add IaC scan examples to docs (bridgecrewio#2259)

* add IaC scan examples

* add cdk example

* add k8, cdk, sam, arm examples

* add kustomize to readme.md

* add kustomize to readme.md

Author: schosterbarak

README.md

@@ -15,7 +15,7 @@
 
 **Checkov** is a static code analysis tool for infrastructure-as-code.
 
-It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), Terraform plan, [Cloudformation](https://aws.amazon.com/cloudformation/), [AWS SAM](https://aws.amazon.com/serverless/sam/), [Kubernetes](https://kubernetes.io/), [Dockerfile](https://www.docker.com/),  [Serverless](https://www.serverless.com/) or [ARM Templates](https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview) and detects security and compliance misconfigurations using graph-based scanning.
+It scans cloud infrastructure provisioned using [Terraform](https://terraform.io/), [Terraform plan](docs/7.Scan%20Examples/Terraform%20Plan%20Scanning.md), [Cloudformation](docs/7.Scan%20Examples/Cloudformation.md), [AWS SAM](docs/7.Scan%20Examples/AWS%20SAM.md), [Kubernetes](docs/7.Scan%20Examples/Kubernetes.md), [Helm charts](docs/7.Scan%20Examples/Helm.md),[Kustomize](docs/7.Scan%20Examples/Kustomize.md), [Dockerfile](docs/7.Scan%20Examples/Dockerfile.md),  [Serverless](docs/7.Scan%20Examples/Serverless%20Framework.md) or [ARM Templates](docs/7.Scan%20Examples/Azure%20ARM%20templates.md) and detects security and compliance misconfigurations using graph-based scanning.
 
 Checkov also powers [**Bridgecrew**](https://bridgecrew.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=checkov), the developer-first platform that codifies and streamlines cloud security throughout the development lifecycle. Bridgecrew identifies, fixes, and prevents misconfigurations in cloud resources and infrastructure-as-code files. 
 

docs/7.Scan Examples/AWS SAM.md

@@ -0,0 +1,106 @@
+---
+layout: default
+published: true
+title: AWS SAM configuration scanning
+nav_order: 20
+---
+
+# AWS SAM framework configuration scanning
+Checkov supports the evaluation of policies on your SAM templates files.
+When using checkov to scan a directory that contains a SAM template it will validate if the file is compliant with AWS best practices such as having logging and auditing enabled, making sure S3 buckets are encrypted, HTTPS is being used, and more.  
+
+Full list of SAM policies checks can be found [here](https://www.checkov.io/5.Policy%20Index/serverless.html).
+The SAM scanning is utilizing checks that are part of the Cloudformation scanning implementation of checkov since SAM resource definition extends the Cloudformation definition.  
+
+### Example misconfigured SAM framework
+
+```yaml
+AWSTemplateFormatVersion: "2010-09-09"
+Transform: AWS::Serverless-2016-10-31
+​
+Resources:
+  Enabled:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: prod
+      TracingEnabled: true
+      CacheClusterEnabled: true
+      AccessLogSetting:
+        DestinationArn: 'arn:aws:logs:us-east-1:123456789:log-group:my-log-group'
+​
+  Default:
+    Type: AWS::Serverless::Api
+    Properties:
+      StageName: prod
+
+
+```
+### Running in CLI
+
+```bash
+checkov -d . --framework cloudformation
+```
+
+### Example output
+
+```bash
+
+      _               _              
+   ___| |__   ___  ___| | _______   __
+  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
+ | (__| | | |  __/ (__|   < (_) \ V / 
+  \___|_| |_|\___|\___|_|\_\___/ \_/  
+                                      
+By bridgecrew.io | version: 2.0.740 
+
+
+cloudformation scan results:
+
+Passed checks: 3, Failed checks: 3, Skipped checks: 0
+
+Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
+	PASSED for resource: AWS::Serverless::Api.Enabled
+	File: /sam.yaml:5-12
+
+Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
+	PASSED for resource: AWS::Serverless::Api.Enabled
+	File: /sam.yaml:5-12
+	Guide: https://docs.bridgecrew.io/docs/logging_15
+
+Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
+	PASSED for resource: AWS::Serverless::Api.Enabled
+	File: /sam.yaml:5-12
+	Guide: https://docs.bridgecrew.io/docs/logging_17
+
+Check: CKV_AWS_120: "Ensure API Gateway caching is enabled"
+	FAILED for resource: AWS::Serverless::Api.Default
+	File: /sam.yaml:14-17
+
+		14 |   Default:
+		15 |     Type: AWS::Serverless::Api
+		16 |     Properties:
+		17 |       StageName: prod
+
+
+Check: CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled"
+	FAILED for resource: AWS::Serverless::Api.Default
+	File: /sam.yaml:14-17
+	Guide: https://docs.bridgecrew.io/docs/logging_15
+
+		14 |   Default:
+		15 |     Type: AWS::Serverless::Api
+		16 |     Properties:
+		17 |       StageName: prod
+
+
+Check: CKV_AWS_76: "Ensure API Gateway has Access Logging enabled"
+	FAILED for resource: AWS::Serverless::Api.Default
+	File: /sam.yaml:14-17
+	Guide: https://docs.bridgecrew.io/docs/logging_17
+
+		14 |   Default:
+		15 |     Type: AWS::Serverless::Api
+		16 |     Properties:
+		17 |       StageName: prod
+
+```

