
Include a misconfigurations detector in Nephio #808

Open
VedRatan opened this issue Sep 17, 2024 · 1 comment

Comments

@VedRatan
Contributor

VedRatan commented Sep 17, 2024

Checkov

Checkov is a powerful open-source static analysis tool designed for identifying misconfigurations and security vulnerabilities in infrastructure-as-code (IaC) templates. It supports various IaC frameworks like Terraform, Kubernetes, and CloudFormation, allowing developers to catch potential issues early in the development cycle.

Importance of detecting misconfigurations

Detecting misconfigurations and security concerns with Checkov is crucial because even minor errors in configuration can lead to significant security risks, such as unauthorized access or data breaches. By using Checkov, we can automate the detection of these issues, ensuring that infrastructure is secure and compliant with best practices before deployment. This proactive approach helps in reducing the attack surface, improving overall security posture, and saving time and resources by addressing vulnerabilities early in the development process.

Below are the findings after scanning the Nephio cluster

checkov-cluster.txt

Below are the findings after scanning a Catalog repo

checkov-catalog.txt

Analysis

  • Here we see that there are multiple configuration best practices and security best practices that resources are currently failing.
  • There are some default common misconfiguration and security detection policies pre-defined in checkov, which are applied against each of the resources present in the cluster.
  • The same is the case for the pre-scan (scanning manifests only).
  • For instance, when we scanned the cluster with the checkov job, here are the findings:
    Passed checks: 3981, Failed checks: 473, Skipped checks: 4
  • For catalog-repo scanning, here are the results:
    Passed checks: 5016, Failed checks: 1024, Skipped checks: 0
  • There are a total of 1024 findings discovered in the catalog repo violating the default checkov policies, out of which 87 are of high risk factor, 108 of medium risk factor, 774 of low risk factor, and 55 of a risk factor which is currently not available in checkov.
  • For all the failed checks there is a fix suggested by checkov, which will help the user to fix the misconfigurations and security concerns.

We can include checkov to prevent security misconfigurations and prevent the workloads from behaving incorrectly by detecting these misconfigurations and fixing them beforehand. Here checkov can help us, as it also gives us recommendations to mitigate the misconfigurations and security issues.
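Added example (not code from the issue or from Nephio): a small Python triage of `checkov -o json` output that produces the passed/failed/skipped totals and the per-severity breakdown the findings above report, treating a null severity as "not available". The report shape follows checkov's JSON output as I understand it; the check records, resource names and guideline URLs are constructed.

```python
import json
from collections import Counter

# Constructed sample in the shape of `checkov -o json` output (a list when several
# frameworks are scanned, a single dict otherwise); the check records are made up.
SAMPLE_REPORT = json.dumps([{
    "check_type": "kubernetes",
    "results": {
        "passed_checks": [{"check_id": "CKV_K8S_1", "severity": "HIGH"}],
        "failed_checks": [
            {"check_id": "CKV_K8S_8", "resource": "Deployment.default.api",
             "severity": "LOW", "guideline": "https://example.invalid/ckv-k8s-8"},
            {"check_id": "CKV_K8S_20", "resource": "Deployment.default.api",
             "severity": "HIGH", "guideline": "https://example.invalid/ckv-k8s-20"},
            {"check_id": "CKV_K8S_43", "resource": "Deployment.default.api",
             "severity": None, "guideline": None},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 3, "skipped": 0, "parsing_errors": 0},
}])

def load_reports(raw):
    """Normalise checkov JSON output to a list of per-framework reports."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]

def summarize(raw):
    """Overall passed/failed/skipped counts plus failed checks bucketed by severity.
    A null severity (checkov without a platform API key) lands in 'not available'."""
    totals, by_severity = Counter(), Counter()
    for report in load_reports(raw):
        results = report.get("results", {})
        for outcome in ("passed", "failed", "skipped"):
            totals[outcome] += len(results.get(f"{outcome}_checks", []))
        for check in results.get("failed_checks", []):
            by_severity[(check.get("severity") or "not available").lower()] += 1
    return dict(totals), dict(by_severity)

def remediation_list(raw, severities=("critical", "high")):
    """Failed checks at the given severities with the guideline link checkov
    attaches, so the suggested fix can be handed to the resource owner."""
    return [(c["check_id"], c["resource"], c.get("guideline"))
            for report in load_reports(raw)
            for c in report.get("results", {}).get("failed_checks", [])
            if (c.get("severity") or "").lower() in severities]
```

Run it on the real `checkov-cluster.txt` / `checkov-catalog.txt` output by regenerating them with `-o json` and passing the file contents to `summarize`.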

@nyrahul
Contributor

nyrahul commented Jan 7, 2025

Hey @VedRatan, you had done a prioritization task for checkov and shared an xls. We couldn't find it. Do you have it? Thanks
