Connect to Bridgecrew CLI

Introduction

In addition to the automatic scans run periodically by Bridgecrew, you can run scans from a command line. This allows you to:

  • Skip particular checks on Terraform Definition Blocks you choose
  • Skip particular checks on all resources
  • Run only specific checks

Installation

## Standard installation
pip install bridgecrew

## Installation on Linux / Mac distros where `python` references python2
## (this is usually the case - run `python --version` to verify)
pip3 install bridgecrew

## Installation on Alpine
pip3 install --upgrade pip && pip3 install --upgrade setuptools
pip3 install bridgecrew

## Installation using homebrew (MacOS only)
brew tap bridgecrewio/bridgecrew https://github.com/bridgecrewio/bridgecrew
brew update
brew install bridgecrew

## Installation on Windows (ensure you add the cmd file to your path)
pip install bridgecrew
echo %PATH%
cd C:\Users\<my_username>\AppData\Local\Microsoft\WindowsApps
curl -o bridgecrew.cmd https://raw.githubusercontent.com/bridgecrewio/bridgecrew/master/bin/bridgecrew.cmd

Running Scans by CLI

After you get a Bridgecrew API Token, run Bridgecrew as follows:

- bridgecrew -d <directory> --bc-api-key <key> --repo-id <repo_id> --branch <branch>

Or by using the -f file flag:

- bridgecrew -f <file_1> <file_2> ... <file_n> --bc-api-key <key> --repo-id <repo_id> --branch <branch>

Arguments

  • <key> - Bridgecrew issued API key (for more details, see Get API Token)
  • <repo_id> - Identifying string of the scanned repository, following the standard Git repository naming scheme: <owner>/<name>
  • <branch> - Branch name to be persisted on platform, defaults to the master branch.

Note

The scanned directory (supplied with the -d flag) must be checked out from the given branch name.

Skip Check per Terraform Definition Block

To skip a check on a given Terraform definition block, add the following comment pattern in the scope of that file.

bridgecrew:skip=<check_id>:<suppression_comment>

  • <check_id> is one of the available check scanners (see AWS Policy Index).
  • <suppression_comment> is an optional suppression reason to be included in the output.

Example

The comment in the example below will cause the scan to skip the check BC_AWS_IAM_1 on foo-bucket.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"
}
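Suppressions written this way are easy to lose track of across a repository. The following added example (not part of the Bridgecrew CLI or this page) inventories every bridgecrew:skip comment in a Terraform file, records which resource block it sits in, and separates out suppressions that were added without a reason, which are the ones a reviewer should question. The sample Terraform is constructed; the resource-block tracking is a brace-depth approximation, not a full HCL parser.

```python
import re
from dataclasses import dataclass

# Constructed sample: two resources, one suppression with a reason and one without.
SAMPLE_TF = """
resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  #bridgecrew:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  acl           = "public-read"
}

resource "aws_s3_bucket" "logs" {
  # bridgecrew:skip=CKV_AWS_18
  bucket = "logs"
}
"""

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
# Matches "#bridgecrew:skip=<check_id>" with an optional ":<suppression_comment>".
SKIP_RE = re.compile(r'#\s*bridgecrew:skip=([A-Za-z0-9_]+)(?::(.*))?\s*$')

@dataclass
class Suppression:
    resource: str   # "<type>.<name>" of the enclosing resource block
    check_id: str
    reason: str     # empty when no suppression comment was written
    line: int

def find_suppressions(tf_source: str) -> list[Suppression]:
    """Walk the file line by line, tracking the enclosing resource by brace depth."""
    found, current, depth = [], None, 0
    for lineno, line in enumerate(tf_source.splitlines(), start=1):
        m = RESOURCE_RE.match(line)
        if m and depth == 0:
            current = f"{m.group(1)}.{m.group(2)}"
        s = SKIP_RE.search(line)
        if s and current is not None:
            found.append(Suppression(current, s.group(1), (s.group(2) or "").strip(), lineno))
        # Count braces on the code part of the line only (text after '#' is a comment).
        code = line.split("#", 1)[0]
        depth += code.count("{") - code.count("}")
        if depth == 0 and not m:
            current = None   # left the resource block
    return found

def unjustified(suppressions: list[Suppression]) -> list[Suppression]:
    """Suppressions with no recorded reason."""
    return [s for s in suppressions if not s.reason]
```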

Advanced parameters

| Parameter | Description | Required | Type |
|---|---|---|---|
| api-key | Environment variable name of the Bridgecrew API key from the Bridgecrew app | Yes | Secret parameter |
| directory | IaC root directory to scan | No | Input parameter |
| soft-fail | Runs checks without failing the build | No | Input parameter |
| check | Filter the scan to run only a specific check identifier; multiple checks can be listed, separated by commas | No | Input parameter |
| skip-check | Filter the scan to run all checks except a specific check identifier (blacklist); multiple checks can be listed, separated by commas | No | Input parameter |
| quiet | Display only failed checks | No | Input parameter |

Skip Check Globally

To globally skip one or more checks during a scan, pass the --skip-check flag on the command line. Use a comma delimiter to list multiple checks.

--skip-check SKIP_CHECK

Run Only Specific Checks

If you do not want to run the full set of Bridgecrew checks, you can indicate specific checks to run in the command line. Use a comma delimiter to list multiple checks.

-c CHECK, --check CHECK

Note

For a list of all check IDs, run:

bridgecrew --list
