{"id":618,"library":"checkov","title":"Checkov","description":"Checkov is an open-source static code analysis tool that performs security and compliance scanning for Infrastructure as Code (IaC) and Software Composition Analysis (SCA). It identifies misconfigurations and vulnerabilities in various IaC frameworks (e.g., Terraform, CloudFormation, Kubernetes, Dockerfiles, Bicep, Serverless) and scans container images and open-source packages for Common Vulnerabilities and Exposures (CVEs). Actively maintained by Prisma Cloud, Checkov has a frequent release cadence, often with multiple patch versions released monthly.","status":"active","version":"3.2.513","language":"python","source_language":"en","source_url":"https://github.com/bridgecrewio/checkov","tags":["security","iac","static-analysis","cli","devsecops","cloud-security","terraform","kubernetes","cloudformation","docker"],"install":[{"cmd":"pip install checkov","lang":"bash","label":"Install with pip"}],"dependencies":[{"reason":"Used for AWS-related policy evaluations.","package":"boto3","optional":false},{"reason":"Used for parsing YAML configurations and policies.","package":"pyyaml","optional":false},{"reason":"Used for navigating and querying dictionary structures.","package":"dpath","optional":false},{"reason":"Underpins graph-based scanning for resource relationships.","package":"networkx","optional":false},{"reason":"Used for parsing Terraform HCL files.","package":"hcl2","optional":false}],"imports":[{"note":"Used when writing custom Python policies to define check outcomes.","symbol":"CheckResult","correct":"from checkov.common.models.enums import CheckResult"},{"note":"Used when writing custom Python policies to categorize checks.","symbol":"CheckCategories","correct":"from checkov.common.models.enums import CheckCategories"},{"note":"Base class for creating custom Terraform resource checks in Python.","symbol":"BaseResourceCheck","correct":"from checkov.terraform.checks.resource.base_resource_check 
import BaseResourceCheck"}],"quickstart":{"code":"checkov --directory ./my-iac-code\n# Example: Scan a Terraform directory\n# checkov --directory /path/to/my/terraform/configs\n\n# Example: Scan a specific Kubernetes manifest file\n# checkov --file /path/to/my/k8s/deployment.yaml\n\n# Example: Scan a Terraform plan JSON, ensuring multiline output for better line numbers\n# terraform init\n# terraform plan -out tf.plan\n# terraform show -json tf.plan | jq '.' > tf.json\n# checkov --file tf.json","lang":"bash","description":"The primary way to use Checkov is via its command-line interface. This quickstart demonstrates how to scan a directory containing Infrastructure as Code (IaC) files, a specific file, or a Terraform plan in JSON format. The `--directory` and `--file` flags are fundamental for specifying scan targets."},"warnings":[{"fix":"Review the official Checkov migration guide for v2 to v3. Update custom policy syntax and replace removed flags with their current equivalents (e.g., use `--skip-download` for skipping policy downloads).","message":"The migration from Checkov v2 to v3 introduced several breaking changes. These include the removal of the 'level up' flow, changes to the syntax for Python custom checks, and the replacement of deprecated flags like `--no-guide` and `--skip-suppressions` with the unified `--skip-download` flag.","severity":"breaking","affected_versions":"3.0.0 and later"},{"fix":"Use a tool like `jq` to pretty-print the JSON output before scanning. For example: `terraform show -json tf.plan | jq '.' > tf.json`. This formats the JSON into multiple lines, allowing Checkov to report more accurate line numbers.","message":"When scanning a Terraform plan outputted to JSON (e.g., `terraform show -json tf.plan > tf.json`), the resulting `tf.json` file is often a single line. 
This causes Checkov to report all findings on line number 0, making it difficult to pinpoint the exact location of issues in the original plan.","severity":"gotcha","affected_versions":"All versions"},{"fix":"For production or CI/CD environments, use officially supported Linux distributions (e.g., Debian, Ubuntu, CentOS) or macOS. If Alpine is necessary, ensure Python 3.11+ is used and conduct thorough testing.","message":"Checkov's installation and usage on Alpine Linux is not officially supported and is generally not recommended for larger Python projects due to potential incompatibilities with C extensions. While it might work with Python 3.11+, stability is not guaranteed.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Always include the `--repo-id <owner/repository_name>` flag when running Checkov with an API key. For example: `checkov -d . --bc-api-key $BC_API_KEY --repo-id my-org/my-repo`.","message":"When using Checkov with an API key (e.g., for integrating with Prisma Cloud), the `--repo-id` flag is now a mandatory requirement. Failing to provide this flag will result in an error or incomplete functionality.","severity":"gotcha","affected_versions":"3.0.0 and later"},{"fix":"To execute Checkov from a Python script, use Python's `subprocess` module (e.g., `import subprocess; subprocess.run(['checkov', '--directory', './my-iac-code'])`) or `os.system()` (e.g., `import os; os.system('checkov --directory ./my-iac-code')`). The `subprocess` module is generally recommended for its flexibility and safety.","message":"When attempting to run `checkov` commands from within a Python script, placing the command directly into the script file (e.g., `checkov --directory .`) will result in a `SyntaxError`. 
