“Policies that take into account interdependencies within IaC are critical to understanding the impact of misconfigurations,” said Rob Eden, senior engineer and Checkov contributor. “It’s not enough to know that a security group has ports open to the world; we need to know if that misconfiguration is in production or just a test environment in order to prioritize it appropriately. It’s awesome to have an open-source tool providing that level of context.”
Key additions in Checkov 2.0 include 250 new policies, Dockerfile scanning to secure container build tasks, and graph-based mapping.
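To make the "dependency awareness" idea concrete, here is a small added example (not Checkov's own code or API) of a graph-based policy in Python, the language Checkov is written in. It models a handful of constructed Terraform-style resources, builds edges from instances to the security groups they reference, and then grades an "open to the world" finding by the environment tag of whatever is attached to it, which is exactly the production-versus-test prioritization the quote above describes. Resource names, tag keys and severity labels are assumptions chosen for the illustration.

```python
"""Illustrative graph-aware IaC policy check.

This is an added example, not Checkov's implementation. It demonstrates the
idea that a finding's severity depends on what the misconfigured resource is
connected to, rather than on the resource's attributes alone.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Resource:
    rid: str                      # e.g. "aws_security_group.web"
    rtype: str                    # Terraform resource type
    attrs: Dict[str, object] = field(default_factory=dict)


# Constructed sample input standing in for parsed Terraform; not a real plan.
RESOURCES: List[Resource] = [
    Resource("aws_security_group.web", "aws_security_group",
             {"ingress": [{"from_port": 22, "to_port": 22,
                           "cidr_blocks": ["0.0.0.0/0"]}]}),
    Resource("aws_security_group.db", "aws_security_group",
             {"ingress": [{"from_port": 5432, "to_port": 5432,
                           "cidr_blocks": ["10.0.0.0/8"]}]}),
    Resource("aws_security_group.sandbox", "aws_security_group",
             {"ingress": [{"from_port": 80, "to_port": 80,
                           "cidr_blocks": ["0.0.0.0/0"]}]}),
    Resource("aws_instance.api", "aws_instance",
             {"vpc_security_group_ids": ["aws_security_group.web"],
              "tags": {"env": "production"}}),
    Resource("aws_instance.scratch", "aws_instance",
             {"vpc_security_group_ids": ["aws_security_group.sandbox"],
              "tags": {"env": "test"}}),
]


def build_graph(resources: List[Resource]):
    """Index resources by id and record instance -> security-group edges."""
    by_id = {r.rid: r for r in resources}
    edges: Dict[str, List[str]] = {}
    for r in resources:
        for sg in r.attrs.get("vpc_security_group_ids", []):
            if sg in by_id:                # ignore dangling references
                edges.setdefault(r.rid, []).append(sg)
    return by_id, edges


def open_to_world(sg: Resource) -> bool:
    """True if any ingress rule allows 0.0.0.0/0."""
    return any("0.0.0.0/0" in rule.get("cidr_blocks", [])
               for rule in sg.attrs.get("ingress", []))


def attached_environments(sg_id: str, by_id, edges) -> Set[str]:
    """Walk the edges in reverse: which environments attach this SG?"""
    envs: Set[str] = set()
    for src, targets in edges.items():
        if sg_id in targets:
            envs.add(by_id[src].attrs.get("tags", {}).get("env", "unknown"))
    return envs


def evaluate(resources: List[Resource]) -> List[Tuple[str, str, List[str]]]:
    """Return (resource id, severity, environments) for each open SG.

    The attribute check alone ("is it open?") is the same for every hit; the
    graph walk is what separates a production exposure from a sandbox one.
    """
    by_id, edges = build_graph(resources)
    findings = []
    for r in resources:
        if r.rtype != "aws_security_group" or not open_to_world(r):
            continue
        envs = attached_environments(r.rid, by_id, edges)
        if "production" in envs:
            severity = "HIGH"
        elif envs:
            severity = "LOW"
        else:
            severity = "INFO"   # open but unattached: still worth reporting
        findings.append((r.rid, severity, sorted(envs)))
    return findings


if __name__ == "__main__":
    for rid, severity, envs in evaluate(RESOURCES):
        print(f"{severity:5} {rid} attached to {envs or 'nothing'}")
```

Run as a script it reports the `web` group as HIGH (reachable from a production instance), the `sandbox` group as LOW, and says nothing about `db`, whose ingress is internal only. A real tool would build this graph from parsed HCL and many more edge types, but the prioritization logic is the same shape.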
Checkov first launched in 2019, and since then it has helped developers identify misconfigurations in IaC frameworks such as Terraform, CloudFormation, Kubernetes, Azure Resource Manager (ARM), and Serverless Framework.
“This release is the most significant update to Checkov since it launched early last year,” said Matt Johnson, developer advocate at Bridgecrew. “Dependency awareness means developers have even more context earlier in the development lifecycle, helping companies around the world better secure their cloud infrastructure.”