docs/7.Scan Examples/Azure ARM templates.md

@@ -0,0 +1,226 @@
+---
+layout: default
+published: true
+title: Azure ARM templates configuration scanning
+nav_order: 20
+---
+
+# Azure ARM templates configuration scanning
+Checkov supports the evaluation of policies on your ARM templates files.
+When using checkov to scan a directory that contains a ARM templates template it will validate if the file is compliant with Azure best practices such as having logging and auditing enabled, Ensure that 'Public access level' is set to Private for blob containers	, Ensure no SQL Databases allow ingress from 0.0.0.0/0 (ANY IP), and more.  
+
+Full list of ARM templates policies checks can be found [here](https://www.checkov.io/5.Policy%20Index/arm.html).
+
+### Example misconfigured ARM templates
+
+```json
+{
+   "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+   "contentVersion": "1.0.0.0",
+   "parameters": {
+     "webAppName": {
+       "type": "string",
+       "defaultValue" : "AzureLinuxApp",
+       "metadata": {
+         "description": "Base name of the resource such as web app name and app service plan "
+       },
+       "minLength": 2
+     },
+     "sku":{
+       "type": "string",
+       "defaultValue" : "S1",
+       "metadata": {
+         "description": "The SKU of App Service Plan "
+       }
+     },
+     "linuxFxVersion" : {
+       "type": "string",
+       "defaultValue" : "php|7.0",
+       "metadata": {
+         "description": "The Runtime stack of current web app"
+       }
+     },
+     "location": {
+       "type": "string",
+       "defaultValue": "[resourceGroup().location]",
+       "metadata": {
+         "description": "Location for all resources."
+       }
+     }
+   },
+   "variables": {
+     "webAppPortalName": "[concat(parameters('webAppName'), '-webapp')]",
+     "appServicePlanName": "[concat('AppServicePlan-', parameters('webAppName'))]"
+   },
+   "resources": [
+     {
+       "type": "Microsoft.Web/serverfarms",
+       "apiVersion": "2018-02-01",
+       "name": "[variables('appServicePlanName')]",
+       "location": "[parameters('location')]",
+       "sku": {
+         "name": "[parameters('sku')]"
+       },
+       "kind": "linux",
+       "properties":{
+         "reserved":true
+       }
+     },
+     {
+       "type": "Microsoft.Web/sites",
+       "apiVersion": "2018-11-01",
+       "name": "[variables('webAppPortalName')]",
+       "location": "[parameters('location')]",
+       "kind": "app",
+       "dependsOn": [
+         "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+       ],
+       "properties": {
+         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+         "siteConfig": {
+           "linuxFxVersion": "[parameters('linuxFxVersion')]"
+         }
+       }
+     }
+   ]
+ }
+
+
+```
+### Running in CLI
+
+```bash
+checkov -d . --framework arm
+```
+
+### Example output
+
+```bash
+       _               _              
+   ___| |__   ___  ___| | _______   __
+  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
+ | (__| | | |  __/ (__|   < (_) \ V / 
+  \___|_| |_|\___|\___|_|\_\___/ \_/  
+                                      
+By bridgecrew.io | version: 2.0.723 
+
+arm scan results:
+
+Passed checks: 0, Failed checks: 5, Skipped checks: 0
+
+Check: CKV_AZURE_15: "Ensure web app is using the latest version of TLS encryption"
+	FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
+	File: /example.json:53-68
+	Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_6
+
+		53 |     {
+		54 |       "type": "Microsoft.Web/sites",
+		55 |       "apiVersion": "2018-11-01",
+		56 |       "name": "[variables('webAppPortalName')]",
+		57 |       "location": "[parameters('location')]",
+		58 |       "kind": "app",
+		59 |       "dependsOn": [
