Skip to content

checkov

checkov documentation

checkov - GitHub

Configuration in MegaLinter

Variable Description Default value
TERRAFORM_CHECKOV_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
TERRAFORM_CHECKOV_FILTER_REGEX_INCLUDE Custom regex including filter
Ex: (src\|lib)
Include every file
TERRAFORM_CHECKOV_FILTER_REGEX_EXCLUDE Custom regex excluding filter
Ex: (test\|examples)
Exclude no file
TERRAFORM_CHECKOV_CLI_LINT_MODE Override default CLI lint mode
- file: Calls the linter for each file
- list_of_files: Call the linter with the list of files as argument
- project: Call the linter from the root of the project
{linter.cli_lint_mode}
TERRAFORM_CHECKOV_FILE_EXTENSIONS Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all files
Ex: [".py", ""]
[".tf"]
TERRAFORM_CHECKOV_FILE_NAMES_REGEX File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files
Ex: ["Dockerfile(-.+)?", "Jenkinsfile"]
Include every file
TERRAFORM_CHECKOV_PRE_COMMANDS List of bash commands to run before the linter None
TERRAFORM_CHECKOV_POST_COMMANDS List of bash commands to run after the linter None
TERRAFORM_CHECKOV_DISABLE_ERRORS Run linter but consider errors as warnings false
TERRAFORM_CHECKOV_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0

IDE Integration

Use checkov in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Visual Studio Code Checkov Install in VsCode

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 95 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 46 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • File extensions: .tf

How the linting is performed

  • checkov is called one time by identified file

Example calls

checkov --file myfile.tf

Help content

usage: checkov [-h] [-v] [-d DIRECTORY] [--add-check] [-f FILE]
               [--skip-path SKIP_PATH]
               [--external-checks-dir EXTERNAL_CHECKS_DIR]
               [--external-checks-git EXTERNAL_CHECKS_GIT] [-l]
               [-o {cli,cyclonedx,json,junitxml,github_failed_only,sarif}]
               [--output-bc-ids] [--no-guide] [--quiet] [--compact]
               [--framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json,all}]
               [--skip-framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json}]
               [-c CHECK] [--skip-check SKIP_CHECK]
               [--run-all-external-checks] [--bc-api-key BC_API_KEY]
               [--docker-image DOCKER_IMAGE]
               [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID]
               [-b BRANCH] [--skip-fixes] [--skip-suppressions]
               [--skip-policy-download]
               [--download-external-modules DOWNLOAD_EXTERNAL_MODULES]
               [--var-file VAR_FILE]
               [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH]
               [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE]
               [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
               [--config-file CONFIG_FILE] [--create-config CREATE_CONFIG]
               [--show-config] [--create-baseline] [--baseline BASELINE]
               [-s | --soft-fail-on SOFT_FAIL_ON | --hard-fail-on HARD_FAIL_ON]

