LinuxCommandLibrary

checkov

static analysis for infrastructure as code

TLDR

Scan a directory for IaC misconfigurations

$ checkov -d [path/to/directory]

Scan a specific file

$ checkov -f [path/to/file.tf]

Scan with a specific framework

$ checkov -d [path/to/directory] --framework [terraform|kubernetes|cloudformation]

Run only specific checks

$ checkov -d [path/to/directory] --check [CKV_AWS_1,CKV_AWS_2]

Skip specific checks

$ checkov -d [path/to/directory] --skip-check [CKV_AWS_1]

Output results in JSON format

$ checkov -d [path/to/directory] --output json

Scan a Terraform plan file

$ checkov -f [tfplan.json] --framework terraform_plan

SYNOPSIS

checkov [-d directory] [-f file] [--framework framework] [--check checks] [--skip-check checks] [--output format] [options...]

DESCRIPTION

Checkov is a static code analysis tool for infrastructure as code (IaC) that detects security and compliance misconfigurations. It supports Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, ARM templates, and other frameworks.
The tool includes over 750 built-in policies covering industry standards like CIS Benchmarks, PCI, and HIPAA. It uses graph-based scanning to analyze resource dependencies and detect complex configuration issues.
Checkov also performs software composition analysis (SCA) and secrets detection using regex, keywords, and entropy-based detection.
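The three secrets-detection signals named above, combined into one small scanner as an added example (not Checkov's own code): every quoted literal in a constructed Terraform snippet is checked against a known-format regex, a credential-keyword list and a Shannon-entropy threshold. The keyword list, signature set and thresholds are assumptions, not Checkov's.

```python
import math
import re

# Constructed Terraform snippet (not from any real project); the key values are
# the placeholder credentials from AWS's own documentation, not live secrets.
SAMPLE_TF = '''provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_db_instance" "db" {
  engine   = "postgres"
  password = "changeme"
}
'''

ASSIGNMENT = re.compile(r'^\s*(?P<attr>\w+)\s*=\s*"(?P<value>[^"]*)"')
# Attribute names that suggest a credential (assumed keyword list).
KEYWORDS = re.compile(r"secret|password|passwd|token|api_?key|access_key|private_key", re.I)
# Known credential formats (assumed signature set; AWS access key IDs start with AKIA).
SIGNATURES = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off
MIN_ENTROPY_LEN = 16     # short literals cannot reach a meaningful entropy


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def find_secrets(text: str) -> list:
    """Return (line_no, attribute, reasons) for each quoted literal that trips a
    signal: a known-format regex, a credential-like attribute name, or high entropy."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not (m := ASSIGNMENT.match(line)):
            continue
        attr, value = m.group("attr"), m.group("value")
        reasons = [f"regex:{n}" for n, pat in SIGNATURES.items() if pat.search(value)]
        if KEYWORDS.search(attr):
            reasons.append("keyword")
        if len(value) >= MIN_ENTROPY_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            reasons.append("entropy")
        if reasons:
            findings.append((line_no, attr, reasons))
    return findings
```

On the sample, the access key trips all three signals, the secret key trips keyword and entropy, and the weak database password is caught by the keyword signal alone, which is why the signals are combined rather than relying on entropy by itself.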

PARAMETERS

-d, --directory path

Directory to scan

-f, --file path

Specific file to scan

--framework framework

IaC framework: terraform, cloudformation, kubernetes, helm, dockerfile, etc.

--check ids

Run only specific checks by ID

--skip-check ids

Skip specific checks by ID

--output format

Output format: cli, json, junitxml, sarif

--compact

Show only failed checks

--list

List all available checks

CONFIGURATION

.checkov.yaml

Project-level configuration for default frameworks, skip rules, and output settings.

CAVEATS

Custom policies can be written in Python or YAML. For more accurate Terraform scanning, scan the plan output (terraform plan -out=tfplan && terraform show -json tfplan > tfplan.json) rather than only the source files: the plan contains the resolved values of variables and module inputs, which a scan of the raw source cannot see.

HISTORY

Checkov was originally developed by Bridgecrew.io and has since been acquired by Palo Alto Networks as part of their Prisma Cloud platform. It remains open source and actively maintained on GitHub.

SEE ALSO

terraform(1), kubectl(1), tfsec(1)
