Efficient DevOps focuses on speed, delivery, and automation. Solid Infrastructure as Code (IaC) should be a priority for companies adopting DevOps principles in their operations. Bridgecrew introduced Checkov in December 2019 to scan Infrastructure as Code against security policies, catching misconfigurations and fixing them before they reach production. Checkov was meant to be Bridgecrew's policy-as-code solution and is still maintained today, while Bridgecrew remains the company's SaaS offering.
After the company was acquired by Palo Alto Networks in early 2021, the team made several improvements. Advances include:
- Greater investment in open source projects that tackle vulnerabilities by design
- Development of new features
- Introducing the full range of Prisma Cloud's security features
It does not end there: the team behind Bridgecrew still has several tools and projects in the works to be revealed in the future.
What is Bridgecrew?
Bridgecrew is a great tool for applying the principles of DevSecOps, as it bridges the gap between security and development by:
- Keeping infrastructure code secure.
- Moving security to the left in the development process.
- Avoiding bad configurations.
- Applying security fixes.
- Preventing deployment of compromised builds.
In addition, using it keeps your project's infrastructure code secure and compliant with the Center for Internet Security (CIS) benchmarks.
Bridgecrew has a friendly pricing model with a free tier that allows up to 50 resources, CI/CD integration, and fixes for IaC. It is advisable to check whether Bridgecrew's security and compliance coverage fits your project. The Standard plan starts at $99 per month, and the Premium plan starts at $999 per month.
You can contact support for a time-limited demo of the Premium tier. Both paid tiers offer a significant number of customizations and advantages that you can compare on their pricing page.
What are the Top Bridgecrew Integrations?
- Google Cloud Platform (GCP)
When you connect your cloud provider to Bridgecrew, it performs scans using read-only API calls. Regarding license usage, read the guidelines carefully, because every runtime resource it discovers counts against your plan's resource limit:
In runtime, each of the following cloud resource types are counted as a resource. For AWS: EC2, RDS, Redshift, ELB, NAT gateway. For Azure: Virtual Machines, SQL DB, PostgreSQL DB, SQL Managed Instance, Load Balancer. For Google Cloud: GCE, Cloud SQL DB, Load Balancer, Cloud NAT. Each cloud workload is counted as a resource.
A key aspect of Bridgecrew is that it helps enforce the principle of least privilege. It scans all IAM resources and notifies you when overly permissive IAM policies are applied, so that access is not unintentionally granted to the wrong people. Many businesses grow fast, and it is easy to lose track of IAM policies as they accumulate.
Bridgecrew analyzes each resource in your Kubernetes cluster against its best practices and security policies. This capability relies on a Kubernetes CronJob that runs inside the cluster and sends results back to Bridgecrew via API, where you can review them in the Incidents menu. If you have more than 1000 resources in your cluster, you might need to adjust the manifest with the following recommendation:
Note that you will need the Standard plan to unlock this integration.
- Bitbucket and self hosted (Bitbucket server)
- GitHub Enterprise
- Gitlab Self Managed
By integrating your code repositories with Bridgecrew, your code is scanned on every change, and any non-conformance with a policy is reported as an incident.
- API Token
- AWS Code Build
- Azure Pipelines
- Circle CI
- GitHub Actions
- Terraform Cloud
If you have an automated build pipeline through a CI/CD provider that deploys your IaC (for example, a Terraform build), you can integrate Bridgecrew into that pipeline to scan for misconfigurations and prevent potential security issues from being deployed.
Want to be notified of a new incident? Bridgecrew offers integrations with Slack, Splunk, and Jira that can automatically create a ticket during remediation.
With Bridgecrew, you get an excellent overview of your issues thanks to the dashboard offered in the paid versions (see screenshot below). If you use the community edition, the Incidents menu is where you will spend most of your time.
Each time Bridgecrew runs a scan, it creates incidents, each classified by one of 3 types (Error, Insight, Alert) and one of 5 severity levels (Critical, High, Medium, Low, Info).
As you can see, each incident provides a guideline with a detailed explanation of the incident and how to fix it, and you also get the option to suppress it if you believe the incident is not problematic.
If you click the Fix button associated with an incident, Bridgecrew opens a pull request with its suggested solution:
When looking at all your incidents, you can filter the list by factors such as:
- Source type
- Severity level
This menu lets you dive into the repositories scanned by Bridgecrew. Thanks to a file and directory structure, you gain visibility into each resource and its associated incidents across all repositories and branches.
Bridgecrew comes with several default security policies that help you follow security best practices for your environment. In addition, with the Standard and Premium plans, Bridgecrew lets you create custom policies for specific needs you might have.
A policy is defined by:
- Provider: the provider with which the policy is associated (AWS, Kubernetes, etc.);
- Guideline: a link to an explanation of the policy;
- Resource Type: the resource type the policy applies to; in the example linked above, it is an S3 bucket.
If a policy has triggered an incident, you can quickly see it with the Inspect button, which shows the incidents associated with the selected policy.
Bridgecrew is a complete DevSecOps tool that adds a security layer to IaC. It scans Terraform resources and Kubernetes clusters, checks configurations, improves cloud visibility, and helps correct policy violations. It streamlines development by enforcing DevSecOps best practices, making for a safe and compliant development workflow.
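To make the policy model above concrete, here is an added example (written for this page, not Bridgecrew's or Checkov's code) of a minimal policy-as-code evaluator. It models a policy with the fields the article lists (provider, guideline, resource type) plus a severity, and runs two checks over a constructed Terraform-style resource inventory: the overly permissive IAM policy check discussed in the cloud-integration section, and a public S3 bucket ACL check matching the S3 bucket example. The policy IDs, guideline URLs and sample resources are all assumptions made up for the demonstration.

```python
import json
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Union

# The five severity levels the article lists for incidents.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info")


@dataclass(frozen=True)
class Policy:
    id: str                                  # hypothetical IDs, not real Bridgecrew check IDs
    provider: str                            # provider the policy is associated with (AWS, Kubernetes, ...)
    resource_type: str                       # Terraform resource type the policy applies to
    severity: str                            # one of SEVERITIES
    guideline: str                           # link explaining the policy (placeholder URL here)
    check: Callable[[Dict[str, Any]], bool]  # True = compliant, False = violation


@dataclass(frozen=True)
class Incident:
    policy_id: str
    severity: str
    resource: str   # "<type>.<name>", Terraform address style
    guideline: str


def _as_list(value: Any) -> List[Any]:
    """IAM documents allow a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_policy_is_least_privilege(config: Dict[str, Any]) -> bool:
    """Flag Allow statements that grant every action, a whole service, or apply
    to every resource. 'policy' may be a JSON string (as in Terraform) or a dict."""
    doc: Union[str, Dict[str, Any]] = config["policy"]
    if isinstance(doc, str):
        doc = json.loads(doc)
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        # Allow + NotAction/NotResource grants everything except a list: over-broad by construction
        if "NotAction" in stmt or "NotResource" in stmt:
            return False
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # "*" and service-wide wildcards such as "s3:*" are treated as violations (conservative choice)
        if any(a == "*" or a.endswith(":*") for a in actions):
            return False
        if any(r == "*" for r in resources):
            return False
    return True


def s3_bucket_is_not_public(config: Dict[str, Any]) -> bool:
    """Terraform aws_s3_bucket defaults to a private ACL when none is given."""
    return config.get("acl", "private") not in ("public-read", "public-read-write")


POLICIES: List[Policy] = [
    Policy(id="CUSTOM_AWS_IAM_1", provider="AWS", resource_type="aws_iam_policy", severity="High",
           guideline="https://example.com/guidelines/iam-wildcard", check=iam_policy_is_least_privilege),
    Policy(id="CUSTOM_AWS_S3_1", provider="AWS", resource_type="aws_s3_bucket", severity="Critical",
           guideline="https://example.com/guidelines/s3-public-acl", check=s3_bucket_is_not_public),
]


def evaluate(inventory: List[Dict[str, Any]], policies: List[Policy] = POLICIES) -> List[Incident]:
    """Run every policy against every resource of the matching type; one incident per violation."""
    incidents: List[Incident] = []
    for res in inventory:
        for pol in policies:
            if pol.resource_type != res["type"]:
                continue
            if pol.severity not in SEVERITIES:
                raise ValueError(f"policy {pol.id} has unknown severity {pol.severity!r}")
            if not pol.check(res["config"]):
                incidents.append(Incident(pol.id, pol.severity, f'{res["type"]}.{res["name"]}', pol.guideline))
    return incidents


# Constructed sample inventory (what a parsed Terraform plan might yield), not real data.
SAMPLE_INVENTORY: List[Dict[str, Any]] = [
    {"type": "aws_iam_policy", "name": "ci_deployer", "config": {"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"type": "aws_iam_policy", "name": "artifact_reader", "config": {"policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                       "Resource": "arn:aws:s3:::example-artifacts/*"}]})}},
    {"type": "aws_s3_bucket", "name": "build_logs", "config": {"acl": "public-read"}},
    {"type": "aws_s3_bucket", "name": "state", "config": {"acl": "private", "versioning": True}},
]

if __name__ == "__main__":
    for inc in evaluate(SAMPLE_INVENTORY):
        print(f"[{inc.severity}] {inc.policy_id} on {inc.resource} -> {inc.guideline}")
```

Running it reports two incidents: the `ci_deployer` policy (wildcard action and resource) and the `build_logs` bucket (public ACL); the scoped reader policy and the private bucket pass. The same structure is what lets a real scanner attach a guideline link and a severity to each finding and offer a fix for it.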