inframap VS checkov

Like Blast Radius, InfraMap generates visual graphs of your infrastructure based on Terraform state or configurations, offering a visual overview of your infrastructure, which is especially helpful for large and complex environments.

We also contribute to the open-source community with projects like InfraMap, that generate your infra diagram on the fly based on your tfstate or the most famous TerraCognita, a reverse Terraform.

Pretty cool. The biggest thing I think is missing from many popular diagramming tools is the ability to easily diff the architecture across changes. Although that can already be done with graphviz source files.

However, these days I prefer to just have diagrams generated from the source code itself, like:

- https://github.com/cycloidio/inframap

- https://graphviz.org/Gallery/directed/bazel.html

In order to make a compelling use case out of having to maintain a parallel definition like this, I think it needs to be able to contribute to analysis like formal verification or, despite them stating that it's not a goal, being able to create the described architecture. Or even generate something like a terraform plan. Otherwise it falls victim to the same problem as any other method of creating diagrams, that of them falling out of sync with the system.

They are a long way there already by providing a way to use a programming language backed by a large ecosystem of other tools that can be used to work with e.g. terraform, like python/go.

I used https://github.com/cycloidio/inframap last week, was a good experience for me

Inframap reads your tfstate or HCL to generate a graph specific for each provider, showing only the resources that are most important/relevant.

Also if you want to easily visualize your HCL or TFState we did https://github.com/cycloidio/inframap which will allow you to visualize those in a more easy/readable way than just JSON.

1. Checkov: https://github.com/bridgecrewio/checkov Checkov is a static code analysis tool that helps developers prevent cloud misconfigurations during the development phase by scanning Terraform, CloudFormation, Kubernetes, and more.

Checkov Owner/Maintainer: Prisma Cloud by Palo Alto Networks (acquired in 2021) Age: First released on GitHub on March 31st, 2021 License: Apache License 2.0

‍Checkov is another great tool that examines your Terraform files (.tf), parsing the configurations and evaluating them against a comprehensive set of predefined policies. It scans Terraform-managed infrastructure and detects misconfigurations that could lead to security issues or non-compliance with best practices and regulations.

Bridgecrew — Infrastructure as code (IaC) security powered by the open source tool - Checkov. The core Bridgecrew platform is free for up to 50 IaC resources.

Kustomize: It provides a solution to customize the Kubernetes resource base configuration and differential configuration without template and DSL. It does not solve the constraint problem itself, but needs to cooperate with a large number of additional tools to check constraints, such as Kube-linter, Checkov and kubescape.

Checkov is a versatile static code analysis tool designed for infrastructure as code (IaC) and software composition analysis (SCA). It supports a wide range of technologies, including Terraform, CloudFormation, Kubernetes, Docker, and others, to detect security and compliance issues through graph-based scanning. Checkov also performs SCA scans, identifying vulnerabilities in open source packages and images by checking for Common Vulnerabilities and Exposures (CVEs). Additionally, it is integrated into Prisma Cloud Application Security, a platform that helps developers secure cloud resources and infrastructure-as-code files, enabling the identification, rectification, and prevention of misconfigurations throughout the development lifecycle.

For your Dockerfiles, you can also scan them. There are lots of tools that can check your Dockerfiles. They will validate if Dockerfile is compliant with Docker best practices such as not using root user, making sure a health check exists, and not exposing the SSH port. You can use Snyk and Checkov.

You could try https://www.checkov.io/

We use https://www.checkov.io/ for this, it's very simple to get started with and works really well as PR quality gate

Once there is a CI pipeline for delivering infra changes you can add static code analysis tools (checkov) and even start testing changes (terratest)