Security is a major component of every cloud architecture framework, such as the Amazon Web Services (AWS) Well-Architected Framework or any other cloud provider's equivalent.
The ideal solution is to create a system that uses well-crafted frameworks, agreed-upon security policies, and community guidelines to audit raw infrastructure-as-code configurations. This actively prevents security misconfigurations before deployment. My solution of choice today is Checkov, an open-source infrastructure-as-code static analysis tool published by Bridgecrew.
In this post, I’ll start by explaining the need for infrastructure-as-code security auditing by looking at the State of Open Source Terraform Security report from Bridgecrew. From there, I’ll share how Checkov audits my CloudFormation templates by way of Bitbucket Pipelines (CI) workflows.
Supported clouds and frameworks
Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.
Checkov supports developers using Terraform, Terraform plan, CloudFormation, Kubernetes, ARM Templates, Serverless, Helm, and AWS CDK.
Checkov and Continuous Integration
All of my cloud environments are created and maintained with infrastructure as code, such as CloudFormation or Terraform, using a CI engine such as GitHub, GitLab or Bitbucket; in my case I’m using Bitbucket.
My Bitbucket pipeline triggers a suite of security and linting tests as part of the “validate” stage whenever changes are pushed to the branch. A snippet of the Bitbucket CI YAML configuration is shown below:
bitbucket-pipelines.yml
Here’s a breakdown of this job’s lifecycle:
• When Bitbucket triggers the checkov job, a container is started from the bridgecrew/checkov:latest container image.
• This image contains the latest release of Checkov.
• The checkov -d . command runs Checkov, which recursively scans the repository root for CloudFormation files.
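As an added example (not the author's own file, which the page does not reproduce), a minimal bitbucket-pipelines.yml that implements the validate step described above; it assumes the CloudFormation templates sit in the repository root, as the post says:

```yaml
# Added example bitbucket-pipelines.yml (not the author's file).
# Assumes the CloudFormation templates live in the repository root.
pipelines:
  default:
    - step:
        name: validate
        # Run inside the official Checkov image, so no install step is needed.
        image: bridgecrew/checkov:latest
        script:
          # Scan the repository root recursively, limited to CloudFormation templates.
          # Checkov exits non-zero when any check fails, which fails this step
          # and therefore the pipeline, before anything is deployed.
          - checkov -d . --framework cloudformation
```

The --framework flag narrows the scan to one template type; omit it to let Checkov pick up every supported framework it finds in the repository.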
Below is a snippet showing how the Bitbucket repository looks.
I keep all the CloudFormation template files in the root directory, along with the bitbucket-pipelines.yml that is responsible for triggering the Checkov security scan.
Checkov Scan Results
checkov -d .
We can see that Checkov performed the security scan and failed the CI run based on its security rules, with a description of why each check failed and the file in which the rule mismatch was found. Now all we have to do is fix the issue, push a new commit, and try again.