Bridgecrew.io
  • About Bridgecrew by Prisma Cloud
  • Docs
    • Quick start
    • Overview
    • Integrations
  • Download
  • Try Bridgecrew

Checkov Documentation

  • 1.Welcome
    • What is Checkov?
    • Terms and Concepts
    • Quick Start
    • Feature Descriptions
  • 2.Basics
    • Installing Checkov
    • CLI Command Reference
    • Suppressing and Skipping Policies
    • Scanning Credentials and Secrets
    • Reviewing Scan Results
    • Visualizing Checkov Output
    • Handling Variables
  • 3.Custom Policies
    • Custom Policies Overview
    • Python Custom Policies
    • YAML Custom Policies
    • Custom YAML Policies Examples
    • Sharing Custom Policies
  • 4.Integrations
    • Jenkins
    • Bitbucket Cloud Pipelines
    • Integrate Checkov with Github Actions
      • Use a Checkov Action from the Marketplace
      • Create Your Own Action: Basic Set-up
      • Example Results
        • Action Failure
        • Pipeline Success
    • GitLab CI
    • Kubernetes
    • Pre-Commit
    • Docker
    • Terraform Scanning
  • 5.Policy Index
    • all resource scans
    • arm resource scans
    • cloudformation resource scans
    • dockerfile resource scans
    • kubernetes resource scans
    • serverless resource scans
    • terraform resource scans
  • 6.Contribution
    • Contribution Overview
    • Contribute Python-Based Policies
    • Contribute YAML-based Policies
    • Contribute New Terraform Provider
  • Docs
  • 4.integrations
  • Github Actions
Edit on GitHub

Integrate Checkov with Github Actions

Integrating Checkov into GitHub Actions provides a simple, automatic way of applying policies to your Terraform code both during pull request review and as part of any build process.

Use a Checkov Action from the Marketplace

Check out our pre-made action.

Create Your Own Action: Basic Set-up

Add a new step in the workflow.yml.

├───.github
│   └───workflows

Here is a basic example:

---
name: Checkov
on:
  push:
    branches:
      - master
jobs:
  build:

    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up Python 3.8
        uses: actions/setup-python@v1
        with:
          python-version: 3.8
      - name: Test with Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: example/examplea
          framework: terraform 

Example Results

Any time after you push your code to GitHub, it will run your job. If Checkov finds any errors, it will fail the build.

Action Failure

In the original examples code, the file aws_efs_file_system.sharedstore.tf is not set to encrypted:

resource "aws_efs_file_system" "sharedstore" {
  creation_token = var.efs["creation_token"]

  lifecycle_policy {
    transition_to_ia = var.efs["transition_to_ia"]
  }

  kms_key_id                      = var.efs["kms_key_id"]
  encrypted                       = false
  performance_mode                = var.efs["performance_mode"]
  provisioned_throughput_in_mibps = var.efs["provisioned_throughput_in_mibps"]
  throughput_mode                 = var.efs["throughput_mode"]
}

This will fail a Checkov test:

Actions Failure

Pipeline Success

The previous error can be fixed by setting the value of encryption to true. Actions success

Read more details on using Python in GitHub Actions.

Powered By

  • Slack Community
  • About Bridgecrew
  • Platform
  • Terms of use
  • GitHub
  • Contact Us
  • Privacy policy