{"id":7993,"library":"bridgecrew","title":"Bridgecrew CLI","description":"Bridgecrew is an Infrastructure as Code (IaC) static analysis tool that scans cloud configurations and identifies misconfigurations. It serves as a wrapper around the open-source `checkov` library, providing additional features, integrations, and a connection to the Bridgecrew cloud platform. The current version is 3.2.511. It primarily functions as a command-line interface (CLI) tool with continuous releases.","status":"active","version":"3.2.511","language":"en","source_language":"en","source_url":"https://github.com/bridgecrewio/bridgecrew","tags":["security","iac","cli","static-analysis","cloud-security","devsecops","checkov"],"install":[{"cmd":"pip install bridgecrew","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Provides the core IaC static analysis engine. Bridgecrew is built on top of checkov.","package":"checkov","optional":false}],"imports":[{"note":"`bridgecrew` is primarily a command-line interface (CLI) tool. Its Python package installs the `bridgecrew` executable. Direct programmatic import of its internal components like `main` is not officially supported and may lead to unstable behavior. 
For programmatic IaC scanning, consider using the underlying `checkov` library directly.","wrong":"from bridgecrew.main import main","symbol":"main","correct":"N/A - intended as CLI"}],"quickstart":{"code":"# Save your Infrastructure as Code (e.g., Terraform, CloudFormation, Kubernetes) to a file named 'my_resource.tf'\n# Example content for my_resource.tf:\n# resource \"aws_s3_bucket\" \"bad_bucket\" {\n#   bucket = \"my-private-bucket\"\n#   acl    = \"public-read\"\n# }\n\nimport os\nimport subprocess\n\n# BC_API_KEY is read from your environment for Bridgecrew platform integration.\n# If not set, Bridgecrew will still run checks but won't send results to the platform.\n# Do not substitute a placeholder value; it would be passed to the CLI as if it were a real key.\nenv = os.environ.copy()\n\n# Create a dummy IaC file for scanning\nwith open('my_resource.tf', 'w') as f:\n    f.write('resource \"aws_s3_bucket\" \"bad_bucket\" {\\n  bucket = \"my-private-bucket\"\\n  acl    = \"public-read\"\\n}\\n')\n\nprint(\"Scanning 'my_resource.tf' with Bridgecrew...\")\ntry:\n    # Run the bridgecrew CLI via subprocess; -f specifies the file to scan.\n    # check=False because the CLI exits non-zero when checks fail, which is a finding, not a crash.\n    result = subprocess.run(\n        ['bridgecrew', '-f', 'my_resource.tf'],\n        capture_output=True,\n        text=True,\n        check=False,\n        env=env  # Current environment, including BC_API_KEY when set\n    )\n    print(\"Bridgecrew Scan Output:\")\n    print(result.stdout)\n    if result.stderr:\n        print(\"Bridgecrew Scan Errors:\")\n        print(result.stderr)\n    if result.returncode != 0:\n        print(f\"Bridgecrew exited with code {result.returncode}: failed checks or a scan error, see the output above.\")\nexcept FileNotFoundError:\n    print(\"Error: 'bridgecrew' command not 
found. Please ensure Bridgecrew is installed and in your PATH.\")\n\n# Clean up the dummy file\nos.remove('my_resource.tf')\n","lang":"python","description":"The `bridgecrew` library is primarily used as a command-line interface. This quickstart demonstrates how to execute the `bridgecrew` CLI from Python using `subprocess` to scan an Infrastructure as Code file. It highlights the use of the `BC_API_KEY` environment variable for authentication to the Bridgecrew platform."},"warnings":[{"fix":"For programmatic IaC scanning in Python, use the underlying `checkov` library directly, which `bridgecrew` depends on. Alternatively, execute the `bridgecrew` CLI via `subprocess` for full feature parity.","message":"Bridgecrew is primarily a CLI tool; it does not expose a public Python API for library-style programmatic usage. Attempts to import internal modules (e.g., `from bridgecrew.main import main`) are not supported and may break with future updates.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure `BC_API_KEY` is set in your environment (e.g., `export BC_API_KEY='your-api-key'`) or passed to the `subprocess.run` command's `env` parameter.","message":"Authentication to the Bridgecrew platform requires the `BC_API_KEY` environment variable to be set. Without it, scans will run locally but results will not be uploaded to the platform.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Upgrade to the latest version of `bridgecrew` using `pip install --upgrade bridgecrew`.","message":"Older versions of `bridgecrew` might not automatically install necessary platform dependencies or might have different API key handling. Always use the latest version for the best experience and most up-to-date checks.","severity":"deprecated","affected_versions":"< 3.0"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Ensure `pip install bridgecrew` completed successfully. 
If using a virtual environment, activate it. If globally installed, check your system's PATH configuration.","cause":"The `bridgecrew` executable is not in your system's PATH, or the package was not installed correctly.","error":"bridgecrew: command not found"},{"fix":"Set the environment variable: `export BC_API_KEY='your-api-key'` before running `bridgecrew`. For programmatic use via `subprocess`, pass it in the `env` dictionary.","cause":"The `BC_API_KEY` environment variable is required by the Bridgecrew CLI to connect to the platform, but it was not found.","error":"Error: BC_API_KEY is not set. Please refer to documentation."},{"fix":"Verify the provided path is correct and contains supported IaC files (e.g., `.tf`, `.yaml`, `.json`). Check file permissions.","cause":"The path provided to the `bridgecrew -f` command does not exist, contains no IaC files recognized by Bridgecrew/Checkov, or has incorrect permissions.","error":"No files scanned for given path(s)"}]}