Checkov IaC Misconfiguration Detection
Overview
Checkov is a static analysis tool that scans cloud infrastructure configurations to detect security and compliance issues. This integration leverages Checkov to run misconfiguration framework scanning across multiple IaC frameworks, helping you identify potential security vulnerabilities in your infrastructure code before deployment.
Jit uses KICS by default as the Infrastructure as Code (IaC) scanning tool to detect misconfigurations and security issues. However, this page explains how customers can use Checkov as an alternative if they prefer.
Supported Frameworks
Checkov supports scanning the following IaC frameworks:
- Terraform
- CloudFormation
- Kubernetes
- Serverless
- Helm
- OpenAPI
Requirements
Before using the Checkov IaC integration, ensure that:
- You have a jit-plan.yml file in your repository
- Your CI/CD pipeline is configured to run Jit scans
- Your repository contains IaC files in one of the supported formats
Configuration
Enabling the Scan
To enable Checkov IaC scanning, you need to update the jit-plan.yml file, which is located in the Jit repository.
The jit-plan.yml file defines the user's security plan as code and supports configuring additional security tools beyond the default ones provided by Jit, giving customers the flexibility to choose the tools that best fit their security needs.
Update the jit-plan.yml file in your repository with the following configuration:
override:
  workflows:
    iac-misconfiguration-detection:
      jobs:
        checkov-iac-misconfig-detection:
          enabled: true
        iac-misconfig-detection-cloudformation:
          enabled: false
        iac-misconfig-detection-kubernetes:
          enabled: false
        iac-misconfig-detection-pulumi:
          enabled: false
        iac-misconfig-detection-serverless:
          enabled: false
        iac-misconfig-detection-terraform:
          enabled: false
This configuration enables the generic Checkov scanner while disabling the framework-specific scanners, which are no longer needed when using the comprehensive scanner.
Severity Filtering
By default, Checkov will only report findings with HIGH severity. You can customize the severity threshold using the SEVERITY_THRESHOLD environment variable.
Available severity options:
- HIGH (default) - Only show high severity issues
- MEDIUM - Show high and medium severity issues
- LOW - Show all detected issues (high, medium, and low)
Example Configuration with Custom Severity
override:
  workflows:
    iac-misconfiguration-detection:
      jobs:
        checkov-iac-misconfig-detection:
          enabled: true
          steps:
            - name: Run Checkov
              with:
                env:
                  SEVERITY_THRESHOLD: MEDIUM
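The threshold semantics above (HIGH keeps only high findings, MEDIUM keeps high and medium, LOW keeps everything) are easy to get wrong when you post-process scan results yourself, for example in a custom CI gate. The following Python script is an added example, not code from Jit or Checkov: it applies the same three-level threshold to a constructed result set laid out in the shape of Checkov's JSON output (a `results.failed_checks` list). The check IDs, resources and file paths are placeholders, and the decision to keep findings whose `severity` field is missing (so they are never silently dropped) is this example's own choice, not documented Jit behaviour.

```python
"""Apply a SEVERITY_THRESHOLD filter to Checkov-style findings (added example)."""
import json
import os

# Severity ranks used by the filter; a higher rank is more severe.
# HIGH -> keep only HIGH, MEDIUM -> keep HIGH and MEDIUM, LOW -> keep all three.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample in the shape of Checkov's JSON report. Not real scan data;
# check IDs, resources and paths are placeholders.
SAMPLE_CHECKOV_JSON = json.dumps({
    "check_type": "terraform",
    "results": {
        "failed_checks": [
            {"check_id": "CKV_EXAMPLE_1", "severity": "HIGH",
             "resource": "aws_s3_bucket.logs", "file_path": "/main.tf"},
            {"check_id": "CKV_EXAMPLE_2", "severity": "MEDIUM",
             "resource": "aws_security_group.web", "file_path": "/network.tf"},
            {"check_id": "CKV_EXAMPLE_3", "severity": "LOW",
             "resource": "aws_instance.app", "file_path": "/compute.tf"},
            # Severity missing: open-source Checkov runs can leave this empty.
            {"check_id": "CKV_EXAMPLE_4", "severity": None,
             "resource": "aws_iam_role.ci", "file_path": "/iam.tf"},
        ]
    },
})


def parse_threshold(value):
    """Normalise a SEVERITY_THRESHOLD value; empty/unset means HIGH (the page's default)."""
    if not value:
        return "HIGH"
    level = value.strip().upper()
    if level not in SEVERITY_RANK:
        raise ValueError(f"unsupported SEVERITY_THRESHOLD: {value!r} (use HIGH, MEDIUM or LOW)")
    return level


def passes_threshold(severity, threshold):
    """True when a finding's severity is at or above the threshold.

    Findings with no severity are kept (assumption of this example) so a gap in
    severity metadata cannot hide a failed check from the reviewer.
    """
    if not severity:
        return True
    return SEVERITY_RANK.get(severity.upper(), 0) >= SEVERITY_RANK[threshold]


def filter_findings(checkov_json, threshold):
    """Return the failed checks from a Checkov-style JSON report that meet the threshold."""
    report = json.loads(checkov_json)
    failed = report.get("results", {}).get("failed_checks", [])
    return [f for f in failed if passes_threshold(f.get("severity"), threshold)]


def summarize(findings):
    """Count kept findings per severity label; missing severity is reported as UNKNOWN."""
    counts = {}
    for f in findings:
        label = (f.get("severity") or "UNKNOWN").upper()
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    threshold = parse_threshold(os.environ.get("SEVERITY_THRESHOLD"))
    kept = filter_findings(SAMPLE_CHECKOV_JSON, threshold)
    print(f"threshold={threshold} kept={len(kept)} by_severity={summarize(kept)}")
    for f in kept:
        print(f"  {f['check_id']:<14} {f.get('severity') or 'UNKNOWN':<8} {f['file_path']} {f['resource']}")
```

Run it with `SEVERITY_THRESHOLD=MEDIUM python filter.py` to see the MEDIUM behaviour; with the variable unset it falls back to HIGH, matching the documented default. The explicit `ValueError` for values outside HIGH/MEDIUM/LOW is there so a typo in the plan file fails loudly instead of quietly widening or narrowing what gets reported.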
Examples
Basic Configuration
Here's an example of a minimal configuration to enable Checkov scanning:
override:
  workflows:
    iac-misconfiguration-detection:
      jobs:
        checkov-iac-misconfig-detection:
          enabled: true
Configuration with Low Severity Threshold
To catch all issues, including those with low severity:
override:
  workflows:
    iac-misconfiguration-detection:
      jobs:
        checkov-iac-misconfig-detection:
          enabled: true
          steps:
            - name: Run Checkov
              with:
                env:
                  SEVERITY_THRESHOLD: LOW