Checkov is a static analysis tool for infrastructure as code. It scans Terraform, CloudFormation, Kubernetes manifests, Helm charts, ARM templates, Bicep, Dockerfiles, and more for security misconfigurations and compliance violations. It maps findings to CIS benchmarks, SOC2, NIST, and other frameworks.

• Supports Terraform, CloudFormation, Kubernetes, Helm, ARM, Bicep, Dockerfile, GitHub Actions, and more
• Maps findings to CIS, SOC2, NIST, PCI-DSS, HIPAA
• Outputs to CLI, JSON, JUnit XML, SARIF, and CSV

Checkov runs in a Python virtual environment.

cd /opt/checkcov/
. checkov.sh          # activates the venv environment

checkov -d <path-to-scan>      # e.g. checkov -d .

checkov -d <terraform-directory>
checkov -d . --framework terraform

checkov -d <cloudformation-directory> --framework cloudformation

checkov -d <k8s-manifests-directory> --framework kubernetes

checkov -d <helm-chart-directory> --framework helm

checkov -f <Dockerfile>

checkov -d .github/workflows --framework github_actions

checkov -d . -o json > /output/checkov-results.json
checkov -d . -o sarif > /output/checkov-results.sarif

checkov -d . --skip-check CKV_AWS_18,CKV_AWS_21

• Checkov requires Terraform to be initialised (terraform init) before scanning some resource types that rely on provider schemas. Uninitialised directories may produce incomplete results.
• YAML parsing errors in Kubernetes or Helm templates can cause Checkov to skip files silently. Run with --quiet removed to see full output if results seem incomplete.
• Some checks produce false positives against third-party modules where the configuration is correct but the module structure is non-standard. Use --skip-check to suppress known false positives.

• GitHub Repo