Integrate Checkov with Kubernetes

Background

Checkov is built to scan static code and is typically used at build time. However, resources running in a Kubernetes cluster can be described in the same way as at build time. This allows Checkov to run in a cluster with read-only access and report on the same violations.

Execution

To run Checkov in your cluster you must have Kubernetes CLI access to the cluster.

To execute a job against your cluster, run the following manifest.

kubectl apply -f https://raw.githubusercontent.com/bridgecrewio/checkov/master/kubernetes/checkov-job.yaml

Review the output of the job.

kubectl get jobs -n checkov
kubectl logs job/checkov -n checkov