Secure Your Terraform Infrastructure with Checkov

Checkov is a tool that helps you find security issues in your Infrastructure as Code (IaC) files before they become problems. Here’s how to use Checkov with Terraform, skip specific checks, and view the results in GitHub Actions.

What is Checkov?

Checkov scans your IaC files, like Terraform configurations, for security issues and compliance problems. It supports various frameworks and helps ensure your infrastructure is secure.

Getting Started with Checkov
Installation

First, install Checkov:

pip install checkov

Running a Scan
To scan your Terraform files in a specific directory (e.g., terraform) and skip certain checks, use:

checkov -d terraform --skip-check CKV_AWS_18,CKV_AWS_144,CKV_AWS_145

This command scans the terraform folder and skips checks with IDs CKV_AWS_18, CKV_AWS_144, and CKV_AWS_145.

Example Terraform Code

provider "aws" {
  region = "us-west-2"
}

resource "aws_s3_bucket" "example" {
  bucket = "my-example-bucket"
}

GitHub Actions Workflow

name: Checkov Scan

on: [workflow_dispatch]

permissions:
  contents: read

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout code
      uses: actions/checkout@v2

    - name: Install Python
      uses: actions/setup-python@v2
      with:
        python-version: '3.x'

    - name: Install Checkov
      run: pip install checkov

    - name: Run Checkov
      run: checkov -d terraform --skip-check CKV_AWS_18,CKV_AWS_144,CKV_AWS_145
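The scan command above skips three S3 checks (CKV_AWS_18 access logging, CKV_AWS_144 cross-region replication, CKV_AWS_145 KMS default encryption), and the workflow fails the job only because checkov itself exits non-zero. A practitioner usually wants two more things: a machine-readable verdict from Checkov's JSON output and a guarantee that every skipped check has a written justification, so the skip list stays reviewed rather than growing silently. The script below, an added example that is not part of the original post or of the Checkov project, does both. It assumes the job ran `checkov -d terraform -o json --skip-check ...` and saved the output to a file; the sample report and the justification register are constructed for illustration, with CKV_AWS_145 deliberately left undocumented so the gate has something to catch.

```python
"""Gate a CI job on Checkov's JSON output and keep the --skip-check list reviewed.

Added example, not part of the original post or of the Checkov project.
Assumes `checkov -d terraform -o json --skip-check ...` was run and its output
captured to a file; the sample below is constructed, not real scan output.
"""
import json
import sys
from typing import Any, Dict, List

# Skip list exactly as used in the post's checkov command.
SKIP_CHECKS = "CKV_AWS_18,CKV_AWS_144,CKV_AWS_145"

# Hypothetical justification register (would live in version control next to the
# workflow). CKV_AWS_145 is deliberately missing so the gate flags an undocumented skip.
SKIP_JUSTIFICATIONS: Dict[str, str] = {
    "CKV_AWS_18": "bucket access logging is collected by a central CloudTrail data-event trail",
    "CKV_AWS_144": "cross-region replication is not required for this non-critical bucket",
}

# Constructed sample in the shape of Checkov's single-framework JSON report,
# trimmed to the fields this script reads.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {
                "check_id": "CKV_AWS_21",
                "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
                "resource": "aws_s3_bucket.example",
                "file_path": "/terraform/main.tf",
                "file_line_range": [5, 7],
                "check_result": {"result": "FAILED"},
            }
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 0, "resource_count": 1},
})


def undocumented_skips(skip_arg: str, justifications: Dict[str, str]) -> List[str]:
    """Return skipped check IDs that have no non-empty justification on record."""
    ids = [s.strip() for s in skip_arg.split(",") if s.strip()]
    return [i for i in ids if not justifications.get(i, "").strip()]


def failed_findings(report_json: str) -> List[str]:
    """Flatten failed checks into 'CHECK_ID resource (file:line)' strings.

    Checkov emits one object when a single framework runs and a list when several
    frameworks (terraform, secrets, ...) are scanned; both shapes are handled.
    """
    parsed = json.loads(report_json)
    reports = parsed if isinstance(parsed, list) else [parsed]
    findings: List[str] = []
    for rep in reports:
        for chk in rep.get("results", {}).get("failed_checks", []):
            line = chk.get("file_line_range", ["?"])[0]
            findings.append(f"{chk['check_id']} {chk['resource']} ({chk['file_path']}:{line})")
    return findings


def gate(report_json: str, skip_arg: str, justifications: Dict[str, str]) -> Dict[str, Any]:
    """Pipeline may proceed only with no failed checks and no undocumented skips."""
    failures = failed_findings(report_json)
    missing = undocumented_skips(skip_arg, justifications)
    return {"passed": not failures and not missing,
            "failures": failures,
            "undocumented_skips": missing}


if __name__ == "__main__":
    # Pass the saved report path as argv[1]; without one, the constructed sample is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    verdict = gate(report, SKIP_CHECKS, SKIP_JUSTIFICATIONS)
    for finding in verdict["failures"]:
        print("FAILED:", finding)
    for check_id in verdict["undocumented_skips"]:
        print("UNDOCUMENTED SKIP:", check_id)
    sys.exit(0 if verdict["passed"] else 1)
```

In the workflow this replaces the last step with two: one that runs `checkov -d terraform -o json --skip-check CKV_AWS_18,CKV_AWS_144,CKV_AWS_145 > checkov.json || true` (the `|| true` keeps the job alive long enough for the gate to report), and one that runs the script with `checkov.json` as its argument. The job then fails for a failed check or for a skip that nobody has justified, and the log shows which.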

Refer to my sample workflow log image here.

For more details, check out My GitHub

Conclusion

Checkov helps keep your Terraform configurations secure by scanning for issues and letting you skip checks that do not apply to your environment. Integrating it into your GitHub Actions workflow runs the scan automatically and shows the results in the workflow log within GitHub. This setup gives you a repeatable check that your infrastructure code meets the policies you have chosen to enforce, every time the workflow runs.