• Stars
    star
    238
  • Rank 169,306 (Top 4 %)
  • Language HCL
  • License
    Apache License 2.0
  • Created over 4 years ago
  • Updated about 2 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

Maintained by Bridgecrew.io slack-community

Checkov GitHub action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

Example usage for IaC and SCA

name: checkov

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "scan"
  scan:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
      
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
      - uses: actions/checkout@v3

      - name: Checkov GitHub Action
        uses: bridgecrewio/checkov-action@v12
        with:
          # This will add both a CLI output to the console and create a results.sarif file
          output_format: cli,sarif
          output_file_path: console,results.sarif
        
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        
        # Results are generated only on a success or failure
        # this is required since GitHub by default won't run the next step
        # when the previous one has failed. Security checks that do not pass will 'fail'.
        # An alternative is to add `continue-on-error: true` to the previous step
        # Or 'soft_fail: true' to checkov.
        if: success() || failure()
        with:
          sarif_file: results.sarif

Example usage for options/environment variables in 'with' block

on: [push]
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/
          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          repo_root_for_plan_enrichment: example/ #optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
          log_level: DEBUG # optional: set log level. Default WARNING
          config_file: path/this_file
          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          use_enforcement_rules: true # optional - use enforcement rule configs from the platform

Example usage for container images

on: [push]

env:
  IMAGE_NAME: ${{ github.repository }}:${{ github.sha }}
  IMAGE_PATH: /path/

jobs:
  checkov-image-scan:
    runs-on: ubuntu-latest
    name: checkov-image-scan
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Build the image
        run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }}

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          log_level: DEBUG # optional: set log level. Default WARNING
          docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan
          dockerfile_path: ${{ format('{0}/Dockerfile', env.IMAGE_PATH) }} # path to the Dockerfile
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secret

Note that this example uses the latest version (master) but you could also use a static version (e.g. v3). Also, the check ids specified for '--check' and '--skip-check' must be mutually exclusive.

Example usage for private Terraform modules

To give checkov the possibility to download private GitHub modules you need to pass a valid GitHub PAT with the needed permissions.

on: [push]
jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          soft_fail: true
          download_external_modules: true
          github_pat: ${{ secrets.GH_PAT }}
        env:
          GITHUB_OVERRIDE_URL: true  # optional: this can be used to instruct the action to override the global GIT config to inject the PAT to the URL

More Repositories

1

checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
Python
7,015
star
2

terragoat

TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
HCL
1,139
star
3

yor

Extensible auto-tagger for your IaC files. The ultimate way to link entities in the cloud back to the codified resource which created it.
Go
812
star
4

AirIAM

Least privilege AWS IAM Terraformer
Python
771
star
5

cfngoat

Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
91
star
6

helm-scanner

Open source IaC security scanner for public Helm charts
Python
87
star
7

bridgecrew-action

This GitHub Action runs Bridgecrew against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
72
star
8

checkov-vscode

Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework, and other infrastructure-as-code-languages with Checkov by Bridgecrew in your VSCODE IDE.
TypeScript
68
star
9

kustomizegoat

Vulnerable Kustomize Kubernetes templates for training and education
HTML
47
star
10

terraform-aws-session-manager

Terraform module for deploying AWS Session Manager
HCL
43
star
11

cdkgoat

CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Python
43
star
12

redshirts

TypeScript
20
star
13

terraform-aws-route53-backup-restore

A module that backs up and restores route53 zones and records
Python
20
star
14

yor-action

Github action for Yor
TypeScript
16
star
15

HowCrew

Super-powered know how tools for AWS and GCP cloud security
Python
14
star
16

bridgecrew-orb

This CircleCI Orb Action runs Bridgecrew analysis of Infrastructure-as-Code repository. Bridgecrerw performs static security analysis of Terraform, CloudFormation and Kubernetes Infrastructure code security
11
star
17

whorf

Python
10
star
18

cdk-validator-checkov

AWS CDK policy validation plugin powered by checkov
TypeScript
7
star
19

bicepgoat

BicepGoat is Bridgecrew's "Vulnerable by Design" Bicep and ARM repository. BicepGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
Bicep
7
star
20

jsonpath-ng

Finally, a JSONPath implementation for Python that aims to be standard compliant. That's all. Enjoy it.
Python
6
star
21

cloud-security-notebooks

Jupyter notebooks of various cloud security subjects
Jupyter Notebook
6
star
22

aws-collect-unused-security-groups

Track unused security groups of an AWS account over period of time with control of the interval to sample the security groups
JavaScript
6
star
23

terraform-provider-bridgecrew

USE https://github.com/paloaltonetworks/terraform-provider-bridgecrew
Go
5
star
24

terraform-aws-secured-postgresql-rds

A Terraform module to create an Amazon Web Services (AWS) PostgreSQL Relational Database Server (RDS) in a VPC, NAT implementing security best practices.
HCL
5
star
25

bridgecrew-integrations

Integrations that supported by Bridgecrew. Each integration collect data from different sensors and send the log data to Bridgecrew
HCL
4
star
26

aws-modernization-workshop-bridgecrew

HTML
4
star
27

bridgecrew-kubernetes

Resources for Kubernetes
4
star
28

terraform-aws-bridgecrew-read-only

Bridgecrew READ ONLY integration module
HCL
4
star
29

terraform-aws-bridgecrew-cloudtrail

Integrate your AWS account Cloudtrail with Bridgecrew
HCL
4
star
30

terraform-google-bridgecrew-gcp-read-only

Connecting your GCP project to Bridgecrew
HCL
3
star
31

checkov-jetbrains-ide

Checkov is a static code analysis tool for infrastructure as code.The Checkov Plugin for Intellij enables developers to get real-time scan results, as well as inline fix suggestions as they develop cloud infrastructure.
Kotlin
3
star
32

terraform-azurerm-bridgecrew-azure-read-only

Read Only module to connect Azure subscriptions to https://bridgecrew.cloud
HCL
3
star
33

bc-pipeline-utils

utils for jenkins pipelines
Groovy
2
star
34

sample-custom-checks

Example custom checks to use with the Checkov CLI.
Python
2
star
35

bc-toolbox

Bridgecrew utility scripts and more.
JavaScript
2
star
36

terraform-aws-bridgecrew-remediation

HCL
2
star
37

prisma-cloud-vscode-plugin

TypeScript
2
star
38

fluentd-dlp

Dockerfile
1
star
39

docker-syslog-integration

JavaScript
1
star
40

WHP_IaC_Scanning

A repository for the We Hack Purple mini-course on IaC scanning with Checkov. (https://checkov.io)
HCL
1
star
41

checkov-pre-receive-hooks

Shell
1
star
42

yor-choco

PowerShell
1
star
43

bridgecrew-py

Shell
1
star
44

iam-alerting-cleanup

Python
1
star
45

prisma-cloud-jetbrains-ide

The Prisma cloud Plugin for Intellij enables developers to get real-time scan results, as well as inline fix suggestions as they develop cloud infrastructure.
Kotlin
1
star