In my I highlighted the key steps and important solutions with regard to the security of pipelines. In this article, I would like to share the basic CI/CD configuration for Checkov and KICS, two Infrastructure as Code (IaC) analysis tools that can look through your IaC templates for potential vulnerabilities or misconfigurations. These tools support various languages, including Terraform, CloudFormation, Kubernetes, ARM, and others. I will use GitHub Actions and Gitlab CI to utilize them. previous article , CI/CD Please keep in mind that all configuration files should be adapted to your environment and project requirements. Checkov https://github.com/bridgecrewio/checkov 1. Configuration with GitHub Actions: In your GitHub repository, create a new file named . Add the following configuration to the file: .github/workflows/IaC_scan.yml IaC_scan.yml name: IaC scanning stage
on:
 push:
   branches: [ "main", "master" ]
 pull_request:
   branches: [ "main", "master" ]
jobs:
 IaC_scan:
   runs-on: ubuntu-latest
   steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
     - name: Checkout repository
       uses: actions/checkout@v3

     - name: Set up Python
       uses: actions/setup-python@v2
       with:
         python-version: 3.9

     - name: Install Checkov
       run: pip install checkov

     - name: Run Checkov
       run: checkov --directory . This GitHub Actions workflow triggers a Checkov scan on every push and pull request to the repository. 2. Configuration with Gitlab CI: In your Gitlab repository, create a new file named . Add the following configuration to the file: .gitlab-ci.yml .gitlab-ci.yml stages:
  - IaC_scan

Checkov:
  stage: IaC_scan
  image: python:3.9
  allow_failure: true
  before_script:
    - pip install checkov
  script:
    - checkov -d . In the GitLab CI pipeline configuration, an stage is defined with a job named . It uses the Python Docker image to set up a Python environment, installs Checkov, and runs Checkov to scan the IaC code. IaC_scan Checkov KICS https://kics.io/ 1. Configuration with GitHub Actions: In your GitHub repository, create a new file named . Add the following configuration to the file: .github/workflows/IaC_scan.yml IaC_scan.yml name: IaC scanning stage
on:
 push:
   branches: [ "main", "master" ]
 pull_request:
   branches: [ "main", "master" ]
jobs:
 kics:
   runs-on: ubuntu-latest
   steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
     - name: Checkout repository
       uses: actions/checkout@v3
    # Scan Iac with kics
     - name: Run KICS scan
       uses: checkmarx/kics-github-action@v1.7.0
       with:
         path: "." This GitHub Actions workflow triggers a KICS scan on every push and pull request to the repository. Configuration with Gitlab CI: In your Gitlab repository, create a new file named (or update it if you already have one). Add the following configuration to the file: .gitlab-ci.yml .gitlab-ci.yml stages:
  - IaC_scan

kics:
 stage: IaC_scan
 image:
   name: checkmarx/kics:latest
   entrypoint: [""]
 script:
   - kics scan -p ${PWD} -o ${PWD} --report-formats json --output-name kics-results
 artifacts:
     name: kics-results.json
     paths:
         - kics-results.json In the GitLab CI pipeline configuration, an stage is defined with a job named . This job uses the KICS Docker image to run the KICS scan against the IaC code. IaC_scan kics As a closing remark, I strongly suggest using Infrastructure as Code (IaC) scanner tools at an early stage to enhance your security measures. With this proactive approach, misconfigurations can be prevented. This preemptive tactic allows you to detect and address potential security risks early in the lifecycle, thus mitigating the threat of these risks infiltrating your live infrastructure.

Too Long; Didn't Read

Making security fun one episode at a time

DevSecOps Practices: Securing Infrastructure as Code (IaC)

Too Long; Didn't Read

Andrey Glukhov

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

DevSecOps Practices: Securing Infrastructure as Code (IaC)

Too Long; Didn't Read

Andrey Glukhov

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES