Scanning Terraform Plans with Checkov

Terrateam integrates with Checkov, a popular tool for scanning infrastructure as code, to help you detect and prevent common misconfigurations in your Terraform plans. By running Checkov against your Terraform plans as part of your Terrateam workflows, you can identify potential issues before they are applied to your infrastructure, ensuring better security and compliance.

What is Checkov?

Checkov is an open-source tool that scans infrastructure as code (IaC) files, such as Terraform configurations, to identify misconfigurations, security issues, and compliance violations. It provides a comprehensive set of built-in policies and checks based on industry best practices and compliance standards like the CIS Benchmark, HIPAA, and PCI-DSS. Checkov can be integrated into your CI/CD pipeline to automatically scan your Terraform plans and provide feedback on potential issues, helping you catch and fix problems early in the development process.

Configuring Checkov

To integrate Checkov with Terrateam, you need to configure a custom workflow in your Terrateam configuration file (.terrateam/config.yml). Here’s an example configuration that runs Checkov against the generated Terraform plan:

workflows:
  - tag_query: ''
    plan:
      - type: init
      - type: plan
      - type: run
        cmd: ['checkov-wrapper']
        capture_output: true

In this configuration:

• The init and plan steps generate the Terraform plan as usual.
• The run step executes the checkov-wrapper script, which calls the checkov binary with the generated Terraform plan file.
• The capture_output option is set to true to include the Checkov output in the Terrateam plan results.

Note

The checkov-wrapper is a simple bash script that calls the checkov binary using the generated Terraform plan file. You can find the source code here.

Scanning Terraform Plans

When a Terrateam plan operation runs with Checkov enabled, the following steps occur:

1. Terrateam generates the Terraform plan file.

2. Checkov is executed against the generated plan file, scanning for misconfigurations and policy violations.

3. If Checkov detects any issues, it returns a non-zero exit status, causing the Terrateam plan operation to fail.

4. The Checkov output, including details about the identified issues, is captured and included in the Terrateam plan results.

5. If the plan passes the Checkov scan without any issues, the Terrateam plan operation succeeds, and the plan can be reviewed and applied as usual.

Here’s an example of a Terrateam plan failing due to a Checkov scan detecting misconfigurations:

Customizing Checkov Options

Checkov provides various configuration options that can be customized using environment variables. You can find the full list of Checkov configuration options here. Here’s an example of how to skip a specific check using the CKV_SKIP_CHECK environment variable in your Terrateam workflow:

workflows:
  - tag_query: ''
    plan:
      - type: env
        name: CKV_SKIP_CHECK
        cmd: ['echo', 'CKV_GCP_73']
      - type: init
      - type: plan
      - type: run
        cmd: ['checkov-wrapper']
        capture_output: true

In this configuration:

• The env step sets the CKV_SKIP_CHECK environment variable toCKV_GCP_73, indicating that the specific check with ID CKV_GCP_73 should be skipped during the Checkov scan.
• The subsequent steps (init, plan, and run) are executed as usual, with Checkov using the specified configuration options.