Add Checkov to Prisma Cloud Application Security


Integrating Prisma Cloud with Checkov lets Prisma Cloud Application Security scan your infrastructure-as-code files, such as Terraform and CloudFormation templates, report the findings on the console, and fail the build when it identifies misconfigurations. To learn more, see Checkov. As a prerequisite, ensure that the Prisma Cloud IP addresses are on the allow list for Application Security. For details, see Enable access to the Prisma Cloud IP addresses and hosts.
  1. Install Checkov using the CLI command that the Prisma Cloud console provides.
    1. Select Settings > Repositories > Add repository and then select
    2. Select a program to install Checkov and then copy the command to your command line to run the Checkov installation.
      You can choose between Python (pip), Python3 (pip3) and Homebrew (if you are on Mac OS). For additional ways to install Checkov, see here.
      Checkov requires Python version 3.8 - 3.10.
    3. Select
  2. Configure the directory and repository to scan.
    1. Add the Repository ID to scan and then select
      Optionally, you can add a specific branch of the repository that hosts the directory. If a branch is not specified, Application Security scans the master branch of the repository.
  3. Trigger a Checkov run from the CLI.
    1. Copy and paste the command into your command line to trigger a Checkov run, and then select
      Your configured Checkov repositories will appear under CI/CD Systems. On your next Checkov scan, view the scan results on Application Security > Projects and on CI/CD Runs.

General Patterns for Using Checkov

When using Checkov in a pipeline or locally, the following options and environment variables (all used in the example below) are the ones you need to get started.
  -d: Specifies the directory or files to be scanned.
  PRISMA_API_URL: An environment variable that sets the API URL for your stack. See here for the URL, or take it from the Checkov wizard.
  BC_API_KEY: An environment variable that holds your Prisma Cloud credentials (access key and secret key).
For more Checkov CLI commands, see the CLI reference.
In this example, Checkov scans the repository root directory (the current directory, -d .), synchronizes the results with the tenant in the App2 stack, reports under the repository ID org/repo (--repo-id org/repo), and uses Enforcement rules to set the failure thresholds (--use-enforcement-rules).
  export PRISMA_API_URL=https://api2.prismacloud.io
  export BC_API_KEY=prismaaccesskey::prismasecretkey
  checkov -d . --repo-id org/repo --use-enforcement-rules
For Windows, use:
  set PRISMA_API_URL=https://api2.prismacloud.io
  set BC_API_KEY=prismaaccesskey::prismasecretkey
  checkov -d . --repo-id org/repo --use-enforcement-rules
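As an added example that is not part of the Prisma Cloud documentation, the following POSIX shell wrapper turns the command above into a pipeline step: it checks the shape of PRISMA_API_URL and BC_API_KEY before running, logs the command without the key, and fails the build when checkov exits non-zero. The function names and the https-only URL check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud documentation): a small CI wrapper
# around the checkov invocation shown above. It refuses to run with a malformed
# PRISMA_API_URL or BC_API_KEY, logs the exact command without echoing the key,
# and fails the pipeline step when checkov exits non-zero.
# Assumption: BC_API_KEY is injected by the CI system as a masked secret.

# BC_API_KEY must look like "accesskey::secretkey"; reject an empty half or a
# second "::" separator. Returns 0 when the shape is valid, 1 otherwise.
validate_bc_api_key() {
    case "$1" in
        ""|::*|*::|*::*::*) return 1 ;;
        *::*)               return 0 ;;
        *)                  return 1 ;;
    esac
}

# PRISMA_API_URL must be the https endpoint of a Prisma Cloud stack; a plain
# http URL would send the API key in the clear. Returns 0 when acceptable.
validate_api_url() {
    case "$1" in
        https://*.prismacloud.io) return 0 ;;
        *)                        return 1 ;;
    esac
}

# Build the checkov argument list as one line so the pipeline log shows what
# ran. Only the directory and repo id are included, never the key.
checkov_args() {
    printf '%s\n' "-d $1 --repo-id $2 --use-enforcement-rules"
}

# Pipeline entry point: run_scan <directory> <repo-id>. Returns 2 on a
# configuration problem, otherwise checkov's own exit status (non-zero means
# the Enforcement thresholds were exceeded and the build must not proceed).
run_scan() {
    dir="${1:-.}"; repo_id="${2:?usage: run_scan <directory> <repo-id>}"
    validate_api_url "${PRISMA_API_URL:-}" ||
        { echo "PRISMA_API_URL is unset or not an https prismacloud.io URL" >&2; return 2; }
    validate_bc_api_key "${BC_API_KEY:-}" ||
        { echo "BC_API_KEY is unset or not in accesskey::secretkey form" >&2; return 2; }
    command -v checkov >/dev/null 2>&1 ||
        { echo "checkov is not installed (pip3 install checkov)" >&2; return 2; }
    echo "running: checkov $(checkov_args "$dir" "$repo_id")"
    # shellcheck disable=SC2046  # intentional word splitting of the logged args
    checkov $(checkov_args "$dir" "$repo_id")
}
```

Call `run_scan . org/repo` from the pipeline step after exporting the two variables; the step's exit status is checkov's, so a violation above the Enforcement threshold stops the build.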
