Skip to content

checkov

GitHub stars sarif GitHub release (latest SemVer) GitHub last commit GitHub commit activity GitHub contributors

checkov documentation

checkov - GitHub

Configuration in MegaLinter

Variable Description Default value
REPOSITORY_CHECKOV_ARGUMENTS User custom arguments to add in linter CLI call
Ex: -s --foo "bar"
REPOSITORY_CHECKOV_COMMAND_REMOVE_ARGUMENTS User custom arguments to remove from command line before calling the linter
Ex: -s --foo "bar"
REPOSITORY_CHECKOV_PRE_COMMANDS List of bash commands to run before the linter None
REPOSITORY_CHECKOV_POST_COMMANDS List of bash commands to run after the linter None
REPOSITORY_CHECKOV_UNSECURED_ENV_VARIABLES List of env variables explicitly not filtered before calling REPOSITORY_CHECKOV and its pre/post commands None
REPOSITORY_CHECKOV_CONFIG_FILE checkov configuration file nameUse LINTER_DEFAULT to let the linter find it .checkov.yml
REPOSITORY_CHECKOV_RULES_PATH Path where to find linter configuration file Workspace folder, then MegaLinter default rules
REPOSITORY_CHECKOV_DISABLE_ERRORS Run linter but consider errors as warnings false
REPOSITORY_CHECKOV_DISABLE_ERRORS_IF_LESS_THAN Maximum number of errors allowed 0
REPOSITORY_CHECKOV_CLI_EXECUTABLE Override CLI executable ['checkov']

IDE Integration

Use checkov in your favorite IDE to catch errors before MegaLinter !

IDE Extension Name Install
Visual Studio Code Checkov Install in VSCode

MegaLinter Flavours

This linter is available in the following flavours

Flavor Description Embedded linters Info
all Default MegaLinter Flavor 117 Docker Image Size (tag) Docker Pulls
cupcake MegaLinter for the most commonly used languages 85 Docker Image Size (tag) Docker Pulls
documentation MegaLinter for documentation projects 51 Docker Image Size (tag) Docker Pulls
dotnet Optimized for C, C++, C# or VB based projects 63 Docker Image Size (tag) Docker Pulls
dotnetweb Optimized for C, C++, C# or VB based projects with JS/TS 72 Docker Image Size (tag) Docker Pulls
go Optimized for GO based projects 53 Docker Image Size (tag) Docker Pulls
java Optimized for JAVA based projects 55 Docker Image Size (tag) Docker Pulls
javascript Optimized for JAVASCRIPT or TYPESCRIPT based projects 60 Docker Image Size (tag) Docker Pulls
php Optimized for PHP based projects 54 Docker Image Size (tag) Docker Pulls
python Optimized for PYTHON based projects 62 Docker Image Size (tag) Docker Pulls
ruby Optimized for RUBY based projects 51 Docker Image Size (tag) Docker Pulls
rust Optimized for RUST based projects 51 Docker Image Size (tag) Docker Pulls
salesforce Optimized for Salesforce based projects 54 Docker Image Size (tag) Docker Pulls
security Optimized for security 24 Docker Image Size (tag) Docker Pulls
swift Optimized for SWIFT based projects 51 Docker Image Size (tag) Docker Pulls
terraform Optimized for TERRAFORM based projects 55 Docker Image Size (tag) Docker Pulls

Behind the scenes

How are identified applicable files

  • If this linter is active, all files will always be linted

How the linting is performed

checkov is called once on the whole project directory (project CLI lint mode)

  • filtering can not be done using MegaLinter configuration variables,it must be done using checkov configuration or ignore file (if existing)
  • VALIDATE_ALL_CODEBASE: false doesn't make checkov analyze only updated files

