Checkov as IaC scanner on Azure DevOps

These days implementing and maintaining infrastructure is easy with IaC (infrastructure-as-code) solutions: you write the code for a job once and reuse it repeatedly. But did you consider security when you wrote that code block? If you want to be sure about the security level of your code, you need an IaC scanner, which is a static code analysis tool. Let's look at Checkov as a tool for IaC scanning.

What is Checkov?

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, Kubernetes, Dockerfile, Serverless or ARM templates and detects security and compliance misconfigurations using graph-based scanning. (See Checkov's GitHub repo.)

So let's implement the tool in an Azure DevOps pipeline. In your Terraform repository you need a .yaml file, e.g. Iac-scanning-pipeline.yaml:

trigger:
  branches:
    include:
      - master
 
pool:
  vmImage: 'ubuntu-latest'
 
variables:
- name: tf_folder
  value: $(System.DefaultWorkingDirectory)
 
stages:
  - stage: StaticCodeAnalysisStage
    displayName: Static Code Analysis Stage
    jobs:
      - job: ScanningCode
        displayName: Run Checkov
        steps:
          - task: Bash@3
            inputs:
              targetType: inline
              workingDirectory: $(tf_folder)
              script: |
                mkdir output
                docker run --volume $(tf_folder):/tf bridgecrew/checkov --directory /tf
            displayName: 'Checkov Static Code Analysis'

After merging the file you just need to create a pipeline from it, and the result should look like the following: [screenshot: Checkov scan output in the pipeline log]

If you want to use a "publish test results" task to publish the result and make it visual, you can change the YAML file as follows:

trigger:
  branches:
    include:
      - master
 
pool:
  vmImage: 'ubuntu-latest'
 
variables:
- name: tf_folder
  value: $(System.DefaultWorkingDirectory)
 
stages:
  - stage: StaticCodeAnalysisStage
    displayName: Static Code Analysis Stage
    jobs:
      - job: ScanningCode
        displayName: Run Checkov
        steps:
          - task: Bash@3
            inputs:
              targetType: inline
              workingDirectory: $(tf_folder)
              script: |
                mkdir output
                docker run --volume $(tf_folder):/tf bridgecrew/checkov --directory /tf --output junitxml > $(tf_folder)/output/Checkov-Report.xml
            displayName: 'Checkov Static Code Analysis'
 
          - task: PublishTestResults@2
            displayName: Publish Checkov Test Results
            condition: succeededOrFailed()
            inputs:
              testResultsFormat: 'JUnit'
              testResultsFiles: '**/*Checkov-Report.xml'
              searchFolder: '$(tf_folder)/output'
              mergeTestResults: false
              failTaskOnFailedTests: false
              testRunTitle: Checkov Scan 
              publishRunAttachments: true

So the fancy result should look like the following: [screenshot: published Checkov test results in Azure DevOps]
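The pipeline above publishes the JUnit report, but with failTaskOnFailedTests set to false nothing in the run fails because of what Checkov found. As an added example (not from the original post and not part of Checkov), the script below reads the published report and exits non-zero when a failed check belongs to a list the team has decided must gate the run; it relies only on the generic JUnit nesting of testsuite/testcase/failure elements and works on a constructed sample report, so the exact attributes of real Checkov output may differ.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in JUnit shape (not real Checkov output); check IDs are illustrative.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="CKV_AZURE_3 Secure transfer required" tests="2" failures="1">
    <testcase name="azurerm_storage_account.logs" classname="main.tf">
      <failure message="check failed"/>
    </testcase>
    <testcase name="azurerm_storage_account.data" classname="main.tf"/>
  </testsuite>
  <testsuite name="CKV_AZURE_35 Default network access rule is deny" tests="1" failures="1">
    <testcase name="azurerm_storage_account.logs" classname="main.tf">
      <failure message="check failed"/>
    </testcase>
  </testsuite>
</testsuites>
"""


def failed_checks(xml_text):
    """Map check ID (first token of the <testsuite> name) -> list of failed resource names."""
    failures = {}
    for suite in ET.fromstring(xml_text).iter("testsuite"):
        name = suite.get("name", "")
        check_id = name.split()[0] if name.split() else "UNKNOWN"
        for case in suite.iter("testcase"):
            # In JUnit, a test case that failed carries a <failure> child element.
            if case.find("failure") is not None:
                failures.setdefault(check_id, []).append(case.get("name", "?"))
    return failures


def count_failures(xml_text):
    """Total number of failed (check, resource) pairs in the report."""
    return sum(len(resources) for resources in failed_checks(xml_text).values())


def should_block(xml_text, blocking_ids):
    """True when any failed check is one the team chose to treat as a hard gate."""
    return any(check_id in blocking_ids for check_id in failed_checks(xml_text))


if __name__ == "__main__":
    # Hypothetical use from the pipeline's Bash step after the docker run:
    #   python3 gate.py output/Checkov-Report.xml CKV_AZURE_3 CKV_AZURE_35
    report_path, blocking = sys.argv[1], set(sys.argv[2:])
    with open(report_path, encoding="utf-8") as fh:
        report = fh.read()
    for check_id, resources in failed_checks(report).items():
        print(f"{check_id}: {', '.join(resources)}")
    sys.exit(1 if should_block(report, blocking) else 0)
```

Checks that are not in the blocking list are still listed in the log and in the published test results, so they stay visible without breaking the run.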

Done!