Running Checkov as IaC scanner on Azure DevOps

These days, implementing and maintaining infrastructure is easy with IaC (infrastructure-as-code) solutions: you write the code for a job once and reuse it repeatedly. But did you consider security when you wrote that code block? If you want to be sure about the security level of your code, you need an IaC scanner, which is a static code analysis tool. Let's look at Checkov as a tool for IaC scanning.

What is Checkov?

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

Checkov's GitHub repo

So let's implement the tool in an Azure DevOps pipeline.

In your Terraform repository you need a .yaml pipeline file, e.g. Iac-scanning-pipeline.yaml:

trigger:
  branches:
    include:
      - master

pool:
  vmImage: 'ubuntu-latest'

variables:
- name: tf_folder
  value: $(System.DefaultWorkingDirectory)   # root of the checked-out Terraform repo

stages:
  - stage: StaticCodeAnalysisStage
    displayName: Static Code Analysis Stage
    jobs:
      - job: ScanningCode
        displayName: Run Checkov
        steps:
          - task: Bash@3
            inputs:
              targetType: inline
              workingDirectory: $(tf_folder)
              script: |
                # report folder, used once the report step is added below; -p makes re-runs idempotent
                mkdir -p output
                # mount the repo into the container and scan it; Checkov exits non-zero when any check fails
                docker run --volume $(tf_folder):/tf bridgecrew/checkov --directory /tf
            displayName: 'Checkov Static Code Analysis'

After merging the file, create a pipeline from it; the result should look like the following:

If you want to use a "Publish Test Results" task to publish the result and visualise it, change the YAML file as follows:

trigger:
  branches:
    include:
      - master

pool:
  vmImage: 'ubuntu-latest'

variables:
- name: tf_folder
  value: $(System.DefaultWorkingDirectory)   # root of the checked-out Terraform repo

stages:
  - stage: StaticCodeAnalysisStage
    displayName: Static Code Analysis Stage
    jobs:
      - job: ScanningCode
        displayName: Run Checkov
        steps:
          - task: Bash@3
            inputs:
              targetType: inline
              workingDirectory: $(tf_folder)
              script: |
                mkdir -p output
                # write the findings as JUnit XML so PublishTestResults can read them;
                # Checkov still exits non-zero when any check fails, so this task fails too
                docker run --volume $(tf_folder):/tf bridgecrew/checkov --directory /tf --output junitxml > $(tf_folder)/output/Checkov-Report.xml
            displayName: 'Checkov Static Code Analysis'

          - task: PublishTestResults@2
            displayName: Publish Checkov Test Results
            condition: succeededOrFailed()          # publish even when the scan task failed on findings
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: '**/*Checkov-Report.xml'
              searchFolder: '$(tf_folder)/output'
              mergeTestResults: false
              failTaskOnFailedTests: false          # failed checks are shown, they do not fail this task
              testRunTitle: Checkov Scan
              publishRunAttachments: true
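The Publish Test Results task only renders the JUnit XML that Checkov wrote; it does not decide anything. The following added example (not code from the post or from Checkov) parses such a report, lists the failed checks per resource, and shows where a hard gate would sit if you wanted failed checks to block a run. It assumes the general JUnit layout Checkov emits with --output junitxml: one <testcase> per check/resource pair, a <failure> child for a failed check, and the check id in square brackets in the test name. The embedded report and its resource names are constructed for the example.

```python
"""Summarise the JUnit XML report that Checkov writes with --output junitxml.

Added example for this post, not code from Checkov or from the post itself.
It assumes the general JUnit layout Checkov emits: one <testcase> per
check/resource pair, with a <failure> child for a failed check and the
check id in square brackets in the test name. The embedded report is
constructed for this example; the resource names are placeholders.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample report: three check results for a storage module,
# two of which failed. The shape follows Checkov's junitxml output.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="checkov" tests="3" failures="2" errors="0">
    <testcase classname="/storage/main.tf"
              name="[NONE][CKV_AZURE_3] Ensure that 'Secure transfer required' is set to 'Enabled' azurerm_storage_account.data"/>
    <testcase classname="/storage/main.tf"
              name="[NONE][CKV_AZURE_3] Ensure that 'Secure transfer required' is set to 'Enabled' azurerm_storage_account.logs">
      <failure type="failure" message="Resource azurerm_storage_account.logs failed in check CKV_AZURE_3"/>
    </testcase>
    <testcase classname="/storage/main.tf"
              name="[NONE][CKV_AZURE_35] Ensure default network access rule for Storage Accounts is set to deny azurerm_storage_account.logs">
      <failure type="failure" message="Resource azurerm_storage_account.logs failed in check CKV_AZURE_35"/>
    </testcase>
  </testsuite>
</testsuites>
"""

# Checkov check ids look like CKV_AZURE_3 or CKV2_AWS_12.
CHECK_ID_RE = re.compile(r"\[(CKV2?_[A-Z]+_\d+)\]")


@dataclass(frozen=True)
class Finding:
    check_id: str
    resource: str
    file: str
    message: str


def parse_report(xml_text: str) -> tuple[int, list[Finding]]:
    """Return (number of test cases, failed findings) for a JUnit XML report."""
    root = ET.fromstring(xml_text)
    total = 0
    failures: list[Finding] = []
    for case in root.iter("testcase"):
        total += 1
        failure = case.find("failure")
        if failure is None:
            continue  # passed check: PublishTestResults shows it as a passed test
        name = case.get("name", "")
        match = CHECK_ID_RE.search(name)
        check_id = match.group(1) if match else "UNKNOWN"
        # The resource address is the last whitespace-separated token of the name.
        resource = name.rsplit(" ", 1)[-1] if name else "UNKNOWN"
        failures.append(
            Finding(check_id, resource, case.get("classname", ""), failure.get("message", ""))
        )
    return total, failures


def failed_check_ids(xml_text: str) -> list[str]:
    """Distinct failing check ids in report order, handy when reviewing a skip list."""
    seen: list[str] = []
    for finding in parse_report(xml_text)[1]:
        if finding.check_id not in seen:
            seen.append(finding.check_id)
    return seen


def should_pass(xml_text: str, max_failures: int = 0) -> bool:
    """Gate decision: True when the number of failed checks is within the budget.

    The pipeline above sets failTaskOnFailedTests: false, so publishing alone
    never blocks anything; a step like this is where a hard gate would live.
    """
    return len(parse_report(xml_text)[1]) <= max_failures


def render_summary(xml_text: str) -> str:
    """Human-readable summary for the pipeline log, one line per failed check."""
    total, failures = parse_report(xml_text)
    lines = [f"Checkov: {total} checks, {len(failures)} failed"]
    for f in failures:
        lines.append(f"  FAIL {f.check_id} {f.resource} ({f.file})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_summary(SAMPLE_REPORT))
    raise SystemExit(0 if should_pass(SAMPLE_REPORT) else 1)
```

Run against the real report, this would read $(tf_folder)/output/Checkov-Report.xml instead of the embedded sample. Note that Checkov itself already exits non-zero when a check fails, which is why the Bash task in the pipeline fails and the publish task needs condition: succeededOrFailed(); Checkov's --soft-fail flag suppresses that exit code if you prefer the gate to live in a step like should_pass rather than in the scan itself.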

The published result should then look like the following:

Done!
