Checkov
3.2.513 · verified Tue May 12 · auth: no · python · install: verified · quickstart: stale
Checkov is an open-source static code analysis tool that performs security and compliance scanning for Infrastructure as Code (IaC) and Software Composition Analysis (SCA). It identifies misconfigurations and vulnerabilities in various IaC frameworks (e.g., Terraform, CloudFormation, Kubernetes, Dockerfiles, Bicep, Serverless) and scans container images and open-source packages for Common Vulnerabilities and Exposures (CVEs). Actively maintained by Prisma Cloud, Checkov has a frequent release cadence, often with multiple patch versions released monthly.
pip install checkov
Common errors
error ModuleNotFoundError: No module named 'checkov'
cause This error occurs when the `checkov` Python package is not installed in the active Python environment or is not accessible within the current Python path.
fix Install Checkov using pip: `pip install checkov`, or `pip3 install checkov` if you have multiple Python versions. Ensure your environment's PATH includes the directory where pip installs packages.
error command not found: checkov
cause This shell error indicates that the `checkov` executable is not found in your system's PATH. This usually happens if Checkov was installed but its installation directory isn't in the PATH, or if the installation was incomplete.
fix Ensure Checkov is installed (`pip install checkov`) and that your system's PATH environment variable includes the directory where Python scripts (like `checkov`) are installed. For example, on Linux/macOS, this might be `~/.local/bin` or `/usr/local/bin`.
error AttributeError: type object 'Lark' has no attribute '_load_from_dict'
cause This `AttributeError` often arises from an incompatibility between the installed version of Checkov, its underlying parsing libraries (like `hcl2` or `lark`), and the Python version being used. It typically means a dependency is trying to access a method that doesn't exist in its current version or the Python version it's running on.
fix Upgrade your Python version (e.g., to Python 3.8+ if currently on an older version) using pyenv or a similar version manager (pip cannot upgrade the interpreter itself), then reinstall Checkov and its dependencies to ensure compatibility: `pip uninstall checkov -y && pip install checkov`.
error checkov: error: unrecognized arguments: --some-invalid-argument
cause This error means you are passing an argument or flag to the `checkov` CLI that it does not recognize, or the argument is formatted incorrectly. This can happen with typos, outdated options, or incorrect syntax in configuration files or direct commands.
fix Consult the official Checkov documentation or run `checkov --help` to verify the correct arguments and their syntax for your specific Checkov version. Ensure that arguments are properly separated and spelled correctly.
Warnings
breaking The migration from Checkov v2 to v3 introduced several breaking changes. These include the removal of the 'level up' flow, changes to the syntax for Python custom checks, and the replacement of deprecated flags like `--no-guide` and `--skip-suppressions` with the unified `--skip-download` flag.
fix Review the official Checkov migration guide for v2 to v3. Update custom policy syntax and replace removed flags with their current equivalents (e.g., use `--skip-download` for skipping policy downloads).
gotcha When scanning a Terraform plan outputted to JSON (e.g., `terraform show -json tf.plan > tf.json`), the resulting `tf.json` file is often a single line. This causes Checkov to report all findings on line number 0, making it difficult to pinpoint the exact location of issues in the original plan.
fix Use a tool like `jq` to pretty-print the JSON output before scanning. For example: `terraform show -json tf.plan | jq '.' > tf.json`. This formats the JSON into multiple lines, allowing Checkov to report more accurate line numbers.
gotcha Installing and using Checkov on Alpine Linux is not officially supported, and Alpine is generally not recommended for larger Python projects due to potential incompatibilities with C extensions. While it might work with Python 3.11+, stability is not guaranteed.
fix For production or CI/CD environments, use officially supported Linux distributions (e.g., Debian, Ubuntu, CentOS) or macOS. If Alpine is necessary, ensure Python 3.11+ is used and conduct thorough testing.
gotcha When using Checkov with an API key (e.g., for integrating with Prisma Cloud), the `--repo-id` flag is now a mandatory requirement. Failing to provide this flag will result in an error or incomplete functionality.
fix Always include the `--repo-id <owner/repository_name>` flag when running Checkov with an API key. For example: `checkov -d . --bc-api-key $BC_API_KEY --repo-id my-org/my-repo`.
gotcha When attempting to run `checkov` commands from within a Python script, placing the command directly into the script file (e.g., `checkov --directory .`) will result in a `SyntaxError`. Python interprets these lines as its own code, not as shell commands.
fix To execute Checkov from a Python script, use Python's `subprocess` module (e.g., `import subprocess; subprocess.run(['checkov', '--directory', './my-iac-code'])`) or `os.system()` (e.g., `import os; os.system('checkov --directory ./my-iac-code')`). The `subprocess` module is generally recommended for its flexibility and safety.
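Building on the `subprocess` recommendation above, an added example (not from the original page or the Checkov project): it runs Checkov without a shell, parses `-o json` output, and marks findings reported on line 0, the symptom of the single-line plan JSON gotcha. The sample report is constructed, and treating a `file_line_range` of `[0, 0]` as "line unknown" is an assumption.

```python
import json
import shutil
import subprocess

# Constructed sample of `checkov -o json` output, trimmed to the fields used here.
SAMPLE_REPORT = json.dumps([
    {"check_type": "terraform_plan", "results": {"failed_checks": [
        {"check_id": "CKV_AWS_20", "resource": "aws_s3_bucket.logs",
         "file_path": "/tf.json", "file_line_range": [0, 0]}]}},
    {"check_type": "terraform", "results": {"failed_checks": [
        {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.data",
         "file_path": "/main.tf", "file_line_range": [12, 30]}]}},
])


def parse_report(raw):
    """Return the failed checks in Checkov JSON output as a list of dicts."""
    data = json.loads(raw)
    # One framework yields a single object; several frameworks yield a list.
    reports = data if isinstance(data, list) else [data]
    findings = []
    for report in reports:
        for chk in report.get("results", {}).get("failed_checks", []):
            start = (chk.get("file_line_range") or [0])[0]
            # Assumption: a finding "on line 0" appears as range [0, 0].
            findings.append({"id": chk.get("check_id"), "resource": chk.get("resource"),
                             "file": chk.get("file_path"), "line": start,
                             "line_unknown": start == 0})
    return findings


def run_checkov(target, is_file=False):
    """Run Checkov on a directory or file; return (exit_code, findings)."""
    if shutil.which("checkov") is None:
        raise RuntimeError("checkov is not on PATH; see 'command not found' above")
    argv = ["checkov", "--file" if is_file else "--directory", target, "-o", "json"]
    # argv is a list and no shell is involved, so the path is passed verbatim.
    # Checkov exits non-zero when checks fail, hence check=False.
    proc = subprocess.run(argv, capture_output=True, text=True, check=False)
    return proc.returncode, parse_report(proc.stdout)


if __name__ == "__main__":
    for f in parse_report(SAMPLE_REPORT):
        hint = " (line unknown: pretty-print the plan JSON)" if f["line_unknown"] else ""
        print(f"{f['id']} {f['resource']} {f['file']}:{f['line']}{hint}")
```
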
Install compatibility verified last tested: 2026-05-12
| python | os / libc | status | wheel | install | import | disk |
|---|---|---|---|---|---|---|
| 3.10 | alpine (musl) | timeout | - | - | - | - |
| 3.10 | alpine (musl) | | - | - | - | - |
| 3.10 | slim (glibc) | | wheel | 24.8s | 0.01s | 255M |
| 3.10 | slim (glibc) | | - | - | 0.01s | 255M |
| 3.11 | alpine (musl) | | wheel | - | 0.04s | 271.4M |
| 3.11 | alpine (musl) | | - | - | 0.05s | 271.5M |
| 3.11 | slim (glibc) | | wheel | 22.6s | 0.04s | 269M |
| 3.11 | slim (glibc) | | - | - | 0.03s | 269M |
| 3.12 | alpine (musl) | | wheel | - | 0.04s | 256.8M |
| 3.12 | alpine (musl) | | - | - | 0.04s | 256.9M |
| 3.12 | slim (glibc) | | wheel | 17.9s | 0.05s | 254M |
| 3.12 | slim (glibc) | | - | - | 0.04s | 255M |
| 3.13 | alpine (musl) | | wheel | - | 0.05s | 256.4M |
| 3.13 | alpine (musl) | | - | - | 0.04s | 256.3M |
| 3.13 | slim (glibc) | | wheel | 18.6s | 0.04s | 254M |
| 3.13 | slim (glibc) | | - | - | 0.04s | 254M |
| 3.9 | alpine (musl) | timeout | - | - | - | - |
| 3.9 | alpine (musl) | | - | - | - | - |
| 3.9 | slim (glibc) | | wheel | 28.4s | 0.02s | 266M |
| 3.9 | slim (glibc) | | - | - | 0.02s | 266M |
Imports
- CheckResult
  from checkov.common.models.enums import CheckResult
- CheckCategories
  from checkov.common.models.enums import CheckCategories
- BaseResourceCheck
  from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
Quickstart stale last tested: 2026-04-24
checkov --directory ./my-iac-code
# Example: Scan a Terraform directory
# checkov --directory /path/to/my/terraform/configs
# Example: Scan a specific Kubernetes manifest file
# checkov --file /path/to/my/k8s/deployment.yaml
# Example: Scan a Terraform plan JSON, ensuring multiline output for better line numbers
# terraform init
# terraform plan -out tf.plan
# terraform show -json tf.plan | jq '.' > tf.json
# checkov --file tf.json