Checkov

Checkov scans the CloudFormation template for security group definitions.

Checkov identifies security group rules that allow inbound traffic from 0.0.0.0/0 (all sources).

Checkov reports the overly permissive security group rules.

The developer updates the security group rules to restrict traffic to specific IP addresses or CIDR blocks.

Checkov scans the Kubernetes deployment manifests for resource limit definitions.

Checkov identifies deployments that do not have CPU and memory limits specified.

Checkov reports the missing resource limits.

The developer adds resource limits to the Kubernetes deployment manifests.

Checkov scans the Terraform modules for S3 bucket definitions.

Checkov identifies S3 buckets that do not have encryption enabled.

Checkov reports the missing encryption.

The developer updates the Terraform modules to enable encryption for S3 buckets.

Checkov scans the ARM templates for storage account definitions.

Checkov identifies storage accounts that are not located within the EU region.

Checkov reports the non-compliant storage accounts.

The developer updates the ARM templates to ensure that storage accounts are located within the EU region.

Checkov scans Kubernetes manifests for specified Docker image names and tags.

Checkov queries vulnerability databases to identify known vulnerabilities in the images.

Checkov reports images with identified vulnerabilities.

The operations team replaces the vulnerable images with patched versions.

Checkov scans Terraform configuration files for potential hardcoded secrets.

Checkov uses pattern matching to identify strings that resemble passwords, API keys, or other sensitive information.

Checkov reports any identified hardcoded secrets.

The developer removes the hardcoded secrets and replaces them with secure alternatives, such as environment variables or secret management tools.