Playing with Checkov

If quarterly road maps are to be believed, in a month or so I’ll have a lot more Terraform back in my life, so I’ve been dipping my toe back into Terraform’s ecosystem and supporting tools. One of the areas I’m most interested in updating myself on is automated testing, from static analysis tools and linting to integration testing the resources it creates. I recently spent a few days playing with rego, conftest and OpenPolicyAgent related tools in the Docker space (Playing with conftest and yum repository policies) and while it also supports Terraform I didn’t enjoy the process or the tooling and decided to look elsewhere.

I’d like something with a little less of a learning curve and using a more familiar language. Looking back over some of the presentations on the subject from this year’s Config Management Camp, I stumbled onto Checkov, a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure managed in Terraform, CloudFormation or Kubernetes and detects misconfigurations. I installed it inside a Python virtualenv using pip, pointed it at one of our Terraform repositories and then recoiled at a couple of the things it found.

After fixing the issues, mostly turning encryption on in resources that didn’t offer it when we deployed them, I decided to have a look at how the Checkov tests were implemented. Having a decent set of oddity detecting baseline “scans” is a great opening feature but if you can’t extend a tool it quickly becomes less useful once you’ve cleaned up the initial reports.

Checkov is written in Python and has good documentation for adding your own extensions, so I decided to add an allowed Lambda runtime Checkov extension to detect Lambda functions written in languages we don’t support.

Check: DW_AWS_01: "Lambda runtime is allowed"
  FAILED for resource: aws_lambda_function.process_scans
  File: /fail-runtime.tf:1-10

  1  | resource "aws_lambda_function" "process_scans" {
  ... snip ...
  7  |   runtime          = "nodejs12.x"
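A custom Checkov check of the kind described above, added here as an example and not the post’s own extension: the check ID and name match the output above, while the allow list is a constructed placeholder and the stand-in classes in the except branch are assumptions so the example runs even without Checkov installed.

```python
"""Custom Checkov check: fail any aws_lambda_function whose runtime is
not on a team allow list. Checkov passes each resource's attributes as
a dict of lists, e.g. {"runtime": ["nodejs12.x"]}."""
try:
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import (
        BaseResourceCheck,
    )
except ImportError:  # assumed stand-ins so the example runs without checkov
    from enum import Enum

    class CheckResult(Enum):
        PASSED = "PASSED"
        FAILED = "FAILED"

    class CheckCategories(Enum):
        GENERAL_SECURITY = "GENERAL_SECURITY"

    class BaseResourceCheck:
        def __init__(self, name, id, categories, supported_resources):
            self.name, self.id = name, id
            self.categories = categories
            self.supported_resources = supported_resources

# Constructed allow list: runtimes the team supports. Anything else,
# including older versions such as nodejs12.x, fails the check.
ALLOWED_RUNTIMES = {"python3.12", "python3.11", "nodejs20.x"}


class LambdaRuntimeAllowed(BaseResourceCheck):
    def __init__(self):
        super().__init__(
            name="Lambda runtime is allowed",
            id="DW_AWS_01",
            categories=[CheckCategories.GENERAL_SECURITY],
            supported_resources=["aws_lambda_function"],
        )

    def scan_resource_conf(self, conf):
        # A missing runtime attribute is treated as a failure too, so an
        # unparseable or templated value cannot slip through silently.
        runtime = conf.get("runtime")
        if not runtime or runtime[0] not in ALLOWED_RUNTIMES:
            return CheckResult.FAILED
        return CheckResult.PASSED


# Checkov discovers the check through this module-level instance.
check = LambdaRuntimeAllowed()
```

Drop the file into a directory and run `checkov -d . --external-checks-dir <that directory>` to have it picked up alongside the built-in checks.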

I’m much more familiar with Python than rego, so comparisons are difficult, but I enjoyed writing the Checkov extension much more than those using conftest. The docs are more unified and have fuller examples. The checks are less fragmented across many tiny functions, and the data model it provides to access the resource’s internals was quick and easy to work with.

If you’re looking for a tool to stop you making obvious mistakes in your AWS Terraform code while also wanting to be able to extend and customise it, then Checkov is well worth a look. Even if it’s only to do an initial run and fix any issues it detects.