How to Install Checkov for IaC Scanning: The Complete Guide

Traditionally, IT infrastructure setups required extensive manual work such as physical provisioning of servers, network configurations, and manual software installation on every instance. However, the growth of Infrastructure as Code (IaC), an infrastructure management approach that automates tedious procedures, has allowed Software professionals to save time spent on these tasks, increasing overall operational efficiency.

While automation is beneficial, IaC comes with several challenges that can cause trouble in production. Since the entire infrastructure is defined with code, there is always a risk of misconfigurations and security vulnerabilities leaking into the final build.

For this reason, IaC scanning tools, like Checkov come in handy during the deployment process. This is because such Infrastructure as Code tools, ensure all your configurations are both up-to-date and comply with regulatory standards.

This blog explores how to install Checkov on your servers and integrate it with your CI pipelines.

‍

What is Infrastructure-as-Code (IaC)?

The Infrastructure as Code (IaC) paradigm allows IT experts to define server configurations as code. This code usually resides in YAML files and can deploy an entire infrastructure with a few clicks.

Like software programs, an IaC file is written once and subsequently deployed across multiple environments. Moreover, it is version-controlled and can be integrated into a DevOps pipeline. This allows easy collaboration between administrators and applies security checks and tests before rolling out the changes to production.

However, similar to software products, Infrastructure as Code deployments are susceptible to errors and require strong checks and balances. Let’s discuss some of the challenges of IaC and how Checkov solves them for you.

Learn more about the best Infrastructure as Code Tools with our in-depth review.

‍

Common Infrastructure as Code (IaC) Issues

‍

Privilege Escalation Risk

In a software ecosystem, different user groups have different levels of access and authority. These security policies ensure that unauthorized personnel do not access critical information. However, if the user privileges are misconfigured in the IaC YAML file, it can cause severe security risks.

Checkov scans the entire Infrastructure as Code according to pre-defined policies and notifies if any such security vulnerabilities are found.

‍

Drifting Configuration

Deploying Infrastructure in an IaC environment is supposedly immutable. However, Developers often have to bypass testing and staging environments and make changes directly to the production setting. This breaks the deployment practices and continuity between the provisioned environment and the IaC code. Furthermore, Developers often forget to revert the changes or bring all their environments back to sync, which causes further issues.

Checkov scans all environments for posture drifts and fails in the build until all risk-inducing changes are removed.

‍

Network Exposures

IaC misconfigurations can also lead to unintended network exposure to third parties. Misconfigurations can lead to public access to security keys, databases, and storage locations. This invites hackers and cyber-attacks and essentially puts the entire project at risk.

Checkov ensures the entire infrastructure complies with security standards and that all policies are in place and up to date.

‍

Compliance Violation

Using software principles in network infrastructure invites all sorts of security risks. This can be due to Developer carelessness or the use of open-source modules that may contain security vulnerabilities. With flaws like these, deployments may fail to meet certain compliance standards, such as HIPAA for healthcare systems or CCPA for data protection.

Overall, IaC scanning tools like Checkov are specifically designed to analyze such security vulnerabilities and compliance violations. Essentially, Checkov has a vast library of pre-defined rules and policies that ensure all configurations are up to modern standards.

‍

Infrastructure as Code Scanning With Checkov

Checkov is a command-line utility that scans cloud infrastructures for misconfigurations and vulnerabilities. It is an essential integration for IaC environments and scans Cloud infrastructure provisioned by platforms like Terraform, Kubernetes, and CloudFormation.

Checkov hosts a vast library of more than 750 pre-defined rules and policies that ensure all deployments are error-free. It also offers finer control with custom policy creation and deployment. Moreover, Checkov is a static code analysis tool which means that all analysis is conducted without having to run any of the code.

‍

How to Install Checkov

The easiest way to install Checkov is by using Python’s package manager, PIP. With the latest version of Python installed on your system, run the following command in the terminal.

   
      pip install checkov

Additionally, if you are on MacOS, you can also use Homebrew. Run the following command in the Mac terminal.

   
      brew install checkov

And that's it. You are now ready to use the Checkov command-line interface.

After installation, you can access Checkov via command. While the base command is simple, it includes several parameters to customize the run and its output.

Internally, we have Checkov validation integrated into our GitLab CI pipelines. The validation step executes right before Terraform deployments and ensures all infrastructure is properly configured and secure. The sample output of Checkov scanning is shown below:

The output text displays all the checks that failed, the reason for failure, and a guide to correct the errors. The main command above is:

   
      checkov --quiet --compact -d . ; echo $> CHVEXIT

The `--quiet` parameter specifies the program to suppress unnecessary output text. The `--compact` parameter specifies to display all output in a compressed (short) form. The `-d` parameter specifies the directory that the program should scan, the current directory in this case, as represented by the `.` (dot).

Checkov CLI includes several such parameters, as shown below. You can find the entire list of parameters in the documentation.

Parameter	Description
-h, --help	Show a help message and exit.
--add-check	Generate a new check via CLI Prompt.
-I, --list	List checks.
-c, --check CHECK	Checks to run: A comma-separated list of checks to run. Either a Checkov check ID, a BC check ID, or a severity.

‍

The final parameter `echo $> CHVEXIT` is specified to save the output text to a file named CHVEXIT. This is great for logging outputs for future reference.

‍

How to Integrate Checkov with Gitlab CI

Let’s briefly touch on integrating Checkov into your GitLab CI pipelines. This can be done by adding a new job to the `.gitlab-ci.yml` file. In this file, you can specify;

At which stage to run Checkov validation.
Rules under which the job should be executed.
The exact script to execute.

This way, you can automate the IaC scanning portion and ensure that Infrastructure as Code scanning occurs every time prior to deployment.

‍

Conclusion

IaC deployments help automate IT infrastructure configurations by defining configurations as reusable code. This allows Administrators to enjoy the benefits of DevOps principles like CI/CD and Version Control. However, IaC brings certain challenges, such as security vulnerabilities and drifting configurations. Due to this, IaC deployments need to be strictly monitored for any misconfigurations.

IaC scanning tools such as Checkov allow you to scan all network configurations for errors and vulnerabilities. This tool tests the configurations against several pre-defined rules and policies and fails the build if any misalignments are found. For this reason, Checkov is an essential utility that can improve efficiency and productivity for IT Administrators and protect against critical issues.

Blog