Efficient DevOps focuses on speed, delivery, and automation. Having solid Infrastructure as Code (IaC) should be a priority for companies looking to follow DevOps principles in their operations. Bridgecrew introduced Checkov in December 2019 to simplify IaC and security policies, prevent issues, and fix errors caused by misconfigurations, for your Infrastructure as Code. It was meant to be their solution for Policy-as-code, which is still maintained today, while Bridgecrew remains as their SaaS offering.

After joining Palo Alto Networks Headquarters in early 2021, they made several improvements. Advances include;

•  Greater investment in open source projects dealing with vulnerability by design
•  Development of new features
•  Introducing an entire range of Prisma Cloud's security features

It does not end there, the team behind Bridgcrew still has several tools and projects in the oven to be revealed in the future.

‍

Table of Contents

What is Bridgecrew?

Bridgecrew pricing

What are the Top Bridgecrew Integrations?

   Cloud Providers

   Kubernetes

   Source Control

   CI/CD

   Notifications

   Incidents

   Projects

   Policies

Conclusion

‍

What is Bridgecrew?

Bridgecrew is a great tool to employ the principles of DevSecOps as it bridges the gap between security and development by;

• Keeping infrastructure code secure. 
• Moving security to the left in the development process.
• Avoiding bad configurations.
• Applying security fixes.
• Preventing deployment of compromised builds.

In addition, using it will keep your project's code secure and compliant with the security auditing of the Center for Internet Security (CIS).

‍

Bridgecrew Pricing

Bridgecrew has a friendly pricing model with a free tier, that allows up to 50 resources, CI/CD integration, and fixes for IaC. It’s advisable to check if BridgeCrew's security and compliance fits your project. The pricing for the Standard version starts at $99 per month, and the Premium starts at $999 per month. 

You can contact support to have a time-limited demo for the premium tier. Both paid tiers offer a significant number of customizations and advantages that you can compare on their pricing page.

‍

What are the Top Bridgecrew Integrations?

‍

Cloud Providers

• AWS
• Azure
• Google Cloud Platform (GCP)

When you allow your Cloud Provider with Bridgecrew, it performs scans using read-only API calls. Regarding your license usage, please ensure you carefully read the guidelines:

In runtime, each of the following cloud resource types are counted as a resource. For AWS: EC2, RDS, Redshift, ELB, NAT gateway. For Azure: Virtual Machines, SQL DB, PostgreSQL DB, SQL Managed Instance, Load Balancer. For Google Cloud: GCE, Cloud SQL DB, Load Balancer, Cloud NAT. Each cloud workload is counted as a resource.

One key aspect of Bridgecrew is that It helps with the Principle of least privilege. It scans all IAM resources and notifies when weak IAM policies are applied to avoid unintentionally granting access to the wrong people. Many businesses grow fast, and it is easy to get out of the loop with IAM policies.

‍

Kubernetes

BridgeCrew analyzes each resource of your cluster against its best practices and security policies to follow. This capability is thanks to a Kubernetes cron job that runs, and results are sent back to BridgeCrew via API, where you can review them in your incident menu. If you have more than 1000 resources on your cluster, you might need to adjust the manifest with the following recommendation:

‍

‍

Note that you will need the Standard plan to unlock this integration.

‍

Source Control‍

• ‍‍Bitbucket and self hosted (Bitbucket server)
• GitHub
• GitHub Enterprise
• ‍Gitlab.com 
• Gitlab Self Managed

By integrating your Code Repositories to BridgeCrew, your code will be scanned for errors or potential incidents detected (a case of non-conformance to a Policy).

‍

CI/CD

• API Token
• AWS Code Build
• Azure Pipelines
• Circle CI
• GitHub Actions
• Jenkins
• Terraform Cloud

If you have an automated build pipeline via a CI/CD provider that deals with deploying IaC as a Terraform build, you can integrate BridgeCrew with this pipeline to scan any misconfigurations to prevent potential securities issues from being deployed.

‍

Notifications

Want to be notified of a new incident? BridgeCrew offers exemplary integrations with Slack, Splunk, and Jira to automatically create a ticket during Remediation.

‍

Incidents

With Bridgecrew, you can get an excellent glimpse at your issues thanks to their dashboard offered in the paid version (see screenshot below). However, if you plan on using the community edition, the Incidents menu is the section that you will be heading to when using BridgeCrew.

Each time BridgeCrew runs a scan, it creates an incident that contains 3 different types (Error, Insight, Alert) and 5 severity levels (Critical, High, Medium, Low, Info).

Example:

As you can see, each incident provides a guideline with a detailed explanation of the incident, how to fix it, and you also get the option to suppress it if you believe the incident is not problematic.

If you click on the fix button associated with your incident, Bridgecrew will trigger a Pull Request with their suggested solution:

When looking at all your incidents, you can filter your research based on factors such as the; 

• Source type
• Category
• Benchmark 
• Severity level

‍

Projects

This menu will help you dive into your repositories scanned by BridgeCrew. Thanks to a file and directory structure, you gain visibility to each resource and its incident associated with all repositories and branches.

‍

Policies

BridgeCrew comes with several default security policies that will help you follow the best security practices for your environment. In addition, with the Standard and Premium Plan, BridgeCrew gives you the option to create your own custom policy for specific needs you might have.

A policy is defined as;

• Provider: the provider with which the policy is associated (AWS, Kubernetes, etc.);
• Guideline: a link to an explanation of the policy;

• Resource Type: in the example link above, the resource type will be S3 Bucket.

If a policy triggered an incident, you would quickly see it with the Inspect button, which will show you the associated incident with the policy you have selected.

‍

Conclusion

BridgeCrew is a complete tool for DevSecOps, providing extra security for IaC. It can scan Terraform resources, Kubernetes clusters, check configurations, improve cloud visibility, and correct policy violations. It streamlines development by enforcing DevSecOps best practices, making for a safe and compliant development workflow.

‍

You may also be interested in:

How to Set up Trivy Scanner in GitLab CI: The Complete Guide

An Introduction to the Top 16 Azure Certifications for 2022

How to Install Grafana Loki Stack using AWS S3 Bucket

The Complete Python Developer Salary Guide for 2022

Diagrams as Code: The Complete How-to-Use Guide

Nearshore Staff Augmentation: Top 4 Benefits for Businesses

What is Kubecost: The Complete Guide

The Complete React Developer Salary Guide for 2022