Python interprets these lines as its own code, not as shell commands.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-05-12T16:49:50.581Z","next_check":"2026-06-26T00:00:00.000Z","problems":[{"fix":"Install Checkov using pip: `pip install checkov` or `pip3 install checkov` if you have multiple Python versions. Ensure your environment's PATH includes the directory where pip installs packages.","cause":"This error occurs when the `checkov` Python package is not installed in the active Python environment or is not accessible within the current Python path.","error":"ModuleNotFoundError: No module named 'checkov'"},{"fix":"Ensure Checkov is installed (`pip install checkov`) and that your system's PATH environment variable includes the directory where Python scripts (like `checkov`) are installed. For example, on Linux/macOS, this might be `~/.local/bin` or `/usr/local/bin`.","cause":"This shell error indicates that the `checkov` executable is not found in your system's PATH. This usually happens if Checkov was installed but its installation directory isn't in the PATH, or if the installation was incomplete.","error":"command not found: checkov"},{"fix":"Upgrade your Python version (e.g., to Python 3.8+ if currently on an older version) using pyenv or a similar version manager (pip cannot upgrade the Python interpreter itself), and then reinstall Checkov and its dependencies to ensure compatibility: `pip uninstall checkov -y && pip install checkov`.","cause":"This `AttributeError` often arises from an incompatibility between the installed version of Checkov, its underlying parsing libraries (like `hcl2` or `lark`), and the Python version being used. 
It typically means a dependency is trying to access a method that doesn't exist in its current version or the Python version it's running on.","error":"AttributeError: type object 'Lark' has no attribute '_load_from_dict'"},{"fix":"Consult the official Checkov documentation or run `checkov --help` to verify the correct arguments and their syntax for your specific Checkov version. Ensure that arguments are properly separated and spelled correctly.","cause":"This error means you are passing an argument or flag to the `checkov` CLI that it does not recognize, or the argument is formatted incorrectly. This can happen with typos, outdated options, or incorrect syntax in configuration files or direct commands.","error":"checkov: error: unrecognized arguments: --some-invalid-argument"}],"ecosystem":"pypi","meta_description":null,"install_score":93,"install_tag":"verified","quickstart_score":0,"quickstart_tag":"stale","pypi_latest":"3.2.528","install_checks":{"last_tested":"2026-05-12","tag":"verified","tag_description":"installs cleanly on critical runtimes, fast import, recently tested","results":[{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":1,"wheel_type":null,"failure_reason":"timeout","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.10-alpine","python_version":"3.10","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":24.8,"import_time_s":0.01,"mem_mb":1.2,"disk_size":"255M"},{"runtime":"python:3.10-slim","python_version":"3.10","os_libc":"slim 
(glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.01,"mem_mb":1.2,"disk_size":"255M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.04,"mem_mb":1.4,"disk_size":"271.4M"},{"runtime":"python:3.11-alpine","python_version":"3.11","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.05,"mem_mb":1.4,"disk_size":"271.5M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":22.6,"import_time_s":0.04,"mem_mb":1.4,"disk_size":"269M"},{"runtime":"python:3.11-slim","python_version":"3.11","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.03,"mem_mb":1.4,"disk_size":"269M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.04,"mem_mb":1.2,"disk_size":"256.8M"},{"runtime":"python:3.12-alpine","python_version":"3.12","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.04,"mem_mb":1.2,"disk_size":"256.9M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":17.9,"import_time_s":0.05,"mem_mb":1.2,"disk_size":"254M"},{"runtime":"python:3.12-slim","python_version":"3.12","os_libc":"slim 
(glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.04,"mem_mb":1.2,"disk_size":"255M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":null,"import_time_s":0.05,"mem_mb":1.9,"disk_size":"256.4M"},{"runtime":"python:3.13-alpine","python_version":"3.13","os_libc":"alpine (musl)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.04,"mem_mb":1.5,"disk_size":"256.3M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":18.6,"import_time_s":0.04,"mem_mb":1.8,"disk_size":"254M"},{"runtime":"python:3.13-slim","python_version":"3.13","os_libc":"slim (glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.04,"mem_mb":1.3,"disk_size":"254M"},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":" $EXIT -eq 0 ","exit_code":1,"wheel_type":null,"failure_reason":"timeout","install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.9-alpine","python_version":"3.9","os_libc":"alpine (musl)","variant":"default","exit_code":1,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":null,"mem_mb":null,"disk_size":null},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim (glibc)","variant":" $EXIT -eq 0 ","exit_code":0,"wheel_type":"wheel","failure_reason":null,"install_time_s":28.4,"import_time_s":0.02,"mem_mb":1.2,"disk_size":"266M"},{"runtime":"python:3.9-slim","python_version":"3.9","os_libc":"slim 
(glibc)","variant":"default","exit_code":0,"wheel_type":null,"failure_reason":null,"install_time_s":null,"import_time_s":0.02,"mem_mb":1.2,"disk_size":"266M"}]},"quickstart_checks":{"last_tested":"2026-04-24","tag":"stale","tag_description":"widespread failures or data too old to trust","results":[{"runtime":"python:3.10-alpine","exit_code":-1},{"runtime":"python:3.10-slim","exit_code":1},{"runtime":"python:3.11-alpine","exit_code":1},{"runtime":"python:3.11-slim","exit_code":1},{"runtime":"python:3.12-alpine","exit_code":1},{"runtime":"python:3.12-slim","exit_code":1},{"runtime":"python:3.13-alpine","exit_code":1},{"runtime":"python:3.13-slim","exit_code":1},{"runtime":"python:3.9-alpine","exit_code":-1},{"runtime":"python:3.9-slim","exit_code":1}]}}