| 1 | +--- |
| 2 | +description: Use checkov for static analysis of a Nitric project deployed with Terraform |
| 3 | +tags: |
| 4 | + - Terraform |
| 5 | + - Testing |
| 6 | +published_at: 2025-04-15 |
| 7 | +--- |
| 8 | + |
| 9 | +# Static analysis of Terraform with Checkov |
| 10 | + |
| 11 | +This guide will walk you through generating a report with [Checkov](https://www.checkov.io/) from a Nitric project. |
| 12 | + |
| 13 | +## What is Checkov? |
| 14 | + |
| 15 | +Checkov is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations. Checkov provides several key benefits for your projects: |
| 16 | + |
| 17 | +- **Security Scanning**: Automatically detects misconfigurations and security vulnerabilities in your infrastructure code before deployment |
| 18 | +- **Compliance**: Helps ensure your infrastructure meets compliance requirements like HIPAA and PCI-DSS |
| 19 | +- **Best Practices**: Enforces infrastructure best practices and coding standards |
| 20 | +- **Early Detection**: Catches potential issues during development rather than after deployment |
| 21 | +- **Custom Rules**: Allows you to create custom rules specific to your organization's requirements |
| 22 | + |
| 23 | +## Prerequisites |
| 24 | + |
| 25 | +Before you begin, ensure you have: |
| 26 | + |
| 27 | +- [AWS CLI](https://aws.amazon.com/cli/) installed and configured |
| 28 | +- [Terraform CLI](https://terraform.io/downloads.html) installed |
| 29 | +- [Node.js](https://nodejs.org/) and npm installed |
| 30 | +- [Nitric CLI](/get-started/installation) installed |
| 31 | +- [Checkov](https://checkov.io/2.Basics/Installing%20Checkov.html) installed |
| 32 | + |
| 33 | +## What we'll be doing |
| 34 | + |
| 35 | +1. Creating and setting up your application. |
| 36 | +2. Generating a Terraform plan with a Nitric Terraform provider. |
| 37 | +3. Running Checkov. |
| 38 | + |
| 39 | +## Create and set up your application |
| 40 | + |
| 41 | +Checkov can be used with any Nitric project that you intend to deploy with Terraform. We'll be using a basic starter template in this guide, however, you can use your own Nitric project or an [example project](https://github.com/nitrictech/examples). |
| 42 | + |
| 43 | +Let's start by creating a new project from a Nitric template, this will provide a base to start building the API. |
| 44 | + |
| 45 | +```bash |
| 46 | +nitric new my-profile-api ts-starter |
| 47 | +``` |
| 48 | + |
| 49 | +Next, open the project in your editor of choice and make sure all dependencies are resolved: |
| 50 | + |
| 51 | +```bash |
| 52 | +npm install |
| 53 | +``` |
| 54 | + |
| 55 | +You can test the project to verify everything is working as expected: |
| 56 | + |
| 57 | +```bash |
| 58 | +nitric start |
| 59 | +``` |
| 60 | + |
| 61 | +## Deploying to AWS with a Terraform provider |
| 62 | + |
| 63 | +To deploy your application with Terraform you'll need to use Nitric's Terraform providers. You can learn more about using Nitric with Terraform [here](/providers/terraform). |
| 64 | + |
| 65 | +```bash |
| 66 | +nitric stack new dev aws-tf |
| 67 | +``` |
| 68 | + |
| 69 | +Update this newly created stack file to include your target region: |
| 70 | + |
| 71 | +```yaml title:nitric.dev.yaml |
| 72 | +# The nitric provider to use |
| 73 | +provider: nitric/[email protected] |
| 74 | + |
| 75 | +# The target aws region to deploy to |
| 76 | +region: us-east-2 |
| 77 | +``` |
| 78 | +
|
| 79 | +Once you've created your stack file, you can generate the Terraform code by running the following command: |
| 80 | +
|
| 81 | +```bash |
| 82 | +nitric up |
| 83 | +``` |
| 84 | + |
| 85 | +This will generate Terraform code which can deploy your application. The output will be in a folder named `cdktf.out` by default. |
| 86 | + |
| 87 | +## Run checkov |
| 88 | + |
| 89 | +Use the Terraform CLI to generate a terraform plan expressed in a json file and then run Checkov on this file. |
| 90 | + |
| 91 | +```bash |
| 92 | +cd cdktf.out/stacks/my-profile-api-dev |
| 93 | + |
| 94 | +terraform init |
| 95 | +terraform plan --out tfplan.binary |
| 96 | +terraform show -json tfplan.binary | jq > tfplan.json |
| 97 | + |
| 98 | +checkov -f tfplan.json |
| 99 | +``` |
| 100 | + |
| 101 | +This should produce the `checkov` scan results in the terminal, which should look something like this: |
| 102 | + |
| 103 | +```bash |
| 104 | +terraform_plan scan results: |
| 105 | + |
| 106 | +Passed checks: 22, Failed checks: 9, Skipped checks: 0 |
| 107 | + |
| 108 | +Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider" |
| 109 | + PASSED for resource: aws.default |
| 110 | + File: /tfplan.json:0-1 |
| 111 | + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-5 |
| 112 | +Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount" |
| 113 | + PASSED for resource: module.api_main.aws_lambda_permission.apigw_lambda["checkov_services-api"] |
| 114 | + File: /tfplan.json:0-0 |
| 115 | + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364 |
| 116 | +Check: CKV_AWS_301: "Ensure that AWS Lambda function is not publicly accessible" |
| 117 | + PASSED for resource: module.api_main.aws_lambda_permission.apigw_lambda["checkov_services-api"] |
| 118 | + File: /tfplan.json:0-0 |
| 119 | + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-301 |
| 120 | +Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS" |
| 121 | + FAILED for resource: module.service_checkov_services-api.aws_ecr_repository.repo |
| 122 | + File: /tfplan.json:0-0 |
| 123 | + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted |
| 124 | +``` |
| 125 | + |
| 126 | +## Analysing the results |
| 127 | + |
| 128 | +Checkov comes with some great default checks, however, they do need to be aligned with the requirements of your application. |
| 129 | + |
| 130 | +For example the Checkov policy `CKV_AWS_136` checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don't explicitly configure a KMS key. |
| 131 | + |
| 132 | +A way to handle these false positives is to use [suppress/skip comments](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html) in the Terraform code. |
| 133 | + |
| 134 | +```terraform |
| 135 | +# checkov:skip=CKV_AWS_136 |
| 136 | +resource "aws_ecr_repository" "repo" { |
| 137 | + name = "my-ecr-repo" |
| 138 | +} |
| 139 | +``` |
| 140 | + |
| 141 | +You could also use custom policies to handle these false positives or create custom rules to better match your infrastructure requirements. |
| 142 | + |
| 143 | +If you have any concerns, please don't hesitate to [reach out](https://nitric.io/chat). |
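Review bot: the inline `# checkov:skip=CKV_AWS_136` suppression shown under "Analysing the results" will not take effect with the workflow this guide sets up, because the scan runs on the plan JSON (`checkov -f tfplan.json`) and Checkov does not read the `.tf` sources when scanning a plan file unless it is pointed at them (`--repo-root-for-plan-enrichment`); on top of that, the Terraform under `cdktf.out` is generated by `nitric up`, so a hand-added comment is lost on the next run. Suggest suppressing at the CLI or in a config file instead, e.g. `checkov -f tfplan.json --skip-check CKV_AWS_136`, or a `.checkov.yaml` containing `skip-check: [CKV_AWS_136]`, and, if the comment example is kept, noting that Checkov's documentation places skip comments inside the resource block rather than above it. Smaller points: `terraform show -json tfplan.binary | jq > tfplan.json` depends on `jq`, which is not listed in the prerequisites and is not needed (`terraform show -json tfplan.binary > tfplan.json` already writes valid JSON); and `## Run checkov` should read `## Run Checkov` to match the capitalisation used elsewhere on the page.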