{"id":22724780,"url":"https://github.com/mridang/serverless-checkov-plugin","last_synced_at":"2025-06-20T15:37:57.892Z","repository":{"id":235732904,"uuid":"791114697","full_name":"mridang/serverless-checkov-plugin","owner":"mridang","description":"A plugin for the Serverless framework to integrate Checkov into the pipeline","archived":false,"fork":false,"pushed_at":"2024-09-17T06:53:34.000Z","size":1511,"stargazers_count":0,"open_issues_count":5,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2024-09-17T09:25:47.725Z","etag":null,"topics":["aws","checkov","cloudformation","iac","serverless","serverless-framework","serverless-plugin"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/@mridang/serverless-checkov-plugin","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mridang.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-24T05:57:00.000Z","updated_at":"2024-09-17T06:53:36.000Z","dependencies_parsed_at":"2024-06-10T05:37:30.206Z","dependency_job_id":"b672a4a2-631f-400b-8b2a-14030d7b8d60","html_url":"https://github.com/mridang/serverless-checkov-plugin","commit_stats":null,"previous_names":["mridang/serverless-checkov-plugin"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Fserverless-checkov-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Fserverless-checkov-plugin/tags","releases_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/repositories/mridang%2Fserverless-checkov-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mridang%2Fserverless-checkov-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mridang","download_url":"https://codeload.github.com/mridang/serverless-checkov-plugin/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229082305,"owners_count":18017251,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","checkov","cloudformation","iac","serverless","serverless-framework","serverless-plugin"],"created_at":"2024-12-10T15:07:55.540Z","updated_at":"2024-12-10T15:07:56.060Z","avatar_url":"https://github.com/mridang.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"A plugin for the Serverless framework to inspect the underlying\nstack using [Checkov](https://www.checkov.io/) in order to scan the cloud infrastructure\nconfigurations to find misconfigurations before they're\ndeployed.\n\nWithout Checkov, you may be introducing severe security risks\ninto your projects. Examples include creating S3 buckets that are\npublicly accessible and Lambda functions that allow unauthenticated\naccess. Misconfigurations such as these are never tested or\ninspected as there are no guardrails.\n\n\u003e [!NOTE]\n\u003e This plugin has only been tested with the AWS provider and will\n\u003e not work if you are deploying to other providers e.g. 
GCP.\n\n## Installation\n\nInstall using npm with the following command:\n\n```sh\nnpm install --save-dev @mridang/serverless-checkov-plugin\n```\n\nAnd then add the plugin to your `serverless.yml` file:\n\n```yaml\nplugins:\n  - '@mridang/serverless-checkov-plugin'\n```\n\nA thorough guide on installing plugins can be found at\nhttps://www.serverless.com/framework/docs-guides-plugins\n\n## Usage\n\nThere isn't anything specific to be done once the plugin is installed.\nWhen you trigger a deployment (which in turn packages the function),\nor, when you explicitly package the function, the plugin runs\nthe resultant CloudFormation template through Checkov using the\nprovided Docker container.\n\nBelow is what you can expect when packaging the application.\n\n```\n$ sls package\n\nPackaging aws-node-project for stage dev (us-east-1)\nWarning: cloudformation scan results:\n\nPassed checks: 3, Failed checks: 6, Skipped checks: 0\n\nCheck: CKV_AWS_55: \"Ensure S3 bucket has ignore public ACLs enabled\"\n        FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket\n        File: /tmp/sls/cloudformation-template-create-stack.json:5-18\n        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-21\n\n                5  |     \"ServerlessDeploymentBucket\": {\n                6  |       \"Type\": \"AWS::S3::Bucket\",\n                7  |       \"Properties\": {\n                8  |         \"BucketEncryption\": {\n                9  |           \"ServerSideEncryptionConfiguration\": [\n                10 |             {\n                11 |               \"ServerSideEncryptionByDefault\": {\n                12 |                 \"SSEAlgorithm\": \"AES256\"\n                13 |               }\n                14 |             }\n                15 |           ]\n                16 |         }\n                17 |       }\n                18 |     },\n\nCheck: CKV_AWS_18: \"Ensure the S3 bucket has 
