Or
checkov -f /user/cloudformation/example1.yml -f /user/cloudformation/example2.yml
Or a terraform plan file in json format
terraform init
terraform plan -out tf.plan
terraform show -json tf.plan > tf.json
checkov -f tf.json
Note: terraform show
output file tf.json
will be a single line. For that reason all findings will be reported line number 0 by checkov
check: CKV_AWS_21: “Ensure all data stored in the S3 bucket have versioning enabled”
FAILED for resource: aws_s3_bucket.customer
File: /tf/tf.json:0-0
Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
If you have installed jq
you can convert json file into multiple lines with the following command:
terraform show -json tf.plan | jq ‘.’ > tf.json
Scan result would be much user friendly.
checkov -f tf.json
Check: CKV_AWS_21: “Ensure all data stored in the S3 bucket have versioning enabled”
FAILED for resource: aws_s3_bucket.customer
File: /tf/tf1.json:224-268
Guide: https://docs.bridgecrew.io/docs/s3_16-enable-versioning
225 “values”: {
226 “acceleration_status”: “”,
227 “acl”: “private”,
228 | “arn”: “arn:aws:s3:::mybucket”,
Alternatively, specify the repo root of the hcl files used to generate the plan file, using the --repo-root-for-plan-enrichment
flag, to enrich the output with the appropriate file path, line numbers, and codeblock of the resource(s). An added benefit is that check suppressions will be handled accordingly.
checkov -f tf.json –repo-root-for-plan-enrichment /user/path/to/iac/code
Scan result sample (CLI)
Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: “Ensure all data stored in the S3 bucket is securely encrypted at rest”
/main.tf:
Passed for resource: aws_s3_bucket.template_bucket
Check: “Ensure all data stored in the S3 bucket is securely encrypted at rest”
/../regionStack/main.tf:
Failed for resource: aws_s3_bucket.sls_deployment_bucket_name
Using Docker
docker pull bridgecrew/checkov
docker run –tty –rm –volume /user/tf:/tf –workdir /tf bridgecrew/checkov –directory /tf
Note: if you are using Python 3.6(Default version in Ubuntu 18.04) checkov will not work and it will fail with ModuleNotFoundError: No module named 'dataclasses'
error message. In this case, you can use the docker version instead.
Note that there are certain cases where redirecting docker run --tty
output to a file – for example, if you want to save the Checkov JUnit output to a file – will cause extra control characters to be printed. This can break file parsing. If you encounter this, remove the --tty
flag.
The --workdir /tf
flag is optional to change the working directory to the mounted volume. If you are using the SARIF output -o sarif
this will output the results. sarif file to the mounted volume (/user/tf
in the example above). If you do not include that flag, the working directory will be “/”.
Using command line flags you can specify to run only named checks (allow list) or run all checks except those listed (deny list). If you are using the platform integration via API key, you can also specify a severity threshold to skip and / or include. See the docs for more detailed information on how these flags work together.
Allow only the two specified checks to run:
checkov –directory . –check CKV_AWS_20,CKV_AWS_57
Run all checks except the one specified:
checkov -d . –skip-check CKV_AWS_20
Run all checks except checks with specified patterns:
checkov -d . –skip-check CKV_AWS*
Run all checks that are MEDIUM severity or higher (requires API key):
checkov -d . –check MEDIUM –bc-api-key …
Run all checks that are MEDIUM severity or higher, as well as check CKV_123 (assume this is a LOW severity check):
checkov -d . –check MEDIUM,CKV_123 –bc-api-key …
Skip all checks that are MEDIUM severity or lower:
checkov -d . –skip-check MEDIUM –bc-api-key …
Skip all checks that are MEDIUM severity or lower, as well as check CKV_789 (assume this is a high severity check):
checkov -d . –skip-check MEDIUM,CKV_789 –bc-api-key …
Run all checks that are MEDIUM severity or higher, but skip check CKV_123 (assume this is a medium or higher severity check):
checkov -d . –check MEDIUM –skip-check CKV_123 –bc-api-key …
Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, suppression can be inserted as a simple code annotation.
