🛠 Checkov: SAST for IaC
Hi,
Let's keep looking at tools, and today we'll talk about Anton Pavlovich... Checkov (docs):
It is a static analysis (SAST) tool for Infrastructure as Code (IaC) that scans configuration files for security and compliance problems before they are deployed. Open source (Apache 2.0). Report formats: CLI, JSON, JUnit XML, GitHub Failed Only, GitLab SAST, SARIF, CSV, CycloneDX.
Features
• Analyzes Terraform, CloudFormation, Kubernetes manifests, Dockerfiles and other infrastructure files for misconfigurations
• Fits automated Docker/IaC validation in pipelines, so unsafe settings in images and infrastructure are not missed
• Can be used for a quick pre-commit check of configurations to weed out basic misconfigurations
• SARIF → GitHub Security, GitLab SAST
• JSON → DefectDojo, Jira
• Supports both attribute-based policies (in Python) and graph-based policies (in YAML) for analyzing relationships between resources
Commands
pip install checkov
# Scan a directory
checkov -d /path/to/terraform/code
# Run only specific checks (by ID or by severity)
checkov -d . --check CKV_AWS_20,CKV_AWS_57
checkov -d . --check HIGH   # severity filtering needs severity data, which comes with a platform API key
# Skip certain checks
checkov -d . --skip-check CKV_AWS_20
# Output in JUnit XML format (for CI/CD)
checkov -d . -o junitxml > checkov.xml
# Scan and download external Terraform modules
checkov -d . --download-external-modules true
# Suppress a specific check in the code (inline comment inside the resource block; the text after the second colon is the justification)
resource "aws_s3_bucket" "example" {
  #checkov:skip=CKV_AWS_20:justification for the exception goes here
  bucket = "my-bucket"
  acl    = "private"
}
Integration (Jenkins pipeline stage)
stage('Checkov') {
    steps {
        script {
            docker.image('bridgecrew/checkov:latest').inside("--entrypoint=''") {
                unstash 'terragoat'
                try {
                    sh '''
                        checkov -d . --use-enforcement-rules -o cli -o junitxml \
                            --output-file-path console,results.xml \
                            --repo-id example/terragoat --branch master
                    '''
                    junit skipPublishingChecks: true, testResults: 'results.xml'
                } catch (err) {
                    // publish the report even on failure, then re-raise so the stage still fails
                    junit skipPublishingChecks: true, testResults: 'results.xml'
                    throw err
                }
            }
        }
    }
    options {
        preserveStashes()
        timestamps()
    }
}
Example enforcement rules
enforcement_rules:
  - name: "prod-enforcement"
    description: "Strict policies for production branches: Critical/High block the build, Medium is a warning."
    is_default: true
    criteria:
      provider: "terraform"   # which scans the rule applies to
      filter:
        # example: apply to the terragoat repo on the master/main branches
        repo_id: "example/terragoat"
        branches:
          - "master"
          - "main"
    rules:
      - rule_id: "CKV_AWS_*"   # all AWS policies
        soft_fail_threshold: "MEDIUM"
        hard_fail_threshold: "HIGH"
      - rule_id: "CKV_K8S_*"   # all Kubernetes policies
        soft_fail_threshold: "MEDIUM"
        hard_fail_threshold: "HIGH"
      - rule_id: "CKV_SECRET_*"   # secret detection
        soft_fail_threshold: "LOW"
        hard_fail_threshold: "MEDIUM"
  - name: "dev-relaxed"
    description: "More lenient policies for dev/feature branches."
    is_default: false
    criteria:
      provider: "terraform"
      filter:
        branches:
          - "develop"
          - "feature/*"
    rules:
      - rule_id: "CKV_AWS_*"
        soft_fail_threshold: "HIGH"   # Medium is reported as info only
        hard_fail_threshold: "CRITICAL"
      - rule_id: "CKV_K8S_*"
        soft_fail_threshold: "HIGH"
        hard_fail_threshold: "CRITICAL"
      - rule_id: "CKV_SECRET_*"
        soft_fail_threshold: "MEDIUM"
        hard_fail_threshold: "HIGH"
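To show what the soft/hard thresholds above actually do to a build, here is an added example (not part of the original post, and not Checkov's own code) that applies the "prod-enforcement" rules to a Checkov JSON report: findings at or above the hard threshold block, those at or above the soft threshold warn, the rest are informational. The report is a constructed sample in the shape of `checkov -o json` output trimmed to the fields used, with constructed severities (Checkov only fills severity in when a platform API key is used), and findings with no severity or no matching rule are treated as blocking so nothing slips through silently.

```python
import json
from fnmatch import fnmatch

# Severity ordering Checkov uses, lowest to highest.
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# The "prod-enforcement" rules from the YAML above, as plain dicts.
PROD_RULES = [
    {"rule_id": "CKV_AWS_*", "soft_fail_threshold": "MEDIUM", "hard_fail_threshold": "HIGH"},
    {"rule_id": "CKV_K8S_*", "soft_fail_threshold": "MEDIUM", "hard_fail_threshold": "HIGH"},
    {"rule_id": "CKV_SECRET_*", "soft_fail_threshold": "LOW", "hard_fail_threshold": "MEDIUM"},
]

# Constructed sample in the shape of `checkov -o json`, trimmed to the fields used here;
# resources and severities are made up for the example.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {"passed_checks": [], "skipped_checks": [], "parsing_errors": [], "failed_checks": [
        {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.example", "file_path": "/main.tf", "severity": "HIGH"},
        {"check_id": "CKV_AWS_57", "resource": "aws_s3_bucket.example", "file_path": "/main.tf", "severity": "MEDIUM"},
        {"check_id": "CKV_K8S_8", "resource": "Deployment.default.api", "file_path": "/api.yaml", "severity": "LOW"},
        {"check_id": "CKV_SECRET_6", "resource": "a1b2c3", "file_path": "/vars.tf", "severity": "MEDIUM"},
    ]},
})

def classify(check_id, severity, rules):
    """Verdict for one failed check: 'hard' (block), 'soft' (warn), 'info', or 'unmatched'."""
    rank = SEVERITY_RANK.get((severity or "").upper())
    for rule in rules:
        if not fnmatch(check_id, rule["rule_id"]):
            continue
        if rank is None:  # report carries no severity: fail closed rather than silently pass
            return "hard"
        if rank >= SEVERITY_RANK[rule["hard_fail_threshold"]]:
            return "hard"
        if rank >= SEVERITY_RANK[rule["soft_fail_threshold"]]:
            return "soft"
        return "info"
    return "unmatched"

def gate(report_json, rules):
    """Apply rules to a Checkov JSON report. Returns (exit_code, verdict -> list of findings)."""
    parsed = json.loads(report_json)
    buckets = {"hard": [], "soft": [], "info": [], "unmatched": []}
    for report in parsed if isinstance(parsed, list) else [parsed]:  # multi-framework runs emit a list
        for check in report["results"]["failed_checks"]:
            verdict = classify(check["check_id"], check.get("severity"), rules)
            buckets[verdict].append(f'{check["check_id"]} {check["resource"]} ({check["file_path"]})')
    exit_code = 1 if buckets["hard"] or buckets["unmatched"] else 0  # unmatched checks also fail closed
    return exit_code, buckets
```

Swapping in the "dev-relaxed" rules turns the same report into two warnings and two info findings with exit code 0, which is exactly the difference between the two profiles in the YAML.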
Bottom line: to get hands-on with it yourself, it's worth going through this lab, where you'll also get to try Semgrep (covered here) and the SCA tool Dependency-Check.
#toolchain #sast #appsec #course #sca #sbom #containersecurity #reco #techsolution
