As some of you might have noticed, our IaC repository got a new check: Checkov Security Scan on every Pull Request. We added the check yesterday (Thu, 27 May 2021) to increase our awareness of security weaknesses in our infrastructure. We use the Checkov tool, which is open source (GitHub repo). Checkov scans the changed directories in the Pull Request for security issues, not only the changed lines or files, so it can report findings in files that your PR did not touch.
You can see what is wrong with your Pull Request by clicking Details on the Checkov check. You will see the failing checks.
Please fix your Pull Request to comply with our security standards. If the error is unclear, you can google the name of the check to find guidance on what you should do. If you cannot find anything on Google, you can reach @data-cde on #data-kube-devops.
If the failing check is expected, like the one above (a forked public GitHub repository cannot be made private), you can ignore/suppress the check with an inline Terraform comment. You can refer to the Checkov documentation on suppressing checks to do that. Please use this very carefully, and only if you are very sure that the failing check is expected, because a suppressed check will not be reported again for that resource.
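As an added example (not from the announcement or from the Checkov project), this is what an inline suppression looks like for the forked-repository case described above. The resource and repository names are hypothetical, and CKV_GIT_1 is assumed to be Checkov's "GitHub repository is private" check id; confirm the id against the failing check shown in the PR's Details page before copying it.

```hcl
# Added example (not from the announcement): suppressing an expected Checkov
# finding with an inline comment. Resource and repository names are constructed;
# CKV_GIT_1 is assumed to be the "GitHub repository is private" check id.

resource "github_repository" "forked_tool" {
  name        = "forked-tool"
  description = "Fork of an upstream public project (constructed example)"

  # The skip comment must sit inside the resource block it applies to.
  # Format: checkov:skip=<check id>:<reason>. The reason is mandatory for us:
  # it is the audit trail explaining why the finding is accepted.
  # checkov:skip=CKV_GIT_1:Fork of a public upstream repository; GitHub does not allow forks of public repositories to be made private
  visibility = "public"
}
```

The suppression only silences that one check id on that one resource; other checks on the same resource still run, and the same check on other resources still fails. To confirm a suppression works before pushing, run Checkov locally on the directory your PR changes (`checkov -d <directory>`), which mirrors the per-directory scan the PR check performs, and the skipped check should appear under "skipped" in the output rather than "failed".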
Currently we do not require this check to pass before a Pull Request can be merged; you can merge the PR even if the Checkov check fails. We are observing the alerts for now, because some of them require changing our approach to using GCP services, which takes additional effort (for example, the way we use service account keys). We will let you know when we have a plan to enforce this.
Please fix as many of the failing checks as you can on your Pull Request to make the Data Team infrastructure safer!