Overview

Checkov is a code analysis tool that scans Terraform deployments for vulnerabilities and compliance violations. If Checkov is enabled, Scalr will insert the Checkov step before the Terraform init phase runs. Checkov will evaluate the code that is being pulled in, and if any errors are found, the run in Scalr will stop. Runs that are stopped during the Checkov step are not billed for.

To enable Checkov, go to the Integrations page at the administrative scope. Users need the integrations:read and integrations:manage permissions to set up and manage this integration:

Click on Checkov and then "Add connection". You will be prompted to name the integration and to provide the Checkov version (e.g. 3.2.288) that you want to run. Use a plain version tag; do not use the "sha..." tag that is also listed among the versions on Docker Hub:

Environment enforcement

Environment enforcement of the Checkov integration in Scalr gives administrators control over the security and compliance posture of OpenTofu/Terraform runs within an environment. Scalr supports two types of enforcement in environments:

  • Enforce in all current and future environments—This option automates the enforcement of Checkov in all environments and requires no manual intervention when new ones are created.
  • Manual mode—This option limits Checkov checks to the environments you select. However, manual intervention is required whenever a new environment is created and the Checkov integration is needed in it.

Once enforced, Checkov will execute on ALL workspaces within the selected environments:

Custom Parameters

Custom parameters control which checks Checkov runs and how it reports them. For example, to skip certain checks, add the --skip-check parameter followed by the IDs to skip:

IMPORTANT: The list of check IDs must contain no spaces. Separate IDs with commas only, with no space before or after any comma.

Other options, such as the hard-fail and soft-fail settings, are commonly used to control whether a failed check stops the run or only reports it.

Lastly, custom policies can be passed in using the --external-checks-git parameter:

--external-checks-git=https://github.com/link/to/checkov-custom-policies.git

Scalr supports most of the parameters that Checkov supports; --skip-check is just one example. See the full list here.
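As an added example (not Scalr's or Checkov's own code), the following POSIX shell script assembles the same custom parameters for a local run of Checkov before code is pushed, and enforces the no-whitespace rule for the --skip-check list so that a malformed list is caught on a developer machine rather than at the Scalr pre-init step. The check IDs and the repository URL are constructed placeholders, and run_local assumes the checkov binary is on PATH.

```shell
#!/bin/sh
# Added example (not Scalr's or Checkov's own code): build the custom parameter
# string that the Scalr integration passes to Checkov, rejecting the formatting
# mistake the docs warn about: whitespace in the --skip-check list.
# The check IDs and the Git URL used below are constructed sample values.

# validate_id_list LIST
# Returns 0 when LIST is a comma-separated list of check IDs with no
# whitespace anywhere (leading, trailing, or around commas) and no empty
# element; returns 1 otherwise.
validate_id_list() {
    list=$1
    case "$list" in
        "")            return 1 ;;   # empty list
        *[[:space:]]*) return 1 ;;   # "CKV_AWS_8, CKV_AWS_20" style lists are rejected
        *,,*|,*|*,)    return 1 ;;   # empty element: ",," or a leading/trailing comma
    esac
    return 0
}

# build_checkov_args SKIP_LIST [EXTERNAL_CHECKS_GIT]
# Prints the extra checkov arguments, or prints nothing and returns 1 when
# the skip list is malformed.
build_checkov_args() {
    skip=$1
    repo=$2
    validate_id_list "$skip" || return 1
    args="--skip-check $skip"
    if [ -n "$repo" ]; then
        # Same form as the documented custom parameter: --external-checks-git=<url>
        args="$args --external-checks-git=$repo"
    fi
    printf '%s\n' "$args"
}

# run_local [DIR]
# Local dry run with the same parameters Scalr would add before terraform init.
# Assumes checkov is installed; the IDs and repository URL are placeholders.
run_local() {
    dir=${1:-.}
    extra=$(build_checkov_args "CKV_AWS_8,CKV_AWS_20" \
        "https://github.com/example-org/checkov-custom-policies.git") || {
        echo "malformed --skip-check list" >&2
        return 1
    }
    # shellcheck disable=SC2086 -- word splitting of $extra is intended here
    checkov -d "$dir" $extra
}
```

Source the script and call run_local from the root of a Terraform module to see the same result Scalr would report; the validation function is the useful part to keep in a pre-commit hook, since a skip list with a stray space silently changes which checks Checkov applies.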