checkov
checkov documentation
- Version in MegaLinter: 3.2.311
- Visit Official Web Site
- See How to configure checkov rules
- If custom
.checkov.yml
config file isn't found, .checkov.yml will be used
- If custom
- See How to disable checkov rules in files
- See Index of problems detected by checkov
Configuration in MegaLinter
- Enable checkov by adding
REPOSITORY_CHECKOV
in ENABLE_LINTERS variable - Disable checkov by adding
REPOSITORY_CHECKOV
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
REPOSITORY_CHECKOV_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
REPOSITORY_CHECKOV_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
REPOSITORY_CHECKOV_CLI_LINT_MODE | Override default CLI lint mode ⚠️ As default value is project, overriding might not work - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
project |
REPOSITORY_CHECKOV_PRE_COMMANDS | List of bash commands to run before the linter | None |
REPOSITORY_CHECKOV_POST_COMMANDS | List of bash commands to run after the linter | None |
REPOSITORY_CHECKOV_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling REPOSITORY_CHECKOV and its pre/post commands | None |
REPOSITORY_CHECKOV_CONFIG_FILE | checkov configuration file nameUse LINTER_DEFAULT to let the linter find it |
.checkov.yml |
REPOSITORY_CHECKOV_RULES_PATH | Path where to find linter configuration file | Workspace folder, then MegaLinter default rules |
REPOSITORY_CHECKOV_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
REPOSITORY_CHECKOV_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
REPOSITORY_CHECKOV_CLI_EXECUTABLE | Override CLI executable | ['checkov'] |
IDE Integration
Use checkov in your favorite IDE to catch errors before MegaLinter !
IDE | Extension Name | Install | |
---|---|---|---|
Visual Studio Code | Checkov |
MegaLinter Flavors
This linter is available in the following flavors
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default MegaLinter Flavor | 124 | ||
c_cpp | Optimized for pure C/C++ projects | 54 | ||
cupcake | MegaLinter for the most commonly used languages | 83 | ||
documentation | MegaLinter for documentation projects | 49 | ||
dotnet | Optimized for C, C++, C# or VB based projects | 62 | ||
dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 71 | ||
go | Optimized for GO based projects | 51 | ||
java | Optimized for JAVA based projects | 52 | ||
javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 | ||
php | Optimized for PHP based projects | 54 | ||
python | Optimized for PYTHON based projects | 62 | ||
ruby | Optimized for RUBY based projects | 50 | ||
rust | Optimized for RUST based projects | 50 | ||
salesforce | Optimized for Salesforce based projects | 54 | ||
security | Optimized for security | 24 | ||
swift | Optimized for SWIFT based projects | 50 | ||
terraform | Optimized for TERRAFORM based projects | 54 |
Behind the scenes
How are identified applicable files
- If this linter is active, all files will always be linted
How the linting is performed
checkov is called once on the whole project directory (project
CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using checkov configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: false
doesn't make checkov analyze only updated files
Example calls
checkov --directory .
checkov --directory . --output --sarif
Help content
usage: checkov [-h] [-v] [--support] [-d DIRECTORY] [--add-check]
[-f FILE [FILE ...]] [--skip-path SKIP_PATH]
[--external-checks-dir EXTERNAL_CHECKS_DIR]
[--external-checks-git EXTERNAL_CHECKS_GIT] [-l]
[-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}]
[--output-file-path OUTPUT_FILE_PATH] [--output-bc-ids]
[--include-all-checkov-policies] [--quiet] [--compact]
[--framework FRAMEWORK [FRAMEWORK ...]]
