InfoQ News

Infrastructure Vulnerability Scanner Checkov Adds Context Aware Assessments


Bridgecrew has announced the first 2.x version of Checkov. Checkov is an open-source scanner for infrastructure as code (IaC). The 2.0 release includes a re-architected, graph-based backend that allows queries spanning several resources to be evaluated together. Coverage has also grown with the addition of nearly 250 new policies.

With the adoption of a graph-based framework for the Terraform processing logic, it is now possible to take into account the context of the environment in assessments. This sample Terraform from Checkov's training repo TerraGoat creates a MySQL RDS database:

resource "aws_db_instance" "default" {
  name                    = var.dbname
  engine                  = "mysql"
  option_group_name       = aws_db_option_group.default.name
  parameter_group_name    = aws_db_parameter_group.default.name
  db_subnet_group_name    = aws_db_subnet_group.default.name
  vpc_security_group_ids  = ["${aws_security_group.default.id}"]

  identifier              = "rds-${local.resource_prefix.value}"
  engine_version          = "8.0" # Latest major version 
  instance_class          = "db.t3.micro"
  allocated_storage       = "20"
  username                = "admin"
  password                = var.password
  multi_az                = false
}

Nothing in the sample above says whether the database is reachable from the internet: the security group referenced in vpc_security_group_ids is defined in a separate resource, and its ingress rules (together with the VPC it belongs to) are what decide that. Previous versions of Checkov could flag an aws_security_group with an over-permissive ingress rule, but could not tie that finding back to the instance that uses it. With the graph-based approach, version 2 can report the instances exposed by the overly permissive security group.
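
The following is an added example, not code from Checkov or Bridgecrew, that sketches the difference on a tiny inventory: Terraform-style references are resolved into a resource graph, an attribute-only check reports the open security group, and a walk over the graph reports the aws_db_instance that uses it. The resource names, the flattened ingress_cidr_blocks attribute and the reference regex are this example's own assumptions.

```python
"""Added illustration of the graph-based check described above; not Checkov's code.
A pre-graph check can only say that a security group is open; with a resource
graph the same finding can be carried to the aws_db_instance that uses it."""
import re
from typing import Dict, List, Set

# Constructed resources standing in for parsed Terraform; names and values are made up,
# and security group ingress is flattened to one attribute for brevity.
RESOURCES: Dict[str, dict] = {
    "aws_security_group.open":     {"ingress_cidr_blocks": ["0.0.0.0/0"]},
    "aws_security_group.internal": {"ingress_cidr_blocks": ["10.0.0.0/16"]},
    "aws_db_instance.default":     {"vpc_security_group_ids": ["${aws_security_group.open.id}"],
                                    "db_subnet_group_name": "aws_db_subnet_group.default.name"},
    "aws_db_instance.private":     {"vpc_security_group_ids": ["aws_security_group.internal.id"]},
    "aws_db_subnet_group.default": {"subnet_ids": ["${aws_subnet.a.id}"]},  # aws_subnet.a is not in the inventory
}

# Terraform references look like aws_security_group.open.id or ${aws_security_group.open.id};
# group 1 is the referenced resource id (type.name).
REF = re.compile(r"\b(aws_[a-z0-9_]+\.[A-Za-z0-9_-]+)\.[a-z_]+")


def rtype(rid: str) -> str:
    return rid.split(".", 1)[0]


def build_graph(resources: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Undirected adjacency: each resource is linked to every resource it references."""
    edges: Dict[str, Set[str]] = {rid: set() for rid in resources}
    for rid, attrs in resources.items():
        for target in REF.findall(str(list(attrs.values()))):
            if target in resources:  # dangling references (variables, data, modules) are skipped
                edges[rid].add(target)
                edges[target].add(rid)
    return edges


def open_security_groups(resources: Dict[str, dict]) -> List[str]:
    """Attribute-only check: security groups whose ingress admits the whole internet."""
    return sorted(rid for rid, attrs in resources.items()
                  if rtype(rid) == "aws_security_group"
                  and "0.0.0.0/0" in attrs.get("ingress_cidr_blocks", []))


def exposed_db_instances(resources: Dict[str, dict], edges: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Graph check: map each aws_db_instance to the open security groups it is wired to."""
    findings: Dict[str, List[str]] = {}
    for sg in open_security_groups(resources):
        for neighbour in edges[sg]:
            if rtype(neighbour) == "aws_db_instance":
                findings.setdefault(neighbour, []).append(sg)
    return {db: sorted(sgs) for db, sgs in sorted(findings.items())}


if __name__ == "__main__":
    graph = build_graph(RESOURCES)
    print("attribute-only finding:", open_security_groups(RESOURCES))
    print("graph finding:         ", exposed_db_instances(RESOURCES, graph))
```

The attribute-only check returns only aws_security_group.open; the graph check returns aws_db_instance.default keyed to that group, while aws_db_instance.private, which uses the internal group, is not reported. Unresolvable references such as the subnet that is absent from the inventory are simply skipped rather than producing edges to nothing.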

To facilitate writing these checks, a new YAML-based policy definition language has been added. It provides attribute conditions (equality, existence, contains), connection conditions between resource types, a filter condition using within to select the resource types a policy reports on, and the and/or combinators for composing them.

These new policies use a CKV2_ naming scheme to easily differentiate them from the existing CKV_ policies. The new graph checks for GCP, Azure, and AWS are available in the GitHub repo. The following included policy for AWS ensures that only encrypted EBS volumes are attached to EC2 instances:

metadata:
  name: "Ensure that only encrypted EBS volumes are attached to EC2 instances"
  category: "ENCRYPTION"
  id: "CKV2_AWS_2"
definition:
  and:
    - or:
      - cond_type: "connection"
        resource_types:
          - "aws_volume_attachment"
        connected_resource_types:
          - "aws_ebs_volume"
        operator: "not_exists"
      - and:
          - cond_type: "attribute"
            resource_types:
              - "aws_ebs_volume"
            attribute: "encrypted"
            operator: "equals"
            value: true
          - cond_type: "connection"
            resource_types:
              - "aws_volume_attachment"
            connected_resource_types:
              - "aws_ebs_volume"
            operator: "exists"
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "aws_ebs_volume"
      operator: "within"
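
To make the constructs of the policy language and the definition above concrete, here is an added, simplified evaluator (not Checkov's implementation) run over a constructed graph of three volumes, two attachments and one instance. The set-based meaning given to each construct (and as intersection, or as union, connection as symmetric between the two listed resource types, filter as the reporting scope) and the resource names are this example's assumptions; the policy itself is the YAML above transcribed to a dict so no YAML parser is needed.

```python
"""Simplified evaluator for the YAML policy above; added here and not Checkov's code.
The set semantics given to and/or/attribute/connection/filter are this example's
assumption, and the policy is transcribed to a dict so no YAML parser is needed."""
from typing import Dict, List, Set, Tuple

# Constructed resource graph, standing in for what a plan would produce; names are made up.
RESOURCES: Dict[str, dict] = {
    "aws_ebs_volume.unattached":      {"encrypted": False},  # nothing refers to it
    "aws_ebs_volume.good":            {"encrypted": True},
    "aws_ebs_volume.bad":             {"encrypted": False},
    "aws_instance.web":               {},
    "aws_volume_attachment.good_att": {},
    "aws_volume_attachment.bad_att":  {},
}
LINKS = [  # each attachment refers to one volume and one instance; edges are stored undirected
    ("aws_volume_attachment.good_att", "aws_ebs_volume.good"),
    ("aws_volume_attachment.good_att", "aws_instance.web"),
    ("aws_volume_attachment.bad_att", "aws_ebs_volume.bad"),
    ("aws_volume_attachment.bad_att", "aws_instance.web"),
]
EDGES: Dict[str, Set[str]] = {rid: set() for rid in RESOURCES}
for _a, _b in LINKS:
    EDGES[_a].add(_b)
    EDGES[_b].add(_a)

CKV2_AWS_2 = {"and": [
    {"or": [
        {"cond_type": "connection", "resource_types": ["aws_volume_attachment"],
         "connected_resource_types": ["aws_ebs_volume"], "operator": "not_exists"},
        {"and": [
            {"cond_type": "attribute", "resource_types": ["aws_ebs_volume"],
             "attribute": "encrypted", "operator": "equals", "value": True},
            {"cond_type": "connection", "resource_types": ["aws_volume_attachment"],
             "connected_resource_types": ["aws_ebs_volume"], "operator": "exists"},
        ]},
    ]},
    {"cond_type": "filter", "attribute": "resource_type", "value": ["aws_ebs_volume"], "operator": "within"},
]}


def rtype(rid: str) -> str:
    return rid.split(".", 1)[0]


def evaluate(node: dict, resources: Dict[str, dict], edges: Dict[str, Set[str]]) -> Set[str]:
    """Ids of resources satisfying `node`: and = intersection, or = union of the operands."""
    if "and" in node:
        return set.intersection(*(evaluate(c, resources, edges) for c in node["and"]))
    if "or" in node:
        return set.union(*(evaluate(c, resources, edges) for c in node["or"]))
    kind, op = node["cond_type"], node["operator"]
    if kind == "filter":  # within: the resource types this policy reports on
        return {rid for rid in resources if rtype(rid) in node["value"]}
    if kind == "attribute":
        test = {"equals": lambda v: v == node["value"], "not_equals": lambda v: v != node["value"],
                "exists": lambda v: v is not None, "not_exists": lambda v: v is None,
                "contains": lambda v: v is not None and node["value"] in v}[op]
        return {rid for rid, attrs in resources.items()
                if rtype(rid) in node["resource_types"] and test(attrs.get(node["attribute"]))}
    if kind == "connection":  # symmetric: resources on either side with (or without) an edge to the other
        sides = (set(node["resource_types"]), set(node["connected_resource_types"]))
        hits = set()
        for rid in resources:
            for mine, other in (sides, sides[::-1]):
                if rtype(rid) in mine and any(rtype(n) in other for n in edges[rid]) == (op == "exists"):
                    hits.add(rid)
        return hits
    raise ValueError(f"unsupported cond_type {kind!r}")


def scope(node: dict, resources, edges) -> Set[str]:
    """Resources the policy reports on: the union of its filter conditions."""
    kids = node.get("and") or node.get("or")
    if kids:
        return set().union(*(scope(k, resources, edges) for k in kids))
    return evaluate(node, resources, edges) if node["cond_type"] == "filter" else set()


def run_policy(definition: dict, resources, edges) -> Tuple[List[str], List[str]]:
    """(passed, failed) ids: a resource in scope that does not satisfy the definition fails."""
    passed, in_scope = evaluate(definition, resources, edges), scope(definition, resources, edges)
    return sorted(passed & in_scope), sorted(in_scope - passed)


def attached_instances(volume_id: str, resources, edges) -> List[str]:
    """Walk volume -> attachment -> instance so the finding can name the affected EC2 instance."""
    return sorted({i for a in edges[volume_id] if rtype(a) == "aws_volume_attachment"
                   for i in edges[a] if rtype(i) == "aws_instance"})


if __name__ == "__main__":
    passed, failed = run_policy(CKV2_AWS_2, RESOURCES, EDGES)
    print("passed:", passed)
    for vol in failed:
        print(f"FAILED {vol}; attached to {attached_instances(vol, RESOURCES, EDGES)}")
```

Under these semantics the unattached volume passes through the not_exists branch regardless of its encrypted flag, the encrypted attached volume passes through the inner and, and the unencrypted attached volume is the only failure. Because the attachment is part of the graph, the finding can be reported against aws_instance.web rather than against the volume alone.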


CKV2_AWS_2 handles EBS volumes whether or not they are attached to an EC2 instance: a volume that no aws_volume_attachment refers to passes, and an attached volume passes only when encrypted is true. Instead of only being able to identify unencrypted EBS volumes, the graph's context can be used to also identify the EC2 instance a failing volume is attached to.

This release also includes the ability to scan Dockerfiles for misconfigurations. Along with the following included policies, it is possible to create custom policies:

  • Ensuring that COPY is used instead of ADD in Dockerfiles
  • Ensuring that HEALTHCHECK instructions have been added to container images
  • Ensuring update instructions are not used alone in the Dockerfile
  • Ensuring that a user for the container has been created
  • Ensuring port 22 is not exposed

Nearly 250 new policies have been added with this release, both in CKV_ (Python) and CKV2_ (graph) formats. With these new policies, CIS benchmark coverage has increased in a number of areas.

CIS benchmark coverage improvements with Checkov 2.0 (credit: Bridgecrew)

Upgrading to the latest version can be done via pip or brew, or by pulling the latest bridgecrewio/checkov Docker image. Bridgecrew also offers community office hours and a Slack group for support.
