SBOM with Checkov

Published at: 11/25/2022
Categories: sbom, cybersecurity, compliance, process
Author: pawelpiwosz

This episode might be quite surprising, at least for those of us who know IaC and have run quality and security scans of IaC templates.

Well, yes, Checkov is a quality scanner, but for some time now it has been more than that! Let's look at the frameworks that Checkov can scan:

--framework {bitbucket_pipelines,circleci_pipelines,argo_workflows,arm,azure_pipelines,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} [{bitbucket_pipelines,circleci_pipelines,argo_workflows,arm,azure_pipelines,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} ...]

Quite a number, don't you think?

But... What about SBOMs? Can Checkov generate SBOM?

No. Well, not really.

But the report generated by Checkov can be exported in CycloneDX (CDX) format, which means it can be consumed in the SBOM process!

Let's take a look. I install Checkov and download random repos from GitHub:

  • Terraform
  • CloudFormation
  • Dockerfile
  • Serverless
  • Kubernetes
  • Helm

$ pip install checkov

So, installation is not that hard, is it? ;P

$ git clone https://github.com/dwmkerr/terraform-consul-cluster.git
$ git clone https://github.com/splunk/splunk-aws-cloudformation.git
$ git clone https://github.com/webdevops/Dockerfile.git
$ git clone https://github.com/softprops/serverless-aws-rust-http.git
$ git clone https://github.com/kubernetes/examples.git
$ git clone https://github.com/prometheus-community/helm-charts.git

Ok. I'll generate a report for each repo with CycloneDX output. Also, I will not specify the framework, so there is a good chance that some of these repos contain not only the "main" framework but others as well. We'll see.

checkov -d terraform-consul-cluster/ -o cyclonedx > tf.xml

For some reason, Checkov didn't save the report to the specified file, but created a folder. But it is not an issue, I used simple redirection and didn't spend time on it :)

The report is not very readable for a human, but that doesn't matter; it should be (and is) readable by a machine. Checkov uses the newest CycloneDX version, 1.4.

Let's take a look at the details. In the "standard report" I found this issue:

Check: CKV2_AWS_12: "Ensure the default security group of every VPC restricts all traffic"
        FAILED for resource: module.consul-cluster.aws_vpc.consul-cluster
        File: /modules/consul/01-vpc.tf:2-10
        Guide: https://docs.bridgecrew.io/docs/networking_4

                2  | resource "aws_vpc" "consul-cluster" {
                3  |   cidr_block           = "${var.vpc_cidr}" // i.e. 10.0.0.0 to 10.0.255.255
                4  |   enable_dns_hostnames = true
                5  |
                6  |   tags {
                7  |     Name    = "Consul Cluster VPC"
                8  |     Project = "consul-cluster"
                9  |   }
                10 | }

What do we have in the generated SBOM?

<vulnerability bom-ref="070be6ca-0732-4cf3-b0c7-a423fc0f45be">
    <id>CKV2_AWS_12</id>
    <source>
        <name>checkov</name>
    </source>
    <ratings>
        <rating>
            <severity>unknown</severity>
        </rating>
    </ratings>
    <description>Resource: module.consul-cluster.aws_vpc.consul-cluster. Ensure the default security group of every VPC restricts all traffic</description>
    <advisories>
        <advisory>
            <url>https://docs.bridgecrew.io/docs/networking_4</url>
        </advisory>
    </advisories>
    <affects>
        <target>
            <ref>pkg:terraform/cli_repo/terraform-consul-cluster/modules/consul/01-vpc.tf/module.consul-cluster.aws_vpc.consul-cluster@sha1:26077595ad94ad61098ccc203af70aaf518a847b</ref>
        </target>
    </affects>
    </vulnerability>

Looks quite nice.

I generated SBOM reports from all the repos I cloned, and I am really satisfied with the results. Well done, Bridgecrew! :)

Summary

I really like Checkov, and I have been saying so for a few years now. It is becoming a more and more complete tool, even in the version available for free. I am really happy to see the SBOM option, as SBOMs are becoming a very important part of the process.

The great news is that SBOMs can also cover Infrastructure as Code. Imagine you buy a car and receive a report showing that every single component in the car passed verification and validation. Every single one, except the wheels. What could go wrong? Those wheels are IaC.

Why did I say no at the beginning, when I asked myself whether Checkov is an SBOM tool? Well, the point is that an SBOM should contain all dependencies, and Checkov's focus is on templates. Don't get me wrong, that is OK; there are other tools that should take care of the code's dependencies. I said it to emphasize that Checkov cannot be the only tool used in the SBOM generation process.

So, to be precise, Checkov is not an SCA tool, but it can generate an SBOM report for its part.


Cover image by Suzy from Pixabay
