Welcome to MyGurukulam thought & Blogs

Checkov a Must Tool for Infra CI

As organizations move more of their operations to the cloud, the need for secure and compliant infrastructure becomes increasingly important. With the rapid pace of cloud adoption, it’s crucial to have a tool that can help you ensure that your cloud infrastructure is configured securely and in compliance with best practices. So in today’s blog, we will talk about a tool that addresses these problems: Checkov.

What is Checkov?

Checkov is a tool that helps developers and operations teams ensure that their infrastructure is secure and compliant with best practices. It does this by automatically scanning infrastructure as code (IaC) and runtime environments for issues that could potentially lead to security vulnerabilities or compliance failures. Checkov works by scanning code written in various IaC languages (such as Terraform, CloudFormation, and ARM templates) and looking for patterns that could indicate security or compliance risks. It can also be integrated into a continuous integration/continuous deployment (CI/CD) pipeline, allowing it to scan code automatically as it is being developed and deployed.

Why Checkov? 

Checkov is a powerful open-source tool that offers a number of benefits when it comes to securing your infrastructure as code (IaC). Some of the reasons to choose Checkov include:

  • Automated security checks: Checkov can automatically scan your IaC files for potential security issues and provide detailed descriptions of the problems and suggested remedies. This makes it much easier to identify and mitigate security risks in your IaC files.
  • Compliance: Checkov can help you achieve compliance with security standards such as the CIS AWS Foundations Benchmark and the Center for Internet Security (CIS) Kubernetes Benchmark. This can be especially important if your organization needs to comply with regulatory requirements or industry standards.
  • Integration with popular CI/CD tools: Checkov can be integrated with popular CI/CD tools like Jenkins, CircleCI, and TravisCI for automated security checks. This can help ensure that any security issues are caught and fixed before they can become a problem.
  • Support for popular IaC frameworks: Checkov supports popular IaC frameworks such as Terraform, CloudFormation, and Kubernetes, which makes it versatile to use in different environments.
  • Report generation: Checkov can generate reports and output in various formats, including JSON and HTML.

Getting Started with Checkov

To use Checkov, you’ll first need to install it on your local machine. The installation process is straightforward and can be done using pip: you just need to run the command “pip3 install checkov”. The best thing is that the only dependency of Checkov is Python. Once Checkov is installed, you can run it on your IaC files by navigating to the directory where they are located and invoking it there, and it will start scanning your code.

Important Flags in Checkov:

  1. -f: This flag tells Checkov to scan only the file you provide and skip all other files.
  2. -d: If your infrastructure code is spread across multiple files, scanning them one by one would be difficult and time-consuming. With the -d flag you can scan all the code files in a directory with a single command.

Checks performed by Checkov

Checkov comes with a set of built-in checks that cover a wide range of AWS resources and configurations. These checks are grouped into categories such as security, networking, and compliance.

Here is a list of some commonly used checks that Checkov performs on AWS resources:

  • Ensure all security groups have rules defined
  • Ensure all IAM policies have a description
  • Ensure all IAM users have MFA enabled
  • Ensure all S3 buckets have versioning enabled
  • Ensure all EC2 instances have protection against accidental termination
  • Ensure all EBS volumes are encrypted
  • Ensure all AMIs are encrypted
  • Ensure all RDS instances are encrypted
  • Ensure all IAM policies have a password policy

Full checklist that Checkov follows (click here)

Checkov Commands

  1. checkov -f /path/of/your/file
  2. checkov -d /path/of/directory/having/code/files
  3. checkov --output=json -d /path/of/your/terraform/code (you can select any output type, like JSON or HTML)

And you will get output something like this:

[Image: Checkov scan output]

In the above image, you can see Checkov throw an error saying that the code has vulnerabilities. The best part is that it also provides a link to resources that can help you resolve the error and make your code compliant.

Skipping Test in Checkov

Yes, Checkov gives you the flexibility to skip tests if you want to, and in this part we will see how. In the image, Checkov threw the error “VPC logging flow is not enabled in all VPCs”, which is not a recommended practice according to Checkov. But suppose I don’t want to enable logging: what should I do now? To skip the test, I need to make a change in main.tf by adding this:

#checkov:skip=<check_id>:<suppression_comment>

Here CKV2_AWS_11 is our test number, which you can easily find in the error message, followed by your custom message. With that comment in main.tf, the test is skipped. It’s that simple.
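Because an inline skip silently removes a finding from the scan, it helps to review suppressions and their justifications. The following is an added example, not code from the original post or from the Checkov project: it finds skip comments in Terraform source and flags those with no comment. The sample main.tf, its resource names and CIDR blocks are constructed for illustration.

```python
import re

# Matches the inline suppression format described above:
#   #checkov:skip=<check_id>:<suppression_comment>
SKIP_RE = re.compile(r"checkov:skip=\s*(?P<check_id>[A-Za-z0-9_]+)(?::(?P<comment>.*))?")

# Constructed main.tf: the skip comment sits inside the resource block it applies to.
SAMPLE_MAIN_TF = '''\
resource "aws_vpc" "demo" {
  #checkov:skip=CKV2_AWS_11:Flow logs not needed in this throwaway sandbox VPC
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "other" {
  #checkov:skip=CKV2_AWS_11
  cidr_block = "10.1.0.0/16"
}
'''


def find_suppressions(tf_source):
    """Return one dict per skip comment: line number, check ID, justification."""
    found = []
    for lineno, line in enumerate(tf_source.splitlines(), start=1):
        match = SKIP_RE.search(line)
        if match:
            comment = (match.group("comment") or "").strip()
            found.append({"line": lineno,
                          "check_id": match.group("check_id"),
                          "comment": comment})
    return found


def unjustified(suppressions):
    """Suppressions without a comment tell a reviewer nothing about the risk accepted."""
    return [s for s in suppressions if not s["comment"]]


if __name__ == "__main__":
    sups = find_suppressions(SAMPLE_MAIN_TF)
    for s in sups:
        print(f"line {s['line']}: {s['check_id']} -> {s['comment'] or 'NO JUSTIFICATION'}")
    print("unjustified:", [s["line"] for s in unjustified(sups)])
```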

CI integration of Checkov

Checkov can be integrated with popular CI/CD tools like Jenkins, CircleCI, and TravisCI for automated security checks. This can help ensure that any security issues are caught and fixed before they can become a problem. You can simply add Checkov as a stage in CI. In my case I am using Jenkins as the CI tool, and I have created a separate stage in my CI for Checkov. You can see the console output below:

[Image: Jenkins console output for the Checkov stage]
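A CI stage can also consume the JSON report from `checkov --output=json` to decide whether the build passes and to show reviewers which checks were skipped. The following is an added example, not the author's Jenkins stage or Checkov's own code; the report is constructed, `CKV_EXAMPLE_1` is a placeholder ID, and the JSON field names are assumptions to confirm against your Checkov version.

```python
import json
import sys

# Constructed report in the shape of `checkov --output=json`. Field names are
# assumed from Checkov's JSON report; confirm them against your Checkov version.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "failed_checks": [{
            "check_id": "CKV_EXAMPLE_1",  # placeholder ID, not a real check
            "resource": "aws_s3_bucket.demo", "file_path": "/main.tf",
            "file_line_range": [12, 15], "guideline": "https://example.invalid/fix",
        }],
        "skipped_checks": [{
            "check_id": "CKV2_AWS_11", "resource": "aws_vpc.demo",
            "check_result": {"result": "SKIPPED", "suppress_comment": "sandbox VPC"},
        }],
    },
    "summary": {"passed": 7, "failed": 1, "skipped": 1},
})

def evaluate(report_text):
    """Return (exit_code, lines): exit_code is 1 if any check failed, else 0."""
    data = json.loads(report_text)
    # Assumed: a multi-framework scan yields a list of reports, not one object.
    reports = data if isinstance(data, list) else [data]
    failed, lines = 0, []
    for report in reports:
        results = report.get("results", {})
        for chk in results.get("failed_checks", []):
            failed += 1
            start, end = chk.get("file_line_range") or (0, 0)
            where = f"{chk.get('file_path', '?')}:{start}-{end}"
            fix = chk.get("guideline") or "no guideline"
            lines.append(f"FAIL {chk['check_id']} {chk['resource']} {where} {fix}")
        # Surface suppressions so reviewers see what was skipped and why.
        for chk in results.get("skipped_checks", []):
            why = (chk.get("check_result") or {}).get("suppress_comment") or "no reason"
            lines.append(f"SKIP {chk['check_id']} {chk['resource']} ({why})")
    return (1 if failed else 0), lines

if __name__ == "__main__":
    if len(sys.argv) > 1:  # CI use: python checkov_gate.py report.json
        with open(sys.argv[1]) as fh:
            code, out = evaluate(fh.read())
        print("\n".join(out))
        sys.exit(code)
    print(evaluate(SAMPLE_REPORT))  # demo run on the constructed report
```

In a pipeline, write the scan output to a file first and pass that file's path as the script's argument; the script name `checkov_gate.py` is hypothetical.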

Conclusion

Overall, Checkov is a valuable tool for any organization that is looking to improve the security of their IAC files. It can help you identify and mitigate security risks, achieve compliance with security standards, and integrate security checks into your CI/CD pipeline.
