Bridgecrew’s Checkov Extension: ‘Far-Left’ Automated Security
Bridgecrew, the DevSecOps company that Palo Alto Networks recently agreed to acquire, has expanded its Checkov security tool to scan code and applications from the very beginning of the development cycle.
With its new Visual Studio Code (VS Code) extension, Checkov will automatically prompt the developer if code does not meet policy requirements, is misconfigured or demonstrates other security anomalies, the company claims. Bridgecrew says these automated notifications reach developers at the “earliest possible moment,” while they are writing code on their own machines before it is uploaded to git, for example.
In this way, the VS Code extension alleviates many bottlenecks and points of friction that happen downstream from the point a developer is coding, said Barak Schoster, chief technology officer and co-founder of Bridgecrew.
“Assuming you do have Infrastructure-as-Code scanning and/or cloud security monitoring in place upstream — such as pull requests, CI/CD and runtime — infrastructure misconfigurations and policy violations eventually make their way back to the developer one way or another. So, the question becomes: How do developers want to spend their time?,” asked Schoster. “I can tell you that it’s not re-running builds after they fail or combing through JIRA tickets and log files. So, in a way, this is a productivity solution as much as it is a security one.”
Without the extension, the scan stops at the pre-commit phase while the extension offers scanning “directly at the time of code in the IDE,” said Schoster.
Bridgecrew’s Checkov code scanning can thus be embedded into pull request checks, the test-and-build phases of CI/CD pipelines and can also scan locally at the pre-commit, Schoster said. “That is as ‘far left’ that Checkov can go,” Schoster said. “At pre-commit, code is still on a local workstation and has not yet been integrated into a shared repository, but scanning at this phase requires manual, ad hoc triggering of scans within the command line.”
Far Right Updates Too
New vulnerabilities surface and other factors arise, of course, so that bad code might in some cases get deployed after being properly scanned at the beginning of the production cycle. While describing the VS Code extension as “sort of like the last missing puzzle piece in Bridgecrew’s platform and suite of dev tools” and in the context of IaC, the extension continues to scan the same code as it gets compiled further in the development cycle, Schoster said. “The scan can thus reference other modules and templates that may contain errors that weren’t caught earlier.”
Bad code found during the application-deployment stage costs between five and 100 times more to remedy than when detected during the maintenance phase.
“Checkov scans only as far ‘right’ as your CI/CD pipeline allows — with customization. Bridgecrew’s SaaS platform, on the other hand, monitors and scans code in cloud environments that are already running in production which is as ‘far right’ as you can get,” said Schoster. “That’s why it’s important to have testing at each point that makes sense for your infrastructure development processes — whether you’re using all open source, such as Checkov and runtime tools like Prowler, or Bridgecrew’s all-in-one platform that does both IaC scanning and cloud monitoring.
According to a The Systems Sciences Institute at IBM report that Bridgecrew cited, the cost of fixing a bug in code increases in proportion to how far to the right in the production pipeline that the bug was detected. Bad code found during the application-deployment stage, for example, costs between 5 and 100 times more to remedy than when detected during the maintenance phase, compared to when the bug is fixed during the development stage.
“Simply put, bugs get more expensive and time-consuming to triage and fix the further along in the development lifecycle in which they are identified. The idea behind the new VS Code extension is to automate fixes and policy violations directly within the developer’s IDE, before they integrate that code into a shared repository or deploy it,” said Schoster. “In modern, distributed environments, this doesn’t mean new issues won’t come up later on in the development lifecycle, which is why we have solutions throughout the entire SDLC. But the idea here is that the earlier you can identify and remedy issues, the less time — as a developer and money as an org — you waste.”
Bridgecrew communicated the following features that the extension offers:
- 500 built-in policies covering security and compliance best practices for Amazon Web Services, Azure and Google Cloud.
- HashiCorp‘s Terraform, as well as Terraform Plan, CloudFormation, Kubernetes, Helm, Serverless and ARM template scanning.
- Detection of AWS credentials in EC2 Userdata, Lambda environment variables and Terraform providers.
- In Terraform, checks support evaluation of arguments expressed in variables and remote modules to their actual values.
- Links to policy descriptions, including instructions for fixing known misconfigurations.
- Fix suggestions for commonly misconfigured Terraform and CloudFormation attributes.
Amazon Web Services, Bridgecrew, HashiCorp and Palo Alto Networks are sponsors of The New Stack.