Bridgecrew’s 2021 Year in Code Reviews

If you’ve been following the Bridgecrew journey, you know just how much has changed since the beginning of 2021. You’ve seen all the new features, use cases, research, and projects we’ve launched, and you might have noticed that we joined Palo Alto Networks as part of the Prisma Cloud family!

But despite going through an incredible acquisition and the change that comes with it, what I find most remarkable is how much has stayed the same. Our mission to bridge the gap between security and engineering hasn’t changed, and we’re still steadfast in our goal to build the most developer-friendly security tools.

In 2021 we met some incredible milestones in helping us reach that mission and goal.

Company milestones

2021 was an eventful year at Bridgecrew—including our first in-person event ever. As a COVID-native company, I can’t express how transformative it has been for our different teams to get together and to meet our community of customers and contributors.

That community has also grown considerably with some exciting milestones reached, including over 3 million Checkov downloads, 3,600 GitHub stars, 6,500 Twitter followers, and 3,300 LinkedIn followers!

The acquisition has definitely been the most significant milestone of our company’s history, and it’s hard to believe that we only started building Bridgecrew a few years ago. It has, without a doubt, contributed to the amplification of all we do—including our continued investment in open source.

Open-source updates

Right out of the gate post-acquisition, we announced Checkov 2.0, which included a new graph-based backend, allowing for context-aware policies and faster scan results, along with hundreds of new out-of-the-box policies.

But, of course, we weren’t going to leave it there. We also integrated the detect-secrets project to allow Checkov to detect and block secrets identified in IaC. We were also so fortunate to have some fantastic contributions to Checkov during Hacktoberfest, including JSON analysis that can be used for pipeline posture and CycloneDX output for IaC SBOMs.

We also welcomed a new addition to our Star Trek-themed open-source family—Yor. Yor is our IaC tag and trace tool that automatically adds metadata and unique trace tags to IaC resources that are carried through to runtime to simplify searching through code for misconfigurations.

Yor has already garnered over 400 GitHub stars and has been integrated into the Bridgecrew platform to enable Multi-Cloud Drift Detection, one of 2021’s most exciting new code-to-cloud features!

Bridgecrew platform milestones

With the help of our customers’ feedback, we made some major improvements and additions to the Bridgecrew platform. We added a shiny new Projects page and Resource Inventory that make code and cloud visibility and remediation a lot easier. We also drastically upped our library of fixes with an innovative take on complex and multi-value fixes—by leveraging past secure coding patterns with Smart Fixes.

Some of our biggest innovations for our codified security platform weren’t even in our platform. This year, we invested heavily in our integrations, adding pull request comments and inline fixes to every VCS we support and shifting even more left with our VS Code and JetBrains extensions. By surfacing feedback earlier—during code reviews and during development as you type—Bridgecrew makes it easier than ever to address policy violations fast.

Finally, Prisma Cloud and Bridgecrew did some Vulcan mind-melding knowledge sharing. Prisma Cloud integrated IaC security from Bridgecrew and Bridgecrew integrated container image scanning from Prisma Cloud. Working together to solve tough customer challenges is one of the most amazing parts of the acquisition, and we’re excited to share more collaborations soon!

Partnership milestones

No developer tooling would be complete without partners, and we are fortunate to have the best partners in the business. We rounded out our VCS partnerships by adding GitLab and Azure Repos to our GitHub and BitBucket partnerships.

Through the DevDays we host with AWS and HashiCorp, we’ve now helped over 5,000 engineers on their path to securing IaC with Bridgecrew. To bolster this, we added a new Terraform workshop for those interested in getting their hands dirty building an entire-lifecycle DevSecOps pipeline.

Along with that workshop, we’ve had a bevy of HashiCorp news. First, we were elated to be a part of the HashiConf EU keynote with Armon Dadgar and the Terraform Cloud Run Tasks launch. Our two teams also got together and produced a white paper for securing multi-cloud infrastructure and workloads leveraging Palo Alto Networks’ and HashiCorp’s suite of products.


New research

Our DevRel team was very busy this year. In addition to contributing to (in-person and virtual) talks all over the world and maintaining our various open-source projects, they performed some deep technical analysis on open source repositories and registries.

The first deep dive came from examining Artifact Hub to check the security posture of open-source Helm charts. We scanned over 2,000 charts and 6,000 Kubernetes template files and found a shocking 71% of repos and 47% of Helm charts contained a misconfiguration. We also took that one step further and analyzed one of the most popular Helm charts and the transitive impact of its dependencies’ posture.

Then, we teamed up with Unit 42 to dive into open-source software supply chains. Together we analyzed the various public Terraform files, Kubernetes manifests, and container images to provide a picture of the implications of using off-the-shelf open-source projects. Our own assessment included a graph analysis and visualization showing the Blast Radius of the CVEs of a Helm chart and its dependent images.

···

2021 was a year of big change for the world (although it often didn’t feel like it) and for us at Bridgecrew. We are excited by the accelerated investment from our acquisition and humbled by the community that continues to make our projects great.

Believe it or not, these are just the highlights. We couldn’t possibly cover everything, so check out our changelog for all the other features we added and our blog to see all the open-source, partner, and research updates we celebrated this year.

As always, we welcome any contributions or issues opened for our open-source projects, and you can join us in the #CodifiedSecurity Slack channel for any questions or conversations around cloud code security.

Expect us to move even faster in 2022. We can’t wait to share what’s coming next. 🖖
