Automating Cloud Infrastructure with Checkov 2.0

The Prime View got to sit with Matt Johnson, Developer Advocate at Bridgecrew.io, recently acquired by Palo Alto Networks. We talked about the rise of DevSecOps and the latest updates to the popular open-source project Checkov 2.0.


Matt, in your opinion, why are we seeing a rise in DevSecOps?

Looking at where we are with DevOps, DevSecOps is a natural progression. You cannot realize the value of the productivity gains and the automation with DevOps if you still have a manual process somewhere in the chain before things are all ticked off and ready to go to production. DevOps allows us to deploy hundreds or thousands of times a day into production, but if security is still a manual step that involves something coming out of that automation pipeline, you’re not going to gain the benefits you were hoping for from your DevOps pipeline.

How exactly does Bridgecrew help developers automate security?

The idea behind everything we do at Bridgecrew is “security where code happens”. If there is no API to make security just another first-class citizen of their existing CI/CD pipelines, that’s something manual. And at each stage, Bridgecrew aims to bring virtual security team members to aid and add security features to the existing workflow. We automatically annotate pull requests with comments before the CI pipeline is triggered.

The quickest, non-complicated place to fix an issue is before it gets saved, before it ends up in any git commit.

We’re trying to shift further and further left to make sure that the same policies, the same information that will trigger a pipeline failure or trigger a pull request failure, is actually surfaced to the development team as they’re writing Terraform or Kubernetes manifests. 

Can you tell us about the open-source project Checkov? What were your motives to proceed with an open-source approach, instead of keeping it proprietary?

An open-source tool gives you a certain level of trust. If you are consuming something that is a critical part of your pipeline, a critical part of your security infrastructure, you’d want to know the core components of that and what they are doing.

The days of black-box security are behind us – we pull data sources from all over the place because the more context we have, around a given scenario, the more useful security decisions we can make.

Checkov is open-source because it allows people to go and have a look through what we’re doing. It’s open-source because we have a vast group of developers and collaborators that have given us ideas through contributions and through making edits to suit their own needs, which makes the tools better, and gives us a real insight into how people are trying to use this tool to solve problems in the wild. 

I hear there are major updates and Bridgecrew is announcing Checkov 2.0. Can you tell our listeners what they can expect from this major update?

The main change is that we’ve implemented a graph database for Terraform resources. We’ve implemented it in a way that, as an end-user of Checkov, you don’t need to think about it or know about it. But the benefits are powerful.

Checkov 2.0 allows us not just to write policies against an individual resource – we can write policies that relate to the connections between multiple resources. Now, instead of asking, “Alert me if there are any security groups with an open Internet access rule”, I can say, “Alert me to any VMs which have public-facing connectivity and are connected to a security group with open rules.”

All the existing Checkov policies still run in the same way. We’ve done extensive testing across tens of thousands of public Terraform repos to make sure the outputs between Checkov 1.0 and Checkov 2.0 remain the same for the existing policies. We’re excited to see what the community does with this new rule language.
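To make the difference between the two kinds of policy concrete, here is an added example; it is not Checkov’s own code and does not use Checkov’s policy format. It builds a small resource graph from a hand-constructed fragment shaped like already-parsed Terraform (the attribute names `ingress.cidr_blocks`, `associate_public_ip_address` and `vpc_security_group_ids` are the real AWS provider attributes; the resource names `open_sg`, `private_sg`, `bastion`, `db` and `app` are invented), then runs an attribute-level check (“any security group open to the Internet”) and a connection-aware check (“any public instance attached to such a group”) over the same graph.

```python
"""Toy graph-based IaC scanner: attribute-level vs. connection-aware policies.

Added illustration only; Checkov's real graph and policy engine are not used here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Set, Tuple

# Constructed sample input, approximating the list-of-blocks structure an HCL
# parser produces for Terraform resources. Names are invented for this example.
RESOURCES = [
    {"aws_security_group": {"open_sg": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"aws_security_group": {"private_sg": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                     "cidr_blocks": ["10.0.0.0/8"]}]}}},
    # public instance attached to the open group: the real exposure
    {"aws_instance": {"bastion": {
        "associate_public_ip_address": True,
        "vpc_security_group_ids": ["${aws_security_group.open_sg.id}"]}}},
    # same open group, but the instance has no public address
    {"aws_instance": {"db": {
        "associate_public_ip_address": False,
        "vpc_security_group_ids": ["${aws_security_group.open_sg.id}"]}}},
    # public instance, but only reachable from the private range
    {"aws_instance": {"app": {
        "associate_public_ip_address": True,
        "vpc_security_group_ids": ["aws_security_group.private_sg.id"]}}},
]

# Matches "${type.name.attr}" (HCL1 interpolation) or "type.name.attr" (HCL2).
REF_RE = re.compile(r"(?:\$\{)?([a-z0-9_]+)\.([A-Za-z0-9_-]+)\.[a-z_]+\}?$")


@dataclass
class Graph:
    nodes: Dict[str, dict] = field(default_factory=dict)      # "type.name" -> attributes
    edges: Set[Tuple[str, str]] = field(default_factory=set)  # (referencing, referenced)


def _string_leaves(value) -> Iterator[str]:
    """Yield every string nested anywhere inside a parsed attribute value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _string_leaves(v)
    elif isinstance(value, list):
        for v in value:
            yield from _string_leaves(v)


def build_graph(resources) -> Graph:
    """Nodes are resources; an edge exists wherever one resource references another."""
    g = Graph()
    for block in resources:
        for rtype, instances in block.items():
            for name, attrs in instances.items():
                g.nodes[f"{rtype}.{name}"] = attrs
    for node_id, attrs in g.nodes.items():
        for leaf in _string_leaves(attrs):
            m = REF_RE.match(leaf)
            if m and f"{m.group(1)}.{m.group(2)}" in g.nodes:
                g.edges.add((node_id, f"{m.group(1)}.{m.group(2)}"))
    return g


def sg_is_open(attrs: dict) -> bool:
    """Attribute-level predicate: any ingress rule that admits the whole Internet."""
    return any(cidr in ("0.0.0.0/0", "::/0")
               for rule in attrs.get("ingress", [])
               for cidr in rule.get("cidr_blocks", []))


def check_open_security_groups(g: Graph) -> List[str]:
    """Single-resource policy: each security group is judged in isolation."""
    return sorted(n for n, a in g.nodes.items()
                  if n.startswith("aws_security_group.") and sg_is_open(a))


def check_public_instances_with_open_sg(g: Graph) -> List[str]:
    """Connection-aware policy: instance is public AND attached to an open group."""
    findings = []
    for node_id, attrs in g.nodes.items():
        if not node_id.startswith("aws_instance."):
            continue
        if not attrs.get("associate_public_ip_address", False):
            continue
        attached = [dst for src, dst in g.edges
                    if src == node_id and dst.startswith("aws_security_group.")]
        if any(sg_is_open(g.nodes[sg]) for sg in attached):
            findings.append(node_id)
    return sorted(findings)


if __name__ == "__main__":
    graph = build_graph(RESOURCES)
    print("open security groups:", check_open_security_groups(graph))
    print("public instances on open groups:", check_public_instances_with_open_sg(graph))
```

The first check flags `aws_security_group.open_sg` and stops there; the second walks the edges and reports only `aws_instance.bastion`, because `db` is attached to the open group but has no public address and `app` is public but only attached to the private group. That narrowing from “a group is misconfigured” to “this machine is actually reachable” is what the graph buys you.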

What if a company like Terraform decides to include misconfiguration detection and compliance auditing features in their products? Do you think it’s a risk for Bridgecrew’s business, and how can you mitigate it?

My honest opinion is that it’s a better-together story. We already do quite a lot of work with HashiCorp Terraform as partners. We have a Bridgecrew integration and did a webinar with HashiCorp to show how you could fit Bridgecrew scanning into an automated part of your Terraform Cloud pipeline and pull the results back into the Terraform security reports. They may have their own security scanning tools, but security is all about as much context as possible.

Recently, Palo Alto Networks acquired Bridgecrew. Can you envision how this acquisition will impact the product development and innovations in the cloud security domain?

I’m seeing a fundamental understanding of and commitment to getting open-source tools further and further into developers’ hands, and a commitment to improving IDE integrations. Despite being a large organization, Palo Alto Networks is still very much functioning as a startup – everything is very flat and execution-focused.

Checkov Highlights

● Checkov has been downloaded over a million times since the project launched in December 2019, and today adds over 200 new policies, making it the most robust open-source IaC scanner available.

● Checkov 2.0’s new graph-based framework enables dependency-aware infrastructure as code (IaC) scanning in complex, distributed environments.

Matt, thanks for the in-depth conversation. We hope Checkov 2.0 will get many new adopters in the dev community.

Stay tuned for more great interviews coming your way!