How to setup code scanning software locally
Introduction
Currently, we use Checkov and Trivy for static code analysis, which is performed via GitHub Actions and use of a Terraform module. There has been a request to enable running these programs locally so that issues can be identified before pushing a pull request to the repository. This document provides instructions on how to install the software and run it with the correct parameters.
How to setup Checkov locally
There are two ways to install checkov you can use homebrew to install, or you can use python to install the most common way is to use python.
To install using python please use the bellow commands
pip install checkov
or
pip3 install checkov
To install using brew run the bellow commands
brew install checkov
Running Checkov
To run checkov from the command line you will have to setup some variables first and populate them with the necessary information but the basic checkov command looks like the following
checkov --quiet -d "$terraform_working_dir" --skip-check "${INPUT_CHECKOV_EXCLUDE}" --download-external-modules "${INPUT_CHECKOV_EXTERNAL_MODULES}"
If you look at the repository that you want to run the command for you will find in most cases that the variable ${INPUT_CHECKOV_EXCLUDE} will be set to the following input CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39, But feel free to add any other that you want to exclude to this input
The $terraform_working_dir is basically the folder that you want to scan within the repository the last variable ${INPUT_CHECKOV_EXTERNAL_MODULES} can be set tp false as this is what it is normally setup within the github actions run.
How to setup Trivy locally
Trivy is available in most common distribution channels. The full list of installation options is available in the Installation page. Here are a few popular examples:
- brew install trivy
- docker run aquasec/trivy
- Download binary from https://github.com/aquasecurity/trivy/releases/latest/
See Installation for more Trivy is integrated with many popular platforms and applications. The complete list of integrations is available in the Ecosystem page. Here are a few popular examples:
GitHub Actions Kubernetes operator VS Code plugin See Ecosystem for more Canary builds There are canary builds (Docker Hub, GitHub, ECR images and binaries) as generated every push to main branch.
Please be aware: canary builds might have critical bugs; it’s not recommended for use in production.
Running Trivy
Once trivy is installed you will need to change to the directory that you want to scan and run the following command
trivy fs --scanners vuln,misconfig,secret --exit-code 1 --ignorefile ./modernisation-platform/.trivyignore.yaml --skip-dirs '' --no-progress --severity HIGH,CRITICAL ./modernisation-platform
The above is an example that we can run on the modernisation platform repo you will need to change the following elements of the command to make it work for you.
- the first element is the –ignorefile this is the location of the local ignore file of that repo it is stored in the root of the repo folder
- the second element is the folder you want to scan if you want to scan the folder you’re in simply change the ./modernisation-platform to a ./ instead
You can also use the > to output to a file for easier reading.