Bridgecrew Terraform: Pricing, Use Cases, Best Practices & Alternatives

Bridgecrew scans Terraform code for security issues before deployment. The free tier covers 50 resources and paid plans start at $99/month; the underlying Checkov scanner is open source and free.

Bridgecrew helps teams catch infrastructure misconfigurations early in the development process. Since Palo Alto Networks acquired it in 2021, the platform has become part of Prisma Cloud while maintaining its developer-friendly approach through the open-source Checkov scanner.

What Bridgecrew Does for Terraform

Bridgecrew provides static analysis for Terraform configurations, scanning for security vulnerabilities, compliance violations, and best practice deviations. The platform works through two main components:

  1. Checkov - The open-source CLI scanner that runs locally or in CI/CD pipelines
  2. Bridgecrew Platform - The SaaS dashboard for policy management, reporting, and team collaboration

Here's what it catches:

  • Publicly exposed resources (S3 buckets, databases)
  • Missing encryption configurations
  • Overly permissive IAM policies
  • Non-compliant resource configurations (CIS, NIST, HIPAA, PCI)
  • Network security group misconfigurations

Current Pricing Structure

Plan | Monthly Cost | Resources | Key Features
Community | Free | 50 | All IaC frameworks; CI/CD integrations; unlimited users; basic policies
Standard | $99 | 150 | Custom policies; compliance reports; enhanced dashboards; direct support
Premium | $999+ | Custom | Roles & teams; priority support; private hosting; volume discounts

Additional resources on Standard plan cost $49/month per 10-resource block. The open-source Checkov tool remains completely free without limitations.

Installation and Basic Usage

Installing Checkov

# Install via pip
pip install checkov

# Or using Homebrew on macOS
brew install checkov

# Or run with Docker
docker run --rm -v $(pwd):/tf bridgecrew/checkov -d /tf

Basic Terraform Scan

# Scan current directory
checkov -d .

# Scan specific file
checkov -f main.tf

# Output results as JSON
checkov -d . -o json

# Run specific check
checkov -d . --check CKV_AWS_20

Example Vulnerable Terraform Code

# This S3 bucket has multiple security issues
resource "aws_s3_bucket" "vulnerable" {
  bucket = "my-public-bucket"
  acl    = "public-read"  # Issue: Public access
  
  # Issue: No encryption
  # Issue: No versioning
  # Issue: No logging
}

resource "aws_security_group" "wide_open" {
  name = "allow_all"
  
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]  # Issue: Open to world
  }
}

Fixed Version with Checkov Suppressions

resource "aws_s3_bucket" "secure" {
  bucket = "my-private-bucket"
}

resource "aws_s3_bucket_acl" "secure" {
  bucket = aws_s3_bucket.secure.id
  acl    = "private"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
  bucket = aws_s3_bucket.secure.id
  
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Suppression example when public access is intended
resource "aws_s3_bucket" "static_website" {
  #checkov:skip=CKV_AWS_20:Public website bucket
  bucket = "my-website-files"
  acl    = "public-read"
}

CI/CD Integration Best Practices

GitHub Actions Example

name: Terraform Security Scan

on: [pull_request]

jobs:
  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Run Checkov
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: .
          framework: terraform
          output_format: sarif
          output_file_path: results.sarif
          
      - name: Upload SARIF results
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif

GitLab CI Example

checkov:
  stage: test
  image:
    name: bridgecrew/checkov:latest
    entrypoint: [""]
  script:
    - checkov -d . -o junitxml --output-file-path checkov.test.xml
  artifacts:
    reports:
      junit: checkov.test.xml
    paths:
      - checkov.test.xml

Pre-commit Hook Configuration

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/bridgecrewio/checkov.git
    rev: 2.5.0
    hooks:
      - id: checkov
        args: ['--framework', 'terraform', '--compact']

Implementation Best Practices

1. Phased Rollout

Start in soft-fail mode so findings are reported without breaking builds, which gives you a baseline:

# Don't fail builds initially
checkov -d . --soft-fail

Then tighten gradually, first by restricting the run to a short list of must-pass checks, then by severity (severity-based gating with --hard-fail-on requires a platform API key, because Checkov pulls severities from the platform):

# Run only the enforced checks and hard-fail on HIGH severity or above
checkov -d . --check CKV_AWS_20,CKV_AWS_21 --hard-fail-on HIGH

2. Custom Policies

Create organization-specific policies in Python and load them at scan time with --external-checks-dir pointing at the directory that holds them:

# my_custom_check.py
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories


class S3BucketNaming(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 buckets follow naming convention"
        id = "CKV_CUSTOM_1"
        supported_resources = ['aws_s3_bucket']
        categories = [CheckCategories.CONVENTION]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    # Checkov calls this with the parsed resource block; each attribute value is a list.
    def scan_resource_conf(self, conf):
        bucket_name = conf.get("bucket", [""])[0]
        # Unresolved variable references are not plain strings; treat them as a failure
        # rather than crashing the scan.
        if isinstance(bucket_name, str) and bucket_name.startswith("company-"):
            return CheckResult.PASSED
        return CheckResult.FAILED


# Checkov discovers the policy through this module-level instance
check = S3BucketNaming()

3. Handle False Positives

Use inline suppressions with justification:

# Format: #checkov:skip=<check ID>:<justification>; the justification is recorded in the report
resource "aws_db_instance" "main" {
  #checkov:skip=CKV_AWS_16:Dev environment doesn't need encryption at rest
  #checkov:skip=CKV_AWS_17:Dev database holds synthetic test data only

  identifier     = "dev-database"
  engine         = "postgres"
  instance_class = "db.t3.micro"
}
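The phased rollout and the suppression rule above can be enforced together from Checkov's JSON report. The gate below is an added example, not Checkov's or Bridgecrew's own code: it reads the output of checkov -d . -o json, blocks the build only when one of the enforced check IDs fails, and flags any skipped check whose suppression carries no justification. It assumes the report fields (check_id, resource, file_path, suppress_comment) match Checkov's JSON layout; SAMPLE_REPORT is constructed for the example.

```python
import json

# Check IDs that must never fail, even during a phased rollout (the page's own example IDs).
ENFORCED = {"CKV_AWS_20", "CKV_AWS_21"}

# Constructed sample of a `checkov -d . -o json` report, trimmed to the fields the gate reads.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "failed_checks": [
            {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.vulnerable", "file_path": "/main.tf"},
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.vulnerable", "file_path": "/main.tf"},
        ],
        "skipped_checks": [
            {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.static_website",
             "file_path": "/main.tf", "suppress_comment": "Public website bucket"},
            {"check_id": "CKV_AWS_17", "resource": "aws_db_instance.main",
             "file_path": "/db.tf", "suppress_comment": ""},
        ],
    },
})


def evaluate(raw, enforced=ENFORCED):
    """Return (blocking, warnings): failures of enforced checks block the build;
    other failures and suppressions without a justification are warnings."""
    data = json.loads(raw)
    # A multi-framework run emits a list of per-framework reports; a single run emits one object.
    reports = data if isinstance(data, list) else [data]
    blocking, warnings = [], []
    for rep in reports:
        res = rep.get("results", {})
        for c in res.get("failed_checks", []):
            entry = f"FAILED {c['check_id']} {c['resource']} ({c['file_path']})"
            (blocking if c["check_id"] in enforced else warnings).append(entry)
        for c in res.get("skipped_checks", []):
            if not (c.get("suppress_comment") or "").strip():
                warnings.append(f"SKIPPED without justification {c['check_id']} "
                                f"{c['resource']} ({c['file_path']})")
    return blocking, warnings


def gate(raw, enforced=ENFORCED):
    """Print findings and return the exit code for the CI step: 1 blocks the merge, 0 passes."""
    blocking, warnings = evaluate(raw, enforced)
    for line in warnings:
        print("WARN ", line)
    for line in blocking:
        print("BLOCK", line)
    return 1 if blocking else 0
```

In a pipeline, pipe the report into gate(sys.stdin.read()) and exit with its return value; widening ENFORCED over time is the "enforce gradually" step.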

Alternative Tools Comparison

Tool | Type | Pricing | Strengths | Limitations
Checkov | Open Source | Free | 1000+ policies; multi-framework; graph analysis | No central dashboard; limited reporting
Terrascan | Open Source | Free | 500+ policies; API server mode; drift detection | Complex Rego language; less coverage
tfsec | Deprecated | N/A | Was fastest; simple setup | No longer maintained; migrate to Trivy
Sentinel | Commercial | Enterprise | Native HCP integration; external data access | HashiCorp only; proprietary language
Snyk IaC | Commercial | $25/dev/mo | Unified platform; developer friendly | Limited reporting; UI constraints
Prisma Cloud | Commercial | Custom | Full CNAPP; 3000+ policies | Complex for small

Key Takeaways

  1. Start with Checkov - It's free and covers most use cases
  2. Implement gradually - Use soft-fail mode initially
  3. Scan early and often - Pre-commit hooks catch issues fastest
  4. Customize for your org - Write policies for internal standards
  5. Consider paid tiers - When you need centralized reporting and team management

For teams just starting, Checkov provides immediate value. As organizations mature, the Bridgecrew platform adds collaboration features and compliance reporting that justify the paid tiers.

For more reading, a comprehensive guide can be found here: IaC Security Tools for Terraform and OpenTofu.