Bridgecrew CLI
Bridgecrew is an Infrastructure as Code (IaC) static analysis tool that scans cloud configuration files (Terraform, CloudFormation, Kubernetes manifests and the other frameworks Checkov supports) and reports misconfigurations. It is a wrapper around the open-source `checkov` library that adds integrations and a connection to the Bridgecrew cloud platform. The version documented here is 3.2.511. It is a command-line interface (CLI) tool with continuous releases; it does not expose a supported Python API.
Common errors
- bridgecrew: command not found
  cause: The `bridgecrew` executable is not on your PATH, or the package did not install correctly.
  fix: Confirm that `pip install bridgecrew` completed without errors. If you installed into a virtual environment, activate it first; if you installed with `pip install --user`, make sure the user scripts directory is on your PATH. `python -m pip show bridgecrew` confirms the package is present in the interpreter you are using.
- Error: BC_API_KEY is not set. Please refer to documentation.
  cause: The Bridgecrew CLI reads the platform API key from the `BC_API_KEY` environment variable, and it was not found.
  fix: Export it before running the CLI: `export BC_API_KEY='your-api-key'`. When invoking the CLI from Python via `subprocess`, copy `os.environ` and pass the key in the `env` dictionary rather than hard-coding it in the script. Treat the key as a secret: keep it out of source control and shell history, and inject it from a secret store or CI secret in pipelines.
- No files scanned for given path(s)
  cause: The path given to `bridgecrew -f` does not exist, contains no IaC files that Bridgecrew/Checkov recognises, or is not readable by the current user.
  fix: Verify the path and that it contains supported IaC files (for example `.tf`, `.yaml`/`.yml`, `.json`). Check file permissions. A JSON or YAML file that does not match a supported framework (a plain data file, for instance) is skipped, so a directory of only such files also produces this message.
Warnings
- gotcha Bridgecrew is a CLI tool and exposes no public Python API. Importing internal modules (for example `from bridgecrew.main import main`) is unsupported and may break without notice between releases; drive the CLI through `subprocess` instead.
- gotcha Uploading results to the Bridgecrew platform requires `BC_API_KEY`. Without it, scans still run locally and report findings, but nothing is sent to the platform, so platform dashboards and policy history will not reflect the scan.
- deprecated Older versions of `bridgecrew` might not automatically install necessary platform dependencies or might have different API key handling. Always use the latest version for the best experience and most up-to-date checks.
Install
-
pip install bridgecrew
Imports
- None. The package is intended to be used as a CLI. `from bridgecrew.main import main` reaches into an internal module and is not a supported import.
Quickstart
# Quickstart: scan a deliberately misconfigured Terraform file (a publicly readable
# S3 bucket) with the bridgecrew CLI from Python.
import os
import shutil
import subprocess

IAC_FILE = 'my_resource.tf'
# Sample Terraform. `acl = "public-read"` is the misconfiguration Bridgecrew should flag.
IAC_CONTENT = (
    'resource "aws_s3_bucket" "bad_bucket" {\n'
    '  bucket = "my-private-bucket"\n'
    '  acl    = "public-read"\n'
    '}\n'
)

# BC_API_KEY is optional. Without it the checks still run locally, but results are not
# uploaded to the Bridgecrew platform. Forward the real environment as-is; never
# hard-code a key or a placeholder here, and never print the key.
env = dict(os.environ)
if not env.get('BC_API_KEY'):
    print("BC_API_KEY is not set: scanning locally, results will not be uploaded.")

if shutil.which('bridgecrew') is None:
    raise SystemExit("Error: 'bridgecrew' command not found. Run 'pip install bridgecrew' "
                     "and make sure the install location is on your PATH.")

with open(IAC_FILE, 'w') as f:
    f.write(IAC_CONTENT)

print(f"Scanning '{IAC_FILE}' with Bridgecrew...")
try:
    # -f scans a single file. check=False: a non-zero exit code is how the CLI reports
    # failed checks, so it must not be treated as a crash of the scan itself.
    result = subprocess.run(
        ['bridgecrew', '-f', IAC_FILE],
        capture_output=True,
        text=True,
        check=False,
        env=env,
    )
    print("Bridgecrew Scan Output:")
    print(result.stdout)
    if result.stderr:
        print("Bridgecrew Scan Errors:")
        print(result.stderr)
    if result.returncode == 0:
        print("All checks passed.")
    else:
        print(f"Scan exited with code {result.returncode}: failed checks were reported "
              "(or the scan itself errored; see stderr above).")
finally:
    # Remove the sample file even if the scan raised
    os.remove(IAC_FILE)
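The Quickstart prints the CLI's human-readable output; in a pipeline you usually want the credential handling from the Common errors section, the exit code, and a machine-readable report you can gate on. The helpers below are an added example written for this page, not bridgecrew's own code. They assume, as labelled in the comments, that the bridgecrew wrapper passes Checkov's `-o json` flag through and emits Checkov's JSON report shape, and that exit code 0 means no failed checks while 1 means at least one failed check (Checkov's convention). The sample report is constructed; `CKV_AWS_20` and `CKV_AWS_57` are real Checkov check IDs for public READ and public WRITE S3 ACLs, but the report text around them is made up.

```python
"""Helpers for driving the bridgecrew CLI from Python: credential hygiene, exit-code
interpretation and JSON result parsing. Added example, not bridgecrew's own code.
Assumptions: the CLI accepts Checkov's `-o json` flag and emits Checkov's JSON report
shape; exit code 0 = no failed checks, 1 = failed checks, as in Checkov."""
import json
import os
import shutil
import subprocess
from typing import Callable, Dict, Iterable, List, Tuple

# Values that indicate a copy-pasted template rather than a real key.
PLACEHOLDER_KEYS = {"", "YOUR_BC_API_KEY_HERE", "YOUR_BC_API_KEY_HERE_IF_NEEDED", "changeme"}


def scan_env(base_env: Dict[str, str]) -> Dict[str, str]:
    """Copy base_env for subprocess.run, forwarding BC_API_KEY only if it looks real.
    Empty or placeholder values are dropped so the CLI falls back to a local scan (and
    says so) instead of failing platform authentication with junk."""
    env = dict(base_env)
    if env.get("BC_API_KEY", "").strip() in PLACEHOLDER_KEYS:
        env.pop("BC_API_KEY", None)
    return env


def interpret_exit(returncode: int) -> str:
    """Map the CLI exit status to a scan outcome (Checkov convention, assumed here)."""
    if returncode == 0:
        return "passed"
    if returncode == 1:
        return "failed_checks"
    return "error"


def run_scan(target: str, env: Dict[str, str],
             runner: Callable = subprocess.run) -> Tuple[int, str]:
    """Run `bridgecrew -f <target> -o json` and return (exit code, stdout).
    `-o json` is Checkov's output flag, assumed to pass through the bridgecrew wrapper.
    `runner` is injectable so the surrounding logic can be exercised without the CLI."""
    cmd = ["bridgecrew", "-f", target, "-o", "json"]
    try:
        proc = runner(cmd, capture_output=True, text=True, check=False, env=env)
    except FileNotFoundError:
        raise SystemExit("'bridgecrew' command not found: pip install bridgecrew and "
                         "check your PATH") from None
    return proc.returncode, proc.stdout


def summarize(report_json: str) -> Dict[str, object]:
    """Reduce a Checkov-style JSON report to counts plus the failed checks. Checkov emits
    one report object per framework, or a list of them when several frameworks were
    scanned; both shapes are handled."""
    data = json.loads(report_json)
    reports = data if isinstance(data, list) else [data]
    passed = 0
    failed: List[Dict[str, str]] = []
    for report in reports:
        results = report.get("results", {})
        passed += len(results.get("passed_checks", []))
        for check in results.get("failed_checks", []):
            failed.append({
                "check_id": check.get("check_id", ""),
                "resource": check.get("resource", ""),
                "file": check.get("file_path", ""),
                "framework": report.get("check_type", ""),
            })
    return {"passed": passed, "failed": len(failed), "failed_checks": failed}


def should_block(summary: Dict[str, object], accepted: Iterable[str] = ()) -> bool:
    """CI gate: block unless every failed check ID is on the accepted-risk list."""
    accepted_ids = set(accepted)
    return any(c["check_id"] not in accepted_ids for c in summary["failed_checks"])


# Constructed sample report in Checkov's JSON shape for the Quickstart's public-read
# bucket. CKV_AWS_20 (public READ ACL) fails, CKV_AWS_57 (public WRITE ACL) passes.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [{"check_id": "CKV_AWS_57", "resource": "aws_s3_bucket.bad_bucket",
                           "file_path": "/my_resource.tf", "check_result": {"result": "PASSED"}}],
        "failed_checks": [{"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.bad_bucket",
                           "file_path": "/my_resource.tf", "check_result": {"result": "FAILED"}}],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 1, "skipped": 0, "parsing_errors": 0, "resource_count": 1},
})


if __name__ == "__main__":
    env = scan_env(os.environ)
    if "BC_API_KEY" not in env:
        print("BC_API_KEY not set: scanning locally, results will not be uploaded.")
    if shutil.which("bridgecrew"):
        rc, out = run_scan("my_resource.tf", env)  # expects the Quickstart's file to exist
    else:
        print("bridgecrew not on PATH; using the constructed sample report instead.")
        rc, out = 1, SAMPLE_REPORT
    try:
        summary = summarize(out)
    except json.JSONDecodeError:
        raise SystemExit(f"Scan produced no JSON report: {out.strip() or '(empty)'}")
    print(f"outcome={interpret_exit(rc)} passed={summary['passed']} failed={summary['failed']}")
    for check in summary["failed_checks"]:
        print(f"  {check['check_id']} {check['resource']} ({check['file']})")
    raise SystemExit(1 if should_block(summary) else 0)
```

`should_block` is where a team's accepted-risk list lives: pass the check IDs you have consciously waived and the gate stays green for those while still failing the build on anything new, which is safer than `--soft-fail`-style blanket suppression because every waiver is an explicit, reviewable identifier.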