access logging enabled\"\n        FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket\n        File: /tmp/sls/cloudformation-template-create-stack.json:5-18\n        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging\n\n                5  |     \"ServerlessDeploymentBucket\": {\n                6  |       \"Type\": \"AWS::S3::Bucket\",\n                7  |       \"Properties\": {\n                8  |         \"BucketEncryption\": {\n                9  |           \"ServerSideEncryptionConfiguration\": [\n                10 |             {\n                11 |               \"ServerSideEncryptionByDefault\": {\n                12 |                 \"SSEAlgorithm\": \"AES256\"\n                13 |               }\n                14 |             }\n                15 |           ]\n                16 |         }\n                17 |       }\n                18 |     },\n\nCheck: CKV_AWS_21: \"Ensure the S3 bucket has versioning enabled\"\n        FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket\n        File: /tmp/sls/cloudformation-template-create-stack.json:5-18\n        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning\n\n                5  |     \"ServerlessDeploymentBucket\": {\n                6  |       \"Type\": \"AWS::S3::Bucket\",\n                7  |       \"Properties\": {\n                8  |         \"BucketEncryption\": {\n                9  |           \"ServerSideEncryptionConfiguration\": [\n                10 |             {\n                11 |               \"ServerSideEncryptionByDefault\": {\n                12 |                 \"SSEAlgorithm\": \"AES256\"\n                13 |               }\n                14 |             }\n                15 |           ]\n                16 |         }\n                17 |       }\n                18 |     },\n\nCheck: 
CKV_AWS_54: \"Ensure S3 bucket has block public policy enabled\"\n        FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket\n        File: /tmp/sls/cloudformation-template-create-stack.json:5-18\n        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-20\n\n                5  |     \"ServerlessDeploymentBucket\": {\n                6  |       \"Type\": \"AWS::S3::Bucket\",\n                7  |       \"Properties\": {\n                8  |         \"BucketEncryption\": {\n                9  |           \"ServerSideEncryptionConfiguration\": [\n                10 |             {\n                11 |               \"ServerSideEncryptionByDefault\": {\n                12 |                 \"SSEAlgorithm\": \"AES256\"\n                13 |               }\n                14 |             }\n                15 |           ]\n                16 |         }\n                17 |       }\n                18 |     },\n\nCheck: CKV_AWS_56: \"Ensure S3 bucket has RestrictPublicBuckets enabled\"\n        FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket\n        File: /tmp/sls/cloudformation-template-create-stack.json:5-18\n        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-22\n\n                5  |     \"ServerlessDeploymentBucket\": {\n                6  |       \"Type\": \"AWS::S3::Bucket\",\n                7  |       \"Properties\": {\n                8  |         \"BucketEncryption\": {\n                9  |           \"ServerSideEncryptionConfiguration\": [\n                10 |             {\n                11 |               \"ServerSideEncryptionByDefault\": {\n                12 |                 \"SSEAlgorithm\": \"AES256\"\n                13 |               }\n                14 |             }\n                15 |           ]\n                16 |         }\n                17 |       }\n                
18 |     },\n\nCheck: CKV_AWS_53: \"Ensure S3 bucket has block public ACLs enabled\"\n        FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket\n        File: /tmp/sls/cloudformation-template-create-stack.json:5-18\n        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-19\n\n                5  |     \"ServerlessDeploymentBucket\": {\n                6  |       \"Type\": \"AWS::S3::Bucket\",\n                7  |       \"Properties\": {\n                8  |         \"BucketEncryption\": {\n                9  |           \"ServerSideEncryptionConfiguration\": [\n                10 |             {\n                11 |               \"ServerSideEncryptionByDefault\": {\n                12 |                 \"SSEAlgorithm\": \"AES256\"\n                13 |               }\n                14 |             }\n                15 |           ]\n                16 |         }\n                17 |       }\n                18 |     },\n\n\n\n✔ Checkov analysis completed successfully.\n\n✔ Service packaged (12s)\n```\n\n## Contributing\n\nIf you have suggestions for how this app could be improved, or\nwant to report a bug, open an issue - we'd love all and any\ncontributions.\n\n## License\n\nApache License 2.0 © 2024 Mridang Agarwalla\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmridang%2Fserverless-checkov-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmridang%2Fserverless-checkov-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmridang%2Fserverless-checkov-plugin/lists"}