IAC Static Analysis with Bridgecrew

Infrastructure as Code (IaC) refers to managing infrastructure programmatically and with code, rather than manually and ad hoc. IaC tools such as Terraform empower developers to build robust and scalable infrastructure declaratively. They automate much of the under-the-hood work that may formerly have required far more time and resources to undertake. 

The increased power to provision infrastructure resources with code has also come with drawbacks- namely, expanded possibilities for misconfiguration. Misconfigurations can range from small to severe, potentially putting an organization at risk for data breaches or failure of compliance with regulations. Whether those misconfigurations occur in the name of rapid deployment, or are merely an oversight due to a complex setup process, the resulting security vulnerabilities may leave resources exposed and put an organization’s data at risk. A recent report from Verizon identified misconfigurations in cloud resources as one the top cause of incidents and breaches. 

Whether developers are or aren’t aware of these risks, it’s not realistic to expect users of IaC tools to possess comprehensive knowledge of all possible configuration issues they may face when building or maintaining their system. Recent research from Bridgecrew shows that nearly one in two infrastructure-as-code modules contains misconfigurations.

One common issue affecting IaC systems is the use of default configurations offered by cloud providers in production. In pursuit of a smoother user experience and a more forgiving learning curve, cloud providers and SaaS providers offer default IaC configurations for their platforms. While this helps developers iterate and deploy faster, these configurations do not always adhere to production best practices. 

“What we see is when users are using these default configurations and bring it into their production environments, they forget that sometimes these default configurations’ purpose was to get you up and running very fast and not necessarily to a point where you can basically build the most secure system.”

-Guy Eisenkot, Engineer at Bridgecrew

While security and access policies represent highly visible areas of concern, Bridgecrew’s tools can test for issues across several categories. The scope of issues originating in improperly formed IaC code spans a variety of use cases. Bridgecrew’s analysis of misconfigurations found in code in the Terraform Registry indicates that the most common issues relate to Backup and Recovery, Audit Logging, and Encryption. Each of these domains is critical to creating and maintaining robust, compliant, and adequately governed cloud-based software. 

Bridgecrew addresses those risks and misconfigurations by both monitoring cloud resources in runtime and by shifting cloud security left—to the IaC level in buildtime. Their platform provides scanning or static analysis of cloud provisioning frameworks such as Terraform, Kubernetes, CloudFormation, ARM templates, and Serverless technologies. “Static analysis” refers to a variety of analytic techniques to identify issues with “static” code- that is, it can evaluate potential issues without executing the code. When a developer uses code to provision infrastructure, a similar process can be performed to check for known compliance and security policy violations.

“We start seeing that when cloud misconfigs are fixed in runtime—for example, changing a publicly exposed S3 bucket to private—it’s highly likely (about a 70% chance) that it’ll resurface in the near future. The problem is that when clouds are orchestrated by inherently misconfigured code, they’ll continue to be configured incorrectly in production.”

Integrating IaC and static analysis tools into an organization’s everyday workflow can help prevent these issues before the code gets into runtime, and can cut down on cloud drift-related vulnerabilities. Integrating IaC checks into, for example, pull request checks or within a Jenkins build job helps prevent misconfigurations from being deployed in the first place.

Bridgecrew identifies current issues in production cloud resources and infrastructure configuration and presents these issues as “incidents” on a user dashboard. Bridgecrew integrates with source code repositories and is built to scan IaC files as part of a CI/CD workflow. When incidents are identified, Bridgecrew offers options to fix the issue, including opening pull requests for code level issues, or automated fixes through “Playbooks”- a known series of steps to fix common cloud security issues in runtime. This approach, which they call security-as-code, enables developers to implement fixes right back into their workflow, saving them time triaging, investigating, and remediating issues.

In addition to their SaaS platform, Bridgecrew invests heavily in open source projects—namely with their IaC scanner Checkov. Checkov can be run from the command line, or integrated as part of a CI/CD workflow (for example, in Jenkins or CircleCI). 

Bridgecrew’s team released Checkov with a set of known checks the tool could scan for and continues to add more. As an open-source tool, Checkov has grown and evolved as other developers have contributed their issues, and Bridgecrew encourages Checkov users to contribute to its robust community with over 600k downloads to date.

“…we believe that everybody, everybody should have the access to good visibility around their configuration and configuration errors. In that sense, open-sourcing Chekhov was a no-brainer.”

Guy Eisenkot, Engineer at Bridgecrew

Infrastructure-as-code tools empower developers to solve problems traditionally in the domain of hardware or network security specialists. The Bridgecrew platform and Checkov help developers ensure that their infrastructure is secure, compliant, and well-governed. The growth of the Checkov open-source community is indicative of the value that shared knowledge about IaC best practices provides to developers, whether they are building small-scale projects, growing a startup, or innovating within large-scale corporations.

For more on Bridgecrew and Checkov, be sure to check out our interview with Guy Eisenkot of Bridgcrew, or try Bridgecrew out for yourself at bridgecrew.io. For more on Infrastructure as Code concepts and tools, check out our archives of IaC-related episodes at softwareengineeringdaily.com.

Danny Seymour

Santa Fe, New Mexico
Education: MBA, Finance and Public Policy, University of New Mexico

Danny is a Santa Fe-based developer who works as a Junior Consultant at Rural Sourcing.

Software Weekly

Software Weekly

Subscribe to Software Weekly, a curated weekly newsletter featuring the best and newest from the software engineering community.