ChatGPT and Checkov: Fix IaC Security Issues Fast

Jun 27, 2023
5 minutes

Infrastructure as code (IaC) offers a robust method for managing cloud resources. Developers use IaC to describe their infrastructure in code format, which can then undergo versioning, testing and deployment like any software code.

While IaC provides significant automation advantages, it's still code. Like any software code, IaC can harbor security vulnerabilities or misconfigurations, potentially leading to downtime or data breaches — and making it crucial to use an IaC scanning tool capable of identifying security issues in your IaC code.

One such open-source IaC scanning tool, Checkov, has gained popularity due to its ability to scan IaC code written in Terraform, Kubernetes, CloudFormation and other popular IaC languages.

To take its scanning capabilities a step further, Checkov has incorporated ChatGPT to suggest code fixes for potential issues found in IaC code.

Efficient IaC Security with ChatGPT and Checkov

ChatGPT, a natural language processing (NLP) tool, understands natural language and provides responses or suggestions based on its advanced language model. In the Checkov context, ChatGPT aids in analyzing potential issues found in IaC code and offers suggestions on how to fix them.

For example, if Checkov detects an insecure configuration in your IaC code — such as a security group that allows traffic from any IP address — it can provide a suggested code fix using ChatGPT. The suggested fix might involve adding a more restrictive security group rule that limits traffic to a specific IP range.

Developers can save significant time by using ChatGPT’s suggested code fixes, as it reduces the need to manually review and resolve potential issues. As a bonus, the suggestions from ChatGPT can reinforce optimal coding practices and help developers avoid similar mistakes in the future.

Getting Started with Checkov and ChatGPT

To start, you need to obtain an API key from the OpenAI platform. Begin by creating an OpenAI account and retrieving your API key from your settings. Note that only a limited free tier is available for testing this feature. After exceeding that limit, the standard pay-for-what-you-use pricing model becomes applicable, which we have found inexpensive at the time of writing.

Once you obtain your API key, you can update or install Checkov and run a simple checkov -h to see the new command line option.

Figure 1: Checkov’s new command line option enables you to enter an API key from OpenAI.

Checkov retrieves AI-generated guidelines for a maximum of five findings by default, to manage costs. You can modify the default behavior by setting the environment variable CKV_OPENAI_MAX_FINDINGS to a specific number, or to 0 to see all findings.

Keep in mind that modifying the default behavior can extend this process duration, as it takes approximately 5 to 10 seconds to retrieve each finding.

Now let’s look at a few examples to see how suggested code fixes work in practice.

Using ChatGPT and Checkov for Kubernetes Security

In this example, we want to check a default Kubernetes deployment manifest that uses NGINX.

Start by running the following command in the terminal:

checkov --openai-api-key $OPENAI_KEY -d . --frameworks kubernetes

Figure 2: After running the command above, the CLI’s output provides information about the number of requested suggested code fixes powered by ChatGPT.

Of the five enhanced guidelines, one of the examples was for CKV_K8S_43:

Figure 3: Checkov surfaces a potential issue in the manifest.

In this example, Checkov surfaces the security issue by providing the relevant code block and links to Checkov documentation to help you remediate the issue. But with the new connection to ChatGPT, Checkov provides additional guidance, as seen in figure 4.

Figure 4: ChatGPT provides a suggested fix to remediate the security issue identified by Checkov.

The AI-generated output stands out because it explains that referencing images with sha256 is more secure — plus it delves into the mutability of alternatives, how to determine the sha256 digest and the application method and location.

Checking an S3 Bucket Generated by ChatGPT

Instead of just using ChatGPT to check code we already wrote, we wanted to test how well ChatGPT could write secure code. In this next example, we use Checkov to identify issues with Terraform code written by ChatGPT.

When we ran this experiment, ChatGPT did a decent job of generating Terraform for the requested “secure S3 bucket.” The AI-generated code passed seven checks, but it still failed five checks.


Let’s review one of the failed checks: CKV_AWS_145:

Figure 5: Checkov fails a check on the S3 bucket.

In addition to Checkov’s usual guidance, ChatGPT’s suggestions included a code fix to remediate a failed check on an S3 bucket, as seen in figure 6.

Figure 6: ChatGPT provides a suggested code fix to remediate a failed check on an S3 bucket.

ChatGPT correctly pointed out that, in addition to server-side encryption, KMS provided additional security features, such as key rotation and access control. ChatGPT then followed its advice by creating a version of the code that included the suggested fixes.

While these examples show that ChatGPT can help produce a secure version of your code, you need to consider that ChatGPT must consume your code to provide fix suggestions. To protect your intellectual property, take precautions when using this feature on proprietary code.

The Future of ChatGPT and IaC Security

Checkov's integration with ChatGPT offers a promising step toward making IaC development more efficient and secure. As IaC scanning tools begin to incorporate NLP and other AI technologies, we can expect further improvements in the speed and accuracy of identifying and fixing issues in IaC code.

Level up Your IaC Security

Interested in learning more about efficient, simplified IaC security? Download the DevSecGuide to IaC Security and discover how you can shift your cloud security left.

Subscribe to Cloud Native Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.