checkov

Scan a directory for IaC misconfigurations

$ checkov -d [path/to/directory]

$ checkov -f [path/to/file.tf]

$ checkov -d [path/to/directory] --framework [terraform|kubernetes|cloudformation]

$ checkov -d [path/to/directory] --check [CKV_AWS_1,CKV_AWS_2]

$ checkov -d [path/to/directory] --skip-check [CKV_AWS_1]

$ checkov -d [path/to/directory] --output json

$ checkov -f [tfplan.json] --framework terraform_plan

checkov [-d directory] [-f file] [--framework framework] [--check checks] [--skip-check checks] [--output format] [options...]

Checkov is a static code analysis tool for infrastructure as code (IaC) that detects security and compliance misconfigurations. It supports Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, ARM templates, and other frameworks.
The tool includes over 750 built-in policies covering industry standards like CIS Benchmarks, PCI, and HIPAA. It uses graph-based scanning to analyze resource dependencies and detect complex configuration issues.
Checkov also performs software composition analysis (SCA) and secrets detection using regex, keywords, and entropy-based detection.

-d, --directory path

Directory to scan

Specific file to scan

IaC framework: terraform, cloudformation, kubernetes, helm, dockerfile, etc.

Run only specific checks by ID

Skip specific checks by ID

Output format: cli, json, junitxml, sarif

Show only failed checks

List all available checks

.checkov.yaml

Project-level configuration for default frameworks, skip rules, and output settings.

Custom policies can be written in Python or YAML. For accurate Terraform scanning, consider scanning the plan output (terraform plan -out=tfplan && terraform show -json tfplan > tfplan.json) rather than just the source files.

Checkov was originally developed by Bridgecrew.io and has since been acquired by Palo Alto Networks as part of their Prisma Cloud platform. It remains open source and actively maintained on GitHub.

terraform(1), kubectl(1), tfsec(1)