[--skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]]
[-c CHECK] [--skip-check SKIP_CHECK]
[--run-all-external-checks] [-s] [--soft-fail-on SOFT_FAIL_ON]
[--hard-fail-on HARD_FAIL_ON] [--bc-api-key BC_API_KEY]
[--prisma-api-url PRISMA_API_URL] [--skip-results-upload]
[--docker-image DOCKER_IMAGE]
[--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID]
[-b BRANCH] [--skip-download] [--use-enforcement-rules]
[--download-external-modules DOWNLOAD_EXTERNAL_MODULES]
[--var-file VAR_FILE]
[--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH]
[--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE]
[--no-cert-verify]
[--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
[--config-file CONFIG_FILE] [--create-config CREATE_CONFIG]
[--show-config] [--create-baseline] [--baseline BASELINE]
[--output-baseline-as-skipped]
[--skip-cve-package SKIP_CVE_PACKAGE]
[--policy-metadata-filter POLICY_METADATA_FILTER]
[--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION]
[--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE]
[--enable-secret-scan-all-files]
[--block-list-secret-scan BLOCK_LIST_SECRET_SCAN]
[--summary-position {bottom,top}]
[--skip-resources-without-violations] [--deep-analysis]
[--no-fail-on-crash] [--mask MASK] [--scan-secrets-history]
[--secrets-history-timeout SECRETS_HISTORY_TIMEOUT]
[--openai-api-key OPENAI_API_KEY]
[--custom-tool-name CUSTOM_TOOL_NAME]
Infrastructure as code static analysis
options:
-h, --help show this help message and exit
-v, --version version
--support Enable debug logs and upload the logs to the server.
Requires a Bridgecrew or Prisma Cloud API key.
-d DIRECTORY, --directory DIRECTORY
IaC root directory (can not be used together with
--file).
--add-check Generate a new check via CLI prompt
-f FILE [FILE ...], --file FILE [FILE ...]
File to scan (can not be used together with
--directory). With this option, Checkov will attempt
to filter the runners based on the file type. For
example, if you specify a ".tf" file, only the
terraform and secrets frameworks will be included. You
can further limit this (e.g., skip secrets) by using
the --skip-framework argument.
--skip-path SKIP_PATH
Path (file or directory) to skip, using regular
expression logic, relative to current working
directory. Word boundaries are not implicit; i.e.,
specifying "dir1" will skip any directory or
subdirectory named "dir1". Ignored with -f. Can be
specified multiple times.
--external-checks-dir EXTERNAL_CHECKS_DIR
Directory for custom checks to be loaded. Can be
repeated. Note that this will run Python code from the
specified directory, so only use this option with
trusted directories.
--external-checks-git EXTERNAL_CHECKS_GIT
GitHub url of external checks to be added. You can
specify a subdirectory after a double-slash //.It is
ossible to use ?ref=tags/tagName or
?ref=heads/branchName or ?ref=commit_id and cannot be
used together with --external-checks-dir. Note that
this will run Python code from the specified
directory, so only use this option with trusted
repositories.
-l, --list List checks
-o {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}, --output {cli,csv,cyclonedx,cyclonedx_json,json,junitxml,github_failed_only,gitlab_sast,sarif,spdx}
Report output format. Add multiple outputs by using
the flag multiple times (-o sarif -o cli)
--output-file-path OUTPUT_FILE_PATH
Name of the output folder to save the chosen output
formats. Advanced usage: By using -o cli -o junitxml
--output-file-path console,results.xml the CLI output
will be printed to the console and the JunitXML output
to the file results.xml.
--output-bc-ids Print Bridgecrew platform IDs (BC...) instead of
Checkov IDs (CKV...), if the check exists in the
platform
--include-all-checkov-policies
When running with an API key, Checkov will omit any
policies that do not exist in Prisma Cloud platform,
except for local custom policies loaded with the
--external-check flags. Use this key to include
policies that only exist in Checkov in the scan. Note
that this will make the local CLI results different
from the results you see in the platform. Has no
effect if you are not using an API key. Use the
--check option to explicitly include checks by ID even
if they are not in the platform, without using this
flag.
--quiet in case of CLI output, display only failed checks.
Also disables progress bars
--compact in case of CLI output, do not display code blocks
--framework FRAMEWORK [FRAMEWORK ...]
