add extra sections to checkov guide

Author: HomelessDinosaur

docs/guides/terraform/checkov.mdx

@@ -3,18 +3,32 @@ description: Use checkov for static analysis of a Nitric project deployed with T
 tags:
   - Terraform
   - Testing
-published_at: 2025-01-16
+published_at: 2025-04-11
 ---
 
 # Static analysis of Terraform with Checkov
 
 This guide will walk you through generating a report with [Checkov](https://www.checkov.io/) from a Nitric project.
 
-## How Checkov works
+## What is Checkov?
 
-[Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems.
+[Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations. Checkov provides several key benefits for your projects:
 
-This guide assumes that you have already [installed Checkov](https://www.checkov.io/1.Welcome/Quick%20Start.html#install-checkov-from-pypi) by following their installation guide.
+- **Security Scanning**: Automatically detects misconfigurations and security vulnerabilities in your infrastructure code before deployment
+- **Compliance**: Helps ensure your infrastructure meets compliance requirements for standards like CIS, HIPAA, and PCI DSS
+- **Best Practices**: Enforces infrastructure best practices and coding standards
+- **Early Detection**: Catches potential issues during development rather than after deployment
+- **Custom Rules**: Allows you to create custom rules specific to your organization's requirements
+
+## Prerequisites
+
+Before you begin, ensure you have:
+
+- [AWS CLI](https://aws.amazon.com/cli/) installed and configured
+- [Terraform CLI](https://www.terraform.io/downloads.html) installed
+- [Node.js](https://nodejs.org/) and npm installed
+- [Nitric CLI](https://docs.nitric.io/cli/installation) installed
+- [Checkov](https://www.checkov.io/2.Basics/Installing%20Checkov.html) installed
 
 ## What we'll be doing
 
@@ -62,20 +76,13 @@ provider: nitric/[email protected]
 region: us-east-2
 ```
 
-The Nitric Terraform providers are currently in preview, to enable them you'll need to enable beta-providers in your Nitric project. You can do this by adding the following to your project's nitric.yaml file:
-
-```yaml title:nitric.yaml
-preview:
-  - beta-providers
-```
-
 Once you've created your stack file, you can generate the Terraform code by running the following command:
 
 ```bash
 nitric up
 ```
 
-This will generate Terraform code which can deploy your application. The output will be in a folder named cdktf.out by default.
+This will generate Terraform code which can deploy your application. The output will be in a folder named `cdktf.out` by default.
 
 ## Run checkov
 
@@ -91,10 +98,46 @@ terraform show -json tfplan.binary | jq > tfplan.json
 checkov -f tfplan.json
 ```
 
+This should produce the `checkov` scan results in the terminal, which should look something like this:
+
+```bash
+terraform_plan scan results:
+
+Passed checks: 22, Failed checks: 9, Skipped checks: 0
+
+Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider"
+  PASSED for resource: aws.default
+  File: /tfplan.json:0-1
+  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-5
+Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount"
+  PASSED for resource: module.api_main.aws_lambda_permission.apigw_lambda["checkov_services-api"]
+  File: /tfplan.json:0-0
+  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364
+Check: CKV_AWS_301: "Ensure that AWS Lambda function is not publicly accessible"
+  PASSED for resource: module.api_main.aws_lambda_permission.apigw_lambda["checkov_services-api"]
+  File: /tfplan.json:0-0
+  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-301
+Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
+  FAILED for resource: module.service_checkov_services-api.aws_ecr_repository.repo
+  File: /tfplan.json:0-0
+  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted
+```
+
 ## Analysing the results
 
 Checkov comes with some great default checks, however, they do need to be aligned with the requirements of your application.
 
-For example the Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key.
+For example the Checkov policy `CKV_AWS_136` checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don't explicitly configure a KMS key.
+
+A way to handle these false positives is to use [suppress/skip comments](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html) in the Terraform code.
+
+```terraform
+# checkov:skip=CKV_AWS_136
+resource "aws_ecr_repository" "repo" {
+  name = "my-ecr-repo"
+}
+```
+
+You could also use custom policies to handle these false positives or create custom rules to better match your infrastructure requirements.
 
 If you have any concerns, please don't hesitate to [reach out](https://nitric.io/chat).