Checkov Security Scan

As some of you might have noticed, our IaC repository got a new check: Checkov Security Scan on every Pull Request. We enabled the check yesterday (Thu, 27 May 2021) to increase our awareness of security vulnerabilities in our infrastructure. We use the Checkov tool, which is available as open source (GitHub repo). Checkov scans for security vulnerabilities in the directories changed by the Pull Request, not only in the changed lines or files.

Seeing what’s wrong

You can see what’s wrong with your Pull Request by clicking Details on the Checkov check.

[Screenshot attached: screen_shot_2021-05-28_at_08.14.51.png]

You will see the failing checks.

What should you do

Please fix your Pull Request so that it adheres to the security standards. If you are confused by an error, you can google the “check” name to find guidance on what you should do. If you cannot find anything on Google, you can reach @data-cde on #data-kube-devops.

[Screenshot attached: screen_shot_2021-05-28_at_08.15.08.png]

If the failing check is expected, like the one above (a forked public GitHub repository cannot be made private), you can ignore/suppress the check with an inline Checkov skip comment in the Terraform file. You can refer to the Checkov documentation on suppressions for the exact syntax. Please use this very carefully and only if you are very sure that the failing check is expected.
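As an added illustration (not part of the original announcement), this is what an inline suppression looks like for the forked-repository case: the skip comment goes inside the resource block and carries a short reason that shows up in the Checkov report. CKV_GIT_1 is Checkov's "Ensure GitHub repository is Private" check; the repository name and description are made up for the example.

```hcl
# Example only: a fork of a public upstream project must stay public,
# so the "repository is private" check is expected to fail here.
resource "github_repository" "upstream_fork" {
  # checkov:skip=CKV_GIT_1: fork of a public upstream repository, cannot be private
  name        = "example-upstream-fork"   # constructed name
  description = "Fork of a public upstream project (example)"
  visibility  = "public"
}
```

The skip applies only to the resource that contains the comment, so every other resource in the same directory is still scanned normally.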

Enforcement

Currently we don’t require this check to pass before a Pull Request can be merged; you can merge the PR even if the Checkov check fails. For now we are observing the alerts, because some of them require changing how we use GCP services, which takes additional effort (e.g. the way we use service account keys). We will let you know when we have a plan to enforce it.

Please fix as many of the failing checks as you can on your Pull Request to make the Data Team infrastructure safer!