Checkov
Custom Policies Commands
Create custom security policies using Python or YAML for organization-specific rules.
8 commands
Pro Tips
Use YAML policies for simpler custom rules
Commands
External checks
$ checkov -d . --external-checks-dir ./custom-policies
Use custom policy directory.
YAML policy
metadata:
  id: CUSTOM_1
  name: Custom check
definition:
  cond_type: attribute
  resource_types:
    - aws_s3_bucket
  attribute: versioning.enabled
  operator: is_true
Example YAML custom policy: passes for each aws_s3_bucket whose versioning.enabled attribute is true.
External Git checks
$ checkov -d . --external-checks-git https://github.com/org/policies
Load policies from Git repo.
Python custom check
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories

class MyCheck(BaseResourceCheck):
    def __init__(self):
        super().__init__(name="My custom check", id="CKV_CUSTOM_1",
                         categories=[CheckCategories.ENCRYPTION],
                         supported_resources=["aws_s3_bucket"])

    def scan_resource_conf(self, conf):
        # conf is the parsed resource block; attribute values arrive wrapped in lists
        if conf.get("server_side_encryption_configuration"):
            return CheckResult.PASSED
        return CheckResult.FAILED

check = MyCheck()  # Checkov loads this module-level instance from the external checks dir
Python-based custom check class; the file must expose a module-level check instance.
Composite YAML policy
metadata:
  id: CUSTOM_2
  name: S3 encryption and versioning
definition:
  and:
    - cond_type: attribute
      resource_types:
        - aws_s3_bucket
      attribute: versioning.enabled
      operator: is_true
    - cond_type: attribute
      resource_types:
        - aws_s3_bucket
      attribute: server_side_encryption_configuration
      operator: exists
Composite policy with AND logic: both conditions must hold for a bucket to pass.
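As an added illustration (not Checkov's own engine), the small Python evaluator below applies the CUSTOM_1 and CUSTOM_2 definitions above to two constructed bucket configurations; the conf dict shape (parsed HCL values wrapped in one-element lists) mirrors what Checkov hands to checks, while the operator semantics and the not-applicable rule for other resource types are assumptions.

```python
# Constructed sample input: two parsed aws_s3_bucket blocks in the shape Checkov
# hands to checks, where each parsed HCL value is wrapped in a one-element list.
BUCKETS = {
    "aws_s3_bucket.logs": {
        "versioning": [{"enabled": [True]}],
        "server_side_encryption_configuration": [{"rule": [{}]}],
    },
    "aws_s3_bucket.scratch": {"versioning": [{"enabled": [False]}]},
}

# The CUSTOM_2 definition from the page, as a YAML loader would return it.
COMPOSITE_POLICY = {
    "and": [
        {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
         "attribute": "versioning.enabled", "operator": "is_true"},
        {"cond_type": "attribute", "resource_types": ["aws_s3_bucket"],
         "attribute": "server_side_encryption_configuration", "operator": "exists"},
    ]
}

def lookup(conf, dotted):
    """Walk a dotted path such as 'versioning.enabled', unwrapping list-wrapped values."""
    node = conf
    for key in dotted.split("."):
        if isinstance(node, list):
            node = node[0] if node else None
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node[0] if isinstance(node, list) and len(node) == 1 else node

def evaluate(definition, resource_type, conf):
    """True when the resource satisfies the definition (an 'and' block or one attribute condition)."""
    if "and" in definition:
        return all(evaluate(d, resource_type, conf) for d in definition["and"])
    if resource_type not in definition["resource_types"]:
        return True  # assumption: a condition aimed at other resource types does not apply
    value, op = lookup(conf, definition["attribute"]), definition["operator"]
    if op == "exists":
        return value is not None
    if op in ("is_true", "is_false"):  # HCL may yield bool True or the string "true"
        return (str(value).lower() == "true") == (op == "is_true")
    raise ValueError(f"unsupported operator: {op}")

def scan(definition, resources):
    """Map each resource address to its pass/fail result, as a Checkov run would."""
    return {addr: evaluate(definition, addr.split(".")[0], conf)
            for addr, conf in resources.items()}
```

Running scan(COMPOSITE_POLICY, BUCKETS) passes the logs bucket and fails the scratch bucket, which has versioning disabled and no encryption block.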
Connection policy
metadata:
  id: CUSTOM_3
  name: SG attached to resource
definition:
  cond_type: connection
  resource_types:
    - aws_security_group
  connected_resource_types:
    - aws_instance
  operator: exists
Check resource connections: passes when an aws_security_group is connected to an aws_instance.
Pre-commit hook config
repos:
  - repo: https://github.com/bridgecrewio/checkov
    rev: ''
    hooks:
      - id: checkov
        args: ['--soft-fail']
Add Checkov as a pre-commit hook (--soft-fail reports findings without blocking the commit).
GitHub Actions integration
- name: Run Checkov
  uses: bridgecrewio/checkov-action@master
  with:
    directory: .
    soft_fail: true
    framework: terraform
Run Checkov in GitHub Actions (soft_fail keeps the job green while findings are reported).