# Scan All IaC Frameworks
## Rule
Checkov MUST scan ALL infrastructure-as-code in the repository. Scanning only Terraform while ignoring Dockerfiles, Kubernetes manifests, and CloudFormation templates leaves security gaps.
## Required Frameworks
```bash
# Scan an explicit list of frameworks
checkov -d . --framework terraform,cloudformation,kubernetes,dockerfile,helm,kustomize
# Or scan everything (auto-detect)
checkov -d .
```
## Framework Coverage
| Framework | File Patterns | Checks |
|-----------|--------------|--------|
| Terraform | *.tf, *.tfvars | 750+ |
| CloudFormation | *.json, *.yaml, *.template | 200+ |
| Kubernetes | *.yaml, *.yml | 100+ |
| Dockerfile | Dockerfile* | 30+ |
| Helm | Chart.yaml, templates/ | 100+ |
| ARM templates | *.json | 150+ |
## Examples
### Good
```yaml
# CI scans all frameworks
- name: Checkov full scan
  run: checkov -d . --framework terraform,kubernetes,dockerfile
```
### Bad
```yaml
# Only scans Terraform — misses Dockerfile and K8s issues
- name: Checkov scan
  run: checkov -d ./terraform/ --framework terraform
```
## Anti-Patterns
- Scanning only Terraform in a project with Dockerfiles and K8s manifests
- Using `--framework` to exclude specific IaC types without justification
- Assuming security is covered because "Terraform is scanned"
- Not scanning Helm charts (they generate Kubernetes manifests)
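
One way to catch these anti-patterns before they reach CI, as an added example that is not part of the original rule or of Checkov itself: it compares the IaC types present in a repository with what a given `checkov` command line covers, flagging both a narrow `-d` path and a narrow `--framework` list. The detectors are simplified assumptions based on the file patterns in the table above, and `REPO` is constructed sample data.

```python
import os
import shlex

# Heuristic detectors: assumptions of this example, not Checkov's own logic.
DETECTORS = {
    "terraform": lambda p, t: p.endswith((".tf", ".tfvars")),
    "dockerfile": lambda p, t: os.path.basename(p).startswith("Dockerfile"),
    "helm": lambda p, t: os.path.basename(p) == "Chart.yaml",
    "cloudformation": lambda p, t: "AWSTemplateFormatVersion" in t,
    "kubernetes": lambda p, t: p.endswith((".yaml", ".yml")) and "apiVersion:" in t and "kind:" in t,
}

def parse_checkov(cmd):
    """Return (scan_dir, frameworks); frameworks is None when Checkov auto-detects."""
    args, scan_dir, frameworks, i = shlex.split(cmd), ".", None, 1
    while i < len(args):
        if args[i] in ("-d", "--directory") and i + 1 < len(args):
            scan_dir, i = args[i + 1], i + 2
        elif args[i] == "--framework":
            frameworks, i = frameworks or set(), i + 1
            while i < len(args) and not args[i].startswith("-"):  # "a,b" or "a b"
                frameworks.update(f for f in args[i].split(",") if f)
                i += 1
        else:
            i += 1
    return os.path.normpath(scan_dir), None if frameworks and "all" in frameworks else frameworks

def coverage_gaps(files, cmd):
    """Map each framework found in `files` to the paths the command never scans."""
    scan_dir, frameworks = parse_checkov(cmd)
    gaps = {}
    for path, text in files.items():
        norm = os.path.normpath(path)
        in_dir = scan_dir == "." or norm.startswith(scan_dir + os.sep)
        for fw, detect in DETECTORS.items():
            selected = frameworks is None or fw in frameworks
            if detect(norm, text) and not (in_dir and selected):
                gaps.setdefault(fw, []).append(norm)
    return gaps

# Constructed sample repository (path -> file content).
REPO = {
    "terraform/main.tf": 'resource "aws_s3_bucket" "b" {}\n',
    "Dockerfile": "FROM alpine:3.19\n",
    "k8s/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
    "charts/app/Chart.yaml": "apiVersion: v2\nname: app\n",
}

if __name__ == "__main__":
    print(coverage_gaps(REPO, "checkov -d ./terraform/ --framework terraform"))
```

Run against the sample repository, the "Bad" command leaves the Dockerfile, the Kubernetes manifest and the Helm chart unscanned, and an explicit list of `terraform,kubernetes,dockerfile` still leaves the Helm chart out.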