anitguru/checkov-pipeline-demo
Maintained by An IT Guru

Checkov Pipeline Demo

This repository showcases how to integrate checkov within a CI pipeline using GitHub Actions.

Setup

  1. Define GitHub Actions secrets for the following (the workflow reads them when building and pushing the image):
    • DOCKER_HUB_ACCESS_TOKEN
    • DOCKER_HUB_USERNAME
    • REPO_NAME

Demo Steps

  1. Initiate a new release in this repository via CLI, UI, or manually trigger a build.
  2. Navigate to Actions to observe the CI process in action.
  3. Inspect the checkov output.
  4. Explore the Security tab to see how findings integrate seamlessly.
  5. Cleanup: Ensure you delete the newly created release and any associated tags.

Checkov in the Application Lifecycle

Checkov can be employed during either the build or deploy phase. In the current configuration, checkov analyzes the Dockerfile before the build and soft-fails (warns without failing the job) when the Dockerfile does not satisfy the security criteria. Removing the soft-fail option turns this into a hard-fail: the job stops and the build never runs. The scan outcomes are displayed in the runner console, and the findings are also recorded in the GitHub Security tab (see Findings).
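An added example (not the workflow shipped in this repository) of how such a pipeline can be laid out: checkov scans the Dockerfile, the soft_fail input decides whether findings only warn or halt the job before the build, and the SARIF report is uploaded so it appears in the Security tab. The action version tags, the results.sarif file name and the docker build step are assumptions.

```yaml
name: checkov-dockerfile-scan

on:
  release:
    types: [published]
  workflow_dispatch:

permissions:
  contents: read
  security-events: write   # required for uploading SARIF to the Security tab

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Scan Dockerfile with checkov
        uses: bridgecrewio/checkov-action@v12   # assumed major tag
        with:
          file: Dockerfile
          framework: dockerfile
          output_format: cli,sarif               # console output plus a SARIF file
          output_file_path: console,results.sarif
          # soft_fail: true  -> findings are warnings, the job continues (demo default)
          # soft_fail: false -> hard-fail, the job stops here and the build never runs
          soft_fail: true

      - name: Upload findings to the Security tab
        if: always()   # upload even when checkov hard-failed the job
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

      # Only reached when the scan passed, or warned with soft_fail enabled.
      - name: Build image
        run: docker build -t "${{ secrets.DOCKER_HUB_USERNAME }}/${{ secrets.REPO_NAME }}:${{ github.ref_name }}" .
```

To switch the demo from warn to block, flip soft_fail to false; the upload step still runs because of if: always(), so blocked builds are still visible in the Security tab.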

Shifting Even Further Left: Checkov Plugin for Microsoft VS Code

For developers aiming to integrate security earlier in the development process, consider the Checkov plugin for Microsoft VS Code.
