← Back to Engineering Blog
πŸ—“οΈ Mar 19, 2024⏱️ 4 min read

Shift-Left Cloud Security: Blocking Rogue Ingress with Checkov & Terraform CI/CD

How we eliminated unreviewed security group exposure in enterprise Azure landing zones by integrating Checkov static analysis and Infracost PR gates directly into GitHub Actions.

πŸŽ™οΈ Listen to ArticleREADY
AI Audio Synthesis Narrator
Share Post:

β€œThe cheapest place to fix a cloud security vulnerability is in the Pull Request β€” before a single resource is provisioned.”

The Setup

In my current role as Associate Director, I oversee cloud architecture strategy across multi-region Azure Landing Zones. Enterprise teams push dozens of Terraform HCL pull requests weekly to update networking, virtual machines, and database infrastructure.

Peer code reviews were our sole line of defense against misconfigurations. As deployment velocity accelerated, human code reviews began missing subtle configuration errors embedded inside complex HCL modules.

Developers were moving fast, refactoring virtual networks, security groups, and storage accounts across environments. We needed a mechanism to guarantee security policies without slowing down sprint velocity.


The Mess

The breaking point arrived during a late-night deployment cycle. A developer attempting to debug a staging virtual machine temporarily added a wide-open 0.0.0.0/0 SSH ingress rule to a Network Security Group (NSG).

The PR was approved by a peer who missed the 0.0.0.0/0 CIDR block buried in a 400-line Terraform file. The code was merged and applied:

  • Automated cloud security scanners flagged the open port 22 exposure 6 hours later.
  • The security team paged the on-call engineer at 2:00 AM to revoke the NSG rule.
  • The incident revealed a critical flaw: manual peer reviews cannot reliably catch compliance violations in high-velocity DevSecOps environments.
[ALERT] 2024-03-18 02:14:02 UTC - Azure Defender Security Alert
Resource: /subscriptions/.../resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-core
Severity: HIGH
Description: Network Security Group rule 'allow-ssh-all' allows unrestricted inbound access on port 22 from 0.0.0.0/0.

The realization hit during the post-mortem: manual peer review is not a security control. We needed an automated policy-as-code gate that executed deterministically on every pull request.


The Solution

I architected a pre-merge GitHub Actions DevSecOps pipeline combining Checkov static code analysis with Infracost financial guardrails. The pipeline inspects raw HCL code before terraform apply can run:

# .github/workflows/terraform-ci.yml - Checkov & Infracost PR Gate
name: 'Terraform DevSecFinOps Security Gate'

on:
  pull_request:
    branches: [main]

jobs:
  security-audit:
    name: 'Checkov & Infracost Static Analysis'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source Code
        uses: actions/checkout@v4

      - name: Setup Terraform CLI
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.7.0

      - name: Run Checkov Security Scanner
        uses: bridgecrewio/checkov-action@master
        with:
          framework: terraform
          output_format: cli
          soft_fail: false # Hard stop PR merge on policy failure
          check: CKV_AZURE_10,CKV_AZURE_11,CKV_AZURE_15,CKV_AZURE_183

When a developer attempts to commit an open SSH ingress rule, Checkov immediately fails the build directly inside the GitHub PR UI:

# main.tf - Triggers Checkov CKV_AZURE_10 Violation
resource "azurerm_network_security_rule" "bad_ssh" {
  name                        = "allow-ssh-all"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "*" # CHECKOV FAIL: CKV_AZURE_10 (0.0.0.0/0 Ingress Forbidden)
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.nsg.name
}

For legitimate enterprise exceptions (such as temporary maintenance gateways), developers must explicitly document rationale via inline Checkov skip annotations:

# main.tf - Legitimate Annotated Exception
# checkov:skip=CKV_AZURE_10: Ingress restricted at upstream ExpressRoute Palo Alto NGFW boundary
resource "azurerm_network_security_rule" "er_maintenance" {
  name                        = "allow-er-maintenance"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = "10.100.0.0/16"
  destination_address_prefix  = "*"
  resource_group_name         = azurerm_resource_group.rg.name
  network_security_group_name = azurerm_network_security_group.nsg.name
}

The Results

Integrating policy-as-code guardrails into our GitHub Actions workflow yielded immediate quantitative benefits:

  • Unreviewed Security Exposure: Reduced from 12 incidents/quarter to 0 prod violations.
  • Pre-Merge PR Scan Time: Completed in 14 seconds per pull request.
  • FinOps Cost Surprises: Blocked 4 accidental multi-terabyte disk provisions prior to terraform apply.

Key Takeaway

Do not rely on human memory for cloud security compliance. Enforce policy-as-code using Checkov and Infracost directly inside your PR pipeline to catch vulnerabilities before they reach production.


Architecture and decisions: mine. Debugging sessions at odd hours: mine. AI assistance: structure, syntax, first draft. β€” Sachin

SKS

Sachin Kumar Sharma

Associate Director (Infrastructure & Cloud Architecture Strategy) | 20+ Yrs Exp

Architecting resilient multi-cloud enterprise landing zones, SDN overlay fabrics, DevSecFinOps automation pipelines, and autonomous Agentic AI platforms.

πŸ“¬

πŸ“¬ Stay Updated on Tech Releases

Sign up to get notified when I publish new production war stories, agentic AI architecture blueprints, or open-source infrastructure tools.

⚑ Theme Adaptive Shift
Switching layouts matching domain reading affinity...