Example calls

checkov --directory .
checkov --directory . --output --sarif

Help content

usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check]
               [-f FILE [FILE ...]] [--skip-path SKIP_PATH]
               [--external-checks-dir EXTERNAL_CHECKS_DIR]
               [--external-checks-git EXTERNAL_CHECKS_GIT] [-l]
               [-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}]
               [--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids]
               [--include-all-checkov-policies] [--quiet] [--compact]
               [--framework FRAMEWORK [FRAMEWORK ...]]
               [--skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]]
               [-c CHECK] [--skip-check SKIP_CHECK]
               [--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON]
               [--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY]
               [--prisma-api-url PRISMA_API_URL] [--skip-results-upload]
               [--docker-image DOCKER_IMAGE]
               [--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID]
               [-b BRANCH] [--skip-download] [--use-enforcement-rules]
               [--download-external-modules DOWNLOAD_EXTERNAL_MODULES]
               [--var-file VAR_FILE]
               [--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH]
               [--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE]
               [--no-cert-verify]
               [--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
               [--config-file CONFIG_FILE] [--create-config CREATE_CONFIG]
               [--show-config] [--create-baseline] [--baseline BASELINE]
               [--output-baseline-as-skipped]
               [--skip-cve-package SKIP_CVE_PACKAGE]
               [--policy-metadata-filter POLICY_METADATA_FILTER]
               [--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE]
               [--enable-secret-scan-all-files]
               [--block-list-secret-scan BLOCK_LIST_SECRET_SCAN]
               [--summary-position {bottom,top}]
               [--skip-resources-without-violations] [--deep-analysis]
               [--no-fail-on-crash] [--mask MASK] [--scan-secrets-history]
               [--secrets-history-timeout SECRETS_HISTORY_TIMEOUT]
               [--openai-api-key OPENAI_API_KEY]

