checkov VS terratest

Checkov https://www.checkov.io A static analysis tool to scan infrastructure code for misconfigs, secrets, and best practice violations.

PR #6647

Checkov infrastructure-as-code misconfig detection

Link do repo

Link: https://github.com/bridgecrewio/checkov

Checkov: static analysis for IaC

Prior to deploying kubernetes manifest files to EKS Cluster, supplementary steps need to be added to prevent security and misconfiguration issue by using both *Checkov *and Trivy . Also, we will use seperate ArgoCD account from admin user that we’ve used in the previous lab. This will follow ArgoCD RBAC rule to secure ArgoCD and EKS cluster ultimately.

The workflow also includes a step for infrastructure code scan to scan Terraform code. This uses Checkov action against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.

1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.

Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0

Terraform provides a built-in testing framework to validate your project. The testing framework supports both unit and integration tests. It handles unit tests by creating a deployment plan and running the tests against that plan. While Terraform's testing framework allows you to validate basic properties, you may need to write more advanced tests to verify your virtual machines are set up correctly. You can create advanced tests using open source testing tools like Terratest and Kitchen-Terraform.

Before using a module in production, make sure to test it in isolated environments. You can use tools like Terratest to write automated tests for your modules. This ensures they work as expected in different scenarios.

The Terratest Go library leverages this to define a variety of test cases used to test Docker images, cloud infrastructure defined for AWS, Azure, GCP, Kubernetes, and many more.

Terratest is a Go library that provides tools and patterns for testing infrastructure, with first-class support for Terraform, Packer, Docker, Kubernetes, and more. It's used to write automated tests for your infrastructure code.

I think I found it. This is the one right? https://github.com/gruntwork-io/terratest/

What it does in parallel is basically init/plan/show using terratest on every subdirectory on your repository tree or provided paths. The output is either a JSON summary or a custom made Junit XML test file you can ingest into your tests reader. It took it around 8 minutes to map the entirety of our bloated repository.

You could deploy to a separate account (usually dev first), you can use terratest, you could try something like LocalStack. I dare say there’s other methods.

Was wondering if anyone has tried https://github.com/gruntwork-io/terratest to test their infrastructure. I like it because I can write golang tests! Thats a big plus for me.

Once there is a CI pipeline for delivering infra changes you can add static code analysis tools (checkov) and even start testing changes (terratest)