checkov
Scan infrastructure-as-code for misconfigurations
TLDR
Scan a directory containing IaC (Terraform, CloudFormation, ARM, Ansible, Bicep, Dockerfile, etc.)
Scan an IaC file, omitting code blocks in the output
List all checks for all IaC types
SYNOPSIS
checkov [OPTIONS] <PATH_OR_FILE>
Examples:
checkov --directory /path/to/iac/code
checkov -f my_terraform_file.tf --framework terraform
checkov -d . --skip-checks CKV_AWS_1,CKV_K8S_2 -o json
PARAMETERS
--directory (-d)
Path to a directory containing IaC files to scan.
--file (-f)
Path to a specific IaC file to scan.
--framework
Specify the IaC framework to scan (e.g., terraform, cloudformation, kubernetes, dockerfile). Can be specified multiple times.
--skip-checks (-s)
Comma-separated list of check IDs to skip (e.g., CKV_AWS_1,CKV_K8S_2).
--output (-o)
Output format for scan results (e.g., cli, json, junitxml, sarif, github_checks).
--external-checks-dir
Path to a directory containing custom external Checkov checks.
--repo-id
Identifier for the repository, often used with Bridgecrew platform integration.
--config-file
Path to a Checkov configuration file in YAML format.
--enable-secrets
Enable secrets scanning (experimental).
--enable-sast
Enable SAST scanning (experimental).
--help (-h)
Show the help message and exit.
DESCRIPTION
checkov is an open-source static analysis tool designed to scan Infrastructure-as-Code (IaC) files for security misconfigurations, compliance violations, and best practice adherence. It supports a wide range of IaC frameworks including Terraform, CloudFormation, Kubernetes, Azure Resource Manager (ARM), Serverless Framework, Helm charts, Dockerfile, and more. By integrating checkov into CI/CD pipelines, development teams can identify and remediate security risks early in the development lifecycle, preventing insecure configurations from reaching production environments. It provides out-of-the-box policies based on security best practices and compliance standards, and also allows users to define custom policies to enforce specific organizational requirements. The tool outputs scan results in various formats, making it adaptable for different reporting and automation needs.
CAVEATS
checkov is not a native Linux command and must be installed separately (e.g., via pip, brew, or Docker). It performs static analysis, meaning it analyzes code at rest and does not detect runtime vulnerabilities or configuration drift. Its effectiveness relies on the comprehensiveness of its built-in policies and the accuracy of custom policies. False positives or negatives can occur, requiring fine-tuning of checks or exclusions.
INSTALLATION
checkov can be installed via pip (Python package manager): pip install checkov. Alternatively, it is available via Homebrew on macOS (brew install checkov) or as a Docker image (docker pull bridgecrew/checkov) for easy portability and environment isolation.
CUSTOM POLICIES
Users can extend checkov's capabilities by writing custom checks using Python. These checks are typically placed in a designated directory and referenced using the --external-checks-dir option, allowing organizations to enforce unique security or compliance requirements not covered by built-in policies.
CI/CD INTEGRATION
Due to its command-line interface and various output formats, checkov is ideally suited for integration into CI/CD pipelines (e.g., GitHub Actions, GitLab CI/CD, Jenkins, Azure DevOps). This ensures that IaC code is scanned automatically as part of the development workflow, failing builds if critical misconfigurations are detected.
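The build-failing step described above is usually a small script that consumes checkov's JSON output. The following is an added example, not checkov's own code: it assumes the JSON report layout (a dict whose results.failed_checks entries carry check_id, resource and file_path, or a list of such dicts when several frameworks are scanned), and the blocking policy and sample report are constructed for illustration.

```python
"""CI gate over a checkov JSON report (checkov -d . -o json > report.json).
Added example, not checkov's own code. Assumed layout: a dict with
results.failed_checks, or a list of such dicts when several frameworks were
scanned; confirm field names against your checkov version."""
import json
import sys

# Constructed policy: any of these failing blocks the build on its own.
# The IDs are the ones quoted in the page's --skip-checks example.
BLOCKING_CHECKS = {"CKV_AWS_1", "CKV_K8S_2"}

def load_reports(raw):
    """Normalise to a list: one framework -> dict, several -> list of dicts."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]

def failed_checks(raw):
    """Flatten failed checks across frameworks into (check_id, resource, file)."""
    return [(c["check_id"], c["resource"], c["file_path"])
            for report in load_reports(raw)
            for c in report.get("results", {}).get("failed_checks", [])]

def gate(raw, blocking=BLOCKING_CHECKS, max_failures=0):
    """Return (exit_code, reasons): 1 if a blocking check failed or the total
    failure count exceeds max_failures (a triage budget for legacy code)."""
    fails = failed_checks(raw)
    reasons = [f"blocking {cid} failed on {res} ({path})"
               for cid, res, path in fails if cid in blocking]
    if len(fails) > max_failures:
        reasons.append(f"{len(fails)} failed checks exceed budget of {max_failures}")
    return (1 if reasons else 0), reasons

# Constructed two-framework report in the list form; not real scan output.
SAMPLE_REPORT = json.dumps([
    {"check_type": "terraform", "results": {"failed_checks": [
        {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.data",
         "file_path": "/main.tf"}], "passed_checks": [], "skipped_checks": []}},
    {"check_type": "kubernetes", "results": {"failed_checks": [
        {"check_id": "CKV_K8S_2", "resource": "Pod.default.web",
         "file_path": "/deploy/pod.yaml"}], "passed_checks": [], "skipped_checks": []}},
])

if __name__ == "__main__":
    # Read a real report from stdin, or fall back to the constructed sample.
    raw = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    code, reasons = gate(raw)
    print("\n".join(reasons) or "checkov gate: no failed checks")
    sys.exit(code)
```

In a pipeline, pipe the report in (checkov -d . -o json | python gate.py) and let the non-zero exit code fail the job; raise max_failures temporarily when onboarding a repository with many pre-existing findings.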
HISTORY
checkov was originally developed by Bridgecrew, an IaC security company. Bridgecrew was acquired by Palo Alto Networks in 2021, integrating checkov into their Prisma Cloud platform. Despite the acquisition, checkov remains an active and widely adopted open-source project, continuously maintained by the community and Palo Alto Networks.
SEE ALSO
terrascan(1): Another open-source static code analyzer for IaC.
tfsec(1): Security scanner specifically for Terraform code.
kube-linter(1): Static analysis tool for Kubernetes configurations.
yamllint(1): A linter for YAML files.
ansible-lint(1): A linter for Ansible playbooks and roles.