To skip a check on a given Terraform definition block or CloudFormation resource, apply the following comment pattern inside it’s scope:
checkov:skip=<check_id>:<suppression_comment>
<check_id>
is one of the [available check scanners](docs/5.Policy Index/all.md)<suppression_comment>
is an optional suppression reason to be included in the outputThe following comment skips the CKV_AWS_20
check on the resource identified by foo-bucket
, where the scan checks if an AWS S3 bucket is private. In the example, the bucket is configured with public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.
resource “aws_s3_bucket” “foo-bucket” {
region = var.region
#checkov:skip=CKV_AWS_20:The bucket is a public static content host
bucket = local.bucket_name
force_destroy = true
acl = “public-read”
}
The output would now contain a SKIPPED
check result entry:
…
…
Check: “S3 Bucket has an ACL defined which allows public access.”
SKIPPED for resource: aws_s3_bucket.foo-bucket
Suppress comment: The bucket is a public static content host
File: /example_skip_acl.tf:1-25
To suppress checks in Kubernetes manifests, annotations are used with the following format: checkov.io/skip#: <check_id>=<suppression_comment>
For example:
apiVersion: v1
kind: Pod
metadata:
name: mypod
annotations:
checkov.io/skip1: CKV_K8S_20=I don’t care about Privilege Escalation :-O
checkov.io/skip2: CKV_K8S_14
checkov.io/skip3: CKV_K8S_11=I have not set CPU limits as I want BestEffort QoS
spec:
containers:
…
For detailed logging to stdout set up the environment variable LOG_LEVEL
to DEBUG
.
Default is LOG_LEVEL=WARNING
.
To skip files or directories, use the argument --skip-path
, which can be specified multiple times. This argument accepts regular expressions for paths relative to the current working directory. You can use it to skip entire directories and / or specific files.
By default, all directories named node_modules
, .terraform
, and .serverless
will be skipped, in addition to any files or directories beginning with .
. To cancel skipping directories beginning with .
override IGNORE_HIDDEN_DIRECTORY_ENV
environment variable export IGNORE_HIDDEN_DIRECTORY_ENV=false
You can override the default set of directories to skip by setting the environment variable CKV_IGNORED_DIRECTORIES
. Note that if you want to preserve this list and add to it, you must include these values. For example, CKV_IGNORED_DIRECTORIES=mynewdir
will skip only that directory, but not the others mentioned above. This variable is legacy functionality; we recommend using the --skip-file
flag.
If you want to use checkov’s within vscode, give a try to the vscode extension available at vscode
Checkov can be configured using a YAML configuration file. By default, checkov looks for a .checkov.yaml
or .checkov.yml
file in the following places in order of precedence:
--directory
)Attention: it is a best practice for checkov configuration file to be loaded from a trusted source composed by a verified identity, so that scanned files, check ids and loaded custom checks are as desired.
Users can also pass in the path to a config file via the command line. In this case, the other config files will be ignored. For example:
checkov –config-file path/to/config.yaml
Users can also create a config file using the --create-config
command, which takes the current command line args and writes them out to a given path. For example:
checkov –compact –directory test-dir –docker-image sample-image –dockerfile-path Dockerfile –download-external-modules True –external-checks-dir sample-dir –no-guide –quiet –repo-id bridgecrew/sample-repo –skip-check CKV_DOCKER_3,CKV_DOCKER_2 –skip-fixes –skip-framework dockerfile secrets –skip-suppressions –soft-fail –branch develop –check CKV_DOCKER_1 –create-config /Users/sample/config.yml
Will create a config.yaml
file which looks like this:
branch: develop
check:
Users can also use the --show-config
flag to view all the args and settings and where they came from i.e. commandline, config file, environment variable or default. For example:
checkov –show-config
Will display:
Command Line Args: –show-config
Environment Variables:
BC_API_KEY: your-api-key
Config File (/Users/sample/.checkov.yml):
soft-fail: False
branch: master
skip-check: [‘CKV_DOCKER_3’, ‘CKV_DOCKER_2’]
Defaults:
–output: cli
–framework: [‘all’]
–download-external-modules:False
–external-modules-download-path:.external_modules
–evaluate-variables:True
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…