Add cdk synth before running checkov security scans #1023
Comments
Hi @zsaltys thanks for the issue. We faced similar issues when introducing CDK Nag to test the infra. All the alternatives are described in the #767 pull request. We went to the root of the problem which is the need for credentials to look up AWS resources. We pass the context object as a variable of cdk deploy based on the environment variable The second part of this issue is the synthesis of Environment, Dataset etc stacks for scanning. It is core infrastructure that should also be scanned. In this case instead of running Happy to collaborate on these features
@anmolsgandhi @mourya-33 @noah-paige updated this to mention reworking checkov scanning to use checkov baselines as I couldn't find any other open tickets for that.
### Feature or Bugfix
- Feature

### Detail
- Add checkov scans on cdk synth output

### Relates
- #1023

### Security
Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  - Is the input sanitized?
  - What precautions are you taking before deserializing the data you consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires authorization?
  - How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use standard, proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
Currently the GitHub Action is using checkov to scan the data.all repo. However it cannot find much because most of the stacks are generated with CDK.
We should generate the stacks using cdk synth before running checkov scans. I was able to do it on our own custom build environment which does not use GitHub Actions. What I had to do:
The tricky bit is that cdk synth needs AWS credentials and it does connect to an actual account to check a few things. I've created a basic role template that is required to run cdk synth successfully.
cdk-synth-example-role.txt
There have been numerous findings reported by checkov so this is definitely worthwhile.
Additionally, I'm thinking about how we could generate templates for datasets and environments, as these are created during runtime use of data.all.
Additionally, the problem with checkov scanning which was added in #881 is that we added all the skippable checks directly into code. This means that when we run checkov scans, your exceptions apply to us as well even if they are not exceptions for OUR organization... To fix this please remove the skips from code and use checkov BASELINE files instead.
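As an added example (not code from the data.all project or from the issue author), a CI shell step that follows the order proposed above: synthesise with cached context so the runner needs no AWS credentials, then run checkov over the generated templates with a per-organisation baseline file instead of skips in the stack code. The cdk.json app, a pre-populated cdk.context.json and the `.checkov.baseline` path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the data.all repository or the issue author.
# Assumptions: the working directory holds a cdk.json app whose context
# lookups are already cached in cdk.context.json (so no AWS credentials are
# needed), and the organisation keeps its reviewed findings in a checkov
# baseline file rather than as skip annotations in the stack code.
set -eu

OUT_DIR="${CDK_OUT_DIR:-cdk.out}"
BASELINE="${CHECKOV_BASELINE:-.checkov.baseline}"

# Synthesise without performing context lookups: with --no-lookups the CDK CLI
# fails fast if a value is missing from cdk.context.json instead of calling AWS.
synth_templates() {
    cdk synth --no-lookups --quiet --output "$1"
}

# Compose the checkov argument string. The synthesised templates are plain
# CloudFormation, and an existing baseline suppresses only the findings the
# consuming organisation has reviewed, leaving upstream code free of skips.
checkov_args() {
    out_dir="$1"; baseline="$2"
    args="-d $out_dir --framework cloudformation --quiet"
    if [ -f "$baseline" ]; then
        args="$args --baseline $baseline"
    fi
    printf '%s' "$args"
}

# First run: record the current findings as the organisation's baseline.
create_baseline() {
    checkov -d "$1" --framework cloudformation --create-baseline
    # checkov writes .checkov.baseline into the scanned directory; move it
    # next to the source so it is versioned with the organisation's config.
    mv "$1/.checkov.baseline" "$2"
}

scan() {
    synth_templates "$OUT_DIR"
    if [ ! -f "$BASELINE" ]; then
        create_baseline "$OUT_DIR" "$BASELINE"
    fi
    # Word splitting of the argument string is intended here.
    checkov $(checkov_args "$OUT_DIR" "$BASELINE")
}

# Run the pipeline only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then scan; fi
```

Commit the baseline file in the consuming organisation's own repository; the upstream stacks then need no `checkov:skip` annotations for exceptions that only one deployment accepts.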