Feature | New security & cost analysis in the CI PR automated process

[exequielrafaela]

What?

Test and integrate via dockerized Makefile cmds (https://github.com/binbashar/le-tf-infra-aws/blob/master/%40bin/makefiles/terraform12/Makefile.terraform12-cont) new security analysis in the CI PR automated process

Possible tools:

🔒 Infra Security

• ✅ https://github.com/liamg/tfsec (DONE)
  • https://github.com/binbashar/le-tf-infra-aws/security/code-scanning
• ✅ https://github.com/awslabs/git-secrets (DONE)
  • https://www.gitguardian.com/
  • https://github.com/binbashar/le-tf-infra-aws/security/secret-scanning

💰 Cost

• ✅ https://github.com/infracost/infracost (DONE)
  • ref architecture partially implement it

🤖 Terraform Policy as Code Enginer

• https://github.com/bridgecrewio/checkov

Why?

• Makefile + CI Static analysis of your terraform templates to spot potential security issues.
• Checks for sensitive data inclusion in AWS provider.
• Checks for violations of AWS security best practice recommendations.
• Scans modules (currently only local modules are supported).
• Evaluates expressions as well as literal values.
• Compliance: Ensure the implemented code is following security standards, your own custom standards
• Behavior driven development: We have BDD for nearly everything, why not for IaC ?
• Portable: just install it from pip or run it via docker.
• pre-deploy: it validates your code before it is deployed
• Easy to integrate: it can run in your pipeline (or in git hooks) to ensure all deployments are validated.
• Segregation of duty: you can keep your tests in a different repository where a separate team is responsible.
• Built-in policies cover security and compliance best practices for AWS.
• Scans for AWS credentials in EC2 Userdata, Lambda environment variables and Terrafrom providers
• Policies support evaluation of variables to their optional default value.
• Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures.
• Have cloud cost estimates for Terraform projects. It helps developers, devops and others to quickly see the cost breakdown and compare different options upfront.

Read More

• https://revolgy.com/blog/complete-guide-for-picking-the-right-tool-for-terraform-security-code-analysis/

Other References

• https://github.com/Skyscanner/whispers
• https://github.com/zricethezav/gitleaks
• https://github.com/Cigna/confectionery
• https://github.com/eerkunt/terraform-compliance
• https://airiam.io/
• https://bridgecrew.io/blog/announcing-yor-open-source-iac-tag-trace-cloud-resources/

[exequielrafaela]

@diego-ojeda-binbash I'll create a new issue for:

🤖 Terraform Policy as Code Engine => https://github.com/bridgecrewio/checkov

And I'll close this one 🤝 ✅

[exequielrafaela]

@eze-godoy https://binbashar.slack.com/archives/GG0PJ78J3/p1704206648284529

[exequielrafaela]

@eze-godoy ,

Regarding the integration of Checkov as discussed, in case a project request it we can start with a minimal setup in one of the layers to iterate in the future as project-specific security needs evolve. In the time being we'll close this issue.

---

Here’s a brief plan in case the need arises:

1. Initial Integration: Let's incorporate a basic Checkov scan into our GitHub Actions, focusing on high-priority security rules based on the implementation we've already done:

   • https://github.com/binbashar/terraform-aws-tfstate-backend/blob/master/.github/workflows/ci.yaml
   • https://github.com/binbashar/terraform-aws-tfstate-backend/blob/master/.checkov.yml

2. Iterative Enhancement: We will assess the initial results and refine the setup in future iterations, expanding the ruleset and integration points based on our findings and requirements.

3. Documentation and Tracking: Update the README.md CI documentation to reflect the Checkov integration steps and results interpretation.