Automating Terraform Security Scans with Checkov and Azure Pipelines


These articles are AI-generated summaries. Please check the original sources for full details.

Checkov Scan para Terraform com Azure Pipelines (Checkov Scan for Terraform with Azure Pipelines)

Leonan Viana demonstrates how to integrate Checkov into Azure DevOps to automate static analysis of Infrastructure as Code. Because Checkov returns a non-zero exit code when any check fails, the job stops before Terraform applies anything, so misconfigured cloud resources are rejected inside the CI/CD runner rather than discovered after provisioning.

Why This Matters

In high-velocity engineering environments, manual infrastructure audits cannot keep pace with automated deployments. Running a static analyzer such as Checkov in the pipeline shifts security left: misconfigurations such as a publicly reachable EKS API endpoint or unencrypted storage are flagged in the Terraform source and block the job before the plan or apply phases run. This closes the gap between written security policy and the configuration that actually reaches the cloud, because a non-compliant change cannot be applied through the pipeline. Caching the tool's Python environment between runs keeps the gate fast enough that it does not become a bottleneck teams are tempted to route around.

Key Insights

  • Checkov supports a wide array of frameworks including Terraform, CloudFormation, Kubernetes, Helm, ARM Templates, and AWS CDK.
  • Using the Cache@2 task in Azure DevOps allows engineers to store the Checkov Python environment, preventing redundant installations across pipeline runs.
  • The tool provides granular feedback on cloud resources, reporting the number of passed, failed, and skipped checks in the pipeline logs.
  • Security exceptions are recorded inline with annotations such as #checkov:skip=CKV_AWS_39:<justification> placed inside the resource block; the justification text lives next to the code and gives an audit trail for accepted risks.
  • Checkov installation is managed via Python venv within the $(Agent.ToolsDirectory) to ensure runner environment stability.

Working Examples

Azure Pipelines template for reusable Checkov scanning with caching logic.

parameters:
- name: CheckovVersion
  type: string            # required: a pinned release; no default, so the gate never installs an unpinned build
- name: WorkingDir
  type: string
  default: '.'
steps:
# Template parameters are compile-time expressions (${{ }}), not runtime variables ($( )).
# Writing $(CheckovVersion) here expands to an empty string, so the cache key would never
# change when the pinned version changes and pip would be asked for "checkov==".
- task: Cache@2
  displayName: Restore checkov ${{ parameters.CheckovVersion }} from cache
  name: checkov_restore_cache
  inputs:
    key: '"checkov ${{ parameters.CheckovVersion }}" | $(Agent.OS)'
    path: $(Agent.ToolsDirectory)/checkov
    cacheHitVar: CACHE_RESTORED
# Build the venv only on a cache miss; Cache@2 saves the directory at the end of the job.
# Bash@3 is used because targetType/inline is a Bash@3 input (CmdLine@2 has no targetType).
- task: Bash@3
  displayName: Install checkov ${{ parameters.CheckovVersion }}
  condition: and(succeeded(), ne(variables.CACHE_RESTORED, 'true'))
  inputs:
    targetType: 'inline'
    script: |
      set -euo pipefail
      CHECKOV_DIR="${AGENT_TOOLSDIRECTORY}/checkov"
      mkdir -p "$CHECKOV_DIR"
      python3 -m venv "$CHECKOV_DIR"
      "$CHECKOV_DIR/bin/pip" install "checkov==${{ parameters.CheckovVersion }}"
# Runs on both cache hit and miss, so later steps always find the binary.
- task: Bash@3
  displayName: Add checkov to PATH
  inputs:
    targetType: 'inline'
    script: echo "##vso[task.prependpath]${AGENT_TOOLSDIRECTORY}/checkov/bin"
# A non-zero exit on any failed check fails the job; that exit code is the security gate.
- task: Bash@3
  displayName: Run checkov
  inputs:
    targetType: 'inline'
    script: checkov --directory "${{ parameters.WorkingDir }}" --framework terraform

Example of skipping specific Checkov rules within Terraform resources using inline comments.

# Checkov reads skip annotations from comments inside the resource block:
#   #checkov:skip=<CHECK_ID>:<justification>
# The justification is what appears in the report, so it should state why the risk is
# accepted (and ideally a ticket or owner), not only repeat the check title.
resource "aws_eks_cluster" "cluster-eks" {
  #checkov:skip=CKV_AWS_39: "Ensure Amazon EKS public endpoint disabled"
  #checkov:skip=CKV_AWS_37: "Ensure Amazon EKS control plane logging enabled for all log types"
  # ... configuration
}

Practical Applications

  • Use Case: Standardizing infrastructure security gates across multiple Azure DevOps projects using a centralized YAML template.
  • Pitfall: Neglecting to use the Cache@2 task, resulting in long pipeline wait times due to repeated Checkov and Python dependency installations.
  • Use Case: Documenting security policy exceptions directly in code to maintain traceability for compliance audits.
  • Pitfall: Placing the Checkov scan after the Terraform apply step, or running it with --soft-fail, which permits the creation of insecure resources before they are analyzed; the scan must run before plan/apply and its non-zero exit must fail the job.
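Added example, not code from the original article: a consumer azure-pipelines.yml that calls the reusable template (assumed to be saved as templates/checkov-scan.yml in the same repository) and orders the steps so the Checkov gate runs before terraform plan, which is the template-reuse use case and the ordering pitfall above. It also adds an audit step, written here for illustration, that fails the job when a #checkov:skip annotation carries no justification, so the inline exceptions described under Key Insights always leave a reason in the audit trail. The infra/ directory, the version pin, and an ubuntu-latest image with terraform already installed are assumptions.

```yaml
# azure-pipelines.yml (added example; assumes the scan template is saved as
# templates/checkov-scan.yml and the Terraform root lives in infra/)
trigger:
  branches:
    include:
    - main

pool:
  vmImage: ubuntu-latest   # assumption: hosted image with a terraform binary available

stages:
- stage: Validate
  displayName: IaC security gate
  jobs:
  - job: checkov_gate
    steps:
    - checkout: self

    # Every skip must carry a justification after the check ID, e.g.
    #   #checkov:skip=CKV_AWS_39:public endpoint required by partner VPN, risk accepted in SEC-123
    # A bare "#checkov:skip=CKV_AWS_39" silences the check without leaving a reason,
    # so such lines are reported as pipeline errors and the job fails.
    - task: Bash@3
      displayName: Audit checkov skip annotations
      inputs:
        targetType: 'inline'
        script: |
          set -uo pipefail
          # all skip annotations, prefixed file:line; grep exits 1 when there are none
          hits=$(grep -rn --include='*.tf' -E '#[[:space:]]*checkov:skip=' infra/ || true)
          # keep only lines that lack "<CHECK_ID>:<at least one non-blank character>"
          bad=$(printf '%s\n' "$hits" \
            | grep -Ev 'checkov:skip=[[:space:]]*[A-Za-z0-9_]+:[[:space:]]*[^[:space:]]' \
            | grep -v '^$' || true)
          if [ -n "$bad" ]; then
            printf '%s\n' "$bad" | while IFS= read -r line; do
              echo "##vso[task.logissue type=error]skip without justification: $line"
            done
            exit 1
          fi
          echo "all checkov skip annotations carry a justification"

    # Static analysis runs before any terraform command. A failed check exits non-zero
    # and stops the job, so terraform plan is never reached with a failing configuration.
    - template: templates/checkov-scan.yml
      parameters:
        CheckovVersion: '3.2.0'   # assumed pin; use the release you validated
        WorkingDir: infra

    - task: Bash@3
      displayName: terraform plan
      inputs:
        targetType: 'inline'
        workingDirectory: infra
        script: |
          set -euo pipefail
          terraform init -input=false
          terraform plan -input=false -out=tfplan

    # terraform apply belongs in a later stage behind an approval; it only runs
    # when this stage, and therefore the Checkov gate, has passed.
```

The audit step deliberately accepts any check ID shape (CKV_, CKV2_, custom IDs) and only tests that something follows the colon; tightening it to require a ticket reference is a one-regex change. The scan itself fails the job through Checkov's exit code, so no extra condition is needed on the plan step.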
