Checkov Terraform vulnerability scanning
What is it?
We have added Checkov to our Infrastructure pipeline to help us identify security vulnerabilities in our IaC (Infrastructure-as-code). You can read more about it here.
How does this impact you?
Any finding reported by Checkov will need to be corrected. If it cannot be corrected immediately, a security issue will need to be created and the proper suppression entered into the code. Also please tag the security team to review the PR. If it is a false positive, the proper suppression entry will need to be entered into the code.
If Checkov finds vulnerabilities will it fail the pipeline?
Yes.
I have a vulnerability that is a false positive, or one that we will not fix. Can I make Checkov ignore it?
Yes. Simply follow the instructions in suppressing/skipping policies and then tag the security team to review the PR.
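As an added illustration (not part of this page or of Checkov's own documentation), the following Terraform snippet shows what an inline suppression looks like once the steps above have been followed. The bucket names, the issue id "SEC-0000" and the justification text are assumed placeholders; the check IDs used (CKV_AWS_18 for S3 access logging, CKV_AWS_21 for S3 versioning) are real Checkov policy IDs.

```hcl
# Added example, not from the original page. Checkov reads a suppression of the form
#   #checkov:skip=<CHECK_ID>:<justification>
# placed inside the resource block it applies to. The justification is free text;
# referencing the tracking issue (placeholder SEC-0000 below) is what lets the
# security team reviewing the PR see why the finding was accepted.

# Case 1: finding that will not be fixed right now. A security issue has been
# created and the suppression points at it.
resource "aws_s3_bucket" "build_artifacts" {
  #checkov:skip=CKV_AWS_18:Access logging deferred, tracked in security issue SEC-0000 (placeholder id)
  bucket = "example-build-artifacts" # assumed name
}

# Case 2: false positive. The suppression states why the check does not apply
# so a reviewer can confirm the reasoning rather than re-derive it.
resource "aws_s3_bucket" "scratch_data" {
  #checkov:skip=CKV_AWS_21:Ephemeral scratch bucket, objects are regenerated on every run; versioning not required
  bucket = "example-scratch-data" # assumed name
}

# Case 3: the preferred outcome - the finding is corrected instead of suppressed,
# so no skip comment is needed.
resource "aws_s3_bucket" "reports" {
  bucket = "example-reports" # assumed name
}

resource "aws_s3_bucket_versioning" "reports" {
  bucket = aws_s3_bucket.reports.id
  versioning_configuration {
    status = "Enabled"
  }
}
```

Note that a suppression only silences the one check ID named in the comment for the one resource block it sits in; other findings on the same resource still fail the pipeline, which is the intended behaviour. Keep the justification specific enough that the security team reviewing the PR can verify it against the issue or the resource's actual usage.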
Are there any IDE Plugins for Checkov?
Yes. The following options are available for you to use: