From 76620cc4664018bdd47f09c0a3ddbab34d9b1422 Mon Sep 17 00:00:00 2001 From: Rak Siva Date: Tue, 7 Jan 2025 09:57:19 -0700 Subject: [PATCH 1/9] Add checkov guide for Terraform provider users. --- docs/guides/terraform/checkov.mdx | 106 ++++++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 docs/guides/terraform/checkov.mdx diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx new file mode 100644 index 000000000..d062834e0 --- /dev/null +++ b/docs/guides/terraform/checkov.mdx 
@@ -0,0 +1,106 @@ +--- +description: Use checkov for static analysis of a Nitric project deployed with Terraform +tags: + - Terraform + - Testing +published_at: 2025-01-09 +--- + +# Static analysis of Terraform with Checkov + +This guide will walk you through generating a report with [Checkov](https://www.checkov.io/) from a Nitric project. + +## How Checkov works + +[Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems. + +This guide assumes that you have already [installed Checkov](https://www.checkov.io/1.Welcome/Quick%20Start.html#install-checkov-from-pypi) by following their installation guide. + +## What we'll be doing + +1. Create and set up your application. +2. Deploying to AWS with a Terraform provider. +3. Run Checkov. + +## Create and set up your application + +Checkov can be used with any Nitric project that you intend to deploy with Terraform. We'll be using a basic starter template in this guide, however, you can use your own Nitric project or an [example project](https://github.com/nitrictech/examples). + +Let's start by creating a new project from a Nitric template, this will provide a base to start building the API. + +```typescript +nitric new my-profile-api ts-starter +``` + +Next, open the project in your editor of choice and make sure all dependencies are resolved: + +Using NPM: + +```bash +npm install +``` + +You can test the project to verify everything is working as expected: + +```bash +nitric start +``` + +## Deploying to AWS with a Terraform provider + +To deploy your application with Terraform you'll need to use Nitric's Terraform providers. You can learn more about using Nitric with Terraform here. 
+ +```bash +nitric stack new dev aws-tf +``` + +Update this newly created stack file to include your target region: + +```yaml title:nitric.dev.yaml +# The nitric provider to use +provider: nitric/awstf@1.11.6 + +# The target aws region to deploy to +region: us-east-2 +``` + +The Nitric Terraform providers are currently in preview, to enable them you'll need to enable beta-providers in your Nitric project. You can do this by adding the following to your project's nitric.yaml file: + +```yaml title:nitric.yaml +preview: + - beta-providers +``` + +Once you've created your stack file, you can generate the Terraform code by running the following command: + +```bash +nitric up +``` + +This will generate Terraform code which can deploy your application. The output will be in a folder named cdktf.out by default. + +## Run checkov + +Use the Terraform CLI to generate a terraform plan expressed in a json file and then run Checkov on this file. + +```bash +cd cdktf.out/stacks/my-profile-api-dev + +terraform init +terraform plan --out tfplan.binary +terraform show -json tfplan.binary | jq > tfplan.json + +checkov -f tfplan.json +``` + +## Analysing the results + +Checkov comes with some great default checks, however, they do need to be aligned with the requirements of your application. + +Here is an example: + +The Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). Thus, Checkov will fail if it doesn’t see a KMS key reference, even though your ECR repository is still encrypted by SSE-S3 automatically. + +This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key. + +If you have any concerns, please don't hesitate to [reach out](https://discord.com/invite/Webemece5C). 
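Review bot: the "Run checkov" steps in this hunk (`terraform plan --out tfplan.binary` followed by `terraform show -json tfplan.binary | jq > tfplan.json`) leave a saved plan and its JSON rendering on disk, and a saved plan can carry sensitive values (provider configuration, resource attributes) in plain text; add a sentence telling readers to keep `tfplan.binary` and `tfplan.json` out of version control and remove them once the scan is done. Two smaller points in the same hunk: the `nitric new my-profile-api ts-starter` block is fenced as ```typescript although it is a shell command (```bash matches the other command blocks), and the "## Run checkov" heading is the only place the tool name is lowercased.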
From d9fbde9865500e1028a31e6b29755f079573666d Mon Sep 17 00:00:00 2001 From: Rak Siva Date: Tue, 7 Jan 2025 13:41:23 -0700 Subject: [PATCH 2/9] add to dictionary. --- dictionary.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dictionary.txt b/dictionary.txt index a0e349e29..fbf5b6c9b 100644 --- a/dictionary.txt +++ b/dictionary.txt @@ -37,6 +37,7 @@ args async aws backend +checkov codebase composable config @@ -253,6 +254,8 @@ Trivy's KMS deployable VMs +json +KMS CDN subdirectories AzureTF From 9bc17e49c78aa8699c54f093b24e72bab4b3c29b Mon Sep 17 00:00:00 2001 From: David Moore <4121492+davemooreuws@users.noreply.github.com> Date: Thu, 9 Jan 2025 15:59:38 +1100 Subject: [PATCH 3/9] Apply suggestions from code review --- docs/guides/terraform/checkov.mdx | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index d062834e0..3992f92bd 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx @@ -28,7 +28,7 @@ Checkov can be used with any Nitric project that you intend to deploy with Terra Let's start by creating a new project from a Nitric template, this will provide a base to start building the API. -```typescript +```bash nitric new my-profile-api ts-starter ``` @@ -48,7 +48,7 @@ nitric start ## Deploying to AWS with a Terraform provider -To deploy your application with Terraform you'll need to use Nitric's Terraform providers. You can learn more about using Nitric with Terraform here. +To deploy your application with Terraform you'll need to use Nitric's Terraform providers. You can learn more about using Nitric with Terraform [here](/providers/terraform). ```bash nitric stack new dev aws-tf 
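Review bot: in the second `dictionary.txt` hunk of patch 2/9 (`@@ -253,6 +254,8 @@`), the added `+KMS` line duplicates the existing `KMS` entry that appears as unchanged context three lines above it; only `+json` is a new word, so drop the `+KMS` line.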
@@ -97,10 +97,6 @@ checkov -f tfplan.json Checkov comes with some great default checks, however, they do need to be aligned with the requirements of your application. -Here is an example: - -The Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). Thus, Checkov will fail if it doesn’t see a KMS key reference, even though your ECR repository is still encrypted by SSE-S3 automatically. - -This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key. +For example the Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key. -If you have any concerns, please don't hesitate to [reach out](https://discord.com/invite/Webemece5C). +If you have any concerns, please don't hesitate to [reach out](https://nitric.io/chat). From d6cb533f8172a8c21b283acfa205a6c501bafa75 Mon Sep 17 00:00:00 2001 From: David Moore <4121492+davemooreuws@users.noreply.github.com> Date: Thu, 16 Jan 2025 09:29:04 +1100 Subject: [PATCH 4/9] Update docs/guides/terraform/checkov.mdx --- docs/guides/terraform/checkov.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index 3992f92bd..eaf1710ab 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx 
@@ -3,7 +3,7 @@ description: Use checkov for static analysis of a Nitric project deployed with T tags: - Terraform - Testing -published_at: 2025-01-09 +published_at: 2025-01-16 --- # Static analysis of Terraform with Checkov From b03b939a58e122e1dc007f9ee274739fce664e8e Mon Sep 17 00:00:00 2001 From: Rak Date: Tue, 4 Mar 2025 11:57:42 -0700 Subject: [PATCH 5/9] Apply suggestions from code review Co-authored-by: Ryan Cartwright <39504851+HomelessDinosaur@users.noreply.github.com> --- docs/guides/terraform/checkov.mdx | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index eaf1710ab..d5bf3ebbf 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx @@ -18,9 +18,9 @@ This guide assumes that you have already [installed Checkov](https://www.checkov ## What we'll be doing -1. Create and set up your application. -2. Deploying to AWS with a Terraform provider. -3. Run Checkov. +1. Creating and setting up your application. +2. Generating a Terraform plan with a Nitric Terraform provider. +3. Running Checkov. ## Create and set up your application @@ -34,8 +34,6 @@ nitric new my-profile-api ts-starter Next, open the project in your editor of choice and make sure all dependencies are resolved: -Using NPM: - ```bash npm install ``` From aa7a4b407d5438148248e046ac148d377ec3e380 Mon Sep 17 00:00:00 2001 From: Ryan Cartwright Date: Thu, 10 Apr 2025 18:11:42 +1000 Subject: [PATCH 6/9] add extra sections to checkov guide --- docs/guides/terraform/checkov.mdx | 69 +++++++++++++++++++++++++------ 1 file changed, 56 insertions(+), 13 deletions(-) diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index d5bf3ebbf..35daf10ce 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx 
@@ -3,18 +3,32 @@ description: Use checkov for static analysis of a Nitric project deployed with T tags: - Terraform - Testing -published_at: 2025-01-16 +published_at: 2025-04-11 --- # Static analysis of Terraform with Checkov This guide will walk you through generating a report with [Checkov](https://www.checkov.io/) from a Nitric project. -## How Checkov works +## What is Checkov? -[Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations that may lead to security or compliance problems. +[Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations. Checkov provides several key benefits for your projects: -This guide assumes that you have already [installed Checkov](https://www.checkov.io/1.Welcome/Quick%20Start.html#install-checkov-from-pypi) by following their installation guide. +- **Security Scanning**: Automatically detects misconfigurations and security vulnerabilities in your infrastructure code before deployment +- **Compliance**: Helps ensure your infrastructure meets compliance requirements for standards like CIS, HIPAA, and PCI DSS +- **Best Practices**: Enforces infrastructure best practices and coding standards +- **Early Detection**: Catches potential issues during development rather than after deployment +- **Custom Rules**: Allows you to create custom rules specific to your organization's requirements + +## Prerequisites + +Before you begin, ensure you have: + +- [AWS CLI](https://aws.amazon.com/cli/) installed and configured +- [Terraform CLI](https://www.terraform.io/downloads.html) installed +- [Node.js](https://nodejs.org/) and npm installed +- [Nitric CLI](https://docs.nitric.io/cli/installation) installed +- [Checkov](https://www.checkov.io/2.Basics/Installing%20Checkov.html) installed ## What we'll be doing 
@@ -62,20 +76,13 @@ provider: nitric/awstf@1.11.6 region: us-east-2 ``` -The Nitric Terraform providers are currently in preview, to enable them you'll need to enable beta-providers in your Nitric project. You can do this by adding the following to your project's nitric.yaml file: - -```yaml title:nitric.yaml -preview: - - beta-providers -``` - Once you've created your stack file, you can generate the Terraform code by running the following command: ```bash nitric up ``` -This will generate Terraform code which can deploy your application. The output will be in a folder named cdktf.out by default. +This will generate Terraform code which can deploy your application. The output will be in a folder named `cdktf.out` by default. ## Run checkov 
@@ -91,10 +98,46 @@ terraform show -json tfplan.binary | jq > tfplan.json checkov -f tfplan.json ``` +This should produce the `checkov` scan results in the terminal, which should look something like this: + +```bash +terraform_plan scan results: + +Passed checks: 22, Failed checks: 9, Skipped checks: 0 + +Check: CKV_AWS_41: "Ensure no hard coded AWS access key and secret key exists in provider" + PASSED for resource: aws.default + File: /tfplan.json:0-1 + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/secrets-policies/bc-aws-secrets-5 +Check: CKV_AWS_364: "Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount" + PASSED for resource: module.api_main.aws_lambda_permission.apigw_lambda["checkov_services-api"] + File: /tfplan.json:0-0 + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-364 +Check: CKV_AWS_301: "Ensure that AWS Lambda function is not publicly accessible" + PASSED for resource: module.api_main.aws_lambda_permission.apigw_lambda["checkov_services-api"] + File: /tfplan.json:0-0 + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-301 +Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS" + FAILED for resource: module.service_checkov_services-api.aws_ecr_repository.repo + File: /tfplan.json:0-0 + Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted +``` + ## Analysing the results Checkov comes with some great default checks, however, they do need to be aligned with the requirements of your application. -For example the Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). 
This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key. +For example the Checkov policy `CKV_AWS_136` checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don't explicitly configure a KMS key. + +A way to handle these false positives is to use [suppress/skip comments](https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html) in the Terraform code. + +```terraform +# checkov:skip=CKV_AWS_136 +resource "aws_ecr_repository" "repo" { + name = "my-ecr-repo" +} +``` + +You could also use custom policies to handle these false positives or create custom rules to better match your infrastructure requirements. If you have any concerns, please don't hesitate to [reach out](https://nitric.io/chat). From a3582c49cead656c87a9c3d0244cfceca7121bee Mon Sep 17 00:00:00 2001 From: Ryan Cartwright Date: Mon, 14 Apr 2025 12:25:22 +1000 Subject: [PATCH 7/9] add compliance abbreviations to dictionary --- dictionary.txt | 2 ++ docs/guides/terraform/checkov.mdx | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/dictionary.txt b/dictionary.txt index fbf5b6c9b..ada68567b 100644 --- a/dictionary.txt +++ b/dictionary.txt @@ -243,6 +243,8 @@ NodeJS priviledge APIS TLS +HIPAA +PCI-DSS SRE ACM nav diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index 35daf10ce..b9f0bf34a 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx 
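Review bot: the `# checkov:skip=CKV_AWS_136` example added under "Analysing the results" will not take effect in the workflow this guide sets up: the scan is run against `tfplan.json`, where no source comments exist, and the `.tf` files under `cdktf.out` are regenerated by `nitric up`, so a comment added there by hand is lost on the next run. Suggest showing the command-line form that does apply to a plan scan, e.g. `checkov -f tfplan.json --skip-check CKV_AWS_136` (or the equivalent `skip-check:` list in a `.checkov.yaml`), and keeping the inline-comment form for readers who maintain hand-written Terraform; a short note that a skip should record why the check was judged a false positive would also help, since the surrounding text argues the ECR finding is acceptable only because SSE-S3 is on by default. Minor: the sample scan results block is fenced as ```bash although it is program output, not a script.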
@@ -15,7 +15,7 @@ This guide will walk you through generating a report with [Checkov](https://www. [Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations. Checkov provides several key benefits for your projects: - **Security Scanning**: Automatically detects misconfigurations and security vulnerabilities in your infrastructure code before deployment -- **Compliance**: Helps ensure your infrastructure meets compliance requirements for standards like CIS, HIPAA, and PCI DSS +- **Compliance**: Helps ensure your infrastructure meets compliance requirements like HIPAA and PCI-DSS - **Best Practices**: Enforces infrastructure best practices and coding standards - **Early Detection**: Catches potential issues during development rather than after deployment - **Custom Rules**: Allows you to create custom rules specific to your organization's requirements From 5f2c335b35516be51b60cf13e85ab9191ccc41f0 Mon Sep 17 00:00:00 2001 From: Ryan Cartwright Date: Mon, 14 Apr 2025 13:02:29 +1000 Subject: [PATCH 8/9] fix broken link --- docs/guides/terraform/checkov.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index b9f0bf34a..b1ccb5687 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx 
@@ -12,7 +12,7 @@ This guide will walk you through generating a report with [Checkov](https://www. ## What is Checkov? -[Checkov](https://www.checkov.io/) is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations. Checkov provides several key benefits for your projects: +Checkov is a static code analysis tool for scanning infrastructure as code (IaC) files for misconfigurations. Checkov provides several key benefits for your projects: - **Security Scanning**: Automatically detects misconfigurations and security vulnerabilities in your infrastructure code before deployment - **Compliance**: Helps ensure your infrastructure meets compliance requirements like HIPAA and PCI-DSS @@ -25,10 +25,10 @@ This guide will walk you through generating a report with [Checkov](https://www. Before you begin, ensure you have: - [AWS CLI](https://aws.amazon.com/cli/) installed and configured -- [Terraform CLI](https://www.terraform.io/downloads.html) installed +- [Terraform CLI](https://terraform.io/downloads.html) installed - [Node.js](https://nodejs.org/) and npm installed -- [Nitric CLI](https://docs.nitric.io/cli/installation) installed -- [Checkov](https://www.checkov.io/2.Basics/Installing%20Checkov.html) installed +- [Nitric CLI](/get-started/installation) installed +- [Checkov](https://checkov.io/2.Basics/Installing%20Checkov.html) installed ## What we'll be doing From dbefc0b128822b035c655fde5eae5068d479f323 Mon Sep 17 00:00:00 2001 From: David Moore <4121492+davemooreuws@users.noreply.github.com> Date: Tue, 15 Apr 2025 15:41:14 +1000 Subject: [PATCH 9/9] bump date --- docs/guides/terraform/checkov.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/guides/terraform/checkov.mdx b/docs/guides/terraform/checkov.mdx index b1ccb5687..e9afbf2c8 100644 --- a/docs/guides/terraform/checkov.mdx +++ b/docs/guides/terraform/checkov.mdx 
@@ -3,7 +3,7 @@ description: Use checkov for static analysis of a Nitric project deployed with T tags: - Terraform - Testing -published_at: 2025-04-11 +published_at: 2025-04-15 --- # Static analysis of Terraform with Checkov