Checkov

3.2.513 · active · verified Sat Mar 28

Checkov is an open-source static code analysis tool that performs security and compliance scanning for Infrastructure as Code (IaC) and Software Composition Analysis (SCA). It identifies misconfigurations and vulnerabilities in various IaC frameworks (e.g., Terraform, CloudFormation, Kubernetes, Dockerfiles, Bicep, Serverless) and scans container images and open-source packages for Common Vulnerabilities and Exposures (CVEs). Actively maintained by Prisma Cloud, Checkov has a frequent release cadence, often with multiple patch versions released monthly.

Warnings

breaking The migration from Checkov v2 to v3 introduced several breaking changes. These include the removal of the 'level up' flow, changes to the syntax for Python custom checks, and the replacement of deprecated flags like `--no-guide` and `--skip-suppressions` with the unified `--skip-download` flag.
Fix: Review the official Checkov migration guide for v2 to v3. Update custom policy syntax and replace removed flags with their current equivalents (e.g., use `--skip-download` for skipping policy downloads).
gotcha When scanning a Terraform plan outputted to JSON (e.g., `terraform show -json tf.plan > tf.json`), the resulting `tf.json` file is often a single line. This causes Checkov to report all findings on line number 0, making it difficult to pinpoint the exact location of issues in the original plan.
Fix: Use a tool like `jq` to pretty-print the JSON output before scanning. For example: `terraform show -json tf.plan | jq '.' > tf.json`. This formats the JSON into multiple lines, allowing Checkov to report more accurate line numbers.
gotcha Checkov's installation and usage on Alpine Linux is not officially supported and is generally not recommended for larger Python projects due to potential incompatibilities with C extensions. While it might work with Python 3.11+, stability is not guaranteed.
Fix: For production or CI/CD environments, use officially supported Linux distributions (e.g., Debian, Ubuntu, CentOS) or macOS. If Alpine is necessary, ensure Python 3.11+ is used and conduct thorough testing.
gotcha When using Checkov with an API key (e.g., for integrating with Prisma Cloud), the `--repo-id` flag is now a mandatory requirement. Failing to provide this flag will result in an error or incomplete functionality.
Fix: Always include the `--repo-id <owner/repository_name>` flag when running Checkov with an API key. For example: `checkov -d . --bc-api-key $BC_API_KEY --repo-id my-org/my-repo`.

Install

pip install checkov Install with pip

Imports

CheckResult
```
from checkov.common.models.enums import CheckResult
```
Used when writing custom Python policies to define check outcomes.
CheckCategories
```
from checkov.common.models.enums import CheckCategories
```
Used when writing custom Python policies to categorize checks.
BaseResourceCheck
```
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
```
Base class for creating custom Terraform resource checks in Python.

Quickstart

The primary way to use Checkov is via its command-line interface. This quickstart demonstrates how to scan a directory containing Infrastructure as Code (IaC) files, a specific file, or a Terraform plan in JSON format. The `--directory` and `--file` flags are fundamental for specifying scan targets.

checkov --directory ./my-iac-code
# Example: Scan a Terraform directory
# checkov --directory /path/to/my/terraform/configs

# Example: Scan a specific Kubernetes manifest file
# checkov --file /path/to/my/k8s/deployment.yaml

# Example: Scan a Terraform plan JSON, ensuring multiline output for better line numbers
# terraform init
# terraform plan -out tf.plan
# terraform show -json tf.plan | jq '.' > tf.json
# checkov --file tf.json

view raw JSON →