Filter scan to run only on specific infrastructure as
code frameworks. Defaults to all frameworks. If you
explicitly include 'all' as a value, then all other
values are ignored. Enter as a comma-separated list or
repeat the flag multiple times. For example,
--framework terraform,sca_package or --framework
terraform --framework sca_package. Possible values:
all, ansible, argo_workflows, arm, azure_pipelines,
bicep, bitbucket_pipelines, cdk, circleci_pipelines,
cloudformation, dockerfile, github_configuration,
github_actions, gitlab_configuration, gitlab_ci,
bitbucket_configuration, helm, json, yaml, kubernetes,
kustomize, openapi, sca_package, sca_image, secrets,
serverless, terraform, terraform_json, terraform_plan,
sast, sast_python, sast_java, sast_javascript,
sast_typescript, sast_golang, 3d_policy [env var:
CKV_FRAMEWORK]
--skip-framework SKIP_FRAMEWORK [SKIP_FRAMEWORK ...]
Filter scan to skip specific infrastructure as code
frameworks. This will be included automatically for
some frameworks if system dependencies are missing.
Enter as a comma-separated list or repeat the flag
multiple times. For example, --skip-framework
terraform,sca_package or --skip-framework terraform
--skip-framework sca_package. Cannot include values
that are also included in --framework. Possible
values: ansible, argo_workflows, arm, azure_pipelines,
bicep, bitbucket_pipelines, cdk, circleci_pipelines,
cloudformation, dockerfile, github_configuration,
github_actions, gitlab_configuration, gitlab_ci,
bitbucket_configuration, helm, json, yaml, kubernetes,
kustomize, openapi, sca_package, sca_image, secrets,
serverless, terraform, terraform_json, terraform_plan,
sast, sast_python, sast_java, sast_javascript,
sast_typescript, sast_golang, 3d_policy
-c CHECK, --check CHECK
Checks to run; any other checks will be skipped. Enter
one or more items separated by commas. Each item may
be either a Checkov check ID (CKV_AWS_123), a BC check
ID (BC_AWS_GENERAL_123), or a severity (LOW, MEDIUM,
HIGH, CRITICAL). If you use a severity, then all
checks equal to or above the lowest severity in the
list will be included. This option can be combined
with --skip-check. If it is, then the logic is to
first take all checks that match this list, and then
remove all checks that match the skip list. For
example, if you use --check CKV_123 and --skip-check
LOW, then CKV_123 will not run if it is a LOW
severity. Similarly, if you use --check CKV_789
--skip-check MEDIUM, then CKV_789 will run if it is a
HIGH severity. If you use a check ID here along with
an API key, and the check is not part of the BC / PC
platform, then the check will still be run (see
--include-all-checkov-policies for more info). [env
var: CKV_CHECK]
--skip-check SKIP_CHECK
Checks to skip; any other checks will not be run.
Enter one or more items separated by commas. Each item
may be either a Checkov check ID (CKV_AWS_123), a BC
check ID (BC_AWS_GENERAL_123), or a severity (LOW,
MEDIUM, HIGH, CRITICAL). If you use a severity, then
all checks equal to or below the highest severity in
the list will be skipped. This option can be combined
with --check. If it is, priority is given to checks
explicitly listed by ID or wildcard over checks listed
by severity. For example, if you use --skip-check
CKV_123 and --check HIGH, then CKV_123 will be skipped
even if it is a HIGH severity. In the case of a tie
(e.g., --check MEDIUM and --skip-check HIGH for a
medium severity check), then the check will be
skipped. [env var: CKV_SKIP_CHECK]
--run-all-external-checks
Run all external checks (loaded via --external-checks
options) even if the checks are not present in the
--check list. This allows you to always ensure that
new checks present in the external source are used. If
an external check is included in --skip-check, it will
still be skipped.
-s, --soft-fail Runs checks but always returns a 0 exit code. Using
either --soft-fail-on and / or --hard-fail-on
overrides this option, except for the case when a
result does not match either of the soft fail or hard
fail criteria, in which case this flag determines the
result.
--soft-fail-on SOFT_FAIL_ON
Exits with a 0 exit code if only the specified items
fail. Enter one or more items separated by commas.
