When Palo Alto Networks (PANW) acquired Bridgecrew, the aim was to enable “shift left” security, with Prisma Cloud becoming the first cloud security platform to deliver security across the full application lifecycle. Now, with the release of Smart Fixes, it’s easier to see why PANW paid about $156 million for Bridgecrew.
Bridgecrew’s main product is the open source, static code analysis Infrastructure as Code (IaC) scanner, Checkov. With it, you scan cloud infrastructure provisioned by Terraform, Terraform plan, Cloudformation, AWS SAM, Kubernetes, Dockerfile, Serverless, or ARM Templates. It then detects security and compliance misconfigurations using a graph-based approach.
Finding IaC Policy Violations
Smart Fixes takes this forward to the next step by integrating with the Bridgecrew cloud security platform. There, it looks for IaC policy violations in your cloud code. It then offers suggestions for fixes.
It does this by automatically tracking previous code changes that fixed a policy violation. If Smart Fixes finds that these same code repairs happen, again and again, it will start suggesting these repairs any time it finds other such violations. Smart Fixes’ algorithm gets out of your way by only making suggestions when a code change occurs over three times.
Or, as Tohar Zand, PANW Product Manager put it, “At Bridgecrew, we believe that security needs to follow the SRE best practice of automating away toil or unnecessary manual tasks. This helps improve code quality, removes human error, and increases productivity.”
Built-in Fix Suggestions
How? Bridgecrew argues that “One of the biggest drains on productivity is breaking out of a flow to manually research how to fix a problem.” They’ll get no argument from me on that score.
Then, given that many developers know little about security, Bridgecrew builds-in hundreds of fix suggestions into its IDE plugins, as pull request comments, and in its integrated GitHub platform. The point is you can find the solution to a policy violation without leaving your tools.
That’s good as far as it goes. Smart Fixes take it one step further. Instead of providing general fixes, it watches over your programming to spot your development team’s common problems and automatically provides the fix. For example, if you consistently mis-key the IP addresses for SSH from your bastion hosts or the same encryption key to encrypt databases, it will pull up the correct addresses or encryption keys. Having made more than my fair share of typos, I appreciate this service.
Automatically Track Code Changes
Specifically, it automatically tracks code changes — such as adds, removes, and changes — that fixes a policy violation. If the same change occurs over three times and is deployed more often than 20% of the time, Smart Fixes will suggest that change when it appears again. In other words, you create your own “Smart Fixes” with no manual intervention.
When you apply a Smart Fix, Bridgecrew opens a pull request to your version control system (VCS). Then, you can make any additional reviews before committing and ultimately deploying the code changes to your project.
Smart Fixes Availability
For now, Smart Fixes is only available now on Bridgecrew’s Projects page. It will soon be available in Bridgecrew’s other integrations. Additionally, PANW will add Smart Fixes to multiple repos and complex remediation Smart Fixes (remediations that require multiple resource changes) in the coming weeks.
This sounds promising to me. And, given Chekov’s success, over 4-million downloads and counting, I’d check it out. Smart Fixes’ code, however, isn’t available at this time. Eventually, it will be open sourced. For now, to use it you’ll need to subscribe to either Bridgecrew Standard, $99 a month, or Bridgecrew Premium, $999 a month. You can also kick Bridgecrew and Smart Fixes’ tires for free for two weeks.