LinuxCommandLibrary

checkov

Scan infrastructure-as-code for misconfigurations

TLDR

Scan a directory containing IaC (Terraform, CloudFormation, ARM, Ansible, Bicep, Dockerfile, etc.)

$ checkov --directory [path/to/directory]

Scan an IaC file, omitting code blocks in the output
$ checkov --compact --file [path/to/file]

List all checks for all IaC types
$ checkov --list

SYNOPSIS

checkov [OPTIONS] [PATH]

PARAMETERS

--directory, -d DIR
    Directory to scan (default: current directory).

--file, -f FILE
    Specific file(s) to scan (repeatable).

--repo-root PATH
    Path to repository root for accurate check IDs.

--framework FRAMEWORK
    Limit to framework(s): terraform,cloudformation,kubernetes,etc. (repeatable).

--check CK_ID
    Run only specific check ID(s) (repeatable).

--skip-check SK_ID
    Skip specific check ID(s) (repeatable).

--output, -o FORMAT
    Output format: cli,json,junitxml,csv,sarif,github_failed_only (default: cli). Note that -o selects the format; the report file is set with --output-file-path.

--output-file-path FILE
    Path for output report (default: stdout).

--soft-fail
    Warn on failures instead of exiting non-zero.

--config-file FILE
    Path to Checkov config YAML file.

--external-checks-dir DIR
    Directory for custom check plugins.

--external-checks-git URL
    Git URL for custom checks repository.

--download-external-modules
    Download Terraform external modules (default: true).

--baseline FILE
    Baseline report to suppress known failures.

--create-baseline FILE
    Generate baseline from current scan.

--parallel-threads INT
    Number of parallel threads (default: 8).

--docker-image
    Use Docker runner for checks.

--treat-all-policies-as-warnings
    Treat all passed checks as warnings.

DESCRIPTION

Checkov is an open-source static analysis tool for Infrastructure as Code (IaC) security and compliance. It scans configurations in Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Dockerfiles, and more against a library of thousands of built-in policies from CIS benchmarks, NIST, and custom rules.

Checkov parses IaC files, evaluates them policy-by-policy, and reports misconfigurations, secrets, and vulnerabilities. It supports CI/CD integration with GitHub Actions, GitLab, Jenkins, and others via formats like JSON, SARIF, JUnit XML, and CLI. Features include external module downloads, custom checks in YAML/Python, baselines to track regressions, and parallel scanning.
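A pipeline step normally consumes the JSON report rather than the CLI table. The script below is an added example, not code from the checkov project or from this page: it reads the file written by checkov -o json --output-file-path report.json, copes with the two shapes checkov emits (one object for a single framework, a list when several frameworks were scanned), drops check IDs a team has reviewed and accepted (the same job --skip-check or a baseline file does), and treats parsing errors as a gap, since a file checkov could not parse was never scanned. The sample report is constructed; the field names used (check_type, results.failed_checks, check_id, resource, file_path, parsing_errors) follow checkov's JSON format as an assumption and should be confirmed against the output of the installed version.

```python
"""CI gate over a checkov JSON report (added example, not checkov's own code)."""
import json
from typing import Any

# Constructed sample in the shape of a checkov JSON report. Two frameworks
# were scanned, so the top level is a list. Check IDs and resources are
# illustrative values, not results of a real scan.
SAMPLE_REPORT = json.dumps([
    {
        "check_type": "terraform",
        "results": {
            "passed_checks": [
                {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs",
                 "file_path": "/s3.tf"},
            ],
            "failed_checks": [
                {"check_id": "CKV_AWS_21", "check_name": "Ensure S3 bucket versioning is enabled",
                 "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf",
                 "file_line_range": [1, 12]},
                {"check_id": "CKV_AWS_145", "check_name": "Ensure S3 bucket is encrypted with KMS",
                 "resource": "aws_s3_bucket.logs", "file_path": "/s3.tf",
                 "file_line_range": [1, 12]},
            ],
            "skipped_checks": [],
            "parsing_errors": [],
        },
        "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0},
    },
    {
        "check_type": "dockerfile",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {"check_id": "CKV_DOCKER_2", "check_name": "Ensure that HEALTHCHECK instructions have been added",
                 "resource": "/Dockerfile.", "file_path": "/Dockerfile",
                 "file_line_range": [1, 8]},
            ],
            "skipped_checks": [],
            "parsing_errors": ["/broken/Dockerfile"],
        },
        "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 1},
    },
])


def load_reports(text: str) -> list[dict[str, Any]]:
    """checkov emits one object for a single framework and a list for several."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_findings(text: str, accepted: frozenset[str] = frozenset()) -> list[dict[str, str]]:
    """Flatten failed checks across frameworks, dropping locally accepted check IDs."""
    findings = []
    for report in load_reports(text):
        for check in report.get("results", {}).get("failed_checks", []):
            if check["check_id"] in accepted:
                continue
            findings.append({
                "framework": report.get("check_type", "unknown"),
                "check_id": check["check_id"],
                "resource": check.get("resource", ""),
                "file_path": check.get("file_path", ""),
            })
    return findings


def parsing_errors(text: str) -> list[str]:
    """Files checkov could not parse were never scanned; surface them as a gap."""
    return [p for r in load_reports(text)
            for p in r.get("results", {}).get("parsing_errors", [])]


def should_fail(text: str, accepted: frozenset[str] = frozenset(),
                fail_on_parse_errors: bool = True) -> bool:
    """Verdict: any unaccepted failed check, or (by default) any parse error, fails the job."""
    if failed_findings(text, accepted):
        return True
    return fail_on_parse_errors and bool(parsing_errors(text))


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_REPORT
    accepted = frozenset({"CKV_DOCKER_2"})  # hypothetical: IDs the team reviewed and accepted
    for f in failed_findings(text, accepted):
        print(f"{f['framework']}: {f['check_id']} on {f['resource']} ({f['file_path']})")
    for p in parsing_errors(text):
        print(f"parse error, not scanned: {p}")
    sys.exit(1 if should_fail(text, accepted) else 0)
```

Run it as python gate.py report.json after checkov -d . -o json --output-file-path report.json; with no argument it evaluates the embedded sample. Failing on parse errors is deliberate: a pipeline that only counts failed checks would turn green on a file checkov silently skipped.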

Ideal for DevSecOps, it enables shifting security left, preventing issues pre-deployment. Run locally or in pipelines to enforce best practices across cloud providers like AWS, Azure, GCP.

CAVEATS

Not a native Linux utility; install with pip install checkov (Python 3.7+ required). Some frameworks need additional dependencies. Large repositories can be resource-intensive to scan.

INSTALLATION

pip install checkov
Or Homebrew: brew install checkov/tap/checkov

BASIC EXAMPLE

checkov -d . --framework terraform
Scans the current directory for Terraform security issues only.
checkov -d my-infra/ -o sarif --output-file-path results.sarif
Scans my-infra/ and writes a SARIF report to results.sarif (-o selects the format; the file is set with --output-file-path).

SUPPORTED FRAMEWORKS

terraform, cloudformation, kubernetes, helm, arm, serverless, dockerfile, kustomize, cft, prisma, cloudrun, github_actions, circleci

HISTORY

Launched by Bridgecrew in 2019 as an open-source IaC scanner. Rapidly expanded to 15+ frameworks and 2,000+ policies. Bridgecrew acquired by Prisma Cloud (Palo Alto Networks) in 2021; actively maintained with frequent releases.

SEE ALSO

cfn-lint(1), yamllint(1), shellcheck(1), tfsec(1)