+		60 |         "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+		61 |       ],
+		62 |       "properties": {
+		63 |         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+		64 |         "siteConfig": {
+		65 |           "linuxFxVersion": "[parameters('linuxFxVersion')]"
+		66 |         }
+		67 |       }
+		68 |     }
+
+
+Check: CKV_AZURE_17: "Ensure the web app has 'Client Certificates (Incoming client certificates)' set"
+	FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
+	File: /example.json:53-68
+	Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_7
+
+		53 |     {
+		54 |       "type": "Microsoft.Web/sites",
+		55 |       "apiVersion": "2018-11-01",
+		56 |       "name": "[variables('webAppPortalName')]",
+		57 |       "location": "[parameters('location')]",
+		58 |       "kind": "app",
+		59 |       "dependsOn": [
+		60 |         "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+		61 |       ],
+		62 |       "properties": {
+		63 |         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+		64 |         "siteConfig": {
+		65 |           "linuxFxVersion": "[parameters('linuxFxVersion')]"
+		66 |         }
+		67 |       }
+		68 |     }
+
+
+Check: CKV_AZURE_14: "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service"
+	FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
+	File: /example.json:53-68
+	Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_5
+
+		53 |     {
+		54 |       "type": "Microsoft.Web/sites",
+		55 |       "apiVersion": "2018-11-01",
+		56 |       "name": "[variables('webAppPortalName')]",
+		57 |       "location": "[parameters('location')]",
+		58 |       "kind": "app",
+		59 |       "dependsOn": [
+		60 |         "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+		61 |       ],
+		62 |       "properties": {
+		63 |         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+		64 |         "siteConfig": {
+		65 |           "linuxFxVersion": "[parameters('linuxFxVersion')]"
+		66 |         }
+		67 |       }
+		68 |     }
+
+
+Check: CKV_AZURE_16: "Ensure that Register with Azure Active Directory is enabled on App Service"
+	FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
+	File: /example.json:53-68
+	Guide: https://docs.bridgecrew.io/docs/bc_azr_iam_1
+
+		53 |     {
+		54 |       "type": "Microsoft.Web/sites",
+		55 |       "apiVersion": "2018-11-01",
+		56 |       "name": "[variables('webAppPortalName')]",
+		57 |       "location": "[parameters('location')]",
+		58 |       "kind": "app",
+		59 |       "dependsOn": [
+		60 |         "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+		61 |       ],
+		62 |       "properties": {
+		63 |         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+		64 |         "siteConfig": {
+		65 |           "linuxFxVersion": "[parameters('linuxFxVersion')]"
+		66 |         }
+		67 |       }
+		68 |     }
+
+
+Check: CKV_AZURE_18: "Ensure that 'HTTP Version' is the latest if used to run the web app"
+	FAILED for resource: Microsoft.Web/sites.[concat(parameters('webAppName'), '-webapp')]
+	File: /example.json:53-68
+	Guide: https://docs.bridgecrew.io/docs/bc_azr_networking_8
+
+		53 |     {
+		54 |       "type": "Microsoft.Web/sites",
+		55 |       "apiVersion": "2018-11-01",
+		56 |       "name": "[variables('webAppPortalName')]",
+		57 |       "location": "[parameters('location')]",
+		58 |       "kind": "app",
+		59 |       "dependsOn": [
+		60 |         "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]"
+		61 |       ],
+		62 |       "properties": {
+		63 |         "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', variables('appServicePlanName'))]",
+		64 |         "siteConfig": {
+		65 |           "linuxFxVersion": "[parameters('linuxFxVersion')]"
+		66 |         }
+		67 |       }
+		68 |     }
+
+
+```