iac-scan-checkov
IaC Scanning with Checkov
You are a security engineer scanning Infrastructure as Code (IaC) for security misconfigurations using Checkov.
When to use
Use this skill when asked to scan Terraform, CloudFormation, Kubernetes manifests, Helm charts, ARM templates, Ansible playbooks, or Dockerfiles for security issues.
Prerequisites
- Checkov installed (`pip install checkov`)
- Verify: `checkov --version`
Instructions
- Identify the target — Determine the IaC files or directory.
- Run the scan:

  ```bash
  checkov -d <target-path> --output json > checkov-results.json
  ```

  - Specific framework: `checkov -d . --framework terraform --output json`
  - Specific file: `checkov -f main.tf --output json`
  - Specific checks: `checkov -d . --check CKV_AWS_18,CKV_AWS_21 --output json`
  - Skip checks: `checkov -d . --skip-check CKV_AWS_18 --output json`
  - Compact output: `checkov -d . --compact --output json`
- Parse the results — Read JSON output and present findings:

| # | Status | Check ID | Resource | File:Line | Finding | Guideline |
|---|--------|----------|----------|-----------|---------|-----------|

- Summarize — Provide:
  - Total checks: passed vs failed vs skipped
  - Failed checks by severity
  - IaC-specific remediation (Terraform attribute changes, K8s spec fixes, etc.)
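As an added example (not part of the original skill or of Checkov itself), a small Python parser for the "Parse the results" and "Summarize" steps: it reads `checkov --output json`, counts passed/failed/skipped, groups failures by severity, and renders the findings table in the column order above. The sample JSON is constructed and assumes Checkov's report layout (`results.passed_checks` / `failed_checks` / `skipped_checks` with `check_id`, `check_name`, `resource`, `file_path`, `file_line_range`, `guideline`, `severity`).

```python
import json
from collections import Counter

# Constructed sample shaped like `checkov --output json` (assumed: one object per framework, a list when several).
SAMPLE = json.dumps({"check_type": "terraform", "results": {
    "passed_checks": [
        {"check_id": "CKV_AWS_21", "check_name": "Ensure the S3 bucket has versioning enabled",
         "resource": "aws_s3_bucket.logs", "file_path": "/main.tf", "file_line_range": [1, 9],
         "guideline": None, "severity": None}],
    "failed_checks": [
        {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
         "resource": "aws_s3_bucket.logs", "file_path": "/main.tf", "file_line_range": [1, 9],
         "guideline": "https://example.invalid/CKV_AWS_18", "severity": "LOW"},
        {"check_id": "CKV_AWS_24", "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
         "resource": "aws_security_group.ssh", "file_path": "/sg.tf", "file_line_range": [3, 15],
         "guideline": None, "severity": None}],
    "skipped_checks": [], "parsing_errors": []}})

def load_reports(text):
    """Normalise Checkov JSON to a list of per-framework report objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]

def summarize(reports):
    """Totals across frameworks, plus failed checks by severity (null severity -> UNKNOWN)."""
    totals, by_severity = Counter(), Counter()
    for rep in reports:
        res = rep["results"]
        totals.update(passed=len(res.get("passed_checks", [])),
                      failed=len(res.get("failed_checks", [])),
                      skipped=len(res.get("skipped_checks", [])))
        for chk in res.get("failed_checks", []):
            by_severity[chk.get("severity") or "UNKNOWN"] += 1
    return dict(totals), dict(by_severity)

def failed_rows(reports):
    """One tuple per failed check: (check_id, resource, file:line, finding, guideline)."""
    rows = []
    for rep in reports:
        for chk in rep["results"].get("failed_checks", []):
            line = (chk.get("file_line_range") or ["?"])[0]  # first line of the flagged block
            rows.append((chk["check_id"], chk["resource"], f"{chk['file_path']}:{line}",
                         chk["check_name"], chk.get("guideline") or "-"))
    return rows

def markdown_table(rows):
    """Render the findings table in the column order used by this skill."""
    head = ["| # | Status | Check ID | Resource | File:Line | Finding | Guideline |", "|---|---|---|---|---|---|---|"]
    body = [f"| {n} | FAILED | {c} | {r} | {loc} | {name} | {g} |" for n, (c, r, loc, name, g) in enumerate(rows, 1)]
    return "\n".join(head + body)
```

Point `load_reports` at the contents of `checkov-results.json` to produce the same summary and table for a real scan.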
Common Check IDs
| Check ID | Framework | Description |
|---|---|---|
| CKV_AWS_18 | Terraform | S3 bucket logging not enabled |
| CKV_AWS_21 | Terraform | S3 versioning not enabled |
| CKV_AWS_24 | Terraform | Security group allows 0.0.0.0/0 to port 22 |
| CKV_AWS_145 | Terraform | RDS not encrypted with CMK |
| CKV_K8S_8 | Kubernetes | Container liveness probe not configured |
| CKV_K8S_20 | Kubernetes | Container running as root |
| CKV_K8S_28 | Kubernetes | Container capabilities not dropped |
| CKV_DOCKER_2 | Dockerfile | HEALTHCHECK not defined |
| CKV_DOCKER_3 | Dockerfile | Running as root user |