Scripts · April 15, 2026 · 1 min read

Checkov — Static Security Scanning for IaC and Containers

Checkov is a Bridgecrew static-analysis tool that scans Terraform, CloudFormation, Kubernetes, Helm, Dockerfile, and more for misconfigurations and policy violations before anything is deployed.

Introduction

Checkov brings shift-left security to infrastructure code. It ships with 1,000+ built-in policies covering AWS, Azure, GCP, Kubernetes, Dockerfile, GitHub Actions, and Bicep, and it runs fast enough to fit into a pre-commit hook.

What Checkov Does

  • Parses IaC using native Terraform, CFN, Kustomize, and Helm libraries
  • Flags misconfigurations like open S3 buckets or missing encryption
  • Detects secrets in committed code with entropy + regex rules
  • Supports custom policies in Python or Rego/OPA
  • Integrates with CI as SARIF, JUnit, CycloneDX, or JSON output

Architecture Overview

The CLI loads the target files, builds an in-memory resource graph, and evaluates each resource against policy check classes. Graph-based checks (e.g., cross-resource references) run after atomic checks. Results stream to stdout or a structured writer.

Self-Hosting & Configuration

  • Pure Python; install with pipx or run the bridgecrew/checkov container image
  • Configure via .checkov.yaml or CLI flags
  • Suppress an individual finding with an inline comment: # checkov:skip=CKV_AWS_20: reason
  • Wire into pre-commit, GitHub Actions, GitLab CI, Jenkins
  • Pair with Prisma Cloud for centralized reporting (optional)

Key Features

  • 1,000+ policies across 30+ resource providers
  • Secret scanning with a curated regex set
  • Graph-based multi-resource rules (e.g., KMS + S3 pairing)
  • SBOM and license detection in a single pass
  • Apache-2.0 license, community maintained

Comparison with Similar Tools

  • tfsec — Terraform-focused, now part of Aqua Security's Trivy suite
  • Trivy — broader vuln scanning; overlaps on IaC checks
  • KICS — similar IaC scope, fewer CFN policies
  • Terrascan — policy-as-code via Rego, fewer built-ins
  • Snyk IaC — commercial, richer UI

FAQ

Q: How do I write a custom policy? A: Subclass BaseResourceCheck in Python or drop a Rego file in --external-checks-dir.
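A worked custom policy in the shape the answer above describes, added here as an example and not code from the Checkov project. It assumes Checkov's Python check API (BaseResourceCheck, CheckResult, CheckCategories) and the Terraform parser's convention of wrapping every attribute value in a list; the check id and the import fallback are constructed so the scan logic runs even where checkov is not installed.

```python
# Custom Checkov policy (added example, not from the Checkov project).
# Assumes Checkov's Python check API: BaseResourceCheck, CheckResult, CheckCategories.
# Save in a directory passed via --external-checks-dir to load it.
try:
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
except ImportError:  # constructed stand-ins so the scan logic runs without checkov installed
    from enum import Enum

    class CheckResult(Enum):
        PASSED = "PASSED"
        FAILED = "FAILED"

    class CheckCategories(Enum):
        ENCRYPTION = "ENCRYPTION"

    class BaseResourceCheck:
        def __init__(self, name, id, categories, supported_resources, guideline=None):
            self.name, self.id = name, id
            self.categories, self.supported_resources = categories, supported_resources


class S3BucketUsesCustomerKms(BaseResourceCheck):
    """Fail S3 server-side encryption configs not backed by a customer-managed KMS key.

    Checkov passes scan_resource_conf() the parsed Terraform block, where each
    attribute value is wrapped in a list, e.g. {"sse_algorithm": ["aws:kms"]}.
    """

    def __init__(self):
        super().__init__(
            name="Ensure S3 bucket encryption uses a customer-managed KMS key",
            id="CKV_CUSTOM_S3_KMS",  # constructed id; choose your own prefix
            categories=[CheckCategories.ENCRYPTION],
            supported_resources=["aws_s3_bucket_server_side_encryption_configuration"],
        )

    def scan_resource_conf(self, conf):
        for rule in conf.get("rule", []):
            for default in rule.get("apply_server_side_encryption_by_default", []):
                algorithm = default.get("sse_algorithm", [None])[0]
                key_id = default.get("kms_master_key_id", [None])[0]
                if algorithm == "aws:kms" and key_id:
                    return CheckResult.PASSED
        # No rule names a KMS key: SSE-S3 (AES256), the default aws/s3 key, or nothing at all.
        return CheckResult.FAILED


check = S3BucketUsesCustomerKms()  # Checkov picks up module-level check instances
```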

Q: Does it analyze Helm? A: Yes — it renders charts with helm template and scans the output.

Q: Can it gate pull requests? A: Yes — emit SARIF and enable GitHub code scanning, or fail the job on non-zero exit.

Q: Does it need cloud credentials? A: Not for static scans; only the optional Bridgecrew platform integration needs them.
