Bridgecrew has announced the first 2.x version of Checkov. Checkov is an open-source scanner for infrastructure as code (IaC). The 2.0 release includes a re-architected backend that is now graph-based, allowing for better processing of multi-resource queries. There has also been an increase in coverage with the addition of nearly 250 new policies.
With the adoption of a graph-based framework for the Terraform processing logic, it is now possible to take into account the context of the environment in assessments. This sample Terraform from Checkov's training repo TerraGoat creates a MySQL RDS database:
resource "aws_db_instance" "default" {
  name                   = var.dbname
  engine                 = "mysql"
  option_group_name      = aws_db_option_group.default.name
  parameter_group_name   = aws_db_parameter_group.default.name
  db_subnet_group_name   = aws_db_subnet_group.default.name
  vpc_security_group_ids = ["${aws_security_group.default.id}"]
  identifier             = "rds-${local.resource_prefix.value}"
  engine_version         = "8.0" # Latest major version
  instance_class         = "db.t3.micro"
  allocated_storage      = "20"
  username               = "admin"
  password               = var.password
  multi_az               = false
}
Nothing in the sample above indicates if the database is publicly accessible; for that, the scan would need to assess the security groups and VPCs. Previous versions of Checkov would be able to indicate if the security group was publicly exposed but not be able to tie that back to the affected instance. With the graph-based approach, version 2 is able to identify the affected instances that are exposed due to the overly permissive security group.
To facilitate writing these checks, a new YAML-based policy definition language has been added. This language contains a number of constructs, including equality, existence, contains, and, or, and within filtering.
These new policies use a CKV2_ naming scheme to easily differentiate them from the existing CKV_ policies. The new graph checks for GCP, Azure, and AWS are available within the GitHub repo. The following included policy for AWS ensures that only encrypted EBS volumes are attached to EC2 instances:
metadata:
  name: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
  category: "ENCRYPTION"
  id: "CKV2_AWS_2"
definition:
  and:
    - or:
        - cond_type: "connection"
          resource_types:
            - "aws_volume_attachment"
          connected_resource_types:
            - "aws_ebs_volume"
          operator: "not_exists"
        - and:
            - cond_type: "attribute"
              resource_types:
                - "aws_ebs_volume"
              attribute: "encrypted"
              operator: "equals"
              value: true
            - cond_type: "connection"
              resource_types:
                - "aws_volume_attachment"
              connected_resource_types:
                - "aws_ebs_volume"
              operator: "exists"
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "aws_ebs_volume"
      operator: "within"
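To make the and/or/connection/filter semantics of the CKV2_AWS_2 policy above concrete, here is an added toy evaluator (example code written for this article, not Checkov's own engine) run over a small constructed resource graph; the set-based semantics, resource names and edges are assumptions, and a helper walks the same graph to name the EC2 instance behind a failing volume, which is the context a flat per-resource check cannot provide.

```python
# Added example, not Checkov's own engine: a toy evaluator for the YAML graph policy shape
# above (simplified: each condition yields the set of resources satisfying it, "and"
# intersects, "or" unions, "filter" fixes the reporting scope). Graph below is constructed.
RESOURCES = {  # Terraform address -> attributes
    "aws_ebs_volume.enc": {"resource_type": "aws_ebs_volume", "encrypted": True},
    "aws_ebs_volume.plain": {"resource_type": "aws_ebs_volume", "encrypted": False},
    "aws_ebs_volume.spare": {"resource_type": "aws_ebs_volume", "encrypted": False},
    "aws_volume_attachment.a": {"resource_type": "aws_volume_attachment"},
    "aws_volume_attachment.b": {"resource_type": "aws_volume_attachment"},
    "aws_instance.web": {"resource_type": "aws_instance"},
}
EDGES = {("aws_volume_attachment.a", "aws_ebs_volume.enc"), ("aws_volume_attachment.a", "aws_instance.web"),
         ("aws_volume_attachment.b", "aws_ebs_volume.plain"), ("aws_volume_attachment.b", "aws_instance.web")}
# The CKV2_AWS_2 definition from the page, transcribed as a Python dict.
CKV2_AWS_2 = {"and": [
    {"or": [
        {"cond_type": "connection", "resource_types": ["aws_volume_attachment"],
         "connected_resource_types": ["aws_ebs_volume"], "operator": "not_exists"},
        {"and": [{"cond_type": "attribute", "resource_types": ["aws_ebs_volume"],
                  "attribute": "encrypted", "operator": "equals", "value": True},
                 {"cond_type": "connection", "resource_types": ["aws_volume_attachment"],
                  "connected_resource_types": ["aws_ebs_volume"], "operator": "exists"}]}]},
    {"cond_type": "filter", "attribute": "resource_type", "value": ["aws_ebs_volume"], "operator": "within"}]}

def of_types(types): return {a for a, r in RESOURCES.items() if r["resource_type"] in types}
def neighbours(addr): return {b for a, b in EDGES if a == addr} | {a for a, b in EDGES if b == addr}

def evaluate(cond):  # returns the set of resource addresses that satisfy `cond`
    if "and" in cond:
        return set.intersection(*map(evaluate, cond["and"]))
    if "or" in cond:
        return set.union(*map(evaluate, cond["or"]))
    kind, op = cond["cond_type"], cond["operator"]
    if kind == "attribute" and op == "equals":
        return {a for a in of_types(cond["resource_types"])
                if RESOURCES[a].get(cond["attribute"]) == cond["value"]}
    if kind == "connection":  # resources on either side that do / do not have a cross edge
        left, right = of_types(cond["resource_types"]), of_types(cond["connected_resource_types"])
        linked = {x for x in left | right if neighbours(x) & (right if x in left else left)}
        return linked if op == "exists" else (left | right) - linked
    if kind == "filter" and op == "within":
        return of_types(cond["value"])
    raise ValueError(f"unsupported condition {kind}/{op}")

def run_policy(definition):  # (passed, failed) within the scope set by the top-level filter
    scope = evaluate(next(c for c in definition["and"] if c.get("cond_type") == "filter"))
    return sorted(evaluate(definition)), sorted(scope - evaluate(definition))

def attached_instances(volume):  # volume -> attachment -> instance, so a finding names the EC2 host
    return sorted(i for att in neighbours(volume) if att in of_types(["aws_volume_attachment"])
                  for i in neighbours(att) if i in of_types(["aws_instance"]))
```

Running run_policy(CKV2_AWS_2) on the constructed graph passes the encrypted and the unattached volume and fails the attached unencrypted one; attached_instances then points the finding at aws_instance.web.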
This policy is able to handle EC2 instances with or without attached EBS volumes. Instead of only being able to identify unencrypted EBS volumes, the graph's context can be used to also identify the EC2 instance it is attached to.
This release also includes the ability to scan Dockerfiles for misconfigurations. Along with the following included policies, it is possible to create custom policies:
- Ensuring that COPY is used instead of ADD in Dockerfiles
- Ensuring that HEALTHCHECK instructions have been added to container images
- Ensuring update instructions are not used alone in the Dockerfile
- Ensuring that a user for the container has been created
- Ensuring port 22 is not exposed
Nearly 250 new policies have been added with this release, both in CKV_ (Python) and CKV2_ (graph) formats. With these new policies, CIS benchmark coverage has increased in a number of areas.
Upgrading to the latest version can be done via pip, brew, or by pulling the latest bridgecrewio/checkov Docker container. Bridgecrew has community office hours and a Slack group available as well for support.