layout | published | title | nav_order |
---|---|---|---|
default |
true |
Quick Start |
3 |
This Quick Start guide shows how to install Checkov, run a scan, and analyze the results. For more advanced configuration, see the CLI Reference and the rest of this documentation.
pip install checkov
Use the command below to indicate the folder that contains your Terraform plan files and run a scan.
checkov -d /user/tf
Consider the configuration of an S3 bucket as represented in the Terraform sample below.
resource "aws_s3_bucket" "foo-bucket" {
region = var.region
bucket = local.bucket_name
force_destroy = true
tags = {
Name = "foo-${data.aws_caller_identity.current.account_id}"
}
versioning {
enabled = true
}
logging {
target_bucket = "${aws_s3_bucket.log_bucket.id}"
target_prefix = "log/"
}
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "${aws_kms_key.mykey.arn}"
sse_algorithm = "aws:kms"
}
}
}
acl = "private"
}
The scan output would be:
Passed checks: 4, Failed checks: 0, Skipped checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "Ensure the S3 bucket has access logging enabled"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "Ensure all data stored in the S3 bucket have versioning enabled"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "S3 Bucket has an ACL defined which allows public access."
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
The configuration complies with the policies for AWS S3 resources.
Suppose that now the same bucket is configured to allow public access:
resource "aws_s3_bucket" "foo-bucket" {
#same resource configuration as previous example, but acl set for public access.
acl = "public-read"
}
data "aws_caller_identity" "current" {}
The output report would then contain a failed check:
Passed checks: 3, Failed checks: 1, Skipped checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "Ensure the S3 bucket has access logging enabled"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "Ensure all data stored in the S3 bucket have versioning enabled"
PASSED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
Check: "S3 Bucket has an ACL defined which allows public access."
FAILED for resource: aws_s3_bucket.foo-bucket
File: /example.tf:1-25
1 | resource "aws_s3_bucket" "foo-bucket" {
2 | region = var.region
3 | bucket = local.bucket_name
4 | force_destroy = true
5 |
6 | tags = {
7 | Name = "foo-${data.aws_caller_identity.current.account_id}"
8 | }
9 | versioning {
10 | enabled = true
11 | }
12 | logging {
13 | target_bucket = "${aws_s3_bucket.log_bucket.id}"
14 | target_prefix = "log/"
15 | }
16 | server_side_encryption_configuration {
17 | rule {
18 | apply_server_side_encryption_by_default {
19 | kms_master_key_id = "${aws_kms_key.mykey.arn}"
20 | sse_algorithm = "aws:kms"
21 | }
22 | }
23 | }
24 | acl = "public-read"
25 | }
In addition to the various formats for seeing scan results (for example, CLI), you can also visualize Checkov results with a quick integration with a Prisma Cloud account. Read more about visualizing scan results in Prisma Cloud.
In addition to integrating with your code repository, Checkov can also integrate with your automated build pipeline via CI/CD providers. When your build tests run, Checkov will scan your infrastructure as code files for misconfigurations. You can integrate Checkov with:
- Jenkins
- Bitbucket Cloud Pipelines
- GitHub Actions
- GitLab CI
- Kubernetes
- Pre-Commit
- Docker
- Terraform Plans and Third-Party Modules
To get real-time IaC scanning and in-line fixes directly from your IDE, check out the Checkov Visual Studio Code extension and the Checkov JetBrains Plugin.