
Securing GitHub workflows using Checkov

tjtharrison
1 min read · Jun 20, 2023

Checkov is probably best known as a SAST (Static Application Security Testing) package for Terraform, to stop non-compliant resources being deployed into your cloud provider of choice.

While it’s great at this, its uses don’t stop there: Checkov will also scan any Dockerfiles, GitHub workflows and Kubernetes manifests it detects within your repository.

Using Checkov in your GitHub workflow as a security quality gate before PRs can be merged is a great way of keeping both your infrastructure and your workflows secure.

The GitHub Action below (note `directory: .`) scans every file in the repository, across all detected file types (e.g. Terraform, GitHub workflows and Kubernetes manifests), for security issues and flags them in the PR.

```yaml
name: Checkov
on:
  pull_request:
    branches:
      - "main"

permissions: read-all

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout repo
        uses: actions/checkout@master   # moving branch ref; a pinned tag or commit SHA is the safer choice

      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
```

The full list of Checkov findings can be found in the Bridgecrew documentation.
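As an added illustration (not from the original post) of the kind of workflow weakness such a gate surfaces, here are a weak and a hardened version of one hypothetical workflow, written as two YAML documents in a single block for side-by-side comparison; in practice each would be its own file under `.github/workflows/`. That Checkov's GitHub Actions checks cover the `write-all` permission and the untrusted-input-in-`run` pattern is assumed from its current check set; confirm the exact check IDs in the documentation linked above.

```yaml
# Added example, not from the original post: a hypothetical workflow in two
# versions. The first shows patterns a Checkov scan of .github/workflows/ is
# expected to flag; the second is the hardened equivalent.
name: pr-title-check
on:
  pull_request:
    branches: ["main"]

# WEAK: write-all grants every token scope to every job in the workflow.
permissions: write-all

jobs:
  weak:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master   # moving branch ref, not a pinned tag or SHA
      # WEAK: the PR title is untrusted text expanded into the command line
      # before the shell parses it, so title contents become shell syntax.
      - run: echo "Checking PR: ${{ github.event.pull_request.title }}"

---
name: pr-title-check
on:
  pull_request:
    branches: ["main"]

# HARDENED: least privilege at the top level; a job that needs more asks for it.
permissions: read-all

jobs:
  hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pinned tag (a full commit SHA is stricter still)
      # HARDENED: hand the untrusted value to the step as an environment
      # variable, so the shell receives it as data rather than command text.
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking PR: $PR_TITLE"
```

Running the Checkov action from the post against a repository containing the first document is the quickest way to see how these findings appear on a pull request.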