← Back to Engineering Blog
πŸ—“οΈ Jul 22, 2024 ⏱️ 2 min read

Policy as Code: Blocking Non-Compliant Terraform PRs at the CI/CD Pipeline Gate

How embedding Checkov static security analysis in GitHub Actions PR pipelines prevented non-compliant cloud infrastructure from reaching production.

πŸŽ™οΈ Listen to Article READY
AI Audio Synthesis Narrator
Share Post:

β€œDiscovering an unencrypted S3 bucket or open RDP port in production costs $50,000 in incident response. Catching it in a GitHub Actions Pull Request costs $0.”

While building the Azure Landing Zone DevSecOps Factory at Kyndryl, developers frequently submitted Terraform PRs containing public storage accounts or missing customer-managed encryption keys.


Architecture: Shift-Left Security with Checkov Policy as Code

We integrated Checkov static policy analysis directly into our GitHub Actions CI/CD pipeline as a mandatory status check.

  • Static IaC Scanning: Every git push or Pull Request automatically runs Checkov against the proposed .tf plan files.
  • Hard Automated Blocks: If Checkov detects critical violations (e.g. CKV_AZURE_3 - Storage Account public access enabled), the PR build fails automatically and comments the exact line number on the GitHub PR.

[!NOTE] Define custom Checkov policies in YAML to enforce enterprise-specific naming conventions and mandatory tag requirements (Environment, CostCenter, Owner).

# # GitHub Actions Workflow Task: Checkov Static IaC Security Scan
- name: Run Checkov Static Security Scan
  uses: bridgecrewio/checkov-action@master
  with:
    framework: terraform
    output_format: cli
    soft_fail: false # Hard fail PR on critical security violations

The Verdict

Key Takeaway

Embed Checkov Static Security Scanning as a Mandatory CI/CD Pipeline Gate.

Shifting security left with Checkov Policy as Code blocks 100% of non-compliant Terraform configurations before cloud resources are ever provisioned.

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.