CodifiedSecurity Office Hours Recap: Episode 02

Codified Security Office Hours Episode 02

We’ve been moving at lightning speed here at Bridgecrew! Catch up with us in Episode 02 of the #CodifedSecurity Office Hours where we discuss our latest open source and cloud security updates. Replay the full episode on-demand below or read on for a quick written recap!

Community shout-outs

We’ve seen lots of updates to our open source projects in the past two weeks. Thanks once again to our awesome community, with many new community members making their first issues and PRs!
Open source community shout outs
As always, we led with a shout-out to our contributors, followed by a little roundup of the merged PRs for the past couple of weeks. Later on in the episode, we take some time to answer your community questions.

Bridgecrew roundup of open source merged PRs

Checkov output colors in CI/CD

Firstly, we wanted to briefly cover an interesting issue that pops up when trying to emulate a full terminal in a lot of CI/CD tools, specifically CircleCI in this case. Running Checkov within a subshell or subcommand often hides the return code, allowing a job that should have failed to pass and the pipeline to continue. We work our way through the issue to show solutions and workarounds, achieving nicely-formatted output in the end.

Community Q&A

As promised, we surfaced some of your questions from our #CodifiedSecurity Slack channel for wider thoughts and discussion. In Episode 02, the conversation revolved around module scanning:

  • Module scanning challenges have been widely discussed in our open source community, with the current solution being to terraform init to then scan the resulting .terraform directory. While useful, this provides an output that doesn’t differentiate between local code and module code. It also needs credentials in the pipeline to support the terraform init command. We’ll be working on a full fix over the next few weeks.
  • While on the topic of modules, another community question set the scene of users writing custom checks to validate their in-house modules. These users aim to only scan using custom checks. However, the current reigning solution of specifying a fake check name to --check SOMETHING_HERE has downsides with certain frameworks. We’d love to get your feedback on potential remedies, such as the concept of --no-inbuilt-checks being used with the custom checks flag.
  • To round out our segment of module madness, Issue #610 brings up the need to have inline annotations for skipping checks, but inside custom Terraform modules rather than in the definition/instantiation of the module itself. This is a question that relies on a more context-aware module implementation. Again, community input is more than welcome if you have thoughts on the matter!

Deep dive into AirIAM

Checkov’s open-source cousin, AirIAM, is a tool to alert on old, unused, and over-privileged IAM configurations in your AWS account. AirIAM produces a Terraform version (and usable state file) of your current IAM configuration.

In Episode 02 we walked through the features of AirIAM when used against a live AWS account, showing how to snapshot your IAM state with AirIAM and use the resulting Terraform to produce auditable diffs. Stay tuned for more on IAM best practices on our blog and in our next episode of CodifiedSecurity Office Hours.

Continue the conversation

If you’d like to get involved with the topics discussed here, be sure to join the ongoing chat in our #Checkov and #AirIAM channels. Next week, we’re excited to reveal new developments from Bridgecrew in Episode 03 of the #CodifiedSecurity Office Hours. Join us live on Twitch next Tuesday to learn more!