Infrastructure as code static analysis

options:
  -h, --help            show this help message and exit
  -v, --version         version
  --support             Enable debug logs and upload the logs to the server.
                        Requires a Bridgecrew or Prisma Cloud API key.
  -d DIRECTORY, --directory DIRECTORY
                        IaC root directory (can not be used together with
                        --file).
  --add-check           Generate a new check via CLI prompt
  -f FILE [FILE ...], --file FILE [FILE ...]
                        File to scan (can not be used together with
                        --directory). With this option, Checkov will attempt
                        to filter the runners based on the file type. For
                        example, if you specify a ".tf" file, only the
                        terraform and secrets frameworks will be included. You
                        can further limit this (e.g., skip secrets) by using
                        the --skip-framework argument.
  --skip-path SKIP_PATH
                        Path (file or directory) to skip, using regular
                        expression logic, relative to current working
                        directory. Word boundaries are not implicit; i.e.,
                        specifying "dir1" will skip any directory or
                        subdirectory named "dir1". Ignored with -f. Can be
                        specified multiple times.
  --external-checks-dir EXTERNAL_CHECKS_DIR
                        Directory for custom checks to be loaded. Can be
                        repeated
  --external-checks-git EXTERNAL_CHECKS_GIT
                        Github url of external checks to be added. you can
                        specify a subdirectory after a double-slash //.
                        possible to use ?ref=tags/tagName or
                        ?ref=heads/branchName or ?ref=commit_id cannot be used
                        together with --external-checks-dir
  -l, --list            List checks
  -o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}, --output {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}
                        Report output format. Add multiple outputs by using
                        the flag multiple times (-o sarif -o cli)
  --output-file-path OUTPUT_FILE_PATH
                        Name of the output folder to save the chosen output
                        formats. Advanced usage: By using -o cli -o junitxml
                        --output-file-path console,results.xml the CLI output
                        will be printed to the console and the JunitXML output
                        to the file results.xml.
  --output-bc-ids       Print Bridgecrew platform IDs (BC...) instead of
                        Checkov IDs (CKV...), if the check exists in the
                        platform
  --include-all-checkov-policies
                        When running with an API key, Checkov will omit any
                        policies that do not exist in the Bridgecrew or Prisma
                        Cloud platform, except for local custom policies
                        loaded with the --external-check flags. Use this key
                        to include policies that only exist in Checkov in the
                        scan. Note that this will make the local CLI results
                        different from the results you see in the platform.
                        Has no effect if you are not using an API key. Use the
                        --check option to explicitly include checks by ID even
                        if they are not in the platform, without using this
                        flag.
  --quiet               in case of CLI output, display only failed checks.
                        Also disables progress bars
  --compact             in case of CLI output, do not display code blocks
  --framework FRAMEWORK [FRAMEWORK ...]
                        Filter scan to run only on specific infrastructure as
                        code frameworks. Defaults to all frameworks. If you
                        explicitly include 'all' as a value, then all other
                        values are ignored. Enter as a comma-separated list or
                        repeat the flag multiple times. For example,
                        --framework terraform,sca_package or --framework
                        terraform --framework sca_package. Possible values:
                        all, ansible, argo_workflows, arm, azure_pipelines,
                        bicep, bitbucket_pipelines, cdk, circleci_pipelines,
                        cloudformation, dockerfile, github_configuration,
                        github_actions, gitlab_configuration, gitlab_ci,
                        bitbucket_configuration, helm, json, yaml, kubernetes,
                        kustomize, openapi, sca_package, sca_image, secrets,
                        serverless, terraform, terraform_json, terraform_plan,
                        sast, sast_python, sast_java, sast_javascript,
                        3d_policy [env var: CKV_FRAMEWORK]
  --skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]
                        Filter scan to skip specific infrastructure as code
                        frameworks. This will be included automatically for
                        some frameworks if system dependencies are missing.
                        Enter as a comma-separated list or repeat the flag
                        multiple times. For example, --skip-framework
                        terraform,sca_package or --skip-framework terraform
                        --skip-framework sca_package. Cannot include values
                        that are also included in --framework. Possible
                        values: ansible, argo_workflows, arm, azure_pipelines,
                        bicep, bitbucket_pipelines, cdk, circleci_pipelines,
                        cloudformation, dockerfile, github_configuration,
                        github_actions, gitlab_configuration, gitlab_ci,
                        bitbucket_configuration, helm, json, yaml, kubernetes,
                        kustomize, openapi, sca_package, sca_image, secrets,
                        serverless, terraform, terraform_json, terraform_plan,
                        sast, sast_python, sast_java, sast_javascript,
                        3d_policy
  -c CHECK, --check CHECK
                        Checks to run; any other checks will be skipped. Enter
                        one or more items separated by commas. Each item may
                        be either a Checkov check ID (CKV_AWS_123), a BC check
                        ID (BC_AWS_GENERAL_123), or a severity (LOW, MEDIUM,
                        HIGH, CRITICAL). If you use a severity, then all
                        checks equal to or above the lowest severity in the
                        list will be included. This option can be combined
                        with --skip-check. If it is, then the logic is to
                        first take all checks that match this list, and then
