Checkov started at Bridgecrew as an open source static analysis tool for Infrastructure as Code (IaC) that gives DevOps teams the ability to scan Terraform, Kubernetes manifests, and other infrastructure definitions in their development pipeline at every stage of development. The project is now adding a new feature to Checkov that secures the pipeline itself. In this episode, Swapnil Bhartiya sits down with Barak Schoster, Senior Director, Chief Architect at Palo Alto Networks, to discuss Checkov and its new features. He goes into detail about how it helps secure CI/CD pipelines and what that means for DevOps teams. He also discusses the challenges developers face and why the responsibility for securing CI/CD pipelines lies with the engineer, not the vendor.
Key highlights from this video interview are:
- Schoster goes into detail about Checkov and its capabilities.
- Schoster shares how he defines CI/CD. CI is the step where unit tests run and, in some cases, the application is provisioned into a staging environment. CD takes that provisioning further, using secrets that have access to a cloud environment or a Kubernetes cluster to deploy a portion of the application into a live environment. He goes into detail about what CI/CD means to him.
- Checkov’s new features bring security into the CI/CD pipeline. One of the main concerns for DevOps teams is security, particularly public instances in the cloud and instances that are over-privileged. Schoster discusses why the CI/CD pipeline needs to be secured and the sorts of attacks it is exposed to.
- Securing the software supply chain is a hot topic right now, particularly when developers are consuming open source. Schoster explains that when we secure the supply chain we are also securing the pipelines themselves, and he describes the relationship between securing the two.
- Schoster goes into detail about two key examples where developers can use Checkov to scan for misconfigurations that would weaken the security of CI/CD pipelines: when editing GitHub Actions workflows, and on a weekly schedule to scan the version control system configuration.
- While Checkov ships with a lot of best practices out of the box, so developers usually will not have to configure anything or make custom changes, it is also possible to write a specialized policy. Schoster talks us through the process.
- Schoster explains some of the policies users get out of the box with Checkov, such as requiring 2FA (two-factor authentication), SSO, pull request reviewers, and code owners. He goes on to detail some of the more complicated policies Checkov provides.
- The best way to get started with Checkov is via the Bridgecrew website, where a blog post describes how to use Checkov to check for pipeline security and supply chain security best practices. Schoster shares the best ways for people to find out more and get started.
- Schoster highlights the point that it is not the vendor’s responsibility to secure the CI system. While vendors give engineers the tools to build a secure pipeline, the responsibility lies with the DevOps admin to ensure it is configured correctly and secure by default. He explains that this is the shared responsibility between the vendor and the customer of a CI system.
- There is a common misconception that just because you move to the cloud, you no longer have to worry about security. Schoster explains that the responsibility lies with the engineer to ensure that security is in place. He discusses how Bridgecrew can help with securing and auditing cloud environments, infrastructure code, and CI pipelines.
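The two scan modes Schoster describes above (checking GitHub Actions workflows as they are edited, and a weekly audit of the version control configuration for settings such as 2FA, SSO, reviewers and code owners) can be wired together in one GitHub Actions workflow. The following is an added example written for this summary; it is not code from the interview, from the Checkov project, or from Bridgecrew. It assumes Checkov is installed from PyPI, that the `github_actions` and `github_configuration` frameworks and the `GITHUB_TOKEN`, `GITHUB_ORG` and `GITHUB_REPOSITORY` environment variables read by the configuration scanner behave as named here, and the organization name `example-org` and the secret name `ORG_AUDIT_TOKEN` are placeholders.

```yaml
# Added example (not from the interview or the Checkov project).
# Assumptions: Checkov from PyPI; a repository secret ORG_AUDIT_TOKEN holding a
# token with read access to organization and branch-protection settings;
# organization name "example-org" is a placeholder.
name: pipeline-security

on:
  pull_request:
    paths:
      - ".github/workflows/**"   # scan workflow files whenever someone edits them
  schedule:
    - cron: "0 6 * * 1"          # weekly, Monday 06:00 UTC: audit the VCS configuration

# Least privilege for the scanner job itself: reading the repository is enough.
# Leaving this out (or using write-all) is exactly the kind of over-privilege
# the interview warns about.
permissions:
  contents: read

jobs:
  scan-workflows:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install checkov
      # Non-zero exit fails the pull request when a workflow definition trips a
      # github_actions policy (for example over-broad permissions, or untrusted
      # event data interpolated into a run: step).
      - run: checkov -d .github/workflows --framework github_actions

  audit-vcs-configuration:
    if: github.event_name == 'schedule'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install checkov
      # The github_configuration scanner pulls organization and repository
      # settings over the GitHub API and evaluates the built-in policies
      # (2FA and SSO enforcement, required reviewers, code owners, ...).
      - run: checkov -d . --framework github_configuration -o cli
        env:
          GITHUB_TOKEN: ${{ secrets.ORG_AUDIT_TOKEN }}   # assumption: token with org read scope
          GITHUB_ORG: example-org                        # assumption: placeholder organization
          GITHUB_REPOSITORY: ${{ github.repository }}
```

The default `GITHUB_TOKEN` that Actions issues to a job cannot read organization security settings, which is why the scheduled job uses a separately provisioned token; keep that token read-only and scoped to the audit, since a write-capable token stored in the pipeline is itself the kind of over-privileged secret the scan is meant to catch.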
The summary of the show is written by Emily Nicholls.