Code scanning includes:
- Security scanning - passwords and API tokens committed to Git, vulnerabilities in code patterns, or CVEs in libraries
- Code Quality - covered by tools such as SonarQube, Codacy, CodeClimate, Codefresh etc.
Checkov is an open source Infrastructure-as-Code scanner.
HariSekhon/GitHub Actions - checkov.yaml - GitHub Actions reusable workflow imported into my repos
GitHub Actions marketplace action - bridgecrewio/checkov-action
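A CI-side equivalent of the "block builds by severity" policy, as an added example that is not code from this page, from Checkov or from Bridgecrew: it reads the JSON that `checkov -o json` prints and fails the step when a finding meets a severity threshold. The key names it reads (`results.failed_checks[]` with `check_id`, `check_name`, `resource`, `file_path`, `file_line_range`, `severity`) and the `SAMPLE_REPORT` contents are assumptions of this example; the `gate` and `blocking_checks` functions are mine.

```python
"""Block a CI build on Checkov findings by severity (added example).

Assumed report shape: results.failed_checks[] entries carrying check_id,
check_name, resource, file_path, file_line_range and an optional severity.
SAMPLE_REPORT is constructed, not real Checkov output; IDs are placeholders.
"""
import json
import sys

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

SAMPLE_REPORT = {  # constructed sample
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_EXAMPLE_1", "check_name": "Bucket allows public read",
             "resource": "aws_s3_bucket.assets", "file_path": "/storage.tf",
             "file_line_range": [1, 8], "severity": "HIGH"},
            {"check_id": "CKV_EXAMPLE_2", "check_name": "Resource is missing tags",
             "resource": "aws_s3_bucket.assets", "file_path": "/storage.tf",
             "file_line_range": [1, 8], "severity": "LOW"},
            # Severity is only populated when Checkov runs with a platform API
            # key; a plain open-source run leaves it empty.
            {"check_id": "CKV_EXAMPLE_3", "check_name": "Security group open to the world",
             "resource": "aws_security_group.web", "file_path": "/network.tf",
             "file_line_range": [10, 20], "severity": None},
        ],
    },
}


def normalise(report):
    """Checkov prints one object for a single framework and a list for several."""
    return report if isinstance(report, list) else [report]


def blocking_checks(report, threshold="HIGH", unknown_as="HIGH"):
    """Failed checks at or above `threshold`. A finding with no severity is
    ranked as `unknown_as` so an unclassified result cannot slip through."""
    floor = SEVERITY_RANK[threshold.upper()]
    default_rank = SEVERITY_RANK[unknown_as.upper()]
    out = []
    for part in normalise(report):
        for check in part.get("results", {}).get("failed_checks", []):
            sev = (check.get("severity") or "").upper()
            if SEVERITY_RANK.get(sev, default_rank) >= floor:
                out.append(check)
    return out


def format_finding(check):
    sev = check.get("severity") or "UNKNOWN"
    start, end = check.get("file_line_range", [0, 0])
    return (f"{sev:<8} {check['check_id']} {check['file_path']}:{start}-{end} "
            f"{check['resource']} - {check['check_name']}")


def gate(report, threshold="HIGH"):
    """Return (exit_code, report_lines): exit 1 when any finding blocks the build."""
    blocking = blocking_checks(report, threshold)
    return (1 if blocking else 0), [format_finding(c) for c in blocking]


if __name__ == "__main__":
    # usage: checkov -d . -o json > checkov.json && python gate.py checkov.json HIGH
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    code, lines = gate(data, sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    print("\n".join(lines) or "no blocking findings")
    sys.exit(code)
```

Run it as the step after the Checkov action in the workflow; the non-zero exit is what fails the job. Treating an empty severity as HIGH is deliberate: without a platform key every finding is unclassified, and the safe default is to block rather than to pass.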
Bridgecrew Cloud dashboard:
- dashboard
- CIS benchmarks - Kubernetes, Docker, EKS, GKE etc
- auto-fix - raises Pull Requests with the fixes
- IDE integration - catches errors in your IDE by using an API token to send the file contents up for scanning, with tooltip pop-ups showing how to fix them before you commit - one step earlier than scanning committed code in CI/CD
- policies to block builds based on criteria such as severity
Pricing:
- RRP $180 per credit - each credit covers 3 resources - essentially $60 RRP per resource (could get expensive as you scale to a larger codebase)
- Discount: 1500 - 3000 credits = 25% discount
- Only resources in blocks are charged - modules are not charged
- Script to scan IaC to figure out how many resources you have to pay for
- Re-quote every few months if usage increases.
- Shame this is the legacy up-front purchase-order estimate model rather than a Pay-As-You-Go model like cloud vendors or GitHub.
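A resource-counting script of the kind described above, added here as an example (it is not Bridgecrew's own sizing script). It takes the stated rule at face value: only top-level `resource` blocks are counted, `module` blocks are not, one credit covers 3 resources at $180 RRP. The regexes, the decision to skip `.terraform/` directories, and the `SAMPLE_FILES` contents are assumptions of this example; `count`/`for_each` instances are not expanded, so the figure is a lower bound if billing is per instance.

```python
"""Estimate billable resources and credits from a Terraform tree (added example).

Assumption: a resource block starts a line as `resource "<type>" "<name>" {`.
Commented-out blocks are skipped because the `#` precedes the keyword.
SAMPLE_FILES is constructed input so the script runs offline.
"""
import math
import re
from collections import Counter
from pathlib import Path

RESOURCES_PER_CREDIT = 3
RRP_PER_CREDIT = 180
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"[^"]+"\s*\{', re.MULTILINE)
MODULE_RE = re.compile(r'^\s*module\s+"[^"]+"\s*\{', re.MULTILINE)

SAMPLE_FILES = {  # constructed sample: path label -> HCL text
    "main.tf": '''
resource "aws_s3_bucket" "assets" {
  bucket = "example-assets"
}

# resource "aws_s3_bucket" "old" {}   # commented out, must not count

module "vpc" {
  source = "./modules/vpc"
}
''',
    "iam.tf": '''
resource "aws_iam_role" "app" {
  name = "app"
}
resource "aws_iam_role_policy" "app" {
  role = aws_iam_role.app.id
}
''',
}


def count_file(hcl):
    """Return (Counter of resource types, number of module blocks) for one file."""
    return Counter(RESOURCE_RE.findall(hcl)), len(MODULE_RE.findall(hcl))


def credits_needed(resources):
    """Credits are whole units, so round up."""
    return math.ceil(resources / RESOURCES_PER_CREDIT)


def tally(files):
    """files maps a path label to HCL text; returns the billing summary."""
    by_type, modules = Counter(), 0
    for text in files.values():
        types, mods = count_file(text)
        by_type.update(types)
        modules += mods
    total = sum(by_type.values())
    credits = credits_needed(total)
    return {"resources": total, "modules": modules, "credits": credits,
            "rrp_usd": credits * RRP_PER_CREDIT, "by_type": dict(by_type)}


def scan_dir(root):
    """Read every *.tf under root, skipping .terraform/ (downloaded providers
    and module copies would otherwise be double counted)."""
    files = {}
    for tf in Path(root).rglob("*.tf"):
        if ".terraform" in tf.parts:
            continue
        files[str(tf)] = tf.read_text(encoding="utf-8", errors="replace")
    return tally(files)


if __name__ == "__main__":
    import sys
    # usage: python count_resources.py path/to/terraform  (no arg: sample input)
    summary = scan_dir(sys.argv[1]) if len(sys.argv) > 1 else tally(SAMPLE_FILES)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The per-type breakdown is what makes a re-quote conversation concrete: it shows which resource types drive the count as the codebase grows.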