Synchronizing Bridgecrew custom policies with Checkov using our public APIs

We recently updated our Bridgecrew public APIs to extend to policy management. This opens the door for development and integrations both internally at Bridgecrew and by our customers. The first use case we’re launching is a deeper integration between Bridgecrew and Checkov.

Adding a Bridgecrew API token to a Checkov CLI or VS Code scan will now include custom policies built in the Bridgecrew platform.

Now Bridgecrew can act as the source of truth for all custom policies!

Updates to the Bridgecrew APIs

We extended our public APIs to include the latest scan results, custom policy CRUD (create, read, update, delete) controls, and the ability to list resources that violate a custom policy.

This means you can create, edit, and delete custom policies from other platforms or directly in code. For example, if you run the following curl command with your Bridgecrew API token

curl -H 'Accept: application/json' -H "authorization: $BC_API_KEY" "<custom-policies endpoint from the API reference>"

or in Python…

import os
import requests

# Endpoint for the custom policies API: take it from the Bridgecrew API reference docs.
url = "<custom-policies endpoint from the API reference>"
headers = {
    "Accept": "application/json",
    # The same Bridgecrew API token that Checkov takes via --bc-api-key
    "authorization": os.environ["BC_API_KEY"],
}
response = requests.request("GET", url, headers=headers)
print(response.json())

…it will output the custom policies we’ve added to the Bridgecrew platform.

screenshot of checkov

Check out our reference documentation for more details about our APIs and examples.

Checkov scans with the ease of Bridgecrew custom policies

Using this functionality, we extended the integration between Checkov and Bridgecrew. Prior to the update, adding an API token and `--repo-id` would output results in your terminal and store the scan results in Code Reviews and the Projects page of the Bridgecrew platform. From Checkov v2.0.247 on, adding a Bridgecrew API token will automatically include any custom policy built in Bridgecrew in the Checkov scan. This includes our VS Code extension that leverages Checkov.

Let’s walk through an example. Say we want to ensure that no one uses t2.nano or t2.micro instances because it could result in under-resourced applications. In the Bridgecrew platform, we can go to the Policies page and click “New Policy.”

We can use the following code to check for undersized instances.

metadata:
  name: "Undersized instances"
  guidelines: "Use a more powerful instance"
  category: "general"
  severity: "low"
scope:
  provider: "aws"
definition:
  # both conditions must hold, so neither t2.micro nor t2.nano is allowed
  and:
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
      attribute: "instance_type"
      operator: "not_equals"
      value: "t2.micro"
    - cond_type: "attribute"
      resource_types:
        - "aws_instance"
      attribute: "instance_type"
      operator: "not_equals"
      value: "t2.nano"
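To make the policy's semantics concrete, here is an added example (not Bridgecrew or Checkov code) that evaluates the definition above against constructed aws_instance resources: it ANDs the two not_equals conditions, recurses into nested and/or blocks, and skips resources whose type is not listed in any resource_types, a simplification of how Checkov applies such policies. It supports only the equals and not_equals operators; Checkov supports many more.

```python
# The "Undersized instances" policy, as a dict mirroring its YAML.
POLICY = {
    "metadata": {"name": "Undersized instances", "severity": "low"},
    "scope": {"provider": "aws"},
    "definition": {"and": [
        {"cond_type": "attribute", "resource_types": ["aws_instance"],
         "attribute": "instance_type", "operator": "not_equals", "value": "t2.micro"},
        {"cond_type": "attribute", "resource_types": ["aws_instance"],
         "attribute": "instance_type", "operator": "not_equals", "value": "t2.nano"},
    ]},
}

# Constructed sample resources, shaped like a parsed Terraform file.
RESOURCES = [
    {"type": "aws_instance", "name": "web", "attributes": {"instance_type": "t2.nano"}},
    {"type": "aws_instance", "name": "db", "attributes": {"instance_type": "m5.large"}},
    {"type": "aws_security_group", "name": "sg", "attributes": {"name": "allow-web"}},
]

OPERATORS = {
    "equals": lambda actual, expected: actual == expected,
    "not_equals": lambda actual, expected: actual != expected,
}

def scoped_types(definition):
    """Union of resource_types over every condition in an and/or tree."""
    for key in ("and", "or"):
        if key in definition:
            return set().union(*(scoped_types(d) for d in definition[key]))
    return set(definition["resource_types"])

def evaluate(definition, resource):
    """Recursively evaluate an and/or tree of attribute conditions for one resource."""
    if "and" in definition:
        return all(evaluate(d, resource) for d in definition["and"])
    if "or" in definition:
        return any(evaluate(d, resource) for d in definition["or"])
    actual = resource["attributes"].get(definition["attribute"])
    return OPERATORS[definition["operator"]](actual, definition["value"])

def run_policy(policy, resources):
    """Map '<type>.<name>' to PASSED/FAILED for each resource the policy scopes to."""
    definition = policy["definition"]
    in_scope = scoped_types(definition)
    return {f'{r["type"]}.{r["name"]}': "PASSED" if evaluate(definition, r) else "FAILED"
            for r in resources if r["type"] in in_scope}

if __name__ == "__main__":
    for resource_id, status in run_policy(POLICY, RESOURCES).items():
        print(f"{status}: {resource_id}")  # FAILED: aws_instance.web / PASSED: aws_instance.db
```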

The benefits of building a policy in the Bridgecrew UI are the visual editor, a code editor with auto-complete, and the ability to test a policy before it’s applied. Bridgecrew will also evaluate this policy everywhere it performs a scan, such as in pull or merge requests.

screenshot of policy editor

Now when we add our API token to a Checkov scan, it will automatically include that custom policy. For example, scanning the terraform/aws/ directory of the TerraGoat repo will fail against the added custom policy because it includes a t2.nano instance.

checkov -f terraform/aws/ --bc-api-key $BC_API_KEY

screenshot of checkov scan

The results of that Checkov scan—including the custom policies—will get sent to the Bridgecrew platform as a Code Review with the link at the bottom of the Checkov CLI output. The same custom policies will appear in the Checkov VS Code extension:

screenshot of checkov code extension

And that’s it!

More API use cases to come

The combination of Bridgecrew and Checkov using our public APIs lets the Bridgecrew platform hold all custom policies across the development cycle. This is just one way we’re extending the Bridgecrew platform using APIs. Having public APIs allows for much more extensibility and flexibility. Expect more use cases to come as we help customers integrate Bridgecrew into more of their product use cases.

Try the APIs and the Bridgecrew platform by signing up for free today.