
checkov


checkov documentation

checkov - GitHub

Configuration in MegaLinter

| Variable | Description | Default value |
|---|---|---|
| TERRAFORM_CHECKOV_ARGUMENTS | User custom arguments to add in linter CLI call<br/>Ex: `-s --foo "bar"` | |
| TERRAFORM_CHECKOV_FILTER_REGEX_INCLUDE | Custom regex including filter<br/>Ex: `(src\|lib)` | Include every file |
| TERRAFORM_CHECKOV_FILTER_REGEX_EXCLUDE | Custom regex excluding filter<br/>Ex: `(test\|examples)` | Exclude no file |
| TERRAFORM_CHECKOV_CLI_LINT_MODE | Override default CLI lint mode<br/>- `file`: Calls the linter for each file<br/>- `list_of_files`: Call the linter with the list of files as argument<br/>- `project`: Call the linter from the root of the project | `file` |
| TERRAFORM_CHECKOV_FILE_EXTENSIONS | Allowed file extensions. `"*"` matches any extension, `""` matches empty extension. Empty list excludes all files<br/>Ex: `[".py", ""]` | `[".tf"]` |
| TERRAFORM_CHECKOV_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files<br/>Ex: `["Dockerfile(-.+)?", "Jenkinsfile"]` | Include every file |
| TERRAFORM_CHECKOV_PRE_COMMANDS | List of bash commands to run before the linter | None |
| TERRAFORM_CHECKOV_POST_COMMANDS | List of bash commands to run after the linter | None |
| TERRAFORM_CHECKOV_DISABLE_ERRORS | Run linter but consider errors as warnings | `false` |
| TERRAFORM_CHECKOV_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | `0` |

IDE Integration

Use checkov in your favorite IDE to catch errors before MegaLinter!

| IDE | Extension Name | Install |
|---|---|---|
| Visual Studio Code | Checkov | Install in VsCode |

MegaLinter Flavours

This linter is available in the following flavours:

| Flavor | Description | Embedded linters |
|---|---|---|
| all | Default MegaLinter Flavor | 101 |
| security | Optimized for security | 20 |
| terraform | Optimized for TERRAFORM based projects | 48 |

Behind the scenes

How applicable files are identified

  • File extensions: .tf

How the linting is performed

  • checkov is called once per identified file

Example calls

checkov --file myfile.tf
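The configuration table above and the "Behind the scenes" section describe how MegaLinter first narrows the file list (include/exclude regex, allowed extensions, file-name regex) and then, in the default `file` lint mode, calls checkov once per remaining file with the custom arguments in front of `--file`. The Python below is an added model of those documented rules, not MegaLinter's or checkov's own code: the `SETTINGS` dictionary, `SAMPLE_PATHS` and the function names are constructed for this example, and treating the extension list and the name-regex list as alternatives (a file passes if either admits it) is an assumption of the model.

```python
"""Model of how MegaLinter picks the files checkov lints and builds its call.

Added example, not MegaLinter's or checkov's own code: it applies the
semantics the configuration table documents (include/exclude regex searched
against the path, allowed extensions where "*" is any and "" is none, file-name
regex full-matched against the base name, `file` lint mode calling checkov once
per file with the custom arguments) to a constructed list of paths.
"""
import re
import shlex
from typing import Dict, List

# Constructed settings; keys are the variables from the configuration table.
SETTINGS: Dict[str, object] = {
    "TERRAFORM_CHECKOV_ARGUMENTS": "--skip-check LOW -o sarif -o cli",
    "TERRAFORM_CHECKOV_FILTER_REGEX_INCLUDE": r"(infra|modules)",
    "TERRAFORM_CHECKOV_FILTER_REGEX_EXCLUDE": r"(test|examples)",
    "TERRAFORM_CHECKOV_FILE_EXTENSIONS": [".tf"],
    "TERRAFORM_CHECKOV_FILE_NAMES_REGEX": [],
    "TERRAFORM_CHECKOV_CLI_LINT_MODE": "file",
}

# Constructed repository listing used as sample input.
SAMPLE_PATHS = [
    "infra/main.tf",
    "infra/variables.tf",
    "infra/test/fixture.tf",    # dropped by the exclude regex
    "modules/vpc/main.tf",
    "modules/vpc/README.md",    # extension not allowed
    "docs/overview.tf",         # never matches the include regex
    "infra/Dockerfile",         # empty extension
]


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def _extension(path: str) -> str:
    """'.tf' for main.tf, '' for Dockerfile (the table's empty extension)."""
    name = _basename(path)
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def select_files(paths: List[str], settings: Dict[str, object]) -> List[str]:
    """Apply *_FILTER_REGEX_INCLUDE/EXCLUDE, *_FILE_EXTENSIONS and
    *_FILE_NAMES_REGEX in that order; return the paths checkov will scan."""
    include = settings.get("TERRAFORM_CHECKOV_FILTER_REGEX_INCLUDE") or ""
    exclude = settings.get("TERRAFORM_CHECKOV_FILTER_REGEX_EXCLUDE") or ""
    extensions = list(settings.get("TERRAFORM_CHECKOV_FILE_EXTENSIONS") or [])
    name_regexes = list(settings.get("TERRAFORM_CHECKOV_FILE_NAMES_REGEX") or [])
    selected = []
    for path in paths:
        if include and not re.search(include, path):
            continue
        if exclude and re.search(exclude, path):
            continue
        ext_ok = "*" in extensions or _extension(path) in extensions
        name_ok = any(re.fullmatch(rx, _basename(path)) for rx in name_regexes)
        if ext_ok or name_ok:  # assumption: either filter admits the file
            selected.append(path)
    return selected


def build_commands(paths: List[str], settings: Dict[str, object]) -> List[List[str]]:
    """`file` lint mode: one `checkov <custom args> --file <path>` per file,
    with TERRAFORM_CHECKOV_ARGUMENTS split the way a shell would split it."""
    mode = settings.get("TERRAFORM_CHECKOV_CLI_LINT_MODE", "file")
    if mode != "file":
        raise NotImplementedError("only the documented default `file` mode is modelled")
    extra = shlex.split(str(settings.get("TERRAFORM_CHECKOV_ARGUMENTS") or ""))
    return [["checkov", *extra, "--file", path] for path in paths]


if __name__ == "__main__":
    for argv in build_commands(select_files(SAMPLE_PATHS, SETTINGS), SETTINGS):
        print(shlex.join(argv))
```

Run directly, it prints one `checkov ... --file <path>` line per selected file. Because the custom arguments are split with shell quoting rules, a value containing spaces must be quoted in the configuration, as the table's `-s --foo "bar"` example suggests; an unquoted value would be passed to checkov as separate arguments.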

Help content

usage: checkov [-h] [-v] [-d DIRECTORY] [--add-check] [-f FILE]
               [--skip-path SKIP_PATH]
               [--external-checks-dir EXTERNAL_CHECKS_DIR]
               [--external-checks-git EXTERNAL_CHECKS_GIT] [-l]
               [-o {cli,cyclonedx,json,junitxml,github_failed_only,sarif,csv}]
               [--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids]
               [--include-all-checkov-policies] [--quiet] [--compact]
               [--framework {bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} [{bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} ...]]
               [--skip-framework {bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan} [{bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan} ...]]
               [-c CHECK] [--skip-check SKIP_CHECK]
               [--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON]
               [--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY]
               [--prisma-api-url PRISMA_API_URL] [--docker-image DOCKER_IMAGE]
               [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID]
               [-b BRANCH] [--skip-download] [--no-guide]
               [--skip-suppressions] [--skip-policy-download] [--skip-fixes]
               [--download-external-modules DOWNLOAD_EXTERNAL_MODULES]
               [--var-file VAR_FILE]
               [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH]
               [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE]
               [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
               [--config-file CONFIG_FILE] [--create-config CREATE_CONFIG]
               [--show-config] [--create-baseline] [--baseline BASELINE]
               [--output-baseline-as-skipped]
               [--skip-cve-package SKIP_CVE_PACKAGE]
               [--policy-metadata-filter POLICY_METADATA_FILTER]
               [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE]

Infrastructure as code static analysis

options:
  -h, --help            show this help message and exit
  -v, --version         version
  -d DIRECTORY, --directory DIRECTORY
                        IaC root directory (can not be used together with
                        --file).
  --add-check           Generate a new check via CLI prompt
  -f FILE, --file FILE  File to scan (can not be used together with
                        --directory). With this option, Checkov will attempt
                        to filter the runners based on the file type. For
                        example, if you specify a ".tf" file, only the
                        terraform and secrets frameworks will be included. You
                        can further limit this (e.g., skip secrets) by using
                        the --skip-framework argument.
  --skip-path SKIP_PATH
                        Path (file or directory) to skip, using regular
                        expression logic, relative to current working
                        directory. Word boundaries are not implicit; i.e.,
                        specifying "dir1" will skip any directory or
                        subdirectory named "dir1". Ignored with -f. Can be
                        specified multiple times.
  --external-checks-dir EXTERNAL_CHECKS_DIR
                        Directory for custom checks to be loaded. Can be
                        repeated
  --external-checks-git EXTERNAL_CHECKS_GIT
                        Github url of external checks to be added. you can
                        specify a subdirectory after a double-slash //. cannot
                        be used together with --external-checks-dir
  -l, --list            List checks
  -o {cli,cyclonedx,json,junitxml,github_failed_only,sarif,csv}, --output {cli,cyclonedx,json,junitxml,github_failed_only,sarif,csv}
                        Report output format. Add multiple outputs by using
                        the flag multiple times (-o sarif -o cli)
  --output-file-path OUTPUT_FILE_PATH
                        Name for output file. The first selected output via
                        output flag will be saved to the file (default output
                        is cli)
  --output-bc-ids       Print Bridgecrew platform IDs (BC...) instead of
                        Checkov IDs (CKV...), if the check exists in the
                        platform
  --include-all-checkov-policies
                        When running with an API key, Checkov will omit any
                        policies that do not exist in the Bridgecrew or Prisma
                        Cloud platform, except for local custom policies
                        loaded with the --external-check flags. Use this key
                        to include policies that only exist in Checkov in the
                        scan. Note that this will make the local CLI results
                        different from the results you see in the platform.
                        Has no effect if you are not using an API key. Use the
                        --check option to explicitly include checks by ID even
                        if they are not in the platform, without using this
                        flag.
  --quiet               in case of CLI output, display only failed checks.
                        Also disables progress bars
  --compact             in case of CLI output, do not display code blocks
  --framework {bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} [{bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan,all} ...]
                        Filter scan to run only on specific infrastructure
                        code frameworks [env var: CKV_FRAMEWORK]
  --skip-framework {bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan} [{bitbucket_pipelines,argo_workflows,arm,bicep,cloudformation,dockerfile,github_configuration,github_actions,gitlab_configuration,gitlab_ci,bitbucket_configuration,helm,json,yaml,kubernetes,kustomize,openapi,sca_package,sca_image,secrets,serverless,terraform,terraform_plan} ...]
                        Filter scan to skip specific infrastructure code
                        frameworks. will be included automatically for some
                        frameworks if system dependencies are missing.
  -c CHECK, --check CHECK
                        Checks to run; any other checks will be skipped. Enter
                        one or more items separated by commas. Each item may
                        be either a Checkov check ID (CKV_AWS_123), a BC check
                        ID (BC_AWS_GENERAL_123), or a severity (LOW, MEDIUM,
                        HIGH, CRITICAL). If you use a severity, then all
                        checks equal to or above the lowest severity in the
                        list will be included. This option can be combined
                        with --skip-check. If it is, priority is given to
                        checks explicitly listed by ID or wildcard over checks
                        listed by severity. For example, if you use --check
                        CKV_123 and --skip-check LOW, then CKV_123 will run
                        even if it is a LOW severity. In the case of a tie
                        (e.g., --check MEDIUM and --skip-check HIGH for a
                        medium severity check), then the check will be
                        skipped. If you use a check ID here along with an API
                        key, and the check is not part of the BC / PC
                        platform, then the check will still be run (see
                        --include-all-checkov-policies for more info). [env
                        var: CKV_CHECK]
  --skip-check SKIP_CHECK
                        Checks to skip; any other checks will not be run.
                        Enter one or more items separated by commas. Each item
                        may be either a Checkov check ID (CKV_AWS_123), a BC
                        check ID (BC_AWS_GENERAL_123), or a severity (LOW,
                        MEDIUM, HIGH, CRITICAL). If you use a severity, then
                        all checks equal to or below the highest severity in
                        the list will be skipped. This option can be combined
                        with --check. If it is, priority is given to checks
                        explicitly listed by ID or wildcard over checks listed
                        by severity. For example, if you use --skip-check
                        CKV_123 and --check HIGH, then CKV_123 will be skipped
                        even if it is a HIGH severity. In the case of a tie
                        (e.g., --check MEDIUM and --skip-check HIGH for a
                        medium severity check), then the check will be
                        skipped. [env var: CKV_SKIP_CHECK]
  --run-all-external-checks
                        Run all external checks (loaded via --external-checks
                        options) even if the checks are not present in the
                        --check list. This allows you to always ensure that
                        new checks present in the external source are used. If
                        an external check is included in --skip-check, it will
                        still be skipped.
  -s, --soft-fail       Runs checks but always returns a 0 exit code. Using
                        either --soft-fail-on and / or --hard-fail-on
                        overrides this option, except for the case when a
                        result does not match either of the soft fail or hard
                        fail criteria, in which case this flag determines the
                        result.
  --soft-fail-on SOFT_FAIL_ON
                        Exits with a 0 exit code if only the specified items
                        fail. Enter one or more items separated by commas.
                        Each item may be either a Checkov check ID
                        (CKV_AWS_123), a BC check ID (BC_AWS_GENERAL_123), or
                        a severity (LOW, MEDIUM, HIGH, CRITICAL). If you use a
                        severity, then any severity equal to or less than the
                        highest severity in the list will result in a soft
                        fail. This option may be used with --hard-fail-on,
                        using the same priority logic described in --check and
                        --skip-check options above, with --hard-fail-on taking
                        precedence in a tie. If a given result does not meet
                        the --soft-fail-on nor the --hard-fail-on criteria,
                        then the default is to hard fail
  --hard-fail-on HARD_FAIL_ON
                        Exits with a non-zero exit code for specified checks.
                        Enter one or more items separated by commas. Each item
                        may be either a Checkov check ID (CKV_AWS_123), a BC
                        check ID (BC_AWS_GENERAL_123), or a severity (LOW,
                        MEDIUM, HIGH, CRITICAL). If you use a severity, then
                        any severity equal to or greater than the lowest
                        severity in the list will result in a hard fail. This
                        option can be used with --soft-fail-on, using the same
                        priority logic described in --check and --skip-check
                        options above, with --hard-fail-on taking precedence
                        in a tie.
  --bc-api-key BC_API_KEY
                        Bridgecrew API key or Prisma Cloud Access Key (see
                        --prisma-api-url) [env var: BC_API_KEY]
  --prisma-api-url PRISMA_API_URL
                        The Prisma Cloud API URL (see:
                        https://prisma.pan.dev/api/cloud/api-urls). Requires
                        --bc-api-key to be a Prisma Cloud Access Key in the
                        following format: <access_key_id>::<secret_key> [env
                        var: PRISMA_API_URL]
  --docker-image DOCKER_IMAGE
                        Scan docker images by name or ID. Only works with
                        --bc-api-key flag
  --dockerfile-path DOCKERFILE_PATH
                        Path to the Dockerfile of the scanned docker image
  --repo-id REPO_ID     Identity string of the repository, with form
                        <repo_owner>/<repo_name>
  -b BRANCH, --branch BRANCH
                        Selected branch of the persisted repository. Only has
                        effect when using the --bc-api-key flag
  --skip-download       Do not download any data from Bridgecrew. This will
                        omit doc links, severities, etc., as well as custom
                        policies and suppressions if using an API token. Note:
                        it will prevent BC platform IDs from being available
                        in Checkov.
  --no-guide            Deprecated - use --skip-download
  --skip-suppressions   Deprecated - use --skip-download
  --skip-policy-download
                        Deprecated - use --skip-download
  --skip-fixes          Do not download fixed resource templates from
                        Bridgecrew. Only has effect when using the API key.
  --download-external-modules DOWNLOAD_EXTERNAL_MODULES
                        download external terraform modules from public git
                        repositories and terraform registry [env var:
                        DOWNLOAD_EXTERNAL_MODULES]
  --var-file VAR_FILE   Variable files to load in addition to the default
                        files (see https://www.terraform.io/docs/language/valu
                        es/variables.html#variable-definitions-tfvars-
                        files).Currently only supported for source Terraform
                        (.tf file), and Helm chart scans.Requires using
                        --directory, not --file.
  --external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH
                        set the path for the download external terraform
                        modules [env var: EXTERNAL_MODULES_DIR]
  --evaluate-variables EVALUATE_VARIABLES
                        evaluate the values of variables and locals [env var:
                        CKV_EVAL_VARS]
  -ca CA_CERTIFICATE, --ca-certificate CA_CERTIFICATE
                        Custom CA certificate (bundle) file [env var:
                        BC_CA_BUNDLE]
  --repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT
                        Directory containing the hcl code used to generate a
                        given plan file. Use with -f.
  --config-file CONFIG_FILE
                        path to the Checkov configuration YAML file
  --create-config CREATE_CONFIG
                        takes the current command line args and writes them
                        out to a config file at the given path
  --show-config         prints all args and config settings and where they
                        came from (eg. commandline, config file, environment
                        variable or default)
  --create-baseline     Alongside outputting the findings, save all results to
                        .checkov.baseline file so future runs will not re-flag
                        the same noise. Works only with `--directory` flag
  --baseline BASELINE   Use a .checkov.baseline file to compare current
                        results with a known baseline. Report will include
                        only failed checks that are new with respect to the
                        provided baseline
  --output-baseline-as-skipped
                        output checks that are skipped due to baseline file
                        presence
  --skip-cve-package SKIP_CVE_PACKAGE
                        filter scan to run on all packages but a specific
                        package identifier (denylist), You can specify this
                        argument multiple times to skip multiple packages
  --policy-metadata-filter POLICY_METADATA_FILTER
                        comma separated key:value string to filter policies
                        based on Prisma Cloud policy metadata. See https://pri
                        sma.pan.dev/api/cloud/cspm/policy#operation/get-
                        policy-filters-and-options for information on allowed
                        filters. Format: policy.label=test,cloud.type=aws
  --secrets-scan-file-type SECRETS_SCAN_FILE_TYPE
                        add scan secret for requested files. You can specify
                        this argument multiple times to add multiple file
                        types. To scan all types (".tf", ".yml", ".yaml",
                        ".json", ".template", ".py", ".js", ".properties",
                        ".pem", ".php", ".xml", ".ts", ".env", "Dockerfile",
                        ".java", ".rb", ".go", ".cs", ".txt") specify the
                        argument with `--secrets-scan-file-type all`. default
                        scan will be for ".tf", ".yml", ".yaml", ".json",
                        ".template" and exclude "Pipfile.lock", "yarn.lock",
                        "package-lock.json", "requirements.txt" [env var:
                        CKV_SECRETS_SCAN_FILE_TYPE]

Args that start with '--' (eg. -v) can also be set in a config file
(/.checkov.yaml or /.checkov.yml or /root/.checkov.yaml or /root/.checkov.yml
or specified via --config-file). The config file uses YAML syntax and must
represent a YAML 'mapping' (for details, see
http://learn.getgrav.org/advanced/yaml). If an arg is specified in more than
one place, then commandline values override environment variables which
override config file values which override defaults.
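The `--check` / `--skip-check` and `--soft-fail-on` / `--hard-fail-on` entries in the help text above describe one precedence rule applied twice: explicit check IDs beat severities, the skip list wins a severity tie when selecting checks, the hard-fail list wins a severity tie when computing the exit code, and a failure that matches neither fail list hard-fails unless `--soft-fail` is set. The Python below is an added model of those documented rules and not checkov's own implementation: `should_run` and `exit_code` are names chosen here, the check IDs and severities are constructed samples, and the treatment of a check named by ID on both sides at once (which the help text does not cover) is an assumption.

```python
"""Model of checkov's documented check selection and exit-code rules.

Added example, not checkov's own code: implements the precedence the help text
describes for --check / --skip-check and --soft-fail-on / --hard-fail-on.
"""
from typing import List, Optional, Set, Tuple

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def _split(spec: Optional[str]) -> Tuple[Set[str], List[int]]:
    """Split a comma separated spec into explicit IDs and severity ranks."""
    ids, ranks = set(), []
    for item in (spec or "").split(","):
        item = item.strip()
        if not item:
            continue
        if item.upper() in SEVERITY_RANK:
            ranks.append(SEVERITY_RANK[item.upper()])
        else:
            ids.add(item)
    return ids, ranks


def _match(check_id: str, severity: str, spec: Optional[str], at_least: bool) -> Optional[str]:
    """How `spec` covers this check: 'id', 'severity' or None.

    at_least=True: severities at or above the lowest listed match (--check,
    --hard-fail-on). at_least=False: severities at or below the highest listed
    match (--skip-check, --soft-fail-on)."""
    ids, ranks = _split(spec)
    if check_id in ids:
        return "id"
    if ranks:
        rank = SEVERITY_RANK[severity.upper()]
        if (rank >= min(ranks)) if at_least else (rank <= max(ranks)):
            return "severity"
    return None


def _resolve(check_id: str, severity: str, positive: Optional[str],
             negative: Optional[str], tie: str) -> Optional[str]:
    """Decide between an at-least spec ('positive') and an at-most spec
    ('negative'): explicit IDs beat severities, `tie` wins a severity tie."""
    pos = _match(check_id, severity, positive, at_least=True)
    neg = _match(check_id, severity, negative, at_least=False)
    if pos == "id" and neg == "id":
        return tie  # assumption: listed by ID on both sides, apply the tie rule
    if pos == "id":
        return "positive"
    if neg == "id":
        return "negative"
    if pos and neg:
        return tie
    if pos:
        return "positive"
    if neg:
        return "negative"
    return None


def should_run(check_id: str, severity: str, check: Optional[str] = None,
               skip_check: Optional[str] = None) -> bool:
    """--check / --skip-check: once --check is given, unmatched checks are skipped."""
    verdict = _resolve(check_id, severity, check, skip_check, tie="negative")
    if verdict is None:
        return not check
    return verdict == "positive"


def exit_code(failed: List[Tuple[str, str]], soft_fail: bool = False,
              soft_fail_on: Optional[str] = None, hard_fail_on: Optional[str] = None) -> int:
    """Exit code for a list of (check_id, severity) failures.

    A failure matching --hard-fail-on (or winning a tie) hard-fails; one matching
    only --soft-fail-on is tolerated; one matching neither hard-fails unless
    --soft-fail was given."""
    for check_id, severity in failed:
        verdict = _resolve(check_id, severity, hard_fail_on, soft_fail_on, tie="positive")
        if verdict == "positive":
            return 1
        if verdict is None and not soft_fail:
            return 1
    return 0


if __name__ == "__main__":
    print(should_run("CKV_123", "LOW", check="CKV_123", skip_check="LOW"))   # True
    print(exit_code([("CKV_1", "HIGH")], soft_fail_on="MEDIUM"))            # 1
```

Reading the help text alone, it is easy to assume that `--skip-check LOW` removes a LOW check that was also named by ID; the model makes explicit that the ID wins. It also shows that under `--soft-fail-on` alone, any failure outside that list still returns a non-zero exit code, which is the behaviour a CI gate relies on; only `--soft-fail` turns unmatched failures into a pass.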

Installation on mega-linter Docker image

  • Dockerfile commands:
RUN pip3 install --upgrade --no-cache-dir pip && pip3 install --upgrade --no-cache-dir setuptools \
    && pip3 install --no-cache-dir checkov