bridgecrewio

Professional software vendor delivering innovative solutions on the Softono platform. Specialized in both open-source and proprietary software development.

Total Products: 3

Software by bridgecrewio

checkov-action
Open Source


[![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridge.dev/2WBms5Q) [![slack-community](https://img.shields.io/badge/Slack-4A154B?style=plastic&logo=slack&logoColor=white)](https://slack.bridgecrew.io/)

# Checkov GitHub action

This GitHub Action runs [Checkov](https://github.com/bridgecrewio/checkov) against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

## Example usage for IaC and SCA

```yaml
name: checkov

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main", "master" ]
  pull_request:
    branches: [ "main", "master" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "scan"
  scan:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status

    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so follow-up steps can access it
      - uses: actions/checkout@v3

      - name: Checkov GitHub Action
        uses: bridgecrewio/checkov-action@v12
        with:
          # This will add both a CLI output to the console and create a results.sarif file
          output_format: cli,sarif
          output_file_path: console,results.sarif

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v2
        # Results are generated only on a success or failure
        # this is required since GitHub by default won't run the next step
        # when the previous one has failed. Security checks that do not pass will 'fail'.
        # An alternative is to add `continue-on-error: true` to the previous step
        # Or 'soft_fail: true' to checkov.
        if: success() || failure()
        with:
          sarif_file: results.sarif
```

## Example usage for options/environment variables in 'with' block

```yaml
on: [push]

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/
          file: example/tfplan.json # optional: provide the path for resource to be scanned. This will override the directory if both are provided.
          check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
          skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_framework: terraform # optional: skip a specific infrastructure {cloudformation,terraform,kubernetes,all}
          skip_cve_package: CVE_2019_8331 # optional: skip a specific CVE package in SCA scans, can be comma separated list
          output_format: sarif # optional: the output format, one of: cli, json, junitxml, github_failed_only, or sarif. Default: sarif
          output_file_path: reports/results.sarif # folder and name of results file
          output_bc_ids: true # optional: output Bridgecrew platform IDs instead of checkov IDs
          download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
          repo_root_for_plan_enrichment: example/ # optional: Directory containing the hcl code used to generate a given terraform plan file. Use together with `file`
          var_file: ./testdir/gocd.yaml # optional: variable files to load in addition to the default files. Currently only supported for source Terraform and Helm chart scans.
          log_level: DEBUG # optional: set log level. Default WARNING
          config_file: path/this_file
          baseline: cloudformation/.checkov.baseline # optional: Path to a generated baseline file. Will only report results not in the baseline.
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          use_enforcement_rules: true # optional - use enforcement rule configs from the platform
```

## Example usage for container images

```yaml
on: [push]

env:
  IMAGE_NAME: ${{ github.repository }}:${{ github.sha }}
  IMAGE_PATH: /path/

jobs:
  checkov-image-scan:
    runs-on: ubuntu-latest
    name: checkov-image-scan
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Build the image
        run: docker build -t ${{ env.IMAGE_NAME }} ${{ env.IMAGE_PATH }}

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          quiet: true # optional: display only failed checks
          soft_fail: true # optional: do not return an error code if there are failed checks
          log_level: DEBUG # optional: set log level. Default WARNING
          docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan
          dockerfile_path: ${{ format('{0}/Dockerfile', env.IMAGE_PATH) }} # path to the Dockerfile
          container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
          api-key: ${{ secrets.BC_API_KEY }} # Bridgecrew API key stored as a GitHub secret
```

Note that this example uses the latest version (`master`), but you could also pin a static version (e.g. `v3`). Also, the check ids specified for `--check` and `--skip-check` must be mutually exclusive.

## Example usage for private Terraform modules

To let `checkov` download private GitHub modules, pass it a valid GitHub PAT with the needed permissions.

```yaml
on: [push]

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          soft_fail: true
          download_external_modules: true
          github_pat: ${{ secrets.GH_PAT }}
        env:
          GITHUB_OVERRIDE_URL: true # optional: this can be used to instruct the action to override the global GIT config to inject the PAT to the URL
```
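The IaC/SCA workflow above notes that with `soft_fail: true` the Checkov step never fails the job, so every finding still lands in `results.sarif` and gets uploaded. As an added example (not part of the checkov-action README or the project's code), this script reads that SARIF file and fails the job only for the rule IDs you consider blocking. The SARIF sample, its paths and message text are constructed; `failed_checks` and `gate` are hypothetical helper names.

```python
import json
import sys

# Constructed sample in the SARIF 2.1.0 shape checkov emits when output_format
# includes "sarif". Paths, line numbers and message text are made up; only the
# document layout (runs -> results -> ruleId/locations) matters here.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "checkov",
                            "rules": [{"id": "CKV_AWS_1"}, {"id": "CKV_AWS_2"}]}},
        "results": [
            {"ruleId": "CKV_AWS_1", "level": "error",
             "message": {"text": "constructed finding 1"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "example/iam.tf"},
                 "region": {"startLine": 12}}}]},
            {"ruleId": "CKV_AWS_2", "level": "error",
             "message": {"text": "constructed finding 2"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "example/alb.tf"},
                 "region": {"startLine": 4}}}]},
        ],
    }],
})

def failed_checks(sarif_text):
    """Return (rule_id, file, line) for every result in a checkov SARIF report."""
    found = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "?")
            line = loc.get("region", {}).get("startLine", 0)
            found.append((res.get("ruleId", "?"), uri, line))
    return found

def gate(sarif_text, blocking_rules):
    """True when no result hits a blocking rule; print the offenders otherwise."""
    hits = [f for f in failed_checks(sarif_text) if f[0] in blocking_rules]
    for rule, uri, line in hits:
        print(f"BLOCKING {rule} at {uri}:{line}")
    return not hits

if __name__ == "__main__":
    # usage: python gate.py results.sarif  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    sys.exit(0 if gate(text, {"CKV_AWS_1"}) else 1)
```

Run it as a `run:` step after the Checkov step and before the SARIF upload; the non-zero exit fails the job while `if: success() || failure()` still lets the upload proceed.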

CI / CD Vulnerability Scanning
306 Github Stars
bridgecrew-action
Open Source


# DEPRECATED: This project is no longer supported and will be archived end of 2023. Please use [checkov-action](https://github.com/bridgecrewio/checkov-action) instead.

# Bridgecrew GitHub Action

## The Bridgecrew GitHub Action

Use the Bridgecrew GitHub Action to scan for infrastructure-as-code misconfigurations, vulnerabilities and license issues in open source packages and images, and CI/CD misconfigurations.

By signing up for a free Bridgecrew Community plan you can also view dashboards and reports. The community plan does not limit the number of scans or users you can invite to view the results.

## How to use the Bridgecrew GitHub Action

1. Follow the instructions at [GitHub: configuring a workflow](https://help.github.com/en/actions/configuring-and-managing-workflows/configuring-a-workflow) to enable GitHub Actions in your repository.
2. Set up an environment variable with your Bridgecrew API key, which you can get from your [Bridgecrew account](https://www.bridgecrew.cloud/integrations).
3. In the app build job, use `bridgecrewio/bridgecrew-action@master`.
4. Optionally, supply parameters to customize the action's behaviour.

## Usage Examples

### Scan IaC in your repository

```yaml
- name: Run Bridgecrew
  id: Bridgecrew
  uses: bridgecrewio/bridgecrew-action@master
  with:
    api-key: ${{ secrets.BRIDGECREW_API_KEY }}
    directory: "example/examplea"
    check: CKV_AWS_1 # optional: run only a specific check_id. can be comma separated list
    skip_check: CKV_AWS_1 # optional: skip a specific check_id. can be comma separated list
    soft_fail: false
    framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
    output_format: cli
    quiet: false
    external_checks_dirs: ./checkov
    download_external_modules: true # optional: download external terraform modules from public git repositories and terraform registry
    log_level: DEBUG # optional: set log level. Default WARNING
    use_enforcement_rules: true # optional - use enforcement rule configs from the platform
```

### GitHub code scanning

Bridgecrew supports GitHub [code scanning](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning). An example workflow configuration can be found [here](examples/code_scanning.yml).

## GitHub action Parameters

| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| api-key | Environment variable name of the Bridgecrew API key from the Bridgecrew app | No | | Secret parameter |
| file | File to scan | No | | Input parameter |
| directory | Root directory to scan | No | "." | Input parameter |
| soft_fail | Runs checks without failing the build | No | | Input parameter |
| check | Filter the scan to run only a specific check identifier. You can specify multiple checks separated by a comma delimiter | No | | Input parameter |
| skip_check | Filter the scan to run all checks but a specific check identifier (blacklist). You can specify multiple checks separated by a comma delimiter; clashes with `check` | No | | Input parameter |
| quiet | Display only failed checks | No | | Input parameter |
| external_checks_dirs | Directory from which custom checks are loaded | No | | Input parameter |
| output_format | The format of the output: json, cli or sarif | No | | Input parameter |
| output_file_path | The path for the file output | No | | Input parameter |
| framework | Run on a specific infrastructure | No | | cloudformation, terraform, kubernetes, all |
| download_external_modules | Download external terraform modules from public git repositories and the terraform registry | No | | Input parameter |
| repo_root_for_plan_enrichment | Root directory containing the HCL templates used to generate the given terraform plan file. Use together with `file` | No | | Input parameter |
| log_level | Set log level | No | WARNING | Input parameter |

Full reference docs [here](https://docs.bridgecrew.io/docs/integrate-with-github-actions-v2).

## Screenshots

Reject pull requests containing infrastructure code configuration errors

![](resources/failed-action.png)

Find & fix resources that might be a risk

![](resources/problem-matcher.png)

CI / CD Vulnerability Scanning
73 Github Stars
bridgecrew-orb
Open Source


# Bridgecrew Orb for CircleCI

## The Bridgecrew Orb

Use the Bridgecrew orb to scan for infrastructure-as-code errors in your CircleCI workflows. By using this orb in your project workflow, you can automatically start to find, fix and monitor your project for configuration errors in Terraform and CloudFormation.

By signing up for a free Bridgecrew Community plan you can also view dashboards and reports. The community plan does not limit the number of scans or users you can invite to view the results.

## How to use the Bridgecrew Orb

Getting started with the orb is straightforward. All you need to do is:

1. Follow the instructions at the [Orb Quick Start Guide](https://circleci.com/orbs/registry/orb/bridgecrew/bridgecrew#quick-start) to enable usage of orbs in your project workflow.
2. Set up an environment variable with your Bridgecrew API key, which you can get from your [Bridgecrew account](https://www.bridgecrew.cloud/integrations).
3. In the app build job, call `bridgecrew/scan`.
4. Optionally, supply parameters to customize orb behaviour.
5. Prisma members: set your Prisma Cloud API URL, which you can get from [Prisma cloud API URLs](https://prisma.pan.dev/api/cloud/api-urls). Your environment variable (`api-key-variable`) must then hold a Prisma Cloud access key in the following format: `<access_key_id>::<secret_key>`

## Usage Examples

### Scan IaC Directory

```yaml
version: 2.1

orbs:
  bridgecrew: bridgecrew/[email protected]

jobs:
  build:
    executor: bridgecrew/default
    steps:
      - checkout
      - bridgecrew/scan:
          directory: '.'
          soft-fail: true
          api-key-variable: BC_API_KEY
          prisma-api-url: PRISMA_API_URL
```

### Scan IaC Files

```yaml
version: 2.1

orbs:
  bridgecrew: bridgecrew/[email protected]

jobs:
  build:
    executor: bridgecrew/default
    steps:
      - checkout
      - bridgecrew/scan:
          file: "./terraform/db-app.tf"
          api-key-variable: BC_API_KEY
          prisma-api-url: PRISMA_API_URL
```

### Advanced Example

```yaml
version: 2.1

orbs:
  bridgecrew: bridgecrew/[email protected]

jobs:
  build:
    executor: bridgecrew/default
    steps:
      - checkout
      - bridgecrew/scan:
          directory: "./terragoat" # tell bridgecrew which directory you want to scan
          soft-fail: true # do not fail the workflow in case vulnerabilities have been found
          api-key-variable: BC_API_KEY # bridgecrew API key or prisma cloud access key (see PRISMA_API_URL)
          prisma-api-url: PRISMA_API_URL # prisma cloud API URL (see: https://prisma.pan.dev/api/cloud/api-urls). Requires api-key-variable to be a prisma cloud access key in the following format: <access_key_id>::<secret_key>
```

## Orb Parameters

Full reference docs: https://circleci.com/orbs/registry/orb/bridgecrew/bridgecrew

| Parameter | Description | Required | Default | Type |
|---|---|---|---|---|
| api-key-variable | Environment variable name for the Bridgecrew API key from the Bridgecrew app | no | BC_API_KEY | env_var_name |
| prisma-api-url | Prisma Cloud API URL | no | "none" | string |
| directory | IaC root directory to scan | no | "none" | string |
| file | IaC file to scan | no | "none" | string |
| soft-fail | Runs checks without failing the build | no | false | boolean |
| output | Report output format | no | "cli" | cli \| json \| junitxml |

## Screenshots

Run the bridgecrew orb in your CircleCI workflow

![scan-screenshot](https://raw.githubusercontent.com/bridgecrewio/bridgecrew-orb/master/screenshot.gif)

CI / CD Infrastructure as Code Vulnerability Scanning
11 Github Stars