### Install Pre-commit Hooks Source: https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md Installs the pre-commit hooks for the project. This should be done after setting up the Python environment. ```sh pre-commit install ``` -------------------------------- ### Install Pipenv and Development Dependencies Source: https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md Install pipenv and then install all development dependencies required for Checkov. ```shell pip install pipenv pipenv install --dev ``` -------------------------------- ### Alternative Checkov Pre-Commit Hook Installation Source: https://github.com/bridgecrewio/checkov/blob/main/docs/4.Integrations/pre-commit.md An alternative method to install pre-commit hooks, which involves separate commands for installation and hook setup. ```bash pre-commit install pre-commit install-hooks ``` -------------------------------- ### Install Checkov using Pip Source: https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Installing Checkov.md Use pip to install Checkov for general use. This is the most common installation method. ```shell pip install checkov ``` ```shell pip3 install checkov ``` -------------------------------- ### Install Checkov Pre-Commit Hooks Source: https://github.com/bridgecrewio/checkov/blob/main/docs/4.Integrations/pre-commit.md Run this command after adding the .pre-commit-config.yaml file to your project to install the necessary hooks. ```bash pre-commit install --install-hooks ``` -------------------------------- ### Example AWS DB Instance Configuration Source: https://github.com/bridgecrewio/checkov/blob/main/docs/3.Custom Policies/Python Custom Policies.md An example of the internal representation of an AWS DB instance resource configuration as used by Checkov. ```python conf = { "__end_line__": 11, # internal field "__start_line__": 3, # internal field "allocated_storage": [5], "enabled_cloudwatch_logs_ ஆதரவு": [["postgresql", "upgrade"]], "engine": ["postgres"], "instance_class": ["db.t3.small"], "password": ["postgres"], "username": ["postgres"], "__address__": "aws_db_instance.postgres", # internal field } ``` -------------------------------- ### Install Checkov Package Locally Source: https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md Installs the Checkov package from a local wheel file. Ensure the RELEASE_VERSION is updated to match the desired version. ```sh RELEASE_VERSION='xxx' pip install dist/checkov-${RELEASE_VERSION}-py3-none-any.whl ``` -------------------------------- ### Install Checkov using Homebrew Source: https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Installing Checkov.md Install Checkov on macOS or Linux systems that use Homebrew package manager. ```shell brew install checkov ``` -------------------------------- ### Checkov Configuration Display Source: https://github.com/bridgecrewio/checkov/blob/main/README.md Example output from the `--show-config` flag, detailing command-line arguments, environment variables, configuration file settings, and defaults. ```sh Command Line Args: --show-config Environment Variables: BC_API_KEY: your-api-key Config File (/Users/sample/.checkov.yml): soft-fail: False branch: master skip-check: ['CKV_DOCKER_3', 'CKV_DOCKER_2'] Defaults: --output: cli --framework: ['all'] --download-external-modules:False --external-modules-download-path:.external_modules --evaluate-variables:True ``` -------------------------------- ### Running Gitlab Configuration Scan with Checkov CLI Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/Gitlab.md This example shows how to configure environment variables for Gitlab token and optional VPN certificates, and then run a Checkov scan for Gitlab configurations. ```bash #configure gitlab personal access token export CI_JOB_TOKEN="ghp_abc" #configure vpn (optional) export REQUESTS_CA_BUNDLE="/usr/local/etc/openssl/cert.pem" export BC_CA_BUNDLE="globalprotect_certifi.txt" checkov -d . --framework gitlab_configuration ``` -------------------------------- ### Example Misconfigured Azure Pipelines Template Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/Azure Pipelines.md This YAML template demonstrates a misconfiguration in an Azure Pipelines setup, specifically regarding container image versioning. ```yaml trigger: - master resources: repositories: - repository: AzureDevOps type: git endpoint: AzureDevOps name: AzureDevOps/AzureDevOps jobs: - job: RunInContainer pool: vmImage: 'ubuntu-18.04' container: ubuntu:20.04 steps: - script: printenv ``` -------------------------------- ### Example Git History Scan Output Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/Git History.md This is an example of the output generated by Checkov when scanning Git history for secrets. It details the number of passed, failed, and skipped checks, along with specific findings including the secret type, resource identifier, severity, file path, commit details, and a link to the relevant guide. ```bash _ _ ___| |__ ___ ___| | _______ __ / __| '_ \ / _ \/ __| |/ / _ \ \ / / | (__| | | | __/ (__| < (_) \ V / \___|_| |_|\___|\___|_|\_\___/ \_/ By Prisma Cloud | version: 2.3.172 secrets scan results: Passed checks: 0, Failed checks: 320, Skipped checks: 0 Check: CKV_SECRET_6: "Base64 High Entropy String" FAILED for resource: 732a8470a9623e89355d477688afd7f8f4d55e03 Severity: LOW File: /tests/plugins/azure_storage_key_test.py:12-13; Commit Added: 018c9d1ee2a152a82c612ee82c0cd952a4f3eae4 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6 12 | 'Accoun*********************************************************************************************', # noqa: E501 Check: CKV_SECRET_6: "Base64 High Entropy String" FAILED for resource: b57a3ad258d7674d2005a53aaa67460e25791f71 Severity: LOW File: /tests/plugins/keyword_test.py:22-23; Commit Added: 01cde918f5f471cb0e03964db37f905e5bcdd1cf; Commit Removed: e01d818ad118b0b1fccb1cc9b406e7aa1539e242 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6 22 | 'PASSWORD = "ve********"' Check: CKV_SECRET_2: "AWS Access Key" FAILED for resource: d70eab08607a4d05faa2d0d6647206599e9abc65 Severity: LOW File: /test_diff/test_data/add_sample.diff:10-11; Commit Added: 07d52374f6d1ccc8709069be43139a6ba7ae544b Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-2 ... ``` -------------------------------- ### Create and Activate Virtual Environment Source: https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Installing Checkov.md Set up a Python virtual environment for Checkov, recommended for environments like Debian 12. ```shell python3 -m venv /path/to/venv/checkov cd /path/to/venv/checkov source ./bin/activate ``` -------------------------------- ### Running Checkov with Repo ID and API Key Source: https://github.com/bridgecrewio/checkov/blob/main/docs/1.Welcome/Migration.md Example of how to run Checkov with a specified repository ID and API key, which is now a requirement for API key usage. ```shell checkov -d. --bc-api-key xyz --repo-id example/example ``` -------------------------------- ### Python CDK Example Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/CDK.md This is an example of a Python CDK code snippet that can be scanned by Checkov. ```python from aws_cdk import ( aws_s3, Stack, ) from constructs import Construct ``` -------------------------------- ### View Effective Configuration Source: https://github.com/bridgecrewio/checkov/blob/main/README.md Use this flag to display all arguments and settings, indicating their source (command line, config file, environment variable, or default). ```sh checkov --show-config ``` -------------------------------- ### Install Checkov within a Virtual Environment Source: https://github.com/bridgecrewio/checkov/blob/main/docs/2.Basics/Installing Checkov.md Install Checkov after activating a Python virtual environment. ```shell pip install checkov ``` -------------------------------- ### Running GitHub Configuration Scan via CLI Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/Github.md Example command to run Checkov for GitHub configuration scanning. Requires setting the GITHUB_TOKEN environment variable and optionally configuring CA bundles for VPNs. ```bash #configure github personal access token export GITHUB_TOKEN="ghp_abc" #configure vpn (optional) export REQUESTS_CA_BUNDLE="/usr/local/etc/openssl/cert.pem" export BC_CA_BUNDLE="globalprotect_certifi.txt" checkov -d . --framework github_configuration ``` -------------------------------- ### Example Misconfigured OpenAPI Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/OpenAPI.md This snippet shows an example of a misconfigured OpenAPI file that Checkov can scan. ```yaml { "swagger": "2.0", "info": { "title": "example", "version": "1.0.0" }, "paths": { "/": { "get": { "operationId": "example", "summary": "example", "responses": { "200": { "description": "200 response" } }, "parameters": [ { "name": "limit2", "in": "body", "required": true, "schema": { "type": "object" } } ], "security": [ { "api_key": [] } ] } } }, "securityDefinitions": { "petstore_auth": { "type": "oauth2", "authorizationUrl": "http://swagger.io/api/oauth/dialog", "flow": "implicit", "scopes": { "write:pets": "write", "read:pets": "read" } } } } ``` -------------------------------- ### Check Checkov Version Source: https://github.com/bridgecrewio/checkov/blob/main/CONTRIBUTING.md Verifies the currently installed version of Checkov. This is useful after installing a local package. ```sh checkov --version ``` -------------------------------- ### Running Bitbucket Configuration Scan via CLI Source: https://github.com/bridgecrewio/checkov/blob/main/docs/7.Scan Examples/Bitbucket.md Example CLI command to run Checkov for Bitbucket configuration scanning. Ensure to export your Bitbucket credentials and repository details as environment variables before execution. ```bash #configure bitbucket personal access token export APP_PASSWORD="ghp_abc" export BITBUCKET_USERNAME="username" export BITBUCKET_REPO_FULL_NAME="prisma/terragoat" checkov -d . --framework bitbucket_configuration ```