Scan an entire Terraform repository with Checkov

In the last post (Running Checkov as IaC scanner on Azure DevOps), we saw how we implemented IaC scanning with Checkov. As you may know, that implementation has some limitations. The first obstacle is that we cannot use it as a solution for scanning a whole Terraform code repository, because Checkov only searches for Terraform code in the current directory. Yes, Checkov has this limitation: there is no switch we can set to scan the entire repo. But we have a solution to make it possible!
The answer is to execute a bash script that crawls the repository, finds the Terraform files and runs Checkov for each of the files found. Let's see how we can manage it.

Continue reading “Scan an entire Terraform repository with Checkov”
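One way to do the crawling described above, as an added shell example that is not the post's own script: it collects every directory under the repo that holds a `.tf` file (skipping `.git` and `.terraform`), then runs Checkov once per directory rather than per file, and keeps any non-zero exit status so the pipeline step still fails when a check fails somewhere in the repo. It assumes `checkov` is on PATH; the optional second argument of `scan_repo` is a hypothetical override of the command used for dry runs.

```shell
# Added example, not part of the original post.
# Usage: scan_repo [REPO_ROOT] [CHECKOV_CMD]
# CHECKOV_CMD is a hypothetical override (e.g. "echo" for a dry run);
# it defaults to the real `checkov` binary found on PATH.

# Print the unique directories under $1 that contain at least one *.tf file.
# .git and .terraform are pruned so vendored provider code is not scanned.
find_tf_dirs() {
  root="${1:-.}"
  find "$root" \( -name .git -o -name .terraform \) -prune -o \
       -type f -name '*.tf' -exec dirname {} \; \
    | sort -u
}

# Run Checkov (`checkov -d DIR`) on every directory found. Scanning continues
# after a failure; the last non-zero exit status is returned so that a single
# failing directory anywhere in the repo fails the whole step.
scan_repo() {
  root="${1:-.}"
  cmd="${2:-checkov}"
  dirs=$(find_tf_dirs "$root")
  if [ -z "$dirs" ]; then
    echo "no Terraform files found under $root" >&2
    return 0
  fi
  rc=0
  old_ifs=$IFS
  IFS='
'
  for dir in $dirs; do
    echo "==> Scanning $dir"
    "$cmd" -d "$dir" || rc=$?
  done
  IFS=$old_ifs
  return "$rc"
}
```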

Running Checkov as IaC scanner on Azure DevOps

These days, implementing and maintaining infrastructure is easy with IaC (infrastructure-as-code) solutions: you write the code for a job once and reuse it repeatedly. But did you consider security when you wrote that code block? If you want to be sure about the security level of your code, you need an IaC scanner, which is a static code analysis tool. Let’s look at Checkov as a tool for IaC scanning.

What is Checkov?

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, Kubernetes, Dockerfile, Serverless or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

Checkov’s GitHub repo
Continue reading “Running Checkov as IaC scanner on Azure DevOps”

Our OWASP project

As you may know, we started a project under the OWASP organization to prepare a guideline for DevSecOps. The project's goal is to prepare documentation describing the steps we need to achieve a secure development pipeline, and also to compare the tools and solutions we can use to make it happen.

OWASP DevSecOps Guideline

The main part of the project is the explanation of the steps and the comparison of tools. We want to provide a clear overview of what you need to achieve a real DevSecOps pipeline and also how you can do it! Since there are a lot of tools out there for doing this, we should consider which one is better for us based on our environment, other tools, development stack and budget.

If you’re interested in this topic and enjoy knowledge sharing, join us. Your PR is always welcome 😀

Below you can find more information about the project:

Project Github repository: https://github.com/OWASP/DevSecOpsGuideline

Project home page: https://owasp.org/www-project-devsecops-guideline/

Thanks in advance