Inline IaC scanning and fixes with the Checkov Visual Studio Code extension

Infrastructure-as-code (IaC) frameworks such as Terraform, CloudFormation, and Azure Resource Manager (ARM), play a crucial role in shifting cloud security left. As organizations distribute ownership of infrastructure to native development teams, DevOps now have the opportunity and responsibility to educate developers on IaC security best practices. 

At Bridgecrew, we believe that the most sustainable way to evangelize and enforce those best practices is by embedding guardrails throughout the development lifecycle. Getting IaC security feedback within code reviews and CI/CD pipelines is a great way to prevent risky infrastructure from being deployed. But for individual developers, catching misconfigurations before code gets integrated into shared repositories is even better.

That’s where Checkov and Bridgecrew CLI come in handy, providing pre-commit feedback to prevent pull requests from being blocked and builds from failing (due to misconfigurations, at least!).

Today, we’re excited to shift IaC security feedback even further left with the new Checkov Visual Studio Code extension!

By combining Checkov’s community-powered library of 500+ policies along with our platform APIs, the Checkov VS Code extension provides real-time identification of misconfigurations and inline code fixes. 

Getting started with the Checkov VS Code extension

VS Code is the market-leading IDE for Windows, macOS, and Linux desktops. Its minimalistic, extensible, and modular design enables developers to improve their code composition experience with popular extensions like linters, code-completion, and debugging modules.

The Checkov VS Code extension, which is now available for download from the Visual Studio Marketplace, applies that same ease-of-use to improve the quality of IaC without the need for context switching. And as a tribute to our Checkov contributors, we are publishing the source code and licensing the extension under the Apache 2.0 license. The extension can be used without restrictions as part of Bridgecrew’s free Community plan. 

Here’s how to get started.

1. Install the extension

In Visual Studio Code, go to Extensions and search for Checkov. 

Select Install to download and install it locally. 

Note: The extension requires Python 3.7 and will install the latest version of Checkov.

Once downloaded, you will be required to enter a valid Bridgecrew API token to invoke real-time scans and fixes from Bridgecrew.

Learn more about obtaining your API token from your Bridgecrew account.

2. Scan resources for misconfigurations

Open an IaC file or clone one of our “vulnerable-by-design” IaC projects, TerraGoat, CfnGoat, or CDKGoat, to scan with Checkov.

Checkov will then automatically start scanning your IaC file in for security and compliance misconfigurations. Resources with failing checks will be underlined in red. To see what misconfigurations have been identified, hover over the resource:

From there, you can go to the guidelines documentation for the failing policy to learn the rationale behind it.

Note: To avoid the additional prompt when investigating policy guidelines, use the command Manage Trusted Domains and add https://docs.bridgecrew.io to the list.

3. Implementing inline code fixes

For many errors, you can also implement inline fixes right then and there by selecting Quick Fix… (⌘.)

This will modify the resource by either adding a missing attribute, removing an unwanted argument or replacing it with a preferred value.

· · ·

For Bridgecrew customers, Checkov users, and anyone interested in secure IaC development, this is the fullest extension of shifting cloud security left. By placing guardrails directly where developers are coding, the VS Code extension not only improves the quality of code but saves time and resources spent identifying, detecting, and resolving issues further downstream.

Happy (secure) IaC-ing!

If you have any issues, questions, or want to contribute to the project, check out the extension on GitHub, or join us in our CodifiedSecurity Slack Workspace