Add Checkov to Prisma Cloud Code Security
Integrating Prisma Cloud with Checkov makes it possible for Prisma Cloud Code Security to scan your infrastructure-as-code files, such as Terraform and CloudFormation, display the errors on the console, and fail the build when it identifies any misconfigurations.
To learn more, see Checkov.
As a prerequisite, ensure that the Prisma Cloud IP addresses are on the allow list for Code Security. For more details, see Enable access to the Prisma Cloud IP addresses and hosts.
- Install Checkov using the CLI command that the Prisma Cloud console provides.
  - Select Settings > Repositories > Add repository, and then select Checkov.
  - Select a program to install Checkov, and then copy the command to your command line to run the Checkov installation. You can choose between Python (pip), Python3 (pip3) and Homebrew (if you are on macOS). For additional ways to install Checkov, see here. Checkov requires Python version 3.8 - 3.10.
  - Select Next.
- Configure the directory and repository to scan.
  - Add the Directory and Repository ID to scan, and then select Next. Optionally, you can add a specific Branch of the repository that hosts the directory. If no branch is specified, Code Security scans the master branch of the repository.
- Trigger a Checkov run from the CLI.
  - Copy and paste the command to your command line to trigger a Checkov run, and then select Done. Your configured Checkov repositories appear under Repositories in the CI/CD Systems view. After your next Checkov scan, view the scan results under Code Security > Projects in the CI/CD Runs view.
General Patterns for Using Checkov
Whether you run Checkov in a pipeline or locally, the following commands and environment variables are useful to get started.

Command | Description
---|---
`-d` / `-f` | Specifies the directory or files to be scanned.
`PRISMA_API_URL` | An environment variable that indicates the API URL for your stack. See here for the URL, or copy it from the Checkov wizard.
`BC_API_KEY` | An environment variable for your Prisma Cloud credentials.
For more Checkov CLI commands, see CLI reference.
In this example, Checkov is configured to scan the root directory, synchronize results with the tenant in the App2 stack, identify the repository as org/repo (`--repo-id org/repo`), and apply the thresholds defined in Enforcement (`--use-enforcement-rules`):

```
export PRISMA_API_URL=https://api2.prismacloud.io
export BC_API_KEY=prismaaccesskey::prismasecretkey
checkov -d . --repo-id org/repo --use-enforcement-rules
```
For Windows, use:

```
set PRISMA_API_URL=https://api2.prismacloud.io
set BC_API_KEY=prismaaccesskey::prismasecretkey
checkov -d . --repo-id org/repo --use-enforcement-rules
```
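A pipeline wrapper around the Linux command above, written here as an added example rather than Prisma Cloud's own script. It checks that `PRISMA_API_URL` and `BC_API_KEY` are present and well-formed before the scan runs, logs the command with the key redacted, and turns Checkov's exit status into a build pass/fail. The `CHECKOV_BIN` override and the function names are this example's own assumptions, not Checkov options.

```shell
#!/bin/sh
# CI gate for the Checkov scan shown above (added example, not Prisma Cloud's code).
# Assumption: CHECKOV_BIN may point at an alternative binary (used by tests to
# substitute a stub); it defaults to the real "checkov" on PATH.

# Check the Prisma Cloud environment without ever printing the credential.
# The page shows BC_API_KEY in "accesskey::secretkey" form, so we require the
# "::" separator. Returns 1 when a variable is missing or malformed.
validate_prisma_env() {
  if [ -z "${PRISMA_API_URL:-}" ]; then
    echo "PRISMA_API_URL is not set (see the Checkov wizard for your stack URL)" >&2
    return 1
  fi
  case "${BC_API_KEY:-}" in
    *::*) ;;
    *)
      echo "BC_API_KEY must be set in accesskey::secretkey form" >&2
      return 1 ;;
  esac
  return 0
}

# Run Checkov against a directory and fail the build on findings.
# Usage: run_checkov_gate <scan_dir> <repo_id>
# Returns 0 on a clean scan, 1 when Checkov reports violations, 2 on bad config.
run_checkov_gate() {
  scan_dir="$1"
  repo_id="$2"
  validate_prisma_env || return 2
  # Log what runs, with the secret redacted; the key reaches Checkov only via env.
  echo "checkov -d $scan_dir --repo-id $repo_id --use-enforcement-rules (BC_API_KEY=****)" >&2
  if "${CHECKOV_BIN:-checkov}" -d "$scan_dir" --repo-id "$repo_id" --use-enforcement-rules; then
    echo "Checkov passed: no violations above the Enforcement threshold" >&2
    return 0
  else
    echo "Checkov failed: misconfigurations found, failing the build" >&2
    return 1
  fi
}
```

Call `run_checkov_gate . org/repo` as the last step of the CI job so that a non-zero return stops the pipeline.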