In my previous article, I highlighted the key steps and important solutions with regard to the security of CI/CD pipelines. In this article, I would like to share a basic CI/CD configuration for Checkov and KICS, two Infrastructure as Code (IaC) analysis tools that scan your IaC templates for potential vulnerabilities and misconfigurations. These tools support various formats, including Terraform, CloudFormation, Kubernetes, ARM, and others. I will show how to run them in GitHub Actions and GitLab CI.
Please keep in mind that all configuration files should be adapted to your environment and project requirements.
Checkov (https://github.com/bridgecrewio/checkov)
1. Configuration with GitHub Actions:
In your GitHub repository, create a new file named .github/workflows/IaC_scan.yml. Add the following configuration to the IaC_scan.yml file:
name: IaC scanning stage
on:
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]
jobs:
  IaC_scan:
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: "3.9"
      - name: Install Checkov
        run: pip install checkov
      # Scan every IaC file under the repository root
      - name: Run Checkov
        run: checkov --directory .
This GitHub Actions workflow triggers a Checkov scan on every push and pull request targeting the main or master branch.
2. Configuration with GitLab CI:
In your GitLab repository, create a new file named .gitlab-ci.yml. Add the following configuration to the .gitlab-ci.yml file:
stages:
  - IaC_scan
Checkov:
  stage: IaC_scan
  image: python:3.9
  allow_failure: true
  before_script:
    - pip install checkov
  script:
    - checkov -d .
In the GitLab CI pipeline configuration, an IaC_scan stage is defined with a job named Checkov. It uses the Python Docker image to set up a Python environment, installs Checkov, and runs Checkov to scan the IaC code. Because allow_failure is set to true, findings are reported in the job log but do not block the pipeline; remove that line once you are ready to enforce the scan.
KICS (https://kics.io/)
1. Configuration with GitHub Actions:
In your GitHub repository, create a new file named .github/workflows/IaC_scan.yml. Add the following configuration to the IaC_scan.yml file:
name: IaC scanning stage
on:
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout repository
        uses: actions/checkout@v3
      # Scan IaC with KICS; pin the action to a specific release tag
      - name: Run KICS scan
        uses: checkmarx/kics-github-action@<release-tag>
        with:
          path: "."
This GitHub Actions workflow triggers a KICS scan on every push and pull request targeting the main or master branch.
2. Configuration with GitLab CI:
In your GitLab repository, create a new file named .gitlab-ci.yml (or update it if you already have one). Add the following configuration to the .gitlab-ci.yml file:
stages:
  - IaC_scan
kics:
  stage: IaC_scan
  image:
    name: checkmarx/kics:latest
    entrypoint: [""]
  script:
    - kics scan -p ${PWD} -o ${PWD} --report-formats json --output-name kics-results
  artifacts:
    name: kics-results.json
    paths:
      - kics-results.json
In the GitLab CI pipeline configuration, an IaC_scan stage is defined with a job named kics. This job uses the KICS Docker image to run the KICS scan against the IaC code, writes the results as kics-results.json, and keeps that file as a job artifact so it can be downloaded or consumed by a later stage.
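Both pipelines above only run the scanner; they do not say which findings should actually stop a merge. The following Python script is an example I added for this article (it is not part of Checkov or KICS) that reads either the KICS JSON report produced by --report-formats json or a Checkov report produced with `checkov -o json`, flattens both into one list of findings, and fails the job when anything at or above a chosen severity remains after an explicit allowlist of accepted check ids. The report layouts it parses (KICS: queries[] with files[] and severity; Checkov: results.failed_checks[] with check_id, file_path, file_line_range and a null severity) are my assumptions about the tools' JSON output, and the two sample reports embedded at the bottom are constructed, not real scan results. Run it as a later pipeline step, for example `python iac_gate.py kics-results.json HIGH`.

```python
"""Gate a CI job on a Checkov (-o json) or KICS (--report-formats json) report.

Example code added to the article; report layouts are assumptions and the
sample reports are constructed, not real scanner output.
"""
import json
import sys

# Shared severity ladder; anything ranked at or above the threshold blocks.
SEVERITY_ORDER = ["INFO", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def rank(severity):
    """Position of a severity in SEVERITY_ORDER.

    Unknown or missing severities rank above everything, so a format change in
    the report cannot silently turn findings into a passing gate.
    """
    sev = str(severity or "").upper()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)


def normalize_kics(report):
    """Flatten KICS JSON (assumed layout: queries[] -> files[]) to one finding per file hit."""
    findings = []
    for query in report.get("queries", []):
        for hit in query.get("files", []):
            findings.append({
                "tool": "kics",
                "id": query.get("query_id", query.get("query_name", "unknown")),
                "name": query.get("query_name", ""),
                "severity": str(query.get("severity", "")).upper(),
                "file": hit.get("file_name", ""),
                "line": hit.get("line", 0),
            })
    return findings


def normalize_checkov(report, assumed_severity="MEDIUM"):
    """Flatten Checkov JSON (one object, or a list when several frameworks ran).

    The open-source CLI reports severity as null, so every failed check gets
    the caller-chosen assumed_severity.
    """
    blocks = report if isinstance(report, list) else [report]
    findings = []
    for block in blocks:
        for check in block.get("results", {}).get("failed_checks", []):
            findings.append({
                "tool": "checkov",
                "id": check.get("check_id", "unknown"),
                "name": check.get("check_name", ""),
                "severity": (check.get("severity") or assumed_severity).upper(),
                "file": check.get("file_path", ""),
                "line": (check.get("file_line_range") or [0])[0],
            })
    return findings


def normalize(report):
    """Pick the parser from the report's shape."""
    if isinstance(report, dict) and "queries" in report:
        return normalize_kics(report)
    return normalize_checkov(report)


def blocking_findings(findings, fail_at="HIGH", suppressed=frozenset()):
    """Findings that should fail the job: not allowlisted and ranked >= fail_at."""
    threshold = rank(fail_at)
    return [f for f in findings
            if f["id"] not in suppressed and rank(f["severity"]) >= threshold]


# Constructed sample reports (not real scanner output) so the module runs offline.
KICS_SAMPLE = {
    "severity_counters": {"HIGH": 1, "MEDIUM": 1, "LOW": 0, "INFO": 0},
    "queries": [
        {"query_id": "constructed-0001", "query_name": "Public bucket ACL",
         "severity": "HIGH", "files": [{"file_name": "main.tf", "line": 12}]},
        {"query_id": "constructed-0002", "query_name": "Missing resource tags",
         "severity": "MEDIUM",
         "files": [{"file_name": "main.tf", "line": 3}, {"file_name": "db.tf", "line": 8}]},
    ],
}
CHECKOV_SAMPLE = {
    "check_type": "terraform",
    "results": {"failed_checks": [
        {"check_id": "CKV_CONSTRUCTED_1", "check_name": "Ensure bucket is not public",
         "file_path": "/main.tf", "file_line_range": [10, 20], "severity": None},
        {"check_id": "CKV_CONSTRUCTED_2", "check_name": "Ensure logging is enabled",
         "file_path": "/main.tf", "file_line_range": [10, 20], "severity": None},
    ]},
}


def main(argv):
    """Usage: iac_gate.py <report.json> [FAIL_AT]; returns 1 when blocking findings exist."""
    if len(argv) < 2:
        print(__doc__)
        return 2
    fail_at = argv[2] if len(argv) > 2 else "HIGH"
    with open(argv[1], encoding="utf-8") as fh:
        findings = normalize(json.load(fh))
    blocking = blocking_findings(findings, fail_at)
    for f in blocking:
        print(f"[{f['tool']}] {f['severity']} {f['id']} {f['file']}:{f['line']} {f['name']}")
    print(f"{len(findings)} finding(s), {len(blocking)} at or above {fail_at}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the allowlist of accepted ids in the script (and therefore in git history) means every exception to the gate is reviewed in a merge request like any other code change, rather than hidden in a job's allow_failure setting.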
As a closing remark, I strongly suggest using Infrastructure as Code (IaC) scanner tools at an early stage to enhance your security measures. With this proactive approach, misconfigurations can be prevented. This preemptive tactic allows you to detect and address potential security risks early in the lifecycle, thus mitigating the threat of these risks infiltrating your live infrastructure.