🛠 Checkov SAST profile
I started rebuilding custom profiles, and I wanted to share with you an example for checkov that we reviewed. The example profile is for Docker and Helm infrastructure.
Goal: minimize the attack surface of containers, eliminate storing secrets in images and manifests, and provide secure defaults for production environments.
What are we doing?
• Analyze Dockerfiles and Helm charts as the main packaging layer (Checkov frameworks dockerfile, helm/kubernetes, plus secrets for hard-coded credentials in images and manifests)
• check / skip-check decide which checks run; quiet: false keeps passed checks in the report so reviewers see the full picture
• Any failing check from the check list is a pipeline error (checkov exits non-zero)
• For dev branches CI overrides that with --soft-fail (or soft-fail-on for a subset of check IDs), so the report is still produced without blocking the merge
• download-external-modules: false so the scan never pulls remote modules and stays offline
• The check list is an allow-list: only the listed IDs run, so newly added upstream checks don't break the pipeline until we have reviewed them
Policies
The profile is a .checkov.yaml (checkov --config-file .checkov.yaml). Checkov has no enforce/docker/helm sections: check is the allow-list of checks that run, skip-check the exceptions, and each ID carries its upstream meaning. Dockerfile checks only see build instructions, so runtime properties (privileged mode, capabilities, read-only root filesystem, host namespaces) are enforced through the Kubernetes checks on the rendered chart, not through CKV_DOCKER_* IDs.
framework:
  - dockerfile
  - helm
  - kubernetes
  - secrets        # hard-coded passwords/tokens in Dockerfiles, values.yaml, ConfigMaps
quiet: false       # keep passed checks in the report
soft-fail: false   # dev branches override with --soft-fail in CI
download-external-modules: false
check:
  # Dockerfile
  - CKV_DOCKER_2   # HEALTHCHECK instruction present (orchestrator liveness, SLA)
  - CKV_DOCKER_3   # a USER instruction exists; without it the container runs as root
  - CKV_DOCKER_4   # COPY instead of ADD (ADD fetches URLs and auto-extracts archives)
  - CKV_DOCKER_7   # base image pinned to a tag or digest, never :latest or untagged
  - CKV_DOCKER_8   # the last USER is not root
  # Kubernetes objects rendered from the Helm chart
  - CKV_K8S_10     # CPU requests set
  - CKV_K8S_11     # CPU limits set
  - CKV_K8S_12     # memory requests set
  - CKV_K8S_13     # memory limits set
  - CKV_K8S_14     # image tag pinned, not latest or blank
  - CKV_K8S_16     # privileged: false
  - CKV_K8S_17     # hostPID: false
  - CKV_K8S_18     # hostIPC: false
  - CKV_K8S_19     # hostNetwork: false
  - CKV_K8S_20     # allowPrivilegeEscalation: false
  - CKV_K8S_22     # readOnlyRootFilesystem: true
  - CKV_K8S_23     # runAsNonRoot: true (no root containers)
  - CKV_K8S_35     # secrets mounted as files, not exposed as environment variables
  - CKV_K8S_37     # no added capabilities (drop ALL, add nothing)
  - CKV_K8S_39     # CAP_SYS_ADMIN never added
  # No built-in check requires a NetworkPolicy per workload; that stays a review item or a custom policy.
directory:
  # Analysis directory; the helm framework renders the chart from its root (needs the helm binary)
  - .
file:
  - vulnerable-app/Dockerfile
  - docker-compose.yml
  # Helm chart: values.yaml is scanned for secrets; a raw templates/*.yaml with Go templating
  # is not valid YAML for the kubernetes framework, so rely on the rendered chart above
  - helm/service/values.yaml
  - helm/service/templates/deployment.yaml
#skip-check:
#  - CKV_DOCKER_7  # test environment image deliberately tracks latest (example)
An example of a high-level general policy (a human-readable intent map that the check list above implements; checkov does not read this file itself)
policy:
  docker:
    require_non_root_user: true             # last USER != root
    require_healthcheck: true               # HEALTHCHECK present
    require_explicit_user: true             # a USER instruction exists
    forbid_secrets_in_env: true             # no passwords/tokens in ENV/ARG or image labels
    forbid_default_credentials: true        # no admin/admin and similar defaults
    drop_all_capabilities_by_default: true  # runtime setting (cap_drop ALL in compose/k8s), not a Dockerfile instruction
    forbid_privileged: true                 # runtime setting: privileged: false
    forbid_host_network: true               # runtime setting: hostNetwork / network_mode: host forbidden
    prefer_read_only_rootfs: true           # runtime setting: read-only root filesystem
  helm:
    require_pod_security_context: true      # pod and container securityContext set
    require_network_policies: true          # a NetworkPolicy per workload (review item; no built-in checkov check)
    forbid_host_path_mounts: true           # hostPath only from an approved allow-list
    require_resource_limits: true           # CPU/memory requests and limits set
    forbid_plaintext_secrets: true          # no secrets in values.yaml/ConfigMap; use Secret objects mounted as files
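To make the Dockerfile part of the policy concrete, here is an added example (my own illustration, not Checkov's code and not part of the original profile): a small Python re-implementation of what five of the enforced Dockerfile checks actually test, run over two constructed Dockerfiles, one the profile should reject and one that passes. The sample Dockerfiles, the image tags and the UID 10001 are assumptions for the example; the split between "a USER exists" and "the last USER is not root" is modeled on Checkov's CKV_DOCKER_3 / CKV_DOCKER_8 pair, but this code is not a substitute for running checkov.

```python
"""Re-implementation of five Checkov Dockerfile checks (illustration only).

This is not Checkov's code: it mirrors the intent of CKV_DOCKER_2 (HEALTHCHECK
present), CKV_DOCKER_3 (a USER is set), CKV_DOCKER_4 (COPY, not ADD),
CKV_DOCKER_7 (base image not :latest/untagged) and CKV_DOCKER_8 (last USER is
not root) so the profile's check list can be read against a concrete file.
"""

# Constructed sample: the kind of Dockerfile the profile is meant to reject.
VULNERABLE_DOCKERFILE = """\
FROM python:latest
ADD . /app
WORKDIR /app
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
"""

# Constructed sample: the same service after applying the profile
# (image tag, UID 10001 and file layout are assumptions for the example).
HARDENED_DOCKERFILE = """\
FROM python:3.12-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM build
COPY --chown=10001:10001 . /app
RUN adduser --system --uid 10001 --no-create-home app
USER 10001
HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import app" || exit 1
CMD ["python", "app.py"]
"""


def parse_dockerfile(text):
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations, drops comments."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        keyword, _, args = (buf + line).partition(" ")
        instructions.append((keyword.upper(), args.strip()))
        buf = ""
    return instructions


def check_healthcheck(instructions):
    """CKV_DOCKER_2: a HEALTHCHECK instruction exists."""
    return any(kw == "HEALTHCHECK" for kw, _ in instructions)


def check_user_exists(instructions):
    """CKV_DOCKER_3: at least one USER instruction; no USER means the image runs as root."""
    return any(kw == "USER" for kw, _ in instructions)


def check_no_add(instructions):
    """CKV_DOCKER_4: ADD is never used (it fetches URLs and auto-extracts archives; COPY does neither)."""
    return not any(kw == "ADD" for kw, _ in instructions)


def check_base_image_tag(instructions):
    """CKV_DOCKER_7: every FROM is pinned to a tag or digest.

    Untagged images and :latest fail; references to an earlier stage alias and
    'scratch' are exempt. A registry port (host:5000/img) is not mistaken for a tag.
    """
    aliases = set()
    for kw, args in instructions:
        if kw != "FROM":
            continue
        parts = [p for p in args.split() if not p.startswith("--")]  # drop --platform=...
        ref = parts[0]
        if len(parts) >= 3 and parts[1].upper() == "AS":
            aliases.add(parts[2])
        if ref == "scratch" or ref in aliases or "@" in ref:
            continue  # empty base, stage alias, or digest-pinned
        _, has_tag, tag = ref.rsplit("/", 1)[-1].partition(":")
        if not has_tag or tag == "latest":
            return False
    return True


def check_last_user_not_root(instructions):
    """CKV_DOCKER_8: the last USER instruction is not root / UID 0.

    Modeled on Checkov's split: this check only judges USER instructions that
    exist (USER root for package installs is fine if a later USER drops it);
    a Dockerfile with no USER at all is caught by CKV_DOCKER_3, which is why
    the profile enforces both IDs.
    """
    users = [args for kw, args in instructions if kw == "USER"]
    if not users:
        return True
    return users[-1].partition(":")[0] not in ("root", "0")


CHECKS = {
    "CKV_DOCKER_2": check_healthcheck,
    "CKV_DOCKER_3": check_user_exists,
    "CKV_DOCKER_4": check_no_add,
    "CKV_DOCKER_7": check_base_image_tag,
    "CKV_DOCKER_8": check_last_user_not_root,
}


def failed_checks(text):
    """Sorted IDs of the checks a Dockerfile fails; an empty list means it passes the profile."""
    instructions = parse_dockerfile(text)
    return sorted(cid for cid, check in CHECKS.items() if not check(instructions))


if __name__ == "__main__":
    for name, dockerfile in (("vulnerable-app", VULNERABLE_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(f"{name}: failed {failed_checks(dockerfile) or 'none'}")
```

Running it reports the vulnerable sample failing CKV_DOCKER_2, 3, 4 and 7 and the hardened one failing nothing. Note what the vulnerable file does not fail: CKV_DOCKER_8 passes because there is no USER to judge, which is exactly the gap CKV_DOCKER_3 closes, so dropping either ID from the check list silently weakens the non-root requirement.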
#toolchain #sast #appsec #course #reco #techsolution
