Feat/checkov terraform policy#26
Open
RachanaB5 wants to merge 3 commits into c2siorg:main from
- Add modular aws-honeypot (VPC, Cowrie on 2222, SSM, optional flow logs)
- Add per-region env tfvars, deploy/validate scripts, backend example
- Document open work in docs/ISSUES.md (c2siorg#4 remote state, c2siorg#5 multi-cloud, etc.)
- CI workflow for terraform fmt and validate

Closes contributor-tracked items 1-3 in docs/ISSUES.md

Made-with: Cursor
Keeps issue tracking on GitHub only; README no longer references docs/.

Made-with: Cursor
- Add .checkov.yaml; run Checkov in GitHub Actions before terraform fmt/validate
- Harden module: IMDS/detailed monitoring/EBS opt, scoped flow log IAM policy, locked default SG, egress/ingress descriptions, safer admin_ssh_cidr default
- Document skips for honeypot-specific rules; update validate.sh and README

Made-with: Cursor
Overview
This PR introduces policy-as-code enforcement using Checkov into the Terraform workflow, ensuring that infrastructure changes are continuously validated against security best practices in CI.
In addition to integration, this PR remediates existing misconfigurations and establishes safer defaults, while preserving flexibility for honeypot-specific requirements.
Closes #25
Goals
Key Changes
1. Checkov Integration (CI + Local)
- `.checkov.yaml`: targets the `terraform/` directory; `soft-fail: false` ensures CI fails on policy violations.
- `.github/workflows/terraform.yml`: runs `checkov --config .checkov.yaml`, then `terraform fmt`, `terraform init` and `terraform validate`.
2. Developer Experience (Local Validation)
- `scripts/validate.sh`: updated to run the same checks, which allows contributors to replicate CI checks locally.
3. Documentation Improvements
- `README.md`: documents the `# checkov:skip=...` annotations used for honeypot-specific exceptions.
Security and Infrastructure Improvements
Secure Defaults
- `admin_ssh_cidr` set to `127.0.0.1/32` by default, which prevents unintended public SSH exposure.
EC2 Hardening
- `monitoring = true` and `ebs_optimized = true`, which improve the observability and performance baseline.
VPC and Networking
- `aws_default_security_group` is now managed and locked down.
Controlled Exceptions (Honeypot Context)
Some Checkov rules are intentionally skipped due to honeypot design:
All skips are:
IAM Policy Hardening (Flow Logs)
- The `"Resource": "*"` wildcard and the `CreateLogGroup` permission are scoped down, following the principle of least privilege.
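To illustrate the flow-log IAM scoping described above, here is an added example (not code from this PR or the repository's module) showing the wildcard policy document beside a version scoped to a dedicated log group. The resource names, the log group name and the `aws_iam_role.flow_logs` role are assumptions.

```hcl
# Added example, not the repository's own module code.
# Before: "Resource": "*" lets the flow-log role create and write to ANY log
# group in the account; Checkov reports this as an over-permissive IAM policy.
data "aws_iam_policy_document" "flow_logs_wildcard" {
  statement {
    actions   = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["*"]
  }
}

# After: a dedicated log group (name assumed) and every statement scoped to it.
resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/aws/vpc/honeypot-flow-logs" # assumed name
  retention_in_days = 30
}

data "aws_iam_policy_document" "flow_logs_scoped" {
  # CreateLogGroup supports resource-level permissions on the log-group ARN.
  statement {
    sid       = "CreateLogGroup"
    actions   = ["logs:CreateLogGroup"]
    resources = [aws_cloudwatch_log_group.flow_logs.arn]
  }
  # Stream-level actions are limited to streams inside that group (":*" suffix).
  statement {
    sid       = "WriteStreams"
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams"]
    resources = ["${aws_cloudwatch_log_group.flow_logs.arn}:*"]
  }
  # DescribeLogGroups does not support resource-level scoping, so this
  # read-only action is the one deliberate "*" that remains.
  statement {
    sid       = "DescribeGroups"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  name   = "honeypot-flow-logs"      # assumed name
  role   = aws_iam_role.flow_logs.id # role assumed to exist in the module
  policy = data.aws_iam_policy_document.flow_logs_scoped.json
}
```

Running `checkov -d terraform/` against the scoped variant no longer reports a wildcard on the write actions; the remaining `*` is confined to a read-only Describe call, which is the kind of narrow exception worth a documented `checkov:skip` rather than a blanket one.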
CloudWatch Logging
These are identified as potential future improvements
Impact
Before
After
How to Test