Infrastructure as code static analysis

optional arguments:
  -h, --help            show this help message and exit
  -v, --version         version
  -d DIRECTORY, --directory DIRECTORY
                        IaC root directory (can not be used together with
                        --file).
  --add-check           Generate a new check via CLI prompt
  -f FILE, --file FILE  IaC file(can not be used together with --directory)
  --skip-path SKIP_PATH
                        Path (file or directory) to skip, using regular
                        expression logic, relative to current working
                        directory. Word boundaries are not implicit; i.e.,
                        specifying "dir1" will skip any directory or
                        subdirectory named "dir1". Ignored with -f. Can be
                        specified multiple times.
  --external-checks-dir EXTERNAL_CHECKS_DIR
                        Directory for custom checks to be loaded. Can be
                        repeated
  --external-checks-git EXTERNAL_CHECKS_GIT
                        Github url of external checks to be added. you can
                        specify a subdirectory after a double-slash //. cannot
                        be used together with --external-checks-dir
  -l, --list            List checks
  -o {cli,cyclonedx,json,junitxml,github_failed_only,sarif}, --output {cli,cyclonedx,json,junitxml,github_failed_only,sarif}
                        Report output format. Can be repeated
  --output-bc-ids       Print Bridgecrew platform IDs (BC...) instead of
                        Checkov IDs (CKV...), if the check exists in the
                        platform
  --no-guide            Do not fetch Bridgecrew platform IDs and guidelines
                        for the checkov output report. Note: this prevents
                        Bridgecrew platform check IDs from being used anywhere
                        in the CLI.
  --quiet               in case of CLI output, display only failed checks
  --compact             in case of CLI output, do not display code blocks
  --framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json,all}
                        filter scan to run only on a specific infrastructure
                        code frameworks
  --skip-framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json}
                        filter scan to skip specific infrastructure code
                        frameworks. will be included automatically for some
                        frameworks if system dependencies are missing.
  -c CHECK, --check CHECK
                        filter scan to run only on a specific check
                        identifier(allowlist), You can specify multiple checks
                        separated by comma delimiter
  --skip-check SKIP_CHECK
                        filter scan to run on all check but a specific check
                        identifier(denylist), You can specify multiple checks
                        separated by comma delimiter
  --run-all-external-checks
                        Run all external checks (loaded via --external-checks
                        options) even if the checks are not present in the
                        --check list. This allows you to always ensure that
                        new checks present in the external source are used. If
                        an external check is included in --skip-check, it will
                        still be skipped.
  --bc-api-key BC_API_KEY
                        Bridgecrew API key [env var: BC_API_KEY]
  --docker-image DOCKER_IMAGE
                        Scan docker images by name or ID. Only works with
                        --bc-api-key flag
  --dockerfile-path DOCKERFILE_PATH
                        Path to the Dockerfile of the scanned docker image
  --repo-id REPO_ID     Identity string of the repository, with form
                        <repo_owner>/<repo_name>
  -b BRANCH, --branch BRANCH
                        Selected branch of the persisted repository. Only has
                        effect when using the --bc-api-key flag
  --skip-fixes          Do not download fixed resource templates from
                        Bridgecrew. Only has effect when using the --bc-api-
                        key flag
  --skip-suppressions   Do not download preconfigured suppressions from the
                        Bridgecrew platform. Code comment suppressions will
                        still be honored. Only has effect when using the --bc-
                        api-key flag
  --skip-policy-download
                        Do not download custom policies configured in the
                        Bridgecrew platform. Only has effect when using the
                        --bc-api-key flag
  --download-external-modules DOWNLOAD_EXTERNAL_MODULES
                        download external terraform modules from public git
                        repositories and terraform registry [env var:
                        DOWNLOAD_EXTERNAL_MODULES]
  --var-file VAR_FILE   Variable files to load in addition to the default
                        files (see https://www.terraform.io/docs/language/valu
                        es/variables.html#variable-definitions-tfvars-
                        files).Currently only supported for source Terraform
                        (.tf file) scans. Requires using --directory, not
                        --file.
  --external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH
                        set the path for the download external terraform
                        modules [env var: EXTERNAL_MODULES_DIR]
  --evaluate-variables EVALUATE_VARIABLES
                        evaluate the values of variables and locals
  -ca CA_CERTIFICATE, --ca-certificate CA_CERTIFICATE
                        custom CA (bundle) file [env var: CA_CERTIFICATE]
  --repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT
                        Directory containing the hcl code used to generate a
                        given plan file. Use with -f.
  --config-file CONFIG_FILE
                        path to the Checkov configuration YAML file
  --create-config CREATE_CONFIG
                        takes the current command line args and writes them
                        out to a config file at the given path
  --show-config         prints all args and config settings and where they
                        came from (eg. commandline, config file, environment
                        variable or default)
  --create-baseline     Alongside outputting the findings, save all results to
                        .checkov.baseline file so future runs will not re-flag
                        the same noise. Works only with `--directory` flag
  --baseline BASELINE   Use a .checkov.baseline file to compare current
                        results with a known baseline. Report will include
                        only failed checks that are newwith respect to the
                        provided baseline
  -s, --soft-fail       Runs checks but suppresses error code
  --soft-fail-on SOFT_FAIL_ON
                        Exits with a 0 exit code for specified checks. You can
                        specify multiple checks separated by comma delimiter
  --hard-fail-on HARD_FAIL_ON
                        Exits with a non-zero exit code for specified checks.
                        You can specify multiple checks separated by comma
                        delimiter

Args that start with '--' (eg. -v) can also be set in a config file
(/.checkov.yaml or /.checkov.yml or /root/.checkov.yaml or /root/.checkov.yml
or specified via --config-file). The config file uses YAML syntax and must
represent a YAML 'mapping' (for details, see
http://learn.getgrav.org/advanced/yaml). If an arg is specified in more than
one place, then commandline values override environment variables which
override config file values which override defaults.

Installation on mega-linter Docker image

  • Dockerfile commands :
RUN pip3 install --upgrade --no-cache-dir pip && pip3 install --upgrade --no-cache-dir setuptools \
    && pip3 install --no-cache-dir checkov