# Checkov — Static Security Scanning for IaC and Containers

> Checkov is a Bridgecrew static-analysis tool that scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and more for misconfigurations and policy violations before anything is deployed.

## Quick Use

```bash
# Install
pipx install checkov   # or: pip install checkov

# Scan a directory of Terraform
checkov -d ./terraform

# Scan a specific file and emit SARIF for GitHub code scanning
checkov -f main.tf --output sarif --output-file-path results.sarif

# Skip low-severity checks in CI. Severity-based filtering needs a Bridgecrew/Prisma Cloud
# API key; --soft-fail keeps the exit code at 0, so failures are reported but do not block.
checkov -d . --skip-check LOW --soft-fail
```

## Introduction

Checkov brings shift-left security to infrastructure code. It ships with 1,000+ built-in policies covering AWS, Azure, GCP, Kubernetes, Dockerfile, GitHub Actions, and Bicep, and it runs fast enough to fit into a pre-commit hook.

## What Checkov Does

- Parses IaC using native Terraform, CFN, Kustomize, and Helm libraries
- Flags misconfigurations such as publicly readable S3 buckets or missing encryption
- Detects secrets in committed code with entropy + regex rules
- Supports custom policies in Python or Rego/OPA
- Integrates with CI as SARIF, JUnit, CycloneDX, or JSON output

## Architecture Overview

The CLI loads the target files, builds an in-memory resource graph, and evaluates each resource against policy check classes. Graph-based checks (e.g., cross-resource references) run after atomic checks. Results stream to stdout or a structured writer.
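Because results only gate a pipeline if nothing silences them, the inline suppression comment described under Self-Hosting & Configuration (`# checkov:skip=CKV_AWS_20: reason`) is worth auditing alongside the scan itself. The script below is an added example, not part of Checkov: it finds every inline skip in a repo, counts them per check ID, and flags skips that give no reason. The regex follows the `checkov:skip=` / `bridgecrew:skip=` syntax Checkov accepts; the file names and Terraform snippet are constructed.

```python
"""Audit Checkov inline suppressions (added example, not part of Checkov)."""
import re
from collections import Counter
from pathlib import Path

# Check ID as Checkov accepts it (e.g. CKV_AWS_20, CKV2_GCP_3, dotted custom IDs),
# followed by an optional ": reason". Handles `#` and `//` comment styles.
SKIP_RE = re.compile(
    r"(?:#|//)\s*(?:checkov|bridgecrew):skip=\s*"
    r"(?P<check>[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)(?::(?P<reason>[^\n]*))?"
)

def find_skips(text: str, path: str = "<inline>") -> list[dict]:
    """Return one record per skip comment: file, line, check ID and reason ('' if none)."""
    skips = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SKIP_RE.search(line)
        if m:
            skips.append({"file": path, "line": lineno, "check": m.group("check"),
                          "reason": (m.group("reason") or "").strip()})
    return skips

def audit(skips: list[dict]) -> dict:
    """Summarise: how often each check is skipped, and which skips carry no reason."""
    return {"per_check": Counter(s["check"] for s in skips),
            "unjustified": [s for s in skips if not s["reason"]]}

def audit_tree(root: str, names=(".tf", ".yaml", ".yml", "Dockerfile")) -> dict:
    """Walk a directory (e.g. the ./terraform dir scanned in Quick Use) and audit every IaC file."""
    skips = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix in names or p.name in names):
            skips.extend(find_skips(p.read_text(errors="replace"), str(p)))
    return audit(skips)

# Constructed Terraform snippet: two justified skips and one bare skip.
SAMPLE_TF = """resource "aws_s3_bucket" "logs" {
  # checkov:skip=CKV_AWS_18: access logging is handled at the account level
  # checkov:skip=CKV_AWS_144
  bucket = "example-logs"
}
resource "aws_s3_bucket" "data" {
  bucket = "example-data" // checkov:skip=CKV_AWS_18:same as above
}
"""

if __name__ == "__main__":
    result = audit(find_skips(SAMPLE_TF, "main.tf"))
    for s in result["unjustified"]:
        print(f"{s['file']}:{s['line']}: {s['check']} skipped without a reason")
    print("skips per check:", dict(result["per_check"]))
```

Run `audit_tree("./terraform")` in the same CI job as `checkov -d ./terraform` and fail the job when `unjustified` is non-empty, so a finding cannot disappear without a recorded justification.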
## Self-Hosting & Configuration

- Pure Python; install via pipx or the container image `bridgecrew/checkov`
- Configure via `.checkov.yaml` or CLI flags
- Suppress a finding inline with `# checkov:skip=CKV_AWS_20: reason`
- Wire into pre-commit, GitHub Actions, GitLab CI, Jenkins
- Pair with Prisma Cloud for centralized reporting (optional)

## Key Features

- 1,000+ policies across 30+ resource providers
- Secret scanning with a curated regex set
- Graph-based multi-resource rules (e.g., KMS + S3 pairing)
- SBOM and license detection in a single pass
- Apache-2.0 license, community maintained

## Comparison with Similar Tools

- **tfsec** — Terraform-focused, now part of Aqua Security's Trivy suite
- **Trivy** — broader vulnerability scanning; overlaps on IaC checks
- **KICS** — similar IaC scope, fewer CFN policies
- **Terrascan** — policy-as-code via Rego, fewer built-ins
- **Snyk IaC** — commercial, richer UI

## FAQ

**Q:** How do I write a custom policy?
**A:** Subclass `BaseResourceCheck` in Python or drop a Rego file in `--external-checks-dir`.

**Q:** Does it analyze Helm?
**A:** Yes — it renders charts with `helm template` and scans the output.

**Q:** Can it gate pull requests?
**A:** Yes — emit SARIF and enable GitHub code scanning, or fail the job on a non-zero exit code.

**Q:** Does it need cloud credentials?
**A:** No, not for static scans. The optional Bridgecrew platform integration does.

## Sources

- https://github.com/bridgecrewio/checkov
- https://www.checkov.io/

---

Source: https://tokrepo.com/en/workflows/accdd5bb-38fa-11f1-9bc6-00163e2b0d79
Author: Script Depot