How to run checkov scan on terraform plan
I want checkov to scan the terraform plan output, but I have not had any success with that. Below is my code in terragrunt.hcl and the GitHub Actions workflow, and the message I receive when my workflow completes. I tried several ways to make it work, but I still cannot configure it correctly so that checkov can analyze the JSON output of the terraform plan. I would appreciate it if anyone could help me with this. Thank you in advance for your help.
terragrunt.hcl
terraform {
  after_hook "after_hook_plan" {
    commands = ["plan"]
    execute  = ["sh", "-c", "terraform show -json tfplan.binary > ${get_parent_terragrunt_dir()}/plan.json"]
  }
}
GitHub Actions Workflow
name: 'Checkov Security Scan'
on:
  push:
    branches:
      - test
jobs:
  Terraform:
    name: 'Terraform'
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: ${{ env.tf_working_dir }}
    steps:
      - name: 'checkout'
        uses: actions/checkout@v2
      - name: configure AWS credentials
        uses: aws-actions/configure-aws-credentials@master
        with:
          aws-region: us-east-1
          role-to-assume: ${{ env.dev_role_arn }}
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1.3.2
        with:
          terraform_version: ${{ env.tf_version }}
          terraform_wrapper: true
      - name: Setup Terragrunt
        uses: autero1/action-terragrunt@v1.1.0
        with:
          terragrunt_version: ${{ env.tg_version }}
      - name: Init
        id: init
        run: |
          terragrunt run-all init --terragrunt-non-interactive
      - name: Plan
        id: plan
        run: |
          terragrunt run-all plan -out=tfplan.binary -no-color --terragrunt-non-interactive
      - name: 'Test Plan (Checkov)'
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ./applied/test/
          quiet: false # optional: display only failed checks
          framework: terraform # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          output_format: json # optional: the output format, one of: cli, json, junitxml, github_failed_only
checkov output message
{
  "passed": 0,
  "failed": 0,
  "skipped": 0,
  "parsing_errors": 0,
  "resource_count": 0,
  "checkov_version": "2.0.706"
}
I guess it is not supported, but you can try this:
- name: Terraform Plan
  id: plan
  if: github.event_name == 'pull_request'
  run: terraform plan --out tfplan.binary -no-color
  continue-on-error: true
- name: Terraform Show
  id: show
  run: terraform show -json tfplan.binary | jq '.' > tfplan.json
- name: Set up Python 3.8
  uses: actions/setup-python@v1
  with:
    python-version: 3.8
  id: setup_py
- name: Install Checkov
  id: checkov
  run: |
    python3 -m pip install --upgrade pip
    pip3 install checkov
  continue-on-error: true
- name: Run Checkov
  id: run_checkov
  run: checkov -f tfplan.json -o sarif -s
  continue-on-error: true
- name: Upload SARIF file
  id: upload_sarif
  uses: github/codeql-action/upload-sarif@v1
  with:
    sarif_file: results.sarif
    category: checkov
  continue-on-error: true
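As an added illustration, not code from the question or the answer above: a small Python preflight for the file handed to `checkov -f`, checking that it really is `terraform show -json` output and how many resources it contains, including resources nested in child modules (the usual case under terragrunt), which is what a `resource_count` of 0 in the checkov report hinges on. The plan JSON embedded below is a constructed, abbreviated sample, not a real plan.

```python
import json
# Constructed, abbreviated sample of `terraform show -json tfplan.binary` output;
# it mimics the plan-JSON shape only and is not output from a real plan.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "terraform_version": "1.1.7",
    "planned_values": {"root_module": {
        "resources": [{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
                       "name": "logs", "values": {"bucket": "example-logs"}}],
        "child_modules": [{"address": "module.iam", "resources": [
            {"address": "module.iam.aws_iam_role.ci", "type": "aws_iam_role",
             "name": "ci", "values": {"name": "ci"}}]}],
    }},
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "change": {"actions": ["create"]}},
        {"address": "module.iam.aws_iam_role.ci", "change": {"actions": ["no-op"]}},
    ],
})

# Top-level keys every `terraform show -json` plan carries.
PLAN_KEYS = ("format_version", "terraform_version", "planned_values")


def parse_plan_json(text):
    """Return the parsed plan if `text` is terraform plan JSON, else None.
    Raw HCL or an empty/truncated file (e.g. from a failed hook) fails here."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or any(k not in data for k in PLAN_KEYS):
        return None
    return data


def iter_resources(module):
    """Yield each planned resource of a module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def summarize_plan(text):
    """Count planned resources (nested modules included) and list non-no-op changes."""
    plan = parse_plan_json(text)
    if plan is None:
        return {"valid": False, "resources": 0, "changing": []}
    root = plan["planned_values"].get("root_module", {})
    changing = [rc["address"] for rc in plan.get("resource_changes", [])
                if rc["change"]["actions"] != ["no-op"]]
    return {"valid": True, "resources": sum(1 for _ in iter_resources(root)),
            "changing": changing}
```

Running `summarize_plan` on the generated `tfplan.json` before the checkov step turns a silent "0 resources scanned" into an explicit failure of the pipeline's own plan-export step.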