Validate Terraform code using Checkov in Azure DevOps
This post shows how to validate your Terraform code with Checkov, a static code analysis tool. Checkov is an open-source Infrastructure as Code (IaC) scanner created by Bridgecrew. It supports Terraform, CloudFormation, Azure Resource Manager (ARM) templates, Kubernetes manifests and other IaC formats covering AWS, Azure and GCP resources, and it checks them for security and compliance misconfigurations before anything is deployed. You can get more details by visiting the Checkov GitHub repo.
The other day I was trying to get Checkov working via a pipeline, and I got it working; I would like to share it with you all.
1) Getting Started
It is better to keep the Azure DevOps pipeline YAML in the same repository as the Terraform code it scans, so that the scan runs against exactly the code being committed. In this post, we will assume that your code is in Azure Repos.
The pipeline that I used to get it working is shown below; it can also be found in my repo.
2) Pipeline YAML
Add the following pipeline to start scanning with Checkov. Change the directory variable to the path of the code you would like to scan. The first step pulls the Checkov image from Docker Hub; the second Bash step runs the container with your repository mounted into it, scans the directory you provided, and writes the results to a file called CheckovReport.xml in a format that Azure DevOps can publish to the Tests tab.
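The following Azure Pipelines YAML is an added example that reproduces the flow described above; it is not the author's own pipeline file. The variable names `terraformDirectory` and `checkovImage`, the stage and job names, the `main` branch trigger and the `bridgecrew/checkov:latest` image tag are assumptions you should adjust to your repo. Checkov's `-o junitxml` output goes to stdout, so it is redirected into CheckovReport.xml, and `--soft-fail` keeps the scan step green so that the publish step is the one that fails the run when checks fail.

```yaml
# Added example pipeline (not the blog author's file). Assumed names:
# terraformDirectory, checkovImage, the stage/job names and the main branch.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Assumed path: change this to the directory you want Checkov to scan
  terraformDirectory: 'application gateway/terraform'
  checkovImage: 'bridgecrew/checkov:latest'

stages:
  - stage: Validate
    displayName: 'Static analysis'
    jobs:
      - job: Checkov
        displayName: 'Scan Terraform with Checkov'
        steps:
          # Step 1: fetch the scanner image from Docker Hub
          - bash: docker pull "$(checkovImage)"
            displayName: 'Pull Checkov image'

          # Step 2: mount the checked-out repo read-only into the container,
          # scan only the Terraform directory and export a JUnit XML report.
          # --soft-fail makes Checkov exit 0 even when checks fail, so the
          # report is always produced; the publish step below enforces the gate.
          - bash: |
              set -euo pipefail
              docker run --rm \
                -v "$(Build.SourcesDirectory):/tf:ro" \
                "$(checkovImage)" \
                -d "/tf/$(terraformDirectory)" \
                -o junitxml \
                --soft-fail > "$(Build.SourcesDirectory)/CheckovReport.xml"
            displayName: 'Run Checkov'

          # Step 3: publish the report so each check shows up under the Tests
          # tab, and fail the pipeline if any check failed.
          - task: PublishTestResults@2
            displayName: 'Publish Checkov results'
            inputs:
              testResultsFormat: JUnit
              testResultsFiles: 'CheckovReport.xml'
              searchFolder: '$(Build.SourcesDirectory)'
              failTaskOnFailedTests: true
```

If you need to whitelist a check for a known and accepted finding, pass Checkov's `--skip-check` flag with a comma-separated list of check IDs on the `docker run` line, or add a `checkov:skip=` comment on the specific resource in the Terraform file; both keep the suppression in version control next to the code it applies to.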
3) Pipeline Deployment
I will be using my Azure Repo to scan my Terraform code in the application gateway/terraform directory. To start setting up the pipeline:
- Go to your Azure DevOps organisation and create a project.
- Select Pipelines from the left menu.
- Click New pipeline, select Azure Repos Git, and choose your repo.
- Select Existing Azure Pipelines YAML file if you have already pushed the pipeline to the repo; otherwise select Starter pipeline and paste the YAML in. In this instance I assume the pipeline file is already in the repo: select it, review it, then run it.
4) Pipeline Result
Once the pipeline has completed, it should fail, because Checkov found checks that did not pass. In this run only six tests were published, and three of them failed.
Head back to the main pipeline screen and you should see a tab called Tests next to Summary. Click it to view your results and any reported failures; each Checkov check appears as a test case, so the failed ones tell you which resource and which check to fix.
5) Conclusion
I have been using Checkov and it is very good, as you can even whitelist rules to meet your requirements. However, there are always lots of good static analysis tools out there, and this is one of them.
I hope this can help you decide on which one to use :)