GitHub configuration scanning

Checkov supports evaluating policies against your GitHub organization and repository settings. When run with a GitHub token, Checkov collects the current organization settings and validates that they comply with GitHub security best practices, such as requiring 2FA, requiring SSO and more. The full list of checks for GitHub organization and repository settings can be found here.

GitHub scanning configuration

Environment variables (default value, then description):

CKV_GITHUB_CONFIG_FETCH_DATA
    Default: "True"
    Checkov tries to fetch the GitHub configuration from the API by default (unless no access token is provided).

CKV_GITHUB_CONF_DIR_NAME
    Default: "github_conf"
    Checkov creates a new directory with this name under the current working directory and stores the fetched configuration there.

GITHUB_API_URL
    Default: "https://api.github.com/"

GITHUB_TOKEN
    GitHub personal access token used to fetch the GitHub configuration.

GITHUB_REF
    Default: refs/heads/master
    GitHub branch for which to fetch the branch protection rules configuration.

GITHUB_ORG
    GitHub organization.

GITHUB_REPOSITORY
    GitHub repository for which to fetch the repository configuration.

GITHUB_REPO_OWNER
    The owner of the repository: either the GitHub user name of the repository owner, or the name of the organization that owns it.

Example organization security configuration

{
    "data": {
        "organization": {
            "name": "Bridgecrew",
            "login": "bridgecrewio",
            "description": "Secure public cloud infrastructure",
            "ipAllowListEnabledSetting": "ENABLED",
            "ipAllowListForInstalledAppsEnabledSetting": "ENABLED",
            "requiresTwoFactorAuthentication": false,
            "samlIdentityProvider": {
                "ssoUrl": "https://bridgecrew.okta.com/app/githubcloud/foo/sso/saml"
            }
        }
    }
}

Example policy

from checkov.github.base_github_org_security import OrgSecurity


class Github2FA(OrgSecurity):
    def __init__(self):
        name = "Ensure GitHub organization security settings require 2FA"
        id = "CKV_GITHUB_1"
        super().__init__(
            name=name,
            id=id
        )

    def get_evaluated_keys(self):
        # Path into the fetched org_security.json that the policy inspects;
        # the organization passes only when this setting is enforced.
        return ['data/organization/requiresTwoFactorAuthentication']


check = Github2FA()
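The policy above names only an evaluated key; the base class does the lookup and the pass/fail decision. The following is an added, self-contained illustration (not Checkov's own code) of that evaluation: it walks the slash-separated key path through the example organization document, treats a missing setting as a failure, and runs the three organization checks that appear in the example output. The `OrgSecurityCheck` class and `lookup_key_path` helper are hypothetical stand-ins, and the evaluated keys for CKV_GITHUB_2 and CKV_GITHUB_3 are assumed from the fields in the sample document.

```python
import json
from typing import Any, Callable

# Constructed sample input: the organization security document shown above,
# as Checkov would write it to github_conf/org_security.json.
ORG_SECURITY_JSON = """
{
    "data": {
        "organization": {
            "name": "Bridgecrew",
            "login": "bridgecrewio",
            "description": "Secure public cloud infrastructure",
            "ipAllowListEnabledSetting": "ENABLED",
            "ipAllowListForInstalledAppsEnabledSetting": "ENABLED",
            "requiresTwoFactorAuthentication": false,
            "samlIdentityProvider": {
                "ssoUrl": "https://bridgecrew.okta.com/app/githubcloud/foo/sso/saml"
            }
        }
    }
}
"""


def lookup_key_path(document: dict, key_path: str) -> tuple[bool, Any]:
    """Walk a slash-separated evaluated key such as
    'data/organization/requiresTwoFactorAuthentication'.
    Returns (found, value); found is False when any path segment is missing."""
    node: Any = document
    for part in key_path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node


class OrgSecurityCheck:
    """Hypothetical stand-in for an OrgSecurity policy: one evaluated key plus
    a predicate describing a compliant value."""

    def __init__(self, check_id: str, name: str, key_path: str,
                 is_compliant: Callable[[Any], bool]) -> None:
        self.id = check_id
        self.name = name
        self.key_path = key_path
        self.is_compliant = is_compliant

    def scan(self, document: dict) -> str:
        found, value = lookup_key_path(document, self.key_path)
        # A setting absent from the fetched document is treated as not
        # enforced, so the check fails closed instead of passing silently.
        if not found:
            return "FAILED"
        return "PASSED" if self.is_compliant(value) else "FAILED"


# The three organization checks from the example output. The evaluated keys
# for CKV_GITHUB_2 and CKV_GITHUB_3 are assumed from the sample document.
CHECKS = [
    OrgSecurityCheck("CKV_GITHUB_1",
                     "Ensure GitHub organization security settings require 2FA",
                     "data/organization/requiresTwoFactorAuthentication",
                     lambda v: v is True),
    OrgSecurityCheck("CKV_GITHUB_2",
                     "Ensure GitHub organization security settings require SSO",
                     "data/organization/samlIdentityProvider/ssoUrl",
                     lambda v: isinstance(v, str) and v.startswith("https://")),
    OrgSecurityCheck("CKV_GITHUB_3",
                     "Ensure GitHub organization security settings has IP allow list enabled",
                     "data/organization/ipAllowListEnabledSetting",
                     lambda v: v == "ENABLED"),
]


def run_checks(raw_json: str) -> dict[str, str]:
    """Evaluate every check against the document; returns {check id: result}."""
    document = json.loads(raw_json)
    return {check.id: check.scan(document) for check in CHECKS}


def summarize(results: dict[str, str]) -> tuple[int, int]:
    """Return (passed, failed) counts, matching Checkov's summary line."""
    passed = sum(1 for r in results.values() if r == "PASSED")
    return passed, len(results) - passed


if __name__ == "__main__":
    results = run_checks(ORG_SECURITY_JSON)
    for check in CHECKS:
        print(f'Check: {check.id}: "{check.name}"\n\t{results[check.id]}')
    passed, failed = summarize(results)
    print(f"Passed checks: {passed}, Failed checks: {failed}")
```

Run against the sample document this yields two passes and one failure (2FA is `false`), the same tally as the example output further down. The fail-closed handling of a missing key is the part worth keeping in mind when writing your own policies: an organization whose settings could not be fetched should not look compliant.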

Running in CLI

# configure GitHub personal access token
export GITHUB_TOKEN="ghp_abc"
# configure CA bundle when running behind a VPN (optional)
export REQUESTS_CA_BUNDLE="/usr/local/etc/openssl/cert.pem"
export BC_CA_BUNDLE="globalprotect_certifi.txt"

checkov -d . --framework github_configuration

Example output


       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  
                                      
By bridgecrew.io | version: 2.0.707 

github_configuration scan results:

Passed checks: 2, Failed checks: 1, Skipped checks: 0

Check: CKV_GITHUB_3: "Ensure GitHub organization security settings has IP allow list enabled"
	PASSED for resource: _conf/org_security.json
	File: /github_conf/org_security.json:2-15

Check: CKV_GITHUB_2: "Ensure GitHub organization security settings require SSO"
	PASSED for resource: _conf/org_security.json
	File: /github_conf/org_security.json:2-15

Check: CKV_GITHUB_1: "Ensure GitHub organization security settings require 2FA"
	FAILED for resource: _conf/org_security.json
	File: /github_conf/org_security.json:2-15

		2  |     "data": {
		3  |         "organization": {
		4  |             "name": "Bridgecrew",
		5  |             "login": "bridgecrewio",
		6  |             "description": "Secure public cloud infrastructure",
		7  |             "ipAllowListEnabledSetting": "ENABLED",
		8  |             "ipAllowListForInstalledAppsEnabledSetting": "ENABLED",
		9  |             "requiresTwoFactorAuthentication": false,
		10 |             "samlIdentityProvider": {
		11 |                                 "ssoUrl": "https://bridgecrew.okta.com/app/githubcloud/foo/sso/saml"
		12 |             }
		13 |         }
		14 |     }
		15 | }


To add more GitHub policies and more configuration to be inspected, take a look at the GitHub policy contribution guide.
