Add checkov security scanner to the build #881
Comments
|
Hi @zsaltys thanks for opening up this issue! We are checking with our team to ensure we can add Checkov as an additional GitHub workflow to have in place for all future PRs. We will get back to you shortly - I agree would be a good additional to the repo |
noah-paige
pushed a commit
that referenced
this issue
Jan 11, 2024
### Feature or Bugfix - Feature ### Detail #### Checkov Add checkov github action on PRs and push to `main` Checkov scans ignore the paths: tests/, .github, compose/, docker/dev/ that contain support or local development files. The PR ignores the findings, which should (or not) be handled in a separate PR - CKV_DOCKER_2, CKV_DOCKER_4 are skipped in the checkov github action definition. They are LOW severity recommendations - [CKV_DOCKER_2](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images) - Healthcheck instructions have not been added to container images - [CKV_DOCKER_4](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles) - Copy is not used instead of Add in Dockerfiles - Some CloudFormation findings on the pivot role and in the cdk execution role YAML templated are skipped with `# checkov:skip=` comments. We should review each finding one by one. In addition, other next steps include the assessment of how we can synthesize cdk templates so that checkov scans them. #### Other changes - upgraded all Python version to 3.9 in all actions - removed duplicated `static-checking.yaml` test in favor of `flake8` (Renamed from `Lint` - standardize names ### Relates - #881 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? - Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We should add checkov scanner and scan all CF templated and synthesized CDK templates to make sure there are no new violations.
The text was updated successfully, but these errors were encountered: