Checkov + Yandex Cloud

Intro

Checkov now supports Yandex Cloud Terraform objects.

Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform, Terraform plan, CloudFormation, AWS SAM, Kubernetes, Helm charts, Kustomize, Dockerfile, Serverless, Bicep, OpenAPI or ARM Templates and detects security and compliance misconfigurations using graph-based scanning.

Installation and usage instructions are available on the Checkov page.

Information about checks for Yandex Cloud

You can find all checks in the source code.

| № of check | Description |
|---|---|
| CKV_YC_1 | Ensure security group is assigned to database cluster. |
| CKV_YC_2 | Ensure compute instance does not have public IP. |
| CKV_YC_3 | Ensure storage bucket is encrypted. |
| CKV_YC_4 | Ensure compute instance does not have serial console enabled. |
| CKV_YC_5 | Ensure Kubernetes cluster does not have public IP address. |
| CKV_YC_6 | Ensure Kubernetes cluster node group does not have public IP addresses. |
| CKV_YC_7 | Ensure Kubernetes cluster auto-upgrade is enabled. |
| CKV_YC_8 | Ensure Kubernetes node group auto-upgrade is enabled. |
| CKV_YC_9 | Ensure KMS symmetric key is rotated. |
| CKV_YC_10 | Ensure etcd database is encrypted with KMS key. |
| CKV_YC_11 | Ensure security group is assigned to network interface. |
| CKV_YC_12 | Ensure public IP is not assigned to database cluster. |
| CKV_YC_13 | Ensure cloud member does not have elevated access. |
| CKV_YC_14 | Ensure security group is assigned to Kubernetes cluster. |
| CKV_YC_15 | Ensure security group is assigned to Kubernetes node group. |
| CKV_YC_16 | Ensure network policy is assigned to Kubernetes cluster. |
| CKV_YC_17 | Ensure storage bucket does not have public access permissions. |
| CKV_YC_18 | Ensure compute instance group does not have public IP. |
| CKV_YC_19 | Ensure security group does not contain allow-all rules. |
| CKV_YC_20 | Ensure security group rule is not allow-all. |
| CKV_YC_21 | Ensure organization member does not have elevated access. |
| CKV_YC_22 | Ensure compute instance group has security group assigned. |
| CKV_YC_23 | Ensure folder member does not have elevated access. |
| CKV_YC_24 | Ensure passport account is not used for assignment. Use service accounts and federated accounts where possible. |

Examples of use in Managed Service for GitLab

<img src="https://user-images.githubusercontent.com/85429798/165978612-b1ee5f96-be71-4c2b-87a6-02333a46c857.png"
     alt="Kubernetes logo" title="Kubernetes" height="50" width="50" />

Prerequisites

  • ✅ Instance of Managed Service for GitLab (or a VM with GitLab)
  • ✅ Registered runner on a Compute Cloud VM
  • ✅ A service account assigned to the virtual machine with the rights needed for Terraform deployments

Global pipeline stage schema:

  • checkov-test-files (block or pass)
  • tfplan generate
  • checkov-test-tfplan (block or pass)
  • tf-apply

The examples are split across three pipeline files:

  1. blocking mode ".gitlab-ci(blocking_mode).yml" - blocks the pipeline if Checkov finds a security misconfiguration (a check fails).
  2. audit mode ".gitlab-ci(audit_mode).yml" - does NOT block the pipeline if Checkov finds a security misconfiguration (a check fails), but the alerts are still visible.
  3. blocking mode with specific checks in audit mode ".gitlab-ci(blocking_mode_with_specific_checks_in_audit).yml" - blocks the pipeline if Checkov finds a security misconfiguration (a check fails), but skips specific non-critical checks.
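As an added illustration of the four-stage schema and the third mode above, here is a `.gitlab-ci.yml` in which every failed check blocks except those listed in AUDIT_CHECKS; it is not one of this repository's own pipeline files. The image tags, the TF_ROOT layout and the choice of CKV_YC_4 as the audited check are assumptions, and provider credentials are assumed to come from the runner VM's service account, as the prerequisites require.

```yaml
# Added example, not one of this repository's pipeline files; image tags, TF_ROOT
# and the audited check id (CKV_YC_4) are assumptions.
stages:
  - checkov-test-files
  - tfplan-generate
  - checkov-test-tfplan
  - tf-apply

variables:
  TF_ROOT: "${CI_PROJECT_DIR}/terraform"  # assumed location of the .tf files
  AUDIT_CHECKS: "CKV_YC_4"                # non-critical checks: reported, never blocking

# Stage 1: scan the raw .tf files; any failed check not in AUDIT_CHECKS fails the job.
checkov-test-files:
  stage: checkov-test-files
  image: {name: bridgecrew/checkov:latest, entrypoint: [""]}
  script:
    - checkov -d "$TF_ROOT" --framework terraform --soft-fail-on "$AUDIT_CHECKS"

# Stage 2: produce a plan and render it as JSON for plan-level scanning.
tfplan-generate:
  stage: tfplan-generate
  image: {name: hashicorp/terraform:latest, entrypoint: [""]}
  script:
    - cd "$TF_ROOT" && terraform init -input=false
    - terraform plan -input=false -out=tfplan.binary
    - terraform show -json tfplan.binary > tfplan.json
  artifacts:
    paths: [terraform/tfplan.binary, terraform/tfplan.json]

# Stage 3: scan the evaluated plan, which resolves values the file scan cannot see.
checkov-test-tfplan:
  stage: checkov-test-tfplan
  image: {name: bridgecrew/checkov:latest, entrypoint: [""]}
  script:
    - checkov -f "$TF_ROOT/tfplan.json" --framework terraform_plan --soft-fail-on "$AUDIT_CHECKS"

# Stage 4: apply exactly the plan that was scanned, only from the default branch.
tf-apply:
  stage: tf-apply
  image: {name: hashicorp/terraform:latest, entrypoint: [""]}
  script:
    - cd "$TF_ROOT" && terraform init -input=false && terraform apply -input=false tfplan.binary
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Replacing `--soft-fail-on "$AUDIT_CHECKS"` with `--soft-fail` in both checkov jobs gives the audit mode (findings are reported but the job always exits 0), and removing it gives plain blocking mode.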