Checkov

Static analysis for infrastructure as code. Scan Terraform, CloudFormation, Kubernetes, and Dockerfiles for misconfigurations.

45 commands

Browse by Topic

Getting Started

Quick setup and installation

3commands

Scanning

Scan IaC

13commands

Checks

Manage checks

10commands

Output

Reports & format

11commands

Custom Policies

Custom checks

8commands

Install Checkov

$ pip install checkov

Install Checkov infrastructure-as-code scanner using pip

Check Checkov version

$ checkov --version

Verify Checkov is installed and display the current version

Scan current directory

$ checkov -d .

Run Checkov to scan all supported IaC files in the current directory

Scan directory

$ checkov -d .

Scan current directory.

Scan specific file

$ checkov -f main.tf

Scan specific file.

Scan Terraform

$ checkov -d . --framework terraform

Scan Terraform files only.

Scan Kubernetes

$ checkov -d ./k8s --framework kubernetes

Scan Kubernetes manifests.

Scan Dockerfile

$ checkov --dockerfile-path ./Dockerfile

Scan Dockerfile.

Scan Helm chart

$ checkov -d ./charts --framework helm

Scan Helm charts.

Scan CloudFormation

$ checkov -d . --framework cloudformation

Scan CloudFormation templates.

Scan ARM templates

$ checkov -d . --framework arm

Scan Azure ARM templates.

Scan GitHub Actions

$ checkov -d .github/workflows --framework github_actions

Scan GitHub Actions workflows.

Scan multiple frameworks

$ checkov -d . --framework terraform,kubernetes,dockerfile

Scan with multiple frameworks.

Scan with repo ID

$ checkov -d . --repo-id myorg/myrepo

Tag results with repository ID.

Scan from Docker

$ docker run --tty --volume $(pwd):/tf bridgecrew/checkov -d /tf

Run Checkov scan via Docker.

Scan Serverless framework

$ checkov -d . --framework serverless

Scan Serverless Framework config.

List checks

$ checkov --list

List all available checks.

Skip specific check

$ checkov -d . --skip-check CKV_AWS_1

Skip a specific check.

Run specific checks

$ checkov -d . --check CKV_AWS_1,CKV_AWS_2

Run only specific checks.

Skip via comment

$ # checkov:skip=CKV_AWS_1:Reason for skipping

Skip check via inline comment.

Filter by severity

$ checkov -d . --check MEDIUM --check HIGH --check CRITICAL

Run checks at specific severity levels.

Check by framework prefix

$ checkov -d . --check CKV_K8S

Run only Kubernetes-prefixed checks.

Skip entire framework

$ checkov -d . --skip-framework dockerfile

Skip all checks for a framework.

Run external checks

$ checkov -d . --run-all-external-checks

Run all external and custom checks.

Create baseline

$ checkov -d . --create-baseline

Create baseline of current findings.

Scan with baseline

$ checkov -d . --baseline .checkov.baseline

Skip findings already in baseline.

JSON output

$ checkov -d . -o json

Output results as JSON.

SARIF output

$ checkov -d . -o sarif > results.sarif

Output in SARIF format.

JUnit XML

$ checkov -d . -o junitxml > results.xml

Output as JUnit XML.

Compact output

$ checkov -d . --compact

Show compact output.

Soft fail

$ checkov -d . --soft-fail

Exit 0 even with failures.

Output to file

$ checkov -d . -o json --output-file-path results/

Write output to a directory.

CSV output

$ checkov -d . -o csv > results.csv

Output results as CSV.

Multiple outputs

$ checkov -d . -o cli -o json --output-file-path console,results.json

Output to console and JSON file.

Prisma Cloud integration

$ checkov -d . --bc-api-key PRISMA_API_KEY::PRISMA_API_SECRET --repo-id org/repo

Send results to Prisma Cloud.

Hard fail on severity

$ checkov -d . --hard-fail-on CRITICAL,HIGH

Fail only on critical/high findings.

Soft fail on severity

$ checkov -d . --soft-fail-on LOW,MEDIUM

Soft fail on low/medium findings.

External checks

$ checkov -d . --external-checks-dir ./custom-policies

Use custom policy directory.

YAML policy

$ metadata: id: CUSTOM_1 name: Custom check definition: cond_type: attribute resource_types: - aws_s3_bucket attribute: versioning.enabled operator: is_true

Example YAML custom policy.

External Git checks

$ checkov -d . --external-checks-git https://github.com/org/policies

Load policies from Git repo.

Python custom check

$ from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck from checkov.common.models.enums import CheckResult, CheckCategories class MyCheck(BaseResourceCheck): def __init__(self): super().__init__(name="My custom check", id="CKV_CUSTOM_1", categories=[CheckCategories.ENCRYPTION], supported_resources=["aws_s3_bucket"]) def scan_resource_conf(self, conf): return CheckResult.PASSED

Python-based custom check class.

Composite YAML policy

$ metadata: id: CUSTOM_2 name: S3 encryption and versioning definition: and: - cond_type: attribute resource_types: - aws_s3_bucket attribute: versioning.enabled operator: is_true - cond_type: attribute resource_types: - aws_s3_bucket attribute: server_side_encryption_configuration operator: exists

Composite policy with AND logic.

Connection policy

$ metadata: id: CUSTOM_3 name: SG attached to resource definition: cond_type: connection resource_types: - aws_security_group connected_resource_types: - aws_instance operator: exists

Check resource connections.

