checkov
OPA (Open Policy Agent)
Our great sponsors
checkov | OPA (Open Policy Agent) | |
---|---|---|
54 | 90 | |
6,492 | 9,104 | |
1.9% | 2.0% | |
9.9 | 9.6 | |
5 days ago | 7 days ago | |
Python | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
checkov
-
A Deep Dive Into Terraform Static Code Analysis Tools: Features and Comparisons
Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0
-
Top Terraform Tools to Know in 2024
Checkov is another great tool that examines your Terraform files (.tf), parsing the configurations and evaluating them against a comprehensive set of predefined policies. It scans Terraform-managed infrastructure and detects misconfigurations that could lead to security issues or non-compliance with best practices and regulations.
-
A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev
Bridgecrew — Infrastructure as code (IaC) security powered by the open source tool - Checkov. The core Bridgecrew platform is free for up to 50 IaC resources.
-
10 Ways for Kubernetes Declarative Configuration Management
Kustomize: It provides a solution to customize the Kubernetes resource base configuration and differential configuration without template and DSL. It does not solve the constraint problem itself, but needs to cooperate with a large number of additional tools to check constraints, such as Kube-linter, Checkov and kubescape.
-
Top 10 terraform tools you should know about.
Checkov is a versatile static code analysis tool designed for infrastructure as code (IaC) and software composition analysis (SCA). It supports a wide range of technologies, including Terraform, CloudFormation, Kubernetes, Docker, and others, to detect security and compliance issues through graph-based scanning. Checkov also performs SCA scans, identifying vulnerabilities in open source packages and images by checking for Common Vulnerabilities and Exposures (CVEs). Additionally, it is integrated into Prisma Cloud Application Security, a platform that helps developers secure cloud resources and infrastructure-as-code files, enabling the identification, rectification, and prevention of misconfigurations throughout the development lifecycle.
-
Understanding Container Security
For your Dockerfiles, you can also scan them. There are lots of tools that can check your Dockerfiles. They will validate if Dockerfile is compliant with Docker best practices such as not using root user, making sure a health check exists, and not exposing the SSH port. You can use Snyk and Checkov.
-
Apim + function app & event grid
You could try https://www.checkov.io/
-
Terraform Security Best Practices
We use https://www.checkov.io/ for this, it's very simple to get started with and works really well as PR quality gate
-
How long have you guys actually had the title “platform engineer”? What other titles did you have before that, if any?
Once there is a CI pipeline for delivering infra changes you can add static code analysis tools (checkov) and even start testing changes (terratest)
-
What are the best static analysis security testing tools for Terraform and infrastructure as code?
I just had a brief chat with one of the developers of Checkov and it sounds nice (and open source). I haven't had a chance to play with it, but if you want to it's at https://www.checkov.io/
OPA (Open Policy Agent)
-
SAP BTP, Terraform and Open Policy Agent
How can we handle this? Are there any mechanisms to prevent or at least to some extent safeguard this kind of issues without falling back to a manual workflow? There is. One huge advantage of sticking to (de-facto) standards like Terraform is that first we are probably not the first ones to come up with this question and second there is a huge ecosystem around Terraform that might help us with such challenges. And for this specific scenario the solution is the Open Policy Agent. Let us take a closer look how the solution could look like.
-
Top Terraform Tools to Know in 2024
A popular Policy-as-Code tool for Terraform is OPA, everyone's favorite versatile open-source policy engine that enforces security and compliance policies across your cloud-native stack, making it easier to manage and maintain consistent policy enforcement in complex, multi-service environments.
- Open Policy Agent
-
Build and Push to GAR and Deploy to GKE - End-to-End CI/CD Pipeline
Harness Policy As Code uses Open Policy Agent (OPA) as the central service to store and enforce policies for the different entities and processes across the Harness platform. In this section, you will define a policy that will deny a pipeline execution if there is no approval step defined in a deployment stage.
-
10 Ways for Kubernetes Declarative Configuration Management
OPA: While OPA is an open-source, general-purpose policy engine capable of enforcing unified and context-aware policies throughout the stack, it can also accept and output data in formats such as JSON, effectively functioning as a tool for generating or modifying configurations. Although it does not provide out-of-the-box schema definition support, it allows the integration of JsonSchema definitions.
-
Securing CI/CD Images with Cosign and OPA
In essence, container image signing involves adding a digital stamp to an image, affirming its authenticity. This digital assurance guarantees that the image is unchanged from creation to deployment. In this blog, I'll explain how to sign container images for Kubernetes using Cosign and the Open Policy Agent. I will also share a tutorial that demonstrates these concepts.
-
OPA vs. Google Zanzibar: A Brief Comparison
In this post we will explores two powerful solutions for addressing this issue: the Open Policy Language (OPA) and Google’s Zanzibar.
-
Rego for beginners: Introduction to Rego
Rego is a declarative query language from the makers of the Open Policy Agent (OPA) framework. The Cloud Native Computing Foundation (CNCF) accepted OPA as an incubation-level hosted project in April 2019, and OPA graduated from incubating status in 2021.
-
Are "Infrastructure as Code" limited to "Infrastructure" only?
Now there are more subdivided practice: * Policy as Code: Sentinel, OPA * Database as Code: bytebase * AppConfiguration as Code: KusionStack, Acorn * ...... (Welcome to add more)
-
OPA (Open Policy Agent) VS topaz - a user suggested alternative
2 projects | 25 Jul 2023
What are some alternatives?
tfsec - Security scanner for your Terraform code [Moved to: https://github.com/aquasecurity/tfsec]
casbin - An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN
trivy - Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
Keycloak - Open Source Identity and Access Management For Modern Applications and Services
tflint - A Pluggable Terraform Linter
Ory Keto - Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
terrascan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
cerbos - Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage by writing context-aware access control policies for your application resources.
kics - Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
spicedb - Open Source, Google Zanzibar-inspired permissions database to enable fine-grained access control for customer applications
terraform-security-scan - Run a security scan on your terraform with the very nice https://github.com/aquasecurity/tfsec
oso - Oso is a batteries-included framework for building authorization in your application.