If you are running Checkov with the Bridgecrew API token and you use a proxy, you may need to turn off your VPN/proxy or use the
--ca-certificate flag to allow your proxy’s certificate using the directions here: https://github.com/bridgecrewio/checkov/pull/1099. If you run Checkov without the Bridgecrew API token, this won’t be an issue.
To demonstrate what kinds of security and compliance errors Bridgecrew can identify in Terraform templates, start by using Checkov and send the results to the Bridgecrew platform.
Make sure you are in the cloned directory from the previous step, copy your unique Bridgecrew API token, and scan the
s3.tf in the
checkov -f terraform/aws/s3.tf --bc-api-key $YOUR_BC_API_KEY --repo-id bridgecrewio/s3
You can also scan entire directories with -d
checkov -d terraform/aws/ --bc-api-key $YOUR_BC_API_KEY --repo-id bridgecrewio/awsterragoat
You can use Checkov without
--bc-api-key to display the results in the command line without uploading to the Bridgecrew platform for testing or local-only scan results.
The results will show all the failed policies and link to guides explaining the rationale behind each misconfiguration and steps to fix them. Note the output also includes the filename and snippet of code that is misconfigured:
In the example output above, you can see that Bridgecrew identified two failing policies: “Ensure EKS Cluster has Secrets Encryption Enabled” and “Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0”.
To get the list of policies that Checkov checks for, use
In many instances, when testing locally with the Checkov, you may only be interested in running just a few policies. In that case, you can add the
checkov -f terraform/aws/s3.tf -c CKV_AWS_18,CKV_AWS_52
Alternatively, if you want to run all but a few policies, use the
checkov -f terraform/aws/s3.tf --skip-check CKV_AWS_18,CKV_AWS_52