                        remove all checks that match the skip list. For
                        example, if you use --check CKV_123 and --skip-check
                        LOW, then CKV_123 will not run if it is a LOW
                        severity. Similarly, if you use --check CKV_789
                        --skip-check MEDIUM, then CKV_789 will run if it is a
                        HIGH severity. If you use a check ID here along with
                        an API key, and the check is not part of the BC / PC
                        platform, then the check will still be run (see
                        --include-all-checkov-policies for more info). [env
                        var: CKV_CHECK]
  --skip-check SKIP_CHECK
                        Checks to skip; any other checks will not be run.
                        Enter one or more items separated by commas. Each item
                        may be either a Checkov check ID (CKV_AWS_123), a BC
                        check ID (BC_AWS_GENERAL_123), or a severity (LOW,
                        MEDIUM, HIGH, CRITICAL). If you use a severity, then
                        all checks equal to or below the highest severity in
                        the list will be skipped. This option can be combined
                        with --check. If it is, priority is given to checks
                        explicitly listed by ID or wildcard over checks listed
                        by severity. For example, if you use --skip-check
                        CKV_123 and --check HIGH, then CKV_123 will be skipped
                        even if it is a HIGH severity. In the case of a tie
                        (e.g., --check MEDIUM and --skip-check HIGH for a
                        medium severity check), then the check will be
                        skipped. [env var: CKV_SKIP_CHECK]
  --run-all-external-checks
                        Run all external checks (loaded via --external-checks
                        options) even if the checks are not present in the
                        --check list. This allows you to always ensure that
                        new checks present in the external source are used. If
                        an external check is included in --skip-check, it will
                        still be skipped.
  -s, --soft-fail       Runs checks but always returns a 0 exit code. Using
                        either --soft-fail-on and / or --hard-fail-on
                        overrides this option, except for the case when a
                        result does not match either of the soft fail or hard
                        fail criteria, in which case this flag determines the
                        result.
  --soft-fail-on SOFT_FAIL_ON
                        Exits with a 0 exit code if only the specified items
                        fail. Enter one or more items separated by commas.
                        Each item may be either a Checkov check ID
                        (CKV_AWS_123), a BC check ID (BC_AWS_GENERAL_123), or
                        a severity (LOW, MEDIUM, HIGH, CRITICAL). If you use a
                        severity, then any severity equal to or less than the
                        highest severity in the list will result in a soft
                        fail. This option may be used with --hard-fail-on,
                        using the same priority logic described in --check and
                        --skip-check options above, with --hard-fail-on taking
                        precedence in a tie. If a given result does not meet
                        the --soft-fail-on nor the --hard-fail-on criteria,
                        then the default is to hard fail
  --hard-fail-on HARD_FAIL_ON
                        Exits with a non-zero exit code for specified checks.
                        Enter one or more items separated by commas. Each item
                        may be either a Checkov check ID (CKV_AWS_123), a BC
                        check ID (BC_AWS_GENERAL_123), or a severity (LOW,
                        MEDIUM, HIGH, CRITICAL). If you use a severity, then
                        any severity equal to or greater than the lowest
                        severity in the list will result in a hard fail. This
                        option can be used with --soft-fail-on, using the same
                        priority logic described in --check and --skip-check
                        options above, with --hard-fail-on taking precedence
                        in a tie.
  --bc-api-key BC_API_KEY
                        Bridgecrew API key or Prisma Cloud Access Key (see
                        --prisma-api-url) [env var: BC_API_KEY]
  --prisma-api-url PRISMA_API_URL
                        The Prisma Cloud API URL (see:
                        https://prisma.pan.dev/api/cloud/api-urls). Requires
                        --bc-api-key to be a Prisma Cloud Access Key in the
                        following format: <access_key_id>::<secret_key> [env
                        var: PRISMA_API_URL]
  --skip-results-upload
                        Do not upload scan results to the platform to view in
                        the console. Results are only available locally. If
                        you use the --support flag, logs will still get
                        uploaded.
  --docker-image DOCKER_IMAGE, --image DOCKER_IMAGE
                        Scan docker images by name or ID. Only works with
                        --bc-api-key flag
  --dockerfile-path DOCKERFILE_PATH
                        Path to the Dockerfile of the scanned docker image
  --repo-id REPO_ID     Identity string of the repository, with form
                        <repo_owner>/<repo_name>. Required when using the
                        platform integration (API key).
  -b BRANCH, --branch BRANCH
                        Selected branch of the persisted repository. Only has
                        effect when using the --bc-api-key flag
  --skip-download       Do not download any data from Bridgecrew. This will
                        omit doc links, severities, etc., as well as custom
                        policies and suppressions if using an API token. Note:
                        it will prevent BC platform IDs from being available
                        in Checkov.
  --use-enforcement-rules
                        Use the Enforcement rules configured in the platform
                        for hard / soft fail logic. With this option, the
                        enforcement rule matching this repo, or the default
                        rule if there is no match, will determine this
                        behavior: any check with a severity below the selected
                        rule's soft-fail threshold will be skipped; any check
                        with a severity equal to or greater than the rule's
                        hard-fail threshold will be part of the hard-fail
                        list, and any check in between will be part of the
