Terraform enables developers to create cloud resources via a few lines of code. Hence, these developers must write code that is easy to understand and follows security best practices. Moreover, following best practices becomes a habit if there is a system to keep that in check. Checkov is a proven static analysis tool that checks for standard best practices in your Terraform code.
In this note, I will show you how to ensure that your Terraform code stored in a public GitHub repository is continuously scanned against the Checkov rules using GitHub Actions.
Note: As a reader, I assume you are familiar with Terraform, Checkov, and GitHub Actions.
Code scanning is auto-enabled once you add the Checkov scanning YAML file to your repository, provided your repository is open source (public repository). Before adding the code scanning YAML file, code scanning alerts were not enabled in my repository. This setting is accessible via the Security menu -> Vulnerability alerts -> Code scanning.
For private repositories, chances are that the code scanning alerts are disabled. You can find out how to enable that via GitHub-docs-code-scanning.
I have a public repository and did not have to enable this setting manually. After adding the Checkov scan YAML file to the .github/workflows folder and pushing the changes to the GitHub remote, the scanning process started automatically under GitHub Actions. That is due to the trigger setting, which I set to on: push: branches ["*"].
You can control when the scan pipeline runs through the on: setting in the YAML file. I enabled scanning for all branches so that, while I am developing on a separate branch, the scan results are already available for me to review. The Checkov scan pipeline will fail until all the static code analysis checks pass.
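The workflow described above, written out as an added example (not the file from the repository mentioned in this note): it runs on every push to any branch, scans the repository root with Checkov, and uploads the SARIF report so the findings show up under the Security tab's code scanning view. The action versions, the directory being scanned, and the workflow name are assumptions.

```yaml
# .github/workflows/checkov.yml (example file name; assumed)
name: Checkov scan

on:
  push:
    branches: ["*"]   # run on every branch, not only the default one

permissions:
  contents: read
  security-events: write   # needed to upload SARIF results to code scanning

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - name: Check out repository
        uses: actions/checkout@v4

      - name: Run Checkov against the Terraform code
        id: checkov
        uses: bridgecrewio/checkov-action@v12   # version assumed
        with:
          directory: .            # scan the whole repository (assumed layout)
          framework: terraform
          output_format: cli,sarif
          output_file_path: console,results.sarif
          # soft_fail defaults to false, so the job fails while violations remain

      - name: Upload SARIF report to GitHub code scanning
        # upload even when the scan step failed, otherwise failing runs leave no alerts
        if: success() || failure()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

With soft_fail left at its default the job status mirrors the scan result, which is what keeps the pipeline red until every check passes; the separate upload step is what makes the per-branch view in the Security tab possible.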
Although you can navigate to the Checkov GitHub Action step in the GitHub Actions pipeline run to evaluate the result and find out which Checkov rule is failing in which file, a better user interface is available under the Security menu -> Vulnerability alerts -> Code scanning. The report shows the violations for the default branch. If you are yet to merge your changes to the main branch or are working on a separate branch, select your specific branch (dropdown) and review the violations.
The image below shows the violations reported in my GitHub repository add-aws-secretsmanager-terraform, on the branch add-scaffolding.
Once I start working on these violations and fixing my code, the open scan error count will reduce, and the closed count will increase. Ideally, we’d want code with no scanning violations.
I found the Checkov GitHub Actions YAML pipeline neat and easy to work with. If you want a static analysis tool to scan your Terraform code using GitHub Actions, please try the Checkov YAML file. You can check my repository for the pipeline code and the GitHub Actions scan runs. You won't be able to open the repository's Security tab, though, because viewing it requires permission on the repository.
I hope you found this note helpful. Please let me know if you have any questions, and I will answer them.