We’re back with Episode 05 of the #CodifiedSecurity Office Hours! We welcomed Rob Eden from the security team at Granular to join the discussion on some big changes to our open-source static analysis tool, Checkov. Rob is a Checkov super-contributor with his 106-file PR containing all kinds of goodies, including the following!
Continuing Corcoran’s tradition from Episode 03, Rob arrived wonderfully holiday themed with a Santa hat, while I dug out a suitably festive jumper, which was a holiday miracle in itself given the state of my wardrobe.
Read on for a bite-sized recap of the discussion–including AWS re:Invent news, the latest Checkov features, and insights from Rob on his team’s DevSecOps pipeline!
Community credits
As always, we started with a well deserved shout-out to our growing community of contributors! This #CodifiedSecurity episode is jam-packed with new OSS features, which wouldn’t have been possible without this awesome group of people!
AWS re:Invent news
With the three weeks of this year’s virtual re:Invent conference in full swing, we took a few minutes to discuss some security-related AWS announcements. With the release of AWS CloudFormation Modules, it’s now easier to package, share, and re-use CloudFormation code. Similar to how the Terraform community has developed, this is a positive move for AWS security–allowing for scannable, public artifacts of infrastructure code that can be validated, versioned, and tracked.
This year, Bridgecrew has also been involved as an AWS Community Summit Security “Pundit”. Catch us on their CSO@re:Invent show where we joined a host of amazing AWS and cloud talent to give a digestible overview of the main highlights from re:Invent 2020.
If you want more re:Invent news to start off 2021 in-the-know, be sure to check out the WEEK in:Review shows as well.
News from KubeCon North America
Continuing the virtual conference news theme, we also touched on scanning Helm charts against the Kubernetes checks built into Checkov. We demoed this new capability for the KubeCon North America conference.
We’re also bringing this functionality to Checkov natively, for non-CI (local run) use cases. Keep an eye out for that PR!
Plan scanning with Checkov
Barak was next up to cover a new Checkov feature he’s super excited to announce: Terraform Plan Scanning.
While Checkov was always intended to be a static analysis tool, more and more we see use cases where Checkov is embedded in the same CI/CD pipeline responsible for deploying the Terraform to a real environment (i.e. AWS account).
In these cases it makes sense, given the cloud-credentials are already available, to also scan the Terraform plan file generated by Terraform. This provides extra data not found in the static files, such as UUID’s and ARN’s of objects, as well as any configuration options overridden or applied from the cloud-provider itself, or state information on existing objects.
Barak stripped back the cover to look at the decisions made in implementing this feature, and how the feature was designed to consume the existing Terraform Checkov checks, rather than needing new plan-specific ones. Read our Terraform plan analysis announcement to learn more and to see Terraform plan scanning in action with Checkov and Bridgecrew.
Variable rendering and security pipeline insights with Rob Eden
We reintroduced Rob to kick off a discussion on how he uses Checkov at Granular. Having embraced infrastructure as code a number of years ago, the Granular team leverages Checkov with other tools to form a validation pipeline, enabling their security team to scale across all of their projects, teams, and deployments.
It was this use case that led to Rob’s work on variable rendering within Checkov, allowing Checkov to realise Terraform variables and data operator constructs into the relevant data assigned in .tfvars or elsewhere in the Terraform code.
As we continue to extend Checkov’s existing coverage in both breadth and depth, we’re excited to bring our community this frequently requested feature! In case you don’t fancy reading a rather large pull request diff, you can learn how and why to implement this new functionality in our full feature announcement. Thanks again to Rob for your continued support and contributions!
Wishing you a prosperous 2021
From everyone in the #CodifiedSecurity Crew, we hope you’ve had a great holiday and wish you all the best for 2021. Feel free to dive deeper into developer-first cloud security with the articles linked in this recap and in the Bridgecrew Blog. We’ll catch you for Episode 06 of the office hours in January! For any questions or follow-ups, please jump into the #CodifiedSecurity conversation on Slack.