Ansible configuration scanning

Checkov supports the evaluation of policies on your Ansible files. When using checkov to scan a directory that contains Ansible tasks it will validate if the file is compliant with Ansible best practices such as validating certificates and using HTTPS to download files, and more.

Full list of Ansible policies checks can be found here.

Example misconfigured Ansible file

- name: Verify tests
  hosts: all
  gather_facts: False
  tasks:
    - name: disabled
      yum:
        name: httpd>=2.4
        state: present
        validate_certs: false

Running in CLI

checkov -d . --framework ansible

Example output

 
       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: .2.258


ansible scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV_ANSIBLE_4: "Ensure that SSL validation isn't disabled with yum"
	PASSED for resource: task.disabled
	File: /site.yaml:6-12
Check: CKV_ANSIBLE_3: "Ensure that certificate validation isn't disabled with yum"
	FAILED for resource: task.disabled
	File: /site.yaml:6-12

		6  |     - name: disabled
		7  |       yum:
		8  |         name: httpd>=2.4
		9  |         state: present
		10 |         validate_certs: false