https://github.com/mridang/serverless-checkov-plugin
A plugin for the Serverless framework to integrate Checkov into the pipeline
https://github.com/mridang/serverless-checkov-plugin
aws checkov cloudformation iac serverless serverless-framework serverless-plugin
Last synced: 9 months ago
JSON representation
A plugin for the Serverless framework to integrate Checkov into the pipeline
- Host: GitHub
- URL: https://github.com/mridang/serverless-checkov-plugin
- Owner: mridang
- License: apache-2.0
- Created: 2024-04-24T05:57:00.000Z (almost 2 years ago)
- Default Branch: master
- Last Pushed: 2024-09-17T06:53:34.000Z (over 1 year ago)
- Last Synced: 2024-09-17T09:25:47.725Z (over 1 year ago)
- Topics: aws, checkov, cloudformation, iac, serverless, serverless-framework, serverless-plugin
- Language: TypeScript
- Homepage: https://www.npmjs.com/package/@mridang/serverless-checkov-plugin
- Size: 1.44 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 5
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
A plugin for the Serverless framework to inspect the underlying
stack using [Checkov](https://www.checkov.io/) in order to scan the cloud infrastructure
configurations to find misconfigurations before they're
deployed.
Without Checkov, you may be introducing severe security risks
into your projects. Examples include, creating S3 buckets that are
publicly accessible and Lambda functions that allow unauthenticated
access. Misconfigurations such are these are never tested or
inspected as there are no guardrails.
> [!NOTE]
> This plugin has only been tested with the AWS provider and will
> not work if you are deploying to other providers e.g. GCP.
## Installation
Install using NPM by using the following command
```sh
npm install --save-dev @mridang/serverless-checkov-plugin
```
And then add the plugin to your `serverless.yml` file:
```yaml
plugins:
- @mridang/serverless-checkov-plugin
```
A thorough guide on installing plugins can be found at
https://www.serverless.com/framework/docs-guides-plugins
## Usage
There isn't anything specific to be done once the plugin is installed.
When you trigger a deployment (which in turn packages the function),
or, when you explicitly package the function, the plugin runs
the resultant Cloudformation template through Checkov using the
provided Docker container.
Below is what you can expect when packaging the application.
```
$ sls package
Packaging aws-node-project for stage dev (us-east-1)
Warning: cloudformation scan results:
Passed checks: 3, Failed checks: 6, Skipped checks: 0
Check: CKV_AWS_55: "Ensure S3 bucket has ignore public ACLs enabled"
FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket
File: /tmp/sls/cloudformation-template-create-stack.json:5-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-21
5 | "ServerlessDeploymentBucket": {
6 | "Type": "AWS::S3::Bucket",
7 | "Properties": {
8 | "BucketEncryption": {
9 | "ServerSideEncryptionConfiguration": [
10 | {
11 | "ServerSideEncryptionByDefault": {
12 | "SSEAlgorithm": "AES256"
13 | }
14 | }
15 | ]
16 | }
17 | }
18 | },
Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket
File: /tmp/sls/cloudformation-template-create-stack.json:5-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging
5 | "ServerlessDeploymentBucket": {
6 | "Type": "AWS::S3::Bucket",
7 | "Properties": {
8 | "BucketEncryption": {
9 | "ServerSideEncryptionConfiguration": [
10 | {
11 | "ServerSideEncryptionByDefault": {
12 | "SSEAlgorithm": "AES256"
13 | }
14 | }
15 | ]
16 | }
17 | }
18 | },
Check: CKV_AWS_21: "Ensure the S3 bucket has versioning enabled"
FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket
File: /tmp/sls/cloudformation-template-create-stack.json:5-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
5 | "ServerlessDeploymentBucket": {
6 | "Type": "AWS::S3::Bucket",
7 | "Properties": {
8 | "BucketEncryption": {
9 | "ServerSideEncryptionConfiguration": [
10 | {
11 | "ServerSideEncryptionByDefault": {
12 | "SSEAlgorithm": "AES256"
13 | }
14 | }
15 | ]
16 | }
17 | }
18 | },
Check: CKV_AWS_54: "Ensure S3 bucket has block public policy enabled"
FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket
File: /tmp/sls/cloudformation-template-create-stack.json:5-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-20
5 | "ServerlessDeploymentBucket": {
6 | "Type": "AWS::S3::Bucket",
7 | "Properties": {
8 | "BucketEncryption": {
9 | "ServerSideEncryptionConfiguration": [
10 | {
11 | "ServerSideEncryptionByDefault": {
12 | "SSEAlgorithm": "AES256"
13 | }
14 | }
15 | ]
16 | }
17 | }
18 | },
Check: CKV_AWS_56: "Ensure S3 bucket has RestrictPublicBuckets enabled"
FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket
File: /tmp/sls/cloudformation-template-create-stack.json:5-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-22
5 | "ServerlessDeploymentBucket": {
6 | "Type": "AWS::S3::Bucket",
7 | "Properties": {
8 | "BucketEncryption": {
9 | "ServerSideEncryptionConfiguration": [
10 | {
11 | "ServerSideEncryptionByDefault": {
12 | "SSEAlgorithm": "AES256"
13 | }
14 | }
15 | ]
16 | }
17 | }
18 | },
Check: CKV_AWS_53: "Ensure S3 bucket has block public ACLs enabled"
FAILED for resource: AWS::S3::Bucket.ServerlessDeploymentBucket
File: /tmp/sls/cloudformation-template-create-stack.json:5-18
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/bc-aws-s3-19
5 | "ServerlessDeploymentBucket": {
6 | "Type": "AWS::S3::Bucket",
7 | "Properties": {
8 | "BucketEncryption": {
9 | "ServerSideEncryptionConfiguration": [
10 | {
11 | "ServerSideEncryptionByDefault": {
12 | "SSEAlgorithm": "AES256"
13 | }
14 | }
15 | ]
16 | }
17 | }
18 | },
✔ Checkov analysis completed successfully.
✔ Service packaged (12s)
```
## Contributing
If you have suggestions for how this app could be improved, or
want to report a bug, open an issue - we'd love all and any
contributions.
## License
Apache License 2.0 © 2024 Mridang Agarwalla