Bridgecrew CLI
Introduction
In addition to the automatic scans run periodically by Bridgecrew, you can run scans from a command line. This allows you to:
- Skip particular checks on Terraform Definition Blocks you choose
- Skip particular checks on all resources
- Run only specific checks
Installation
```sh
## Standard installation
pip install bridgecrew

## Installation on Linux / Mac distros where `python` references python2
## (this is usually the case - run `python --version` to verify)
pip3 install bridgecrew

## Installation on Alpine
pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install bridgecrew

## Installation on Windows (ensure you add the cmd file to your path)
pip install bridgecrew
echo %PATH%
cd C:\Users\<my_username>\AppData\Local\Microsoft\WindowsApps
curl -o bridgecrew.cmd https://raw.githubusercontent.com/bridgecrewio/bridgecrew/master/bin/bridgecrew.cmd
```
Running Scans by CLI
After you get a Bridgecrew API Token, run Bridgecrew as follows:
```sh
bridgecrew -d <directory> --bc-api-key <key> --repo-id <repo_id> --branch <branch>
```
Or by using the -f file flag:
```sh
bridgecrew -f <file_1> <file_2> ... <file_n> --bc-api-key <key> --repo-id <repo_id> --branch <branch>
```
Arguments
- <key>: Bridgecrew issued API key (for more details, see Get API Token)
- <repo_id>: Identifying string of the scanned repository, following the standard Git repository naming scheme: <owner>/<name>
- <branch>: Branch name to be persisted on platform, defaults to the master branch.
Note
The scanned directory (supplied with the -d flag) must be checked out from the given branch name.
Skip Check per Terraform Definition Block
To skip a check on a given Terraform definition block, add the following comment pattern in the scope of that block:
```
bridgecrew:skip=<check_id>:<suppression_comment>
```
- <check_id>: one of the available check scanners (see AWS Policy Index).
- <suppression_comment>: an optional suppression reason to be included in the output.
Example
The comment in the example below will cause the scan to skip the check BC_AWS_IAM_1 on foo-bucket.
```hcl
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
```
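As an added example (not part of the original page or of the Bridgecrew tool itself), the following Python script inventories `bridgecrew:skip` annotations in a Terraform file, pairs each with the resource block it sits in, and flags suppressions that carry no reason, which is what a reviewer wants to see before trusting a scan that has been told to ignore findings. The sample Terraform content is constructed for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample Terraform file (not from the original page)
SAMPLE_TF = """\
resource "aws_s3_bucket" "foo-bucket" {
  region = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket = local.bucket_name
  acl    = "public-read"
}

resource "aws_s3_bucket" "logs" {
  # bridgecrew:skip=CKV_AWS_18
  bucket = "logs"
}
"""
# resource "<type>" "<name>" {   and   #bridgecrew:skip=<check_id>[:<reason>]
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
SKIP_RE = re.compile(r'^\s*#\s*bridgecrew:skip=([A-Za-z0-9_]+)(?::(.*))?\s*$')

class Suppression(NamedTuple):
    resource_type: str
    resource_name: str
    check_id: str
    reason: Optional[str]  # None when the optional suppression comment is absent

def find_suppressions(hcl_text: str) -> List[Suppression]:
    """Collect every bridgecrew:skip annotation with its enclosing resource block.
    Scope is tracked by counting braces (braces inside strings are not handled)."""
    found: List[Suppression] = []
    current = None  # (type, name) of the enclosing resource block
    depth = 0
    for line in hcl_text.splitlines():
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            current = (m.group(1), m.group(2))
        s = SKIP_RE.match(line)
        if s and current is not None:
            reason = (s.group(2) or "").strip() or None
            found.append(Suppression(current[0], current[1], s.group(1), reason))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return found

def missing_reason(suppressions: List[Suppression]) -> List[Suppression]:
    """Suppressions with no documented reason; these deserve reviewer attention."""
    return [s for s in suppressions if s.reason is None]
```

Run it over a checked-out repository's `.tf` files to get a list of what the next scan will silently skip, and to spot suppressions nobody justified.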
Advanced parameters
Parameter | Description | Required | Type |
---|---|---|---|
api-key | Environment variable name of the Bridgecrew API key from the Bridgecrew app | Yes | Secret parameter |
directory | IaC root directory to scan | No | Input parameter |
soft-fail | Runs checks without failing the build | No | Input parameter |
check | Filter the scan to run only a specific check identifier. You can specify multiple checks separated by a comma delimiter | No | Input parameter |
skip-check | Filter the scan to run all checks except a specific check identifier (blacklist). You can specify multiple checks separated by a comma delimiter | No | Input parameter |
quiet | Display only failed checks | No | Input parameter |
Skip Check Globally
To globally skip a certain check or checks during a scan, pass the --skip-check flag on the command line. Use a comma delimiter to list multiple checks.
```
--skip-check SKIP_CHECK
```
Run Only Specific Checks
If you do not want to run the full set of Bridgecrew checks, you can indicate specific checks to run on the command line. Use a comma delimiter to list multiple checks.
```
-c CHECK, --check CHECK
```
Note
For a list of all check IDs, run:
```sh
bridgecrew --list
```