Bridgecrew CLI

Introduction

In addition to the automatic scans run periodically by Bridgecrew, you can run scans from a command line. This allows you to:

  • Skip particular checks on Terraform Definition Blocks you choose
  • Skip particular checks on all resources
  • Run only specific checks

Installation

## Standard installation
pip install bridgecrew

## Installation on Linux / Mac distros where `python` references python2
## (this is usually the case - run `python --version` to verify)
pip3 install bridgecrew

## Installation on Alpine
pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install bridgecrew


## Installation on Windows (ensure you add the cmd file to your path)
pip install bridgecrew
echo %PATH%
cd C:\Users\<my_username>\AppData\Local\Microsoft\WindowsApps
curl -o bridgecrew.cmd https://raw.githubusercontent.com/bridgecrewio/bridgecrew/master/bin/bridgecrew.cmd

Running Scans by CLI

After you get a Bridgecrew API Token, run Bridgecrew as follows:

bridgecrew -d <directory> --bc-api-key <key> --repo-id <repo_id> --branch <branch>

Or by using the -f file flag:

bridgecrew -f <file_1> <file_2> ... <file_n> --bc-api-key <key> --repo-id <repo_id> --branch <branch>

Arguments

  • <key> - Bridgecrew-issued API key (for more details, see Get API Token)
  • <repo_id> - Identifying string of the scanned repository, following the standard Git repository naming scheme: <owner>/<name>
  • <branch> - Branch name to be persisted on the platform; defaults to the master branch.

Note

The scanned directory (supplied with the -d flag) must be checked out from the given branch name.

Skip Check per Terraform Definition Block

To skip a check on a given Terraform definition block, add a comment with the following pattern inside that block in the scanned file.

bridgecrew:skip=<check_id>:<suppression_comment>

  • <check_id> is the ID of one of the available checks (see AWS Policy Index).
  • <suppression_comment> is an optional suppression reason to be included in the output.

Example

The comment in the example below will cause the scan to skip the check BC_AWS_IAM_1 on foo-bucket.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
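Because every skip comment removes a finding from the scan output, it is worth auditing where they appear and whether a reason was given. The script below is an added example, not part of the Bridgecrew docs or tool: it parses the documented bridgecrew:skip pattern out of a Terraform file, attributes each suppression to its enclosing resource block, and lists the ones with no suppression comment. The sample HCL and the check ID CKV_EXAMPLE_1 are constructed for illustration; the parser assumes `#` line comments and does not handle `#` inside string values.

```python
import re
from typing import Dict, List, Optional

# Suppression pattern from the docs: bridgecrew:skip=<check_id>[:<suppression_comment>]
SKIP_RE = re.compile(r"#\s*bridgecrew:skip=(?P<check_id>[A-Z0-9_]+)(?::(?P<reason>.*))?\s*$")
# Opening line of a Terraform resource block: resource "<type>" "<name>" {
RESOURCE_RE = re.compile(r'^\s*resource\s+"(?P<type>[^"]+)"\s+"(?P<name>[^"]+)"\s*\{')

# Constructed sample: the page's example plus a second bucket whose skip has no reason.
# CKV_EXAMPLE_1 is a placeholder check ID, not a real Bridgecrew/checkov check.
SAMPLE_TF = '''
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
  # bridgecrew:skip=CKV_EXAMPLE_1
  acl    = "private"
}
'''

def find_suppressions(hcl: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per bridgecrew:skip comment, with the enclosing resource (if any)."""
    results = []
    current = None  # "<type>.<name>" of the resource block we are inside, or None at top level
    depth = 0       # brace nesting depth, counted on the non-comment part of each line
    for lineno, line in enumerate(hcl.splitlines(), start=1):
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            current = f"{m['type']}.{m['name']}"
        s = SKIP_RE.search(line)
        if s:
            reason = (s["reason"] or "").strip()
            results.append({"line": lineno, "resource": current,
                            "check_id": s["check_id"], "reason": reason or None})
        code = line.split("#", 1)[0]  # ignore braces that appear inside the comment text
        depth += code.count("{") - code.count("}")
        if depth == 0 and "}" in code:
            current = None  # left the block
    return results

def unjustified(suppressions: List[Dict[str, Optional[object]]]) -> List[Dict[str, Optional[object]]]:
    """Suppressions that omit the optional <suppression_comment>, i.e. skips with no recorded reason."""
    return [s for s in suppressions if not s["reason"]]

if __name__ == "__main__":
    for s in unjustified(find_suppressions(SAMPLE_TF)):
        print(f"line {s['line']}: {s['resource']} skips {s['check_id']} without a reason")
```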

Advanced parameters

Parameter  | Description                                                                                                             | Required | Type
api-key    | Environment variable name of the Bridgecrew API key from the Bridgecrew app                                              | Yes      | Secret parameter
directory  | IaC root directory to scan                                                                                              | No       | Input parameter
soft-fail  | Runs checks without failing the build                                                                                   | No       | Input parameter
check      | Filter the scan to run only a specific check identifier. You can specify multiple checks separated by a comma delimiter | No       | Input parameter
skip-check | Filter the scan to run all checks but a specific check identifier (blacklist). You can specify multiple checks separated by a comma delimiter | No | Input parameter
quiet      | Display only failed checks                                                                                              | No       | Input parameter

Skip Check Globally

To globally skip a certain check or checks during a scan, include the --skip-check flag in the command line (SKIP_CHECK below is the check ID list). Use a comma delimiter to list multiple checks.

--skip-check SKIP_CHECK

Run Only Specific Checks

If you do not want to run the full set of Bridgecrew checks, you can indicate specific checks to run in the command line. Use a comma delimiter to list multiple checks.

-c CHECK, --check CHECK

Note

For a list of all check IDs, run:

bridgecrew --list