                        soft-fail list. For example, if the given enforcement
                        rule has a hard-fail value of HIGH and a soft-fail
                        value of MEDIUM,this is the equivalent of using the
                        flags `--skip-check LOW --hard-fail-on HIGH`. You can
                        use --check, --skip-check, --soft-fail, --soft-fail-
                        on, or --hard-fail-on to override portions of an
                        enforcement rule. Note, however, that the logic of
                        applying the --check list and then the --skip-check
                        list (as described above under --check) still applies
                        here. Requires a BC or PC platform API key.
  --download-external-modules DOWNLOAD_EXTERNAL_MODULES
                        download external terraform modules from public git
                        repositories and terraform registry [env var:
                        DOWNLOAD_EXTERNAL_MODULES]
  --var-file VAR_FILE   Variable files to load in addition to the default
                        files (see https://www.terraform.io/docs/language/valu
                        es/variables.html#variable-definitions-tfvars-
                        files).Currently only supported for source Terraform
                        (.tf file), and Helm chart scans.Requires using
                        --directory, not --file. [env var: CKV_VAR_FILE]
  --external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH
                        set the path for the download external terraform
                        modules [env var: EXTERNAL_MODULES_DIR]
  --evaluate-variables EVALUATE_VARIABLES
                        evaluate the values of variables and locals [env var:
                        CKV_EVAL_VARS]
  -ca CA_CERTIFICATE, --ca-certificate CA_CERTIFICATE
                        Custom CA certificate (bundle) file [env var:
                        BC_CA_BUNDLE]
  --no-cert-verify      Skip SSL certificate verification. Use this to bypass
                        errors related to SSL certificates. Warning: this
                        should only be used for testing purposes. Skipping
                        certificate verification is dangerous as invalid and
                        falsified certificates cannot be detected.
  --repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT
                        Directory containing the hcl code used to generate a
                        given plan file. Use with -f.
  --config-file CONFIG_FILE
                        path to the Checkov configuration YAML file
  --create-config CREATE_CONFIG
                        takes the current command line args and writes them
                        out to a config file at the given path
  --show-config         prints all args and config settings and where they
                        came from (eg. commandline, config file, environment
                        variable or default)
  --create-baseline     Alongside outputting the findings, save all results to
                        .checkov.baseline file so future runs will not re-flag
                        the same noise. Works only with `--directory` flag
  --baseline BASELINE   Use a .checkov.baseline file to compare current
                        results with a known baseline. Report will include
                        only failed checks that are new with respect to the
                        provided baseline
  --output-baseline-as-skipped
                        output checks that are skipped due to baseline file
                        presence
  --skip-cve-package SKIP_CVE_PACKAGE
                        filter scan to run on all packages but a specific
                        package identifier (denylist), You can specify this
                        argument multiple times to skip multiple packages
  --policy-metadata-filter POLICY_METADATA_FILTER
                        comma separated key:value string to filter policies
                        based on Prisma Cloud policy metadata. See https://pri
                        sma.pan.dev/api/cloud/cspm/policy#operation/get-
                        policy-filters-and-options for information on allowed
                        filters. Format: policy.label=test,cloud.type=aws
  --secrets-scan-file-type SECRETS_SCAN_FILE_TYPE
                        not in use [env var: CKV_SECRETS_SCAN_FILE_TYPE]
  --enable-secret-scan-all-files
                        enable secret scan for all files [env var:
                        CKV_SECRETS_SCAN_ENABLE_ALL]
  --block-list-secret-scan BLOCK_LIST_SECRET_SCAN
                        List of files to filter out from the secret scanner
                        [env var: CKV_SECRETS_SCAN_BLOCK_LIST]
  --summary-position {bottom,top}
                        Chose whether the summary will be appended on top
                        (before the checks results) or on bottom (after check
                        results), default is on top.
  --skip-resources-without-violations
                        exclude extra resources (resources without violations)
                        from report output [env var:
                        CKV_SKIP_RESOURCES_WITHOUT_VIOLATIONS]
  --deep-analysis       Combine the TF Plan and TF graphs to make connections
                        not available in either
  --no-fail-on-crash    Return exit code 0 instead of 2 [env var:
                        CKV_NO_FAIL_ON_CRASH]
  --mask MASK           List of <resource_type>:<variable> OR <variable> only.
                        Each entry in the list will be used formasking the
                        desired attribute for resource (or for all resources,
                        if no resource given).Notice: one entry can contain
                        several variables, seperated with a comma. For
                        example:<resource_type>:<variable1>,<variable2> OR
                        <variable1>,<variable2>
  --scan-secrets-history
                        will scan the history of commits for secrets
  --secrets-history-timeout SECRETS_HISTORY_TIMEOUT
                        maximum time to stop the scan
  --openai-api-key OPENAI_API_KEY
                        Add an OpenAI API key to enhance finding guidelines by
                        sending violated policies and resource code to OpenAI
                        to request remediation guidance. This will use your
                        OpenAI credits. Set your number of findings that will
                        receive enhanced guidelines using
                        CKV_OPENAI_MAX_FINDINGS [env var: CKV_OPENAI_API_KEY]

Args that start with '--' can also be set in a config file (/.checkov.yaml or
/.checkov.yml or /root/.checkov.yaml or /root/.checkov.yml or specified via
--config-file). The config file uses YAML syntax and must represent a YAML
'mapping' (for details, see http://learn.getgrav.org/advanced/yaml). In
general, command-line values override environment variables which override
config file values which override defaults.

Installation on mega-linter Docker image