To prevent checkov from scanning Dockerfiles and other non-terraform stuff present in the directory you specify with '--directory', just add the extra flag '--framework terraform' to only run the terraform rule set. This way you don't have to worry about skipping checks for other technologies.
Current list of supported 'frameworks' as of version 2.0.926 is: arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all
Default value is 'all'
Checkov is not running for me. Not getting test results, only the warnings. Is it normal?
Reached too many edge duplications of 90% for 4 iterations. breaking.
2021-10-01 16:35:59,864 [MainThread ] [WARNI] The json runner requires that external checks are defined.
2021-10-01 16:36:01,428 [MainThread ] [WARNI] The json runner requires that external checks are defined.
Love this concept Ned, very useful stuff. Thank you.
I ran checkov on the setup code Terraform files, and there were a lot of failures! This is a great tool, by the way!
Thank you Ned! This video was an excellent help in getting Checkov up and running for our IaC scanning. I am looking forward to your videos on build validation pre-merge on PR and tfplan stashing. Any idea when these updates will be posted? As always, keep up the good work.
Really nice! I have to move this to Jenkins and test AWS infrastructure.
Great videos, very useful, thank you. When you use .tf in the checkov command it covers all your tf files, even local modules, but ./terraform covers third-party modules, like when you use source="howdio/eks/aws" for example (checkov documentation).
Great video Ned! Do you have any sample of getting it work with modules in Azure Private Repo?
No, sorry. Are you using Private Repos in ADO instead of GitHub?
@NedintheCloud thank you for replying. Yes, I am using a Private Repo in ADO. I can try with a GitHub Private Repo if that works. Your videos are an amazing help. Thank you once again for that ☺
Good video thanks 😊
Ty Ned this video is so awesome!
Just want to hear your opinion on what value this validation brings if we could do the same with Azure Policy? For AWS it is simple, it must be present, however for Azure is it really needed? (For educational purposes it is really great, I've learned a lot!)
True you could do it with Azure Policy. If you're trying to stick with a cloud agnostic approach, then Checkov could be your one policy tool to rule them all.
Question is how do you set up your auth creds so you can use Azure, do you have a starting tutorial?
Can you please cover the topic of using Atlantis and Checkov? It's rarely covered on the internet.
where can I find the code for the pipeline?
`pwd` might be more succinct in telling you which directory you're in than `ls`
Valid point. Linux is still my second language and I think it will be forever.
Can we run checkov without terraform init and creating a terraform plan? I wish the documentation would explain this. Can we run checkov on just *.tf files or a parent directory?
Yes: install checkov locally with pip, and run the command (checkov -d path/to/your/dir).
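The two practical points in this thread, restricting Checkov to the Terraform rule set with --framework and running it locally with pip and -d without any terraform init or plan, put together as an added example that is not code from the video, from Ned, or from the Checkov project: a small Python gate script that wraps `checkov -d <dir> --framework terraform -o json` and decides whether a build may proceed. The embedded JSON report is constructed to follow the shape of checkov 2.x JSON output (a list of per-runner objects, or a single object when only one runner reported, each with results.failed_checks, results.parsing_errors and a summary); the waiver list, the justifications and the check names are hypothetical sample data, and the check ids appear only as sample values.

```python
"""CI gate around `checkov --directory <dir> --framework terraform --output json`.

Added example (not Checkov's own code). Runs Checkov restricted to the
Terraform rule set, parses its JSON report and decides pass/fail with a
waiver list that carries an expiry date and a reason, rather than a flat
--skip-check. Fails closed when Checkov could not parse a file.
"""
import json
import shutil
import subprocess
import sys
from datetime import date

# Waivers: check id -> (ISO expiry date, justification). Constructed sample data.
SAMPLE_WAIVERS = {
    "CKV_AZURE_35": ("2022-06-30", "dev-only storage; firewall change tracked in ticket IAC-12 (hypothetical)"),
}

# Constructed report in the shape of checkov 2.x `-o json` output; names are illustrative.
SAMPLE_REPORT = json.dumps([{
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AZURE_35", "check_name": "(constructed) storage default network access",
             "check_result": {"result": "FAILED"}, "file_path": "/storage.tf",
             "file_line_range": [1, 12], "resource": "azurerm_storage_account.logs"},
            {"check_id": "CKV_AZURE_3", "check_name": "(constructed) storage HTTPS only",
             "check_result": {"result": "FAILED"}, "file_path": "/storage.tf",
             "file_line_range": [1, 12], "resource": "azurerm_storage_account.logs"},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 0, "parsing_errors": 0,
                "resource_count": 1, "checkov_version": "2.0.926"},
}])


def checkov_command(directory, framework="terraform"):
    """Argument vector for the scan; only documented checkov 2.x flags are used."""
    return ["checkov", "--directory", directory, "--framework", framework, "--output", "json"]


def normalize_reports(raw):
    """Checkov prints one object when a single runner reported and a list when
    several did; always return a list so callers need not care which."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def failed_checks(reports):
    """Flatten failed checks across runners into plain dicts."""
    for report in reports:
        for chk in report.get("results", {}).get("failed_checks", []):
            yield {
                "check_id": chk["check_id"],
                "resource": chk.get("resource", "?"),
                "file": chk.get("file_path", "?"),
                "framework": report.get("check_type", "?"),
            }


def parsing_error_count(reports):
    """Files Checkov could not parse were never scanned, so count them as failures."""
    return sum(len(r.get("results", {}).get("parsing_errors", [])) for r in reports)


def evaluate(reports, waivers, today):
    """Split failures into blocking, waived (valid waiver) and expired (waiver lapsed).
    `today` is an ISO date string; ISO dates compare correctly as strings."""
    blocking, waived, expired = [], [], []
    for f in failed_checks(reports):
        waiver = waivers.get(f["check_id"])
        if waiver is None:
            blocking.append(f)
        elif waiver[0] < today:
            expired.append(f)
        else:
            waived.append(f)
    return blocking, waived, expired


def gate(raw_report, waivers, today=None):
    """True if the build may proceed; False on any blocking/expired finding or parse error."""
    today = today or date.today().isoformat()
    reports = normalize_reports(raw_report)
    blocking, waived, expired = evaluate(reports, waivers, today)
    errors = parsing_error_count(reports)
    for f in blocking:
        print(f"FAIL  {f['check_id']} {f['resource']} ({f['file']})")
    for f in expired:
        print(f"FAIL  {f['check_id']} {f['resource']} waiver expired on {waivers[f['check_id']][0]}")
    for f in waived:
        print(f"WAIVE {f['check_id']} {f['resource']}: {waivers[f['check_id']][1]}")
    if errors:
        print(f"FAIL  {errors} file(s) could not be parsed by checkov")
    return not blocking and not expired and errors == 0


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    if shutil.which("checkov") is None:
        print("checkov not installed (pip install checkov); evaluating the constructed sample instead")
        raw = SAMPLE_REPORT
    else:
        # Checkov itself exits 1 when any check fails, so do not let subprocess raise on that.
        raw = subprocess.run(checkov_command(target), capture_output=True, text=True).stdout
    sys.exit(0 if gate(raw, SAMPLE_WAIVERS) else 1)
```

Run it in the pipeline as `python checkov_gate.py ./terraform` (the file name is this example's choice). Compared with passing `--skip-check` to Checkov, the waived finding stays visible in the job log together with its reason and expiry, and a lapsed waiver starts failing the build on its own. Checkov scans the HCL statically, so no terraform init, provider download or plan is needed for this; a terraform plan is only required when you want the separate terraform_plan framework to evaluate resolved values.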
Please do not remove the install terraform task at the start. You'll get a new version of TF every month as a result without you even checking the release notes to see it's not creating new issues. You should have full control over the versions of both the terraform engine and the provider you are using, and lock them so you can verify them before you run things on your cloud infra. If the version you want is the one installed, it's exactly 1 sec of checking added to your process, and if there is a new one but you wanted the one before it, it will install it on the hosted agent.
I totally get where you're coming from with the install task. Since Terraform hit 1.0, I feel okay using the latest, but I probably wouldn't recommend it for production workloads or regulated industries.