Checkov

Category: IaC Security
License: Free (Open-Source, Apache 2.0)

Checkov is the most popular open-source Infrastructure as Code (IaC) security scanner. With 8.4k GitHub stars, 406 contributors, and over 850 dependent projects, it has become the go-to tool for IaC security in the open-source community.

It analyzes cloud infrastructure configurations to find misconfigurations before deployment.

What is Checkov?

Checkov is a static code analysis tool for infrastructure as code, developed by Bridgecrew (now part of Palo Alto Networks Prisma Cloud).

It scans Terraform, CloudFormation, Kubernetes, Helm, ARM templates, and Serverless framework files.

With over 1000 built-in policies, Checkov helps prevent security misconfigurations from reaching production.

Key Features

Multi-Framework Support

Checkov 2.0 analyzes multiple IaC frameworks:

  • Terraform - HCL, JSON, and Terraform plan files
  • CloudFormation - YAML and JSON
  • Kubernetes - Manifests and Helm charts
  • ARM Templates - Azure Resource Manager
  • Serverless - AWS SAM and Serverless framework
  • AWS CDK - Cloud Development Kit
  • Dockerfile - Container configurations

1000+ Built-in Policies

Pre-configured checks for:

  • AWS, Azure, GCP resources
  • Kubernetes security
  • Docker best practices
  • Compliance frameworks (CIS, SOC2, HIPAA)

Custom Policies

Create custom checks in Python or YAML:

# custom_policy.yaml
# Load with: checkov -d . --external-checks-dir <directory containing this file>
metadata:
  id: "CKV2_CUSTOM_1"                       # custom IDs use the CKV2_ prefix
  name: "Ensure S3 bucket has versioning"
  category: "GENERAL_SECURITY"              # one of Checkov's check categories
definition:
  cond_type: "attribute"                    # evaluate a single resource attribute
  resource_types:
    - "aws_s3_bucket"
  attribute: "versioning.enabled"           # nested block attributes use dot paths
  operator: "equals"
  value: "true"

Installation

pip

pip install checkov

Homebrew (macOS)

brew install checkov

Docker

docker run -t -v $(pwd):/tf bridgecrew/checkov -d /tf

Usage

Basic Scan

# Scan current directory
checkov -d .

# Scan specific file
checkov -f main.tf

# Scan with specific framework
checkov -d . --framework terraform

Output Formats

# JSON output
checkov -d . -o json

# JUnit XML (for CI)
checkov -d . -o junitxml

# SARIF (for GitHub)
checkov -d . -o sarif
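The JSON format is the one to script against when a pipeline needs its own gating rules (for example, block only on a chosen set of check IDs, and surface every inline suppression for review). The script below is an added example, not Checkov's own code. It assumes the documented layout of `checkov -o json`: a single report object, or a list of report objects when more than one framework was scanned, each with `results.failed_checks` and `results.skipped_checks` records carrying `check_id`, `resource`, `file_path`, `file_line_range` and `check_result`. The embedded report and the set of blocking checks are constructed for the example.

```python
"""Turn Checkov JSON output into a CI gate decision (added example, not Checkov code)."""
import json
import sys

# Constructed sample of `checkov -d . -o json` for a scan that covered Terraform
# and a Dockerfile; with several frameworks the top-level value is a list.
SAMPLE_JSON = json.dumps([
    {
        "check_type": "terraform",
        "results": {
            "passed_checks": [
                {"check_id": "CKV_AWS_19", "resource": "aws_s3_bucket.secure",
                 "file_path": "/main.tf", "file_line_range": [1, 8],
                 "check_result": {"result": "PASSED"}},
            ],
            "failed_checks": [
                {"check_id": "CKV_AWS_19", "resource": "aws_s3_bucket.insecure",
                 "file_path": "/main.tf", "file_line_range": [10, 14],
                 "check_result": {"result": "FAILED"}},
                {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.insecure",
                 "file_path": "/main.tf", "file_line_range": [10, 14],
                 "check_result": {"result": "FAILED"}},
            ],
            "skipped_checks": [
                {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.secure",
                 "file_path": "/main.tf", "file_line_range": [1, 8],
                 "check_result": {"result": "SKIPPED",
                                  "suppress_comment": "Bucket serves a public static site"}},
            ],
            "parsing_errors": [],
        },
        "summary": {"passed": 1, "failed": 2, "skipped": 1, "parsing_errors": 0},
    },
    {
        "check_type": "dockerfile",
        "results": {
            "passed_checks": [],
            "failed_checks": [
                {"check_id": "CKV_DOCKER_2", "resource": "Dockerfile",
                 "file_path": "/Dockerfile", "file_line_range": [1, 6],
                 "check_result": {"result": "FAILED"}},
            ],
            "skipped_checks": [],
            "parsing_errors": [],
        },
        "summary": {"passed": 0, "failed": 1, "skipped": 0, "parsing_errors": 0},
    },
])


def load_reports(raw: str) -> list:
    """Normalise the output to a list of reports (one per framework)."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def _record(report: dict, rec: dict) -> dict:
    return {
        "framework": report["check_type"],
        "check_id": rec["check_id"],
        "resource": rec["resource"],
        "location": f"{rec['file_path']}:{rec['file_line_range'][0]}",
        "comment": rec["check_result"].get("suppress_comment"),
    }


def evaluate(raw: str, blocking: set) -> dict:
    """Collect findings across all reports and decide whether the gate passes."""
    failed, suppressions, parse_errors = [], [], []
    for report in load_reports(raw):
        res = report["results"]
        failed.extend(_record(report, r) for r in res.get("failed_checks", []))
        suppressions.extend(_record(report, r) for r in res.get("skipped_checks", []))
        # A file Checkov could not parse was never scanned, so it must not pass silently.
        parse_errors.extend(res.get("parsing_errors", []))
    blocking_failures = [f for f in failed if f["check_id"] in blocking]
    return {
        "failed_total": len(failed),
        "blocking_failures": blocking_failures,
        "suppressions": suppressions,
        "parsing_errors": parse_errors,
        "passes": not blocking_failures and not parse_errors,
    }


def main() -> int:
    # Usage: checkov -d . -o json > checkov.json && python gate.py checkov.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    verdict = evaluate(raw, {"CKV_AWS_19", "CKV_AWS_20"})  # constructed blocking set
    for f in verdict["blocking_failures"]:
        print(f"BLOCK {f['check_id']} {f['resource']} ({f['location']})")
    for s in verdict["suppressions"]:
        print(f"SUPPRESSED {s['check_id']} {s['resource']}: {s['comment']!r}")
    print(f"{verdict['failed_total']} failed checks, gate {'passed' if verdict['passes'] else 'failed'}")
    return 0 if verdict["passes"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

The gate fails on parsing errors as well as on blocking findings, because a template Checkov could not parse produced no findings at all, which is not the same as a clean result.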

CI/CD Integration

GitHub Actions

- name: Checkov Scan
  # Pin to a release tag or commit SHA instead of @master for reproducible builds
  uses: bridgecrewio/checkov-action@master
  with:
    directory: terraform/
    framework: terraform
    soft_fail: true   # report findings but never fail the job; set false to enforce

GitLab CI

checkov:
  stage: security
  image: bridgecrew/checkov:latest
  script:
    # Checkov exits non-zero when any check fails, which fails this job
    - checkov -d . --framework terraform

Policy Examples

AWS S3 Encryption

Check: CKV_AWS_19: "Ensure S3 bucket encryption is enabled"
PASSED for resource: aws_s3_bucket.secure
FAILED for resource: aws_s3_bucket.insecure

Kubernetes Security

Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
FAILED for resource: Deployment.default.app

Suppressing Findings

Skip specific checks inline:

resource "aws_s3_bucket" "example" {
  # checkov:skip=CKV_AWS_19:Encryption handled by KMS
  bucket = "my-bucket"
}

The comment goes inside the resource block it applies to. Or from the command line with --skip-check:

checkov -d . --skip-check CKV_AWS_19,CKV_AWS_20
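Inline suppressions tend to accumulate, so it is worth checking them as code: every `checkov:skip` should sit inside the block it refers to, carry a justification, and not silence a check the team has decided is never negotiable. The script below is an added example, not Checkov's own code. It uses the documented comment pattern `checkov:skip=<check_id>:<justification>`; the sample Terraform, the `never_suppress` set and the minimum justification length are constructed for the example, and the brace counting assumes braces do not appear inside string values.

```python
"""Audit inline checkov:skip suppressions in Terraform source (added example, not Checkov code)."""
import re

# Same shape as the documented pattern: optional spaces after '=', a check ID,
# and an optional ':justification' tail.
SKIP_RE = re.compile(
    r"(?:checkov|bridgecrew):skip= *([A-Za-z_\d]+(?:\.[A-Za-z_\d]+)?)(?::([^\n]*))?"
)
RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')

# Constructed sample: one sound suppression, one without a reason, and one
# placed above its block (where Checkov will not apply it) with a vague reason.
SAMPLE_TF = '''
resource "aws_s3_bucket" "logs" {
  # checkov:skip=CKV_AWS_18:Access logs are shipped by the org-wide CloudTrail setup
  bucket = "example-logs"
}

resource "aws_s3_bucket" "public_site" {
  #checkov:skip=CKV_AWS_20
  bucket = "example-site"
}

# checkov:skip=CKV_AWS_19:KMS
resource "aws_s3_bucket" "data" {
  bucket = "example-data"
}
'''

OUTSIDE_BLOCK = "outside any resource block"
NO_REASON = "no justification"
SHORT_REASON = "justification too short"
NEVER_SUPPRESS = "check is on the never-suppress list"


def audit_suppressions(source: str, never_suppress=frozenset(), min_reason_len: int = 10) -> list:
    """Return one finding per skip comment, with the issues spotted for it."""
    findings = []
    depth, current = 0, None
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        is_comment = stripped.startswith("#") or stripped.startswith("//")
        if not is_comment:
            header = RESOURCE_RE.match(line)
            if header and depth == 0:
                current = f"{header.group(1)}.{header.group(2)}"
            depth += line.count("{") - line.count("}")
            if depth == 0:
                current = None  # closed the top-level block
        m = SKIP_RE.search(line)
        if not m:
            continue
        check_id = m.group(1)
        reason = (m.group(2) or "").strip()
        issues = []
        if current is None:
            issues.append(OUTSIDE_BLOCK)
        if not reason:
            issues.append(NO_REASON)
        elif len(reason) < min_reason_len:
            issues.append(SHORT_REASON)
        if check_id in never_suppress:
            issues.append(NEVER_SUPPRESS)
        findings.append({"line": lineno, "check_id": check_id, "reason": reason,
                         "resource": current, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_suppressions(SAMPLE_TF, never_suppress={"CKV_AWS_19"}):
        status = "ok" if not f["issues"] else "; ".join(f["issues"])
        print(f"line {f['line']}: {f['check_id']} on {f['resource']} -> {status}")
```

Run it over a repository with `find . -name '*.tf'` and feed each file's text to `audit_suppressions`; a non-empty `issues` list is the signal to reject the suppression in review.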

Prisma Cloud Integration

Checkov integrates with Prisma Cloud for:

  • Centralized policy management
  • Drift detection
  • Supply chain security
  • Enterprise reporting

When to Use Checkov

Checkov is ideal for:

  • Teams using Infrastructure as Code
  • DevOps security automation
  • Compliance checking (CIS, SOC2)
  • Pre-commit and CI/CD security gates

Note: Checkov 2.0 released with major updates including graph-based policies and improved extensibility.