Add Checkov to Prisma Cloud Code Security
Integrating Prisma Cloud with Checkov makes it possible for Prisma Cloud Code Security to scan your infrastructure as code files (Terraform and CloudFormation), display Incidents on the Console and, optionally, cause a build to fail.
For more details, see Checkov.
As a prerequisite, you must be sure you can access the Prisma Cloud IP addresses and hostname for Code Security. If the Prisma Cloud IP addresses are blocked, add them to an allow list and enable access to the Prisma Cloud IP addresses and hosts.
- Select Settings > Repositories > Add repository > Checkov.
- Install Checkov by choosing Python (pip) or Python3 (pip3), copy the corresponding command to your command line, then select Next. Checkov requires Python version 3.8 - 3.10.
- Enter the Directory and Repository ID to scan, and select Next. You can optionally add the Branch details; if a target branch is not specified, Code Security scans the master branch. You can use the wizard to generate a command to run in your CLI tool for Checkov's most common use case.
- Copy the provided command to your command line and trigger Checkov, then select Done. Your configured Checkov repositories will appear on the Repositories page. On your next Checkov scan, the scan results will include the newly configured repositories. Access Code Security to view the scan results.
General Patterns for Using Checkov
When using Checkov in a pipeline or locally, here are some useful commands to get started:
- -d <directory> or -f <filepath> to indicate the directory or files to be scanned.
- --prisma-api-url <Prisma Stack API URL> or PRISMA_API_URL=<Prisma Stack API URL> as an environment variable to indicate the API URL for your stack. The URL can be found here or in the Checkov wizard.
- --bc-api-key <PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY> or BC_API_KEY=<PRISMA_ACCESS_KEY::PRISMA_SECRET_KEY> as an environment variable for your Prisma Cloud credentials.
For more CLI commands, refer to the CLI reference.
The following example shows how to configure Checkov to scan the root directory, synchronize results with the tenant in the App2 stack, give it the repository ID org/repo, and use the Enforcement rule settings from the platform for thresholds:
export PRISMA_API_URL=https://api2.prismacloud.io
export BC_API_KEY=prismaaccesskey::prismasecretkey
checkov -d . --repo-id org/repo --use-enforcement-rules
For Windows, use:
set PRISMA_API_URL=https://api2.prismacloud.io
set BC_API_KEY=prismaaccesskey::prismasecretkey
checkov -d . --repo-id org/repo --use-enforcement-rules
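As an added example (not from the Prisma Cloud documentation or the Checkov project), the following POSIX shell wrapper checks the prerequisites this page lists (supported Python version, PRISMA_API_URL set, BC_API_KEY in ACCESS_KEY::SECRET_KEY form) before running the command above in a CI job, so that a failed scan fails the build. The SCAN_DIR, REPO_ID, BRANCH and RUN_CHECKOV_SCAN variables and all function names are this example's own conventions.

```shell
#!/bin/sh
# Added CI wrapper (not from the Prisma Cloud docs or the Checkov project).
# It checks the prerequisites named on this page before invoking Checkov.
# SCAN_DIR, REPO_ID, BRANCH, RUN_CHECKOV_SCAN and all function names are
# this example's own conventions, not Checkov or Prisma Cloud settings.

# Checkov requires Python 3.8 - 3.10; accept "X.Y" or "X.Y.Z" in that range.
python_version_supported() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" = "3" ] && [ "$minor" -ge 8 ] && [ "$minor" -le 10 ]
}

# BC_API_KEY must be exactly two non-empty parts joined by "::"; a mis-pasted
# key then fails here with a clear message instead of an opaque auth error.
validate_bc_api_key() {
    access=${1%%::*}
    secret=${1#*::}
    [ "$access" != "$1" ] || return 1      # no "::" separator at all
    [ -n "$access" ] && [ -n "$secret" ] || return 1
    case "$secret" in *::*) return 1 ;; esac
    return 0
}

# Assemble the command line from the flags described above. Credentials stay in
# the environment (Checkov reads PRISMA_API_URL and BC_API_KEY), so the printed
# command never contains the secret and can be echoed into CI logs.
build_checkov_cmd() {
    cmd="checkov -d $1 --repo-id $2 --use-enforcement-rules"
    if [ -n "$3" ]; then
        cmd="$cmd --branch $3"     # otherwise Code Security scans master
    fi
    printf '%s' "$cmd"
}

run_scan() {
    py=$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])') || return 2
    python_version_supported "$py" || { echo "Checkov needs Python 3.8-3.10, found $py" >&2; return 2; }
    [ -n "${PRISMA_API_URL:-}" ] || { echo "PRISMA_API_URL is not set" >&2; return 2; }
    validate_bc_api_key "${BC_API_KEY:-}" || { echo "BC_API_KEY must be ACCESS_KEY::SECRET_KEY" >&2; return 2; }
    [ -n "${REPO_ID:-}" ] || { echo "REPO_ID (e.g. org/repo) is not set" >&2; return 2; }
    cmd=$(build_checkov_cmd "${SCAN_DIR:-.}" "$REPO_ID" "${BRANCH:-}")
    echo "Running: $cmd"
    $cmd    # word splitting intended; Checkov's non-zero exit fails the build
}
# Only scan when explicitly asked, so sourcing this file for its functions is safe.
if [ "${RUN_CHECKOV_SCAN:-0}" = "1" ]; then
    run_scan
fi
```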