Skip to content

lab-03.md

Latest commit

 

History

History
144 lines (98 loc) · 6 KB

lab-03.md

File metadata and controls

144 lines (98 loc) · 6 KB
permalink /labs/lab-03
title Lab 03 - Checkov: Static Policy Scanning
description Run Checkov against Bicep templates to detect security and cost governance violations.

Overview
Duration 30 minutes
Level Intermediate
Prerequisites Lab 01

Learning Objectives

By the end of this lab, you will be able to:

  • Run Checkov against Bicep templates using the CLI
  • Interpret Checkov output including passed, failed, and skipped checks
  • Export Checkov results in SARIF format for GitHub Security Tab integration
  • Compare Checkov findings with PSRule findings for the same template

Exercises

Exercise 3.1: Run Checkov on App 001

You will scan the missing-tags app with Checkov and generate SARIF output.

  1. Create the reports directory if it does not exist:

    mkdir -p reports

  2. Run Checkov against app 001 with both console and SARIF output:

    checkov -d finops-demo-app-001/infra/ --output cli --output sarif --output-file-path console,reports/

    This produces CLI output on screen and writes a SARIF file to the reports/ directory.

  3. Review the CLI output. Checkov summarises results in three categories:

    • Passed — checks the template satisfies
    • Failed — checks the template violates
    • Skipped — checks excluded by configuration

  4. Note the check IDs for any failed findings. Checkov uses IDs in the format CKV_AZURE_* (for example, CKV_AZURE_18 for storage account network rules).

Checkov scan output for app 001

Tip

Checkov scans for both security and best practice violations. You will see checks related to HTTPS enforcement, TLS version, access keys, and network configuration — not only cost governance. This broader coverage complements PSRule's Azure-specific focus.

Exercise 3.2: Review Checkov Findings

You will analyse the Checkov results to understand what each finding means.

  1. Open the SARIF file generated by Checkov in the reports/ directory.

  2. Look at the results array. Each entry contains:

    • ruleId — the Checkov check ID (for example, CKV_AZURE_18)
    • level — severity of the finding
    • message.text — description of the failed check
    • locations — file path and resource reference

  3. Categorise the findings into groups:

    Category Example Check IDs Description
    Network Security CKV_AZURE_18, CKV_AZURE_59 Storage account network rules, HTTPS only
    Encryption CKV_AZURE_33, CKV_AZURE_43 Encryption at rest, TLS version
    Access Control CKV_AZURE_36 Shared access key disabled
    Monitoring CKV_AZURE_65 App Service detailed error messages

  4. Notice that Checkov does not explicitly check for the 7 governance tags the way PSRule does. This is a key difference between the tools.

Checkov SARIF output

Important

Checkov check IDs and descriptions may vary between versions. Use checkov --list to see all available checks for the arm framework.

Exercise 3.3: Run Checkov on App 005

You will scan the redundant/expensive resources app and look for additional findings.

  1. Run Checkov against app 005:

    checkov -d finops-demo-app-005/infra/ --output cli --output sarif --output-file-path console,reports/

  2. Compare the output with the app 001 scan. App 005 has:

    • 2 App Service Plans deployed to non-approved regions (westus and westeurope)
    • GRS (geo-redundant) storage for a development workload
    • All 7 governance tags present

  3. Check whether Checkov flags:

    • The duplicate App Service Plans
    • The GRS storage tier as overly expensive
    • Any region-related violations

  4. Note which violations Checkov does detect versus those it misses. This gap motivates using multiple scanner tools.

Checkov scan output for app 005

Exercise 3.4: Compare with PSRule

You will create a side-by-side comparison to understand the strengths of each tool.

  1. If you completed Lab 02, open the PSRule SARIF results for apps 001 and 005.

  2. If you have not completed Lab 02, run PSRule now (refer to Lab 02, Exercise 2.2 for the command).

  3. Build a comparison table based on your findings:

    Aspect PSRule Checkov
    Focus Area Azure best practices, tagging, naming Security, compliance, CIS benchmarks
    Tag Checks Explicit Azure.Resource.UseTags rule No dedicated tag governance check
    Region Checks AZURE_RESOURCE_ALLOWED_LOCATIONS config Limited region awareness
    SKU Checks Some rules for sizing best practices Checks for specific service configurations
    Output Format SARIF, CSV, JSON SARIF, JSON, JUnit, CSV
    Language Support Bicep (via expansion), ARM JSON ARM JSON, Bicep, Terraform
    Custom Rules PowerShell-based custom rules Python-based custom checks

  4. Summarise your key insight: PSRule excels at Azure-specific governance (tags, regions, naming) while Checkov excels at security and compliance (encryption, network rules, CIS benchmarks). Using both tools together provides comprehensive coverage.

Checkov vs PSRule comparison

Tip

In a production FinOps scanning pipeline, you run all scanner tools in parallel and merge the SARIF results. Labs 06 and 07 cover this exact pattern using GitHub Actions.

Verification Checkpoint

Before proceeding, verify:

  • Checkov scan completed successfully against at least 2 demo apps
  • SARIF output generated from Checkov in the reports/ directory
  • Can explain at least 3 Checkov check IDs and what they detect
  • Documented the overlap and gaps between Checkov and PSRule

Next Steps

Proceed to Lab 04 — Cloud Custodian: Runtime Resource Scanning.