The team at Bridgecrew is back at it again. The company is announcing a new version of Checkov, its static code analysis tool for infrastructure-as-code (IaC), which has already been downloaded over 1.2 million times and has received over 2,000 stars on GitHub.
To find out more, VMblog spoke with Barak Schoster, CTO and Co-Founder of Bridgecrew.
is announcing Checkov 2.0 — the most significant update to the Checkov open source project. Can you tell us more about the project in general and how it helps developers automate cloud security?
Barak Schoster: Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure managed in Terraform, CloudFormation, Kubernetes, Docker, Helm charts, ARM templates or Serverless Framework manifests and detects misconfigurations before deploying those resources into production. To date, it’s been downloaded over a million times and has a great community
VMblog: What are the most significant updates in Checkov 2.0?
Schoster: We’ve added 250 new policies, as well as support for Dockerfile scanning, which makes it easier for developers to build more secure Kubernetes applications. But the biggest update is our new graph-based policy engine — Checkov is the first open-source tool to do infrastructure as code (IaC) scanning at build time that has dependency
VMblog: How do developers typically go about securing their cloud infrastructure if they aren’t using a tool like Checkov?
Schoster: With engineers focused on features and DevOps allowing them to move rapidly and self-provision around their own hurdles, it’s impossible for reactive, traditional security tools to keep up with an ever-changing production environment. Even with a security engineer within the team, the chance of catching every bad default in Terraform, or hidden in a wide-open IAM policy, is next to impossible with the ever-growing suite of cloud services. Without a tool like Checkov, you might find your sprint backlog inflated with security-related tickets sourced from scanning a running production environment, instead of finding those issues early on while writing code in the IDE or as part of a CI/CD pipeline.
VMblog: Do you think all developers should be security experts? Like in ops, where there’s a trend for developers to be on-call for the services they build. Or is this
Schoster: We believe a lot of the security knowledge can be crowdsourced, and that lowers the barrier of entry. With Checkov, we have a community of developers contributing best practices in the form of policies. So as a user of Checkov, you don’t have to memorize 700+ best practices of infrastructure configuration — you can use the power of the open source community to virtually advise you and automate security into your
security space is certainly heating up. But misconfigurations and vulnerabilities have always been a concern — why do you think DevSecOps seems to be on the rise now?
and “Shift Left” is about testing your application early and often. At the end of the day it’s about productivity; teams want the ability to be more independent in development, while keeping the software reliable and secure. In addition, automating security into the software development lifecycle (SDLC) gives teams the ability to respond fast to a change, and have continuous assurance that the code and cloud architecture are reviewed.
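To make concrete the two ideas from the interview, a "wide-open IAM policy" as a bad default and a graph-based check that follows dependencies between resources, here is a small added illustration. It is not Checkov's code or data model; the Terraform-JSON sample, the `${type.name.attr}` reference parsing and the check function are all constructed for this example.

```python
import json
import re

REF = re.compile(r"\$\{(\w+)\.(\w+)\.\w+\}")  # matches ${aws_iam_role.app.name}

def policy_doc(action, resource):
    """Build an IAM policy document string, as jsonencode()/a heredoc would in HCL."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]})

# Constructed sample in Terraform JSON syntax: two roles, two policies, two attachments.
SAMPLE = {"resource": {
    "aws_iam_role": {"app": {"name": "app-role"}, "batch": {"name": "batch-role"}},
    "aws_iam_policy": {"admin": {"policy": policy_doc("*", "*")},
                       "reader": {"policy": policy_doc("s3:GetObject", "arn:aws:s3:::logs/*")}},
    "aws_iam_role_policy_attachment": {
        "app_admin": {"role": "${aws_iam_role.app.name}", "policy_arn": "${aws_iam_policy.admin.arn}"},
        "batch_reader": {"role": "${aws_iam_role.batch.name}", "policy_arn": "${aws_iam_policy.reader.arn}"}}}}

def build_graph(tf):
    """Nodes are 'type.name' -> attributes; edges follow ${type.name.attr} references."""
    nodes, edges = {}, {}
    for rtype, instances in tf["resource"].items():
        for name, attrs in instances.items():
            nid = f"{rtype}.{name}"
            nodes[nid] = attrs
            edges[nid] = {f"{m[0]}.{m[1]}" for v in attrs.values() if isinstance(v, str)
                          for m in REF.findall(v)}
    return nodes, edges

def is_wide_open(policy_json):
    """True if any Allow statement grants every action on every resource."""
    for st in json.loads(policy_json).get("Statement", []):
        acts, res = st.get("Action", []), st.get("Resource", [])
        acts = [acts] if isinstance(acts, str) else acts
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in acts and "*" in res:
            return True
    return False

def check_roles_without_admin_policy(tf):
    """Graph check: a role FAILS if an attachment links it to a wide-open policy."""
    nodes, edges = build_graph(tf)
    results = {n: "PASSED" for n in nodes if n.startswith("aws_iam_role.")}
    for nid in (n for n in nodes if n.startswith("aws_iam_role_policy_attachment.")):
        roles = [d for d in edges[nid] if d.startswith("aws_iam_role.")]
        policies = [d for d in edges[nid] if d.startswith("aws_iam_policy.")]
        if any(is_wide_open(nodes[p]["policy"]) for p in policies):
            results.update({r: "FAILED" for r in roles})
    return results

if __name__ == "__main__":
    for role, verdict in check_roles_without_admin_policy(SAMPLE).items():
        print(f"{verdict}: {role}")
```

Neither the policy resource nor the role is wrong on its own; only the attachment edge between them makes `aws_iam_role.app` fail, which is why a per-resource check cannot express this rule.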