Each item may be either a Checkov check ID
(CKV_AWS_123), a BC check ID (BC_AWS_GENERAL_123), or
a severity (LOW, MEDIUM, HIGH, CRITICAL). If you use a
severity, then any severity equal to or less than the
highest severity in the list will result in a soft
fail. This option may be used with --hard-fail-on,
using the same priority logic described in --check and
--skip-check options above, with --hard-fail-on taking
precedence in a tie. If a given result does not meet
the --soft-fail-on nor the --hard-fail-on criteria,
then the default is to hard fail
--hard-fail-on HARD_FAIL_ON
Exits with a non-zero exit code for specified checks.
Enter one or more items separated by commas. Each item
may be either a Checkov check ID (CKV_AWS_123), a BC
check ID (BC_AWS_GENERAL_123), or a severity (LOW,
MEDIUM, HIGH, CRITICAL). If you use a severity, then
any severity equal to or greater than the lowest
severity in the list will result in a hard fail. This
option can be used with --soft-fail-on, using the same
priority logic described in --check and --skip-check
options above, with --hard-fail-on taking precedence
in a tie.
--bc-api-key BC_API_KEY
Bridgecrew API key or Prisma Cloud Access Key (see
--prisma-api-url) [env var: BC_API_KEY]
--prisma-api-url PRISMA_API_URL
The Prisma Cloud API URL (see:
https://prisma.pan.dev/api/cloud/api-urls). Requires
--bc-api-key to be a Prisma Cloud Access Key in the
following format: <access_key_id>::<secret_key> [env
var: PRISMA_API_URL]
--skip-results-upload
Do not upload scan results to the platform to view in
the console. Results are only available locally. If
you use the --support flag, logs will still get
uploaded.
--docker-image DOCKER_IMAGE, --image DOCKER_IMAGE
Scan docker images by name or ID. Only works with
--bc-api-key flag
--dockerfile-path DOCKERFILE_PATH
Path to the Dockerfile of the scanned docker image
--repo-id REPO_ID Identity string of the repository, with form
<repo_owner>/<repo_name>. Required when using the
platform integration (API key).
-b BRANCH, --branch BRANCH
Selected branch of the persisted repository. Only has
effect when using the --bc-api-key flag
--skip-download Do not download any data from Prisma Cloud. This will
omit doc links, severities, etc., as well as custom
policies and suppressions if using an API token. Note:
it will prevent BC platform IDs from being available
in Checkov.
--use-enforcement-rules
Use the Enforcement rules configured in the platform
for hard / soft fail logic. With this option, the
enforcement rule matching this repo, or the default
rule if there is no match, will determine this
behavior: any check with a severity below the selected
rule's soft-fail threshold will be skipped; any check
with a severity equal to or greater than the rule's
hard-fail threshold will be part of the hard-fail
list, and any check in between will be part of the
soft-fail list. For example, if the given enforcement
rule has a hard-fail value of HIGH and a soft-fail
value of MEDIUM,this is the equivalent of using the
flags `--skip-check LOW --hard-fail-on HIGH`. You can
use --check, --skip-check, --soft-fail, --soft-fail-
on, or --hard-fail-on to override portions of an
enforcement rule. Note, however, that the logic of
applying the --check list and then the --skip-check
list (as described above under --check) still applies
here. Requires a BC or PC platform API key.
--download-external-modules DOWNLOAD_EXTERNAL_MODULES
download external terraform modules from public git
repositories and terraform registry [env var:
DOWNLOAD_EXTERNAL_MODULES]
--var-file VAR_FILE Variable files to load in addition to the default
files (see https://www.terraform.io/docs/language/valu
es/variables.html#variable-definitions-tfvars-
files).Currently only supported for source Terraform
(.tf file), and Helm chart scans.Requires using
--directory, not --file. [env var: CKV_VAR_FILE]
--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH
set the path for the download external terraform
modules [env var: EXTERNAL_MODULES_DIR]
--evaluate-variables EVALUATE_VARIABLES
evaluate the values of variables and locals [env var:
CKV_EVAL_VARS]
-ca CA_CERTIFICATE, --ca-certificate CA_CERTIFICATE
Custom CA certificate (bundle) file [env var:
BC_CA_BUNDLE]
--no-cert-verify Skip SSL certificate verification. Use this to bypass
errors related to SSL certificates. Warning: this
should only be used for testing purposes. Skipping
certificate verification