DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

IaC Code Analysis - Terraform

Terraform Security with Checkov

Checkov is an open-source static analysis tool that detects misconfigurations in Infrastructure as Code (IaC) such as Terraform, CloudFormation, Kubernetes manifests, and Helm charts. It was developed by Bridgecrew (now part of Palo Alto Networks, which is why its policy guides live under the Prisma Cloud documentation) and helps enforce security best practices, compliance requirements, and infrastructure governance by scanning code before it is deployed. Checkov evaluates resource configurations against predefined policies, including ones derived from the CIS Amazon Web Services (AWS) Foundations Benchmark. The goal is to find and fix security issues early in development, reduce the attack surface, and stop misconfigurations from reaching production. Integrated into a CI/CD pipeline, Checkov turns these policies into an automated, enforceable gate on every infrastructure change.

When it comes to Terraform security, Checkov scans two aspects of Terraform configurations:

  • Terraform files (.tf): Checkov parses the HCL codebase to find security issues, compliance violations, and deviations from best practice. It checks resource definitions, provider settings, variables, outputs, and the other elements of the configuration. Third-party modules are scanned as well, either from a local copy of their source or, with --download-external-modules true, after being fetched from the Terraform Registry or GitHub. This is static analysis of the Terraform source.

  • Terraform plans: Checkov can also scan a plan exported to JSON (terraform plan -out <file>, then terraform show -json <file>) to catch risks before the changes are applied. Because the plan holds resolved values, it exposes things the source alone does not: values supplied at run time through variables or tfvars files, outputs of modules and data sources, and resources expanded through count or for_each. It is still static analysis, but of the concrete change set rather than of the templates that produce it. One caveat: the plan JSON contains those resolved values in clear text, secrets included, so treat it as sensitive and do not commit it or keep it as a pipeline artifact.

In both cases, when a policy is violated, Checkov reports the resource, the offending configuration, the check ID, and the policy that was breached, together with a link to the policy's documentation page, which describes the remediation. The table below lists a few of the policies Checkov applies to HCL files for DigitalOcean, AWS, and Azure resources. The ID column is the row number of the policy in the policy index of the Checkov documentation, not the check ID (such as CKV_SECRET_6) that Checkov prints in its output:

ID   | Entity                     | Policy
1653 | digitalocean_spaces_bucket | Ensure the Spaces bucket has versioning enabled
1654 | digitalocean_droplet       | Ensure the droplet specifies an SSH key
1656 | digitalocean_firewall      | Ensure the firewall ingress is not wide open
43   | aws_iam_policy_document    | Ensure IAM policies that allow full "*-*" administrative privileges are not created
44   | aws_alb_listener           | Ensure ALB protocol is HTTPS
46   | aws_ebs_volume             | Ensure all data stored in the EBS is securely encrypted
1246 | azurerm_app_service        | Ensure App Service Authentication is set on Azure App Service
1247 | azurerm_linux_web_app      | Ensure App Service Authentication is set on Azure App Service
1248 | azurerm_windows_web_app    | Ensure App Service Authentication is set on Azure App Service

Checkov also covers other platforms, including Google Cloud Platform (GCP), Kubernetes, and Helm, and other IaC frameworks besides Terraform, such as CloudFormation. The full policy list for every supported framework and platform is in the Checkov documentation; in total it ships more than 4,000 policies for hardening a wide range of environments.

Install Checkov with pip (the Python package manager). Pin the version so every pipeline run evaluates the same policy set:

pip install checkov==3.2.382

Terraform File Scanning

To scan Terraform files, point Checkov at the project directory with -d (or run it from inside that directory with -d .):

checkov -d $HOME/RestQR/deploy/terraform
# or, from inside the project, with machine-readable output for a pipeline:
# checkov -d . -o json

Output similar to the following appears. This particular finding comes from the secrets framework, which Checkov runs alongside the Terraform checks by default: it flagged a high-entropy string (the dop_v1 prefix is the one DigitalOcean uses for API tokens) in a plan file, tfplan.json, that was present in the scanned directory, and masked the value in the report. It is a good illustration of why exported plans should not be left lying around in the repository:

secrets scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_SECRET_6: "Base64 High Entropy String"
    FAILED for resource: 6219f6f2054eb621ac456f68f5ea7d7e51552a2b
    File: /tfplan.json:70-71
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

        70 |                 "token": "dop_v1**********"

To include third-party modules in the scan, use the following command:

checkov -d $HOME/RestQR/deploy/terraform \
  --download-external-modules true

The -d flag takes the directory to scan and walks it recursively; -d . scans the current directory. To scan a single file, such as main.tf or an exported plan, use -f filename instead. The following table summarizes the difference between file-based and directory-based scanning:

Feature     | -f FILE (file-based)                             | -d DIRECTORY (directory-based)
Scope       | Scans only the specified file(s)                 | Scans all files in the directory, recursively
Use case    | Checking one file (e.g., main.tf or tfplan.json) | Checking an entire project or Terraform modules
Performance |                                                  |
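Pulling the pieces together, here is an added example (my own code, not Checkov's and not from this guide) of a CI gate that runs both scan modes described above, reads the -o json output instead of the console report, and fails the job by policy: accepted-risk check IDs are waived, but secrets findings never are. It assumes terraform and checkov are on PATH, the helper names are this example's own, and SAMPLE_REPORT is a hand-constructed report whose field names (results.failed_checks, check_id, resource, file_path, file_line_range) mirror what I understand Checkov's JSON output to use, so the parser may need adjusting against a real report.

```python
import json
import subprocess
import sys
from pathlib import Path

SECRET_PREFIX = "CKV_SECRET_"


def run(argv, cwd=None):
    # Checkov exits non-zero whenever a check fails; the gate reasons about the
    # JSON report instead, so the exit status is deliberately ignored here.
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True).stdout


def scan_directory(tf_dir):
    # Static scan of the HCL tree; remote modules are fetched and evaluated too.
    return json.loads(run(["checkov", "-d", str(tf_dir), "-o", "json",
                           "--download-external-modules", "true"]))


def scan_plan(tf_dir):
    # Plan scan: export the plan to JSON, scan it, delete it. The JSON holds
    # resolved values, secrets included, so it must not outlive the job.
    tf_dir = Path(tf_dir)
    binary, plan_json = tf_dir / "tfplan.binary", tf_dir / "tfplan.json"
    run(["terraform", "plan", "-out=tfplan.binary"], cwd=tf_dir)
    plan_json.write_text(run(["terraform", "show", "-json", "tfplan.binary"], cwd=tf_dir))
    try:
        out = run(["checkov", "-f", str(plan_json), "-o", "json",
                   "--repo-root-for-plan-enrichment", str(tf_dir)])
    finally:
        plan_json.unlink(missing_ok=True)
        binary.unlink(missing_ok=True)
    return json.loads(out)


def collect_failures(report):
    # Checkov emits one object per framework that ran (terraform, secrets, ...),
    # wrapped in a list when there is more than one. Field names follow
    # Checkov's JSON report as assumed for this example.
    sections = report if isinstance(report, list) else [report]
    return [{"check_id": c["check_id"],
             "check_name": c.get("check_name", ""),
             "resource": c.get("resource", ""),
             "file": c.get("file_path", ""),
             "lines": tuple(c.get("file_line_range", (0, 0)))}
            for s in sections
            for c in s.get("results", {}).get("failed_checks", [])]


def blocking_failures(findings, accepted_risks=frozenset()):
    # Gate policy: a finding blocks unless its check ID is an accepted risk.
    # Secrets findings always block: a leaked credential is rotated, not waived.
    return [f for f in findings
            if f["check_id"].startswith(SECRET_PREFIX)
            or f["check_id"] not in accepted_risks]


def dedupe(findings):
    # The directory scan and the plan scan report the same resource twice.
    seen = {}
    for f in findings:
        seen.setdefault((f["check_id"], f["resource"]), f)
    return list(seen.values())


# Constructed sample shaped like a two-framework `checkov -o json` report.
SAMPLE_REPORT = [
    {"check_type": "terraform",
     "results": {"passed_checks": [], "skipped_checks": [], "parsing_errors": [],
                 "failed_checks": [
                     {"check_id": "CKV_AWS_3", "check_result": {"result": "FAILED"},
                      "check_name": "Ensure all data stored in the EBS is securely encrypted",
                      "resource": "aws_ebs_volume.data",
                      "file_path": "/main.tf", "file_line_range": [12, 18]},
                     {"check_id": "CKV_AWS_2", "check_result": {"result": "FAILED"},
                      "check_name": "Ensure ALB protocol is HTTPS",
                      "resource": "aws_alb_listener.http",
                      "file_path": "/lb.tf", "file_line_range": [4, 11]}]},
     "summary": {"passed": 0, "failed": 2, "skipped": 0, "parsing_errors": 0}},
    {"check_type": "secrets",
     "results": {"passed_checks": [], "skipped_checks": [], "parsing_errors": [],
                 "failed_checks": [
                     {"check_id": "CKV_SECRET_6", "check_result": {"result": "FAILED"},
                      "check_name": "Base64 High Entropy String",
                      "resource": "6219f6f2054eb621ac456f68f5ea7d7e51552a2b",
                      "file_path": "/tfplan.json", "file_line_range": [70, 71]}]},
     "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 0}},
]


def main(argv):
    tf_dir = argv[1] if len(argv) > 1 else "."
    accepted = frozenset(argv[2:])  # e.g. CKV_AWS_2 for a documented HTTP-only listener
    findings = dedupe(collect_failures(scan_directory(tf_dir))
                      + collect_failures(scan_plan(tf_dir)))
    blocking = blocking_failures(findings, accepted)
    for f in blocking:
        print(f"{f['check_id']:14} {f['resource']:36} {f['file']}:{f['lines'][0]}-{f['lines'][1]}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python ci_gate.py $HOME/RestQR/deploy/terraform CKV_AWS_2 to waive one check ID. Checkov's own --skip-check, --soft-fail-on and --hard-fail-on flags cover simple waivers natively; what the script adds is the paired source-plus-plan run, the cleanup of the exported plan, and a rule that a secrets finding can never be risk-accepted.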
