Add Checkov to Prisma Cloud Code Security

Integrating Checkov with Prisma Cloud lets Prisma Cloud Code Security scan your infrastructure-as-code files, such as Terraform and CloudFormation, report any misconfigurations it finds on the console, and fail the build when they are present. For more on Checkov, see Checkov. As a prerequisite, ensure the Prisma Cloud IP addresses are on the allow list for Code Security. For details, see enable access to the Prisma Cloud IP addresses and hosts.
  1. Install Checkov using the CLI command that the Prisma Cloud console provides.
    1. Select Settings > Repositories > Add repository and then select Checkov.
    2. Select a program to install Checkov and then copy the command to your command line to run the Checkov installation.
      You can choose between Python (pip), Python3 (pip3) and Homebrew (if you are on macOS). For additional ways to install Checkov, see here.
      Checkov requires Python version 3.8 - 3.10.
    3. Select Next.
  2. Configure the directory and repository to scan.
    1. Add the Directory and Repository ID to scan and then select Next.
      Optionally, you can add a specific Branch of the repository that hosts the directory. If no branch is specified, Code Security scans the master branch of the repository.
  3. Trigger a Checkov run from the CLI.
    1. Copy and paste the command to your command line to trigger a Checkov run, and then select Done.
      Your configured Checkov repositories appear under Repositories in the CI/CD Systems view.
      After your next Checkov scan, view the scan results on Code Security > Projects in the CI/CD Runs view.

General Patterns for Using Checkov

When using Checkov in a pipeline or locally, the following commands and environment variables are the ones to start with.

Command                  Description
-d <dir> / -f <file>     Specifies the directory or files to be scanned.
PRISMA_API_URL           An environment variable that indicates the API URL for your stack. See here for the URL, or copy it from the Checkov wizard.
BC_API_KEY               An environment variable holding your Prisma Cloud credentials, in the form accesskey::secretkey.

For more Checkov CLI commands, see the CLI reference.
The following example scans the current directory, synchronizes results with the tenant on the App2 stack (PRISMA_API_URL set to https://api2.prismacloud.io), tags the run with repository ID org/repo (--repo-id org/repo), and applies the thresholds configured in Enforcement (--use-enforcement-rules):
  export PRISMA_API_URL=https://api2.prismacloud.io
  export BC_API_KEY=prismaaccesskey::prismasecretkey
  checkov -d . --repo-id org/repo --use-enforcement-rules
For Windows (Command Prompt), use:
  set PRISMA_API_URL=https://api2.prismacloud.io
  set BC_API_KEY=prismaaccesskey::prismasecretkey
  checkov -d . --repo-id org/repo --use-enforcement-rules
In PowerShell, assign the variables with $env:PRISMA_API_URL = "..." and $env:BC_API_KEY = "..." instead of set. BC_API_KEY is a credential: in a pipeline, inject it from the CI system's secret store rather than writing it into a script, and avoid typing it on an interactive command line, where it is recorded in shell history.
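The following script is an added example and is not part of the Prisma Cloud documentation or the Checkov project. It wraps the three-step procedure above (install check, repository configuration, triggering the run) and the command line shown in this section into one CI step: it verifies the prerequisites the page lists (Python 3.8 - 3.10, PRISMA_API_URL and BC_API_KEY present), builds the same checkov invocation (-d, --repo-id, --use-enforcement-rules, plus --branch and output options from the Checkov CLI), and turns Checkov's exit status into a build pass or fail. The function names, the REPO_ID variable, the checkov-results output path and the file name checkov-ci.sh are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the Prisma Cloud documentation: a CI wrapper for the
# Checkov run configured in the steps above. Function names, REPO_ID and the
# file name checkov-ci.sh are assumptions made for this example.
set -eu

# The page states Checkov needs Python 3.8 - 3.10. Takes "major.minor[.patch]";
# returns 0 when the version is in that range, 1 otherwise.
python_version_supported() {
  local major="${1%%.*}" minor="${1#*.}"
  minor="${minor%%.*}"
  [ "$major" = 3 ] && [ "$minor" -ge 8 ] && [ "$minor" -le 10 ]
}

# BC_API_KEY has the form accesskey::secretkey. Reject a key missing either
# half so the mistake surfaces here rather than as an opaque HTTP 401 later.
validate_api_key() {
  case "${1-}" in
    *::*) [ -n "${1%%::*}" ] && [ -n "${1#*::}" ] ;;
    *) return 1 ;;
  esac
}

# --repo-id must match the Repository ID (org/repo) entered in the wizard, or
# the results land under the wrong repository in the console. Prefer an
# explicit REPO_ID; otherwise fall back to the CI system's own variable.
resolve_repo_id() {
  if [ -n "${REPO_ID-}" ]; then printf '%s\n' "$REPO_ID"
  elif [ -n "${GITHUB_REPOSITORY-}" ]; then printf '%s\n' "$GITHUB_REPOSITORY"
  elif [ -n "${CI_PROJECT_PATH-}" ]; then printf '%s\n' "$CI_PROJECT_PATH"
  else return 1
  fi
}

# Emit the checkov arguments, one per line. --branch defaults to master, which
# is also what Code Security scans when no branch is set in the wizard. The
# cli output goes to the job log, the JUnit XML to the checkov-results path.
build_checkov_args() {
  local dir="$1" repo_id="$2" branch="${3:-master}"
  printf '%s\n' -d "$dir" --repo-id "$repo_id" --branch "$branch" \
    --use-enforcement-rules --framework terraform cloudformation \
    -o cli -o junitxml --output-file-path console,checkov-results
}

run_scan() {
  local dir="${1:-.}" branch="${2:-master}" repo_id pyver rc=0

  pyver="$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])')"
  python_version_supported "$pyver" || { echo "unsupported Python $pyver" >&2; return 2; }
  command -v checkov >/dev/null || { echo "checkov not on PATH; run the install step" >&2; return 2; }

  # Credentials come from the environment (the CI secret store), never from
  # the command line, so they do not end up in the job log or shell history.
  [ -n "${PRISMA_API_URL-}" ] || { echo "set PRISMA_API_URL to your stack's API URL" >&2; return 2; }
  validate_api_key "${BC_API_KEY-}" || { echo "BC_API_KEY must be accesskey::secretkey" >&2; return 2; }
  repo_id="$(resolve_repo_id)" || { echo "set REPO_ID=org/repo" >&2; return 2; }

  # checkov reads PRISMA_API_URL and BC_API_KEY itself, so only scan arguments
  # are passed. Word splitting is intended: the arguments contain no whitespace
  # (directory paths with spaces are not supported by this wrapper).
  # shellcheck disable=SC2046
  set -- $(build_checkov_args "$dir" "$repo_id" "$branch")
  checkov "$@" || rc=$?

  # Exit 1 means at least one check failed under the Enforcement thresholds;
  # any other non-zero status is a tool or upload error, which should also
  # stop the pipeline rather than silently pass.
  case "$rc" in
    0) echo "checkov: $repo_id@$branch passed enforcement thresholds" ;;
    1) echo "checkov: $repo_id@$branch has failing checks; failing the build" >&2 ;;
    *) echo "checkov: tool error (exit $rc)" >&2 ;;
  esac
  return "$rc"
}

# Run the scan only when executed as checkov-ci.sh; when sourced under another
# name this file just defines the functions above.
case "${0##*/}" in checkov-ci.sh) run_scan "$@" ;; esac
```

Invoke it from the pipeline as `checkov-ci.sh [directory] [branch]` with PRISMA_API_URL, BC_API_KEY and REPO_ID exported from the CI secret and variable store; the script's exit status is Checkov's, so the job fails exactly when the Enforcement thresholds configured in the console are exceeded.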
