Checkov’s new CI/CD security policies for GitHub Actions, GitLab Runners, CircleCI, and Argo Workflows highlight the open source project’s commitment to software supply chain security, empowering developers to secure their delivery pipelines by leveraging scanning as part of the pipelines themselves.
As software supply chains become more complex and connected, so too does the task of keeping them secure. From software components like infrastructure as code (IaC) modules and open source packages to delivery pipelines like version control systems (VCS) and CI/CD pipelines, our applications have never been so reliant on third parties.
To help teams stay on top of weaknesses that could be exploited or chained together to orchestrate a large-scale attack, we have chipped away at each part of the software supply chain. Up until now, we’ve doubled down on IaC security, paved the way for securing VCS organizations and repos, and built a visualization to help teams understand and prioritize risk.
Today, we’re excited to announce the next step in our software supply chain security coverage. Checkov now comes pre-built with new CI/CD configuration policies that can be applied across popular CI/CD frameworks such as GitHub Actions, GitLab Runners, BitBucket Pipelines, CircleCI, and Argo.
These CI/CD security policies, along with thousands of infrastructure policies and integrations, are all part of Checkov’s extensive library of policies, including graph-based checks that provide a context-aware way of identifying and connecting risk within infrastructure and application code. This is particularly important when it comes to the software supply chain, which according to a recent report produced by Verizon, was responsible for 62% of System Intrusion Incidents in 2021. The rise in attacks on supply chains led industry consortiums to develop benchmarks, such as SLSA and CIS, that include best practices for secure software supply chains.
Checkov’s developer-first approach to supply chain security codifies CI/CD best practices and embeds them into existing DevOps workflows so that developers are empowered to secure their pipelines with their pipelines. These policies are in part influenced by the SLSA and CIS benchmarks, which help developers bring their pipelines in line with industry standards.
The developer’s role in helping to keep the software supply chain secure cannot be overstated. Nearly half of developers (47%) use either continuous integration or continuous delivery platforms to help accelerate and automate their software deployment processes. The benefits of maintaining efficient CI/CD pipelines are clear, but if not properly secured, CI/CD pipelines can provide attackers with an easy entry point.
For example, if a repository is configured to run any command in a pull request or if an administrator unknowingly merges a rogue pull request, bad actors can inject code that sends API tokens and other secrets to a domain the attackers control. For self-hosted tools like Argo, the stakes are higher. Ensuring workflow pods are not privileged can prevent a successful breach from expanding to other parts of the pipeline.
Unit 42’s Cloud Threat Report found that access to hardcoded credentials opened the door for lateral movement and CI/CD pipeline poisoning. To help combat this, Checkov’s new policies include:
- Ensuring each pull request has two reviewers
- Ensuring each individual commit is signed
- Preventing the use of deprecated commands/beta features
- Preventing the use of curl with secrets (secrets exfiltration)
- Blocking privileged workflow pods
- And more
This is just the beginning of our journey to help developers and security teams work together to harden each component of the software supply chain, across each layer of the cloud-native stack and at each phase of the development lifecycle.
Check out the new policies and join in on the software supply chain fun by contributing back to Checkov.