Pre-commit hook config

$ repos: - repo: https://github.com/bridgecrewio/checkov rev: '' hooks: - id: checkov args: ['--soft-fail']

Add Checkov as pre-commit hook.

GitHub Actions integration

$ - name: Run Checkov uses: bridgecrewio/checkov-action@master with: directory: . soft_fail: true framework: terraform

Run Checkov in GitHub Actions.

Discussion

Loading comments...

Checkov

Static analysis for infrastructure as code. Scan Terraform, CloudFormation, Kubernetes, and Dockerfiles for misconfigurations.

45 commands

Browse by Topic

Getting Started

Quick setup and installation

3commands

Scanning

Scan IaC

13commands

Checks

Manage checks

10commands

Output

Reports & format

11commands

Custom Policies

Custom checks

8commands

Install Checkov

$ pip install checkov

Install Checkov infrastructure-as-code scanner using pip

Check Checkov version

$ checkov --version

Verify Checkov is installed and display the current version

Scan current directory

$ checkov -d .

Run Checkov to scan all supported IaC files in the current directory

Scan directory

$ checkov -d .

Scan current directory.

Scan specific file

$ checkov -f main.tf

Scan specific file.

Scan Terraform

$ checkov -d . --framework terraform

Scan Terraform files only.

Scan Kubernetes

$ checkov -d ./k8s --framework kubernetes

Scan Kubernetes manifests.

Scan Dockerfile

$ checkov --dockerfile-path ./Dockerfile

Scan Dockerfile.

Scan Helm chart

$ checkov -d ./charts --framework helm

Scan Helm charts.

Scan CloudFormation

$ checkov -d . --framework cloudformation

Scan CloudFormation templates.

Scan ARM templates

$ checkov -d . --framework arm

Scan Azure ARM templates.

Scan GitHub Actions

$ checkov -d .github/workflows --framework github_actions

Scan GitHub Actions workflows.

Scan multiple frameworks

$ checkov -d . --framework terraform,kubernetes,dockerfile

Scan with multiple frameworks.

Scan with repo ID

$ checkov -d . --repo-id myorg/myrepo

Tag results with repository ID.

Scan from Docker

$ docker run --tty --volume $(pwd):/tf bridgecrew/checkov -d /tf

Run Checkov scan via Docker.

Scan Serverless framework

$ checkov -d . --framework serverless

Scan Serverless Framework config.

List checks

$ checkov --list

List all available checks.

Skip specific check

$ checkov -d . --skip-check CKV_AWS_1

Skip a specific check.

Run specific checks

$ checkov -d . --check CKV_AWS_1,CKV_AWS_2

Run only specific checks.

Skip via comment

$ # checkov:skip=CKV_AWS_1:Reason for skipping

Skip check via inline comment.

Filter by severity

$ checkov -d . --check MEDIUM --check HIGH --check CRITICAL

Run checks at specific severity levels.

Check by framework prefix

$ checkov -d . --check CKV_K8S

Run only Kubernetes-prefixed checks.

Skip entire framework

$ checkov -d . --skip-framework dockerfile

Skip all checks for a framework.

Run external checks

$ checkov -d . --run-all-external-checks

Run all external and custom checks.

Create baseline

$ checkov -d . --create-baseline

Create baseline of current findings.

Scan with baseline

$ checkov -d . --baseline .checkov.baseline

Skip findings already in baseline.

JSON output

$ checkov -d . -o json

Output results as JSON.

SARIF output

$ checkov -d . -o sarif > results.sarif

Output in SARIF format.

JUnit XML

$ checkov -d . -o junitxml > results.xml

Output as JUnit XML.

Compact output

$ checkov -d . --compact

Show compact output.

Soft fail

$ checkov -d . --soft-fail

Exit 0 even with failures.

Output to file

$ checkov -d . -o json --output-file-path results/

Write output to a directory.

CSV output

$ checkov -d . -o csv > results.csv

Output results as CSV.

Multiple outputs

$ checkov -d . -o cli -o json --output-file-path console,results.json

Output to console and JSON file.

Prisma Cloud integration

$ checkov -d . --bc-api-key PRISMA_API_KEY::PRISMA_API_SECRET --repo-id org/repo

Send results to Prisma Cloud.

Hard fail on severity

$ checkov -d . --hard-fail-on CRITICAL,HIGH

Fail only on critical/high findings.

Soft fail on severity

$ checkov -d . --soft-fail-on LOW,MEDIUM

Soft fail on low/medium findings.

External checks

$ checkov -d . --external-checks-dir ./custom-policies

Use custom policy directory.

YAML policy

$ metadata: id: CUSTOM_1 name: Custom check definition: cond_type: attribute resource_types: - aws_s3_bucket attribute: versioning.enabled operator: is_true

Example YAML custom policy.

External Git checks

$ checkov -d . --external-checks-git https://github.com/org/policies

Load policies from Git repo.

Python custom check

Python-based custom check class.

Composite YAML policy

Composite policy with AND logic.

Connection policy

$ metadata: id: CUSTOM_3 name: SG attached to resource definition: cond_type: connection resource_types: - aws_security_group connected_resource_types: - aws_instance operator: exists

Check resource connections.

Pre-commit hook config

$ repos: - repo: https://github.com/bridgecrewio/checkov rev: '' hooks: - id: checkov args: ['--soft-fail']

Add Checkov as pre-commit hook.

GitHub Actions integration

$ - name: Run Checkov uses: bridgecrewio/checkov-action@master with: directory: . soft_fail: true framework: terraform

Run Checkov in GitHub Actions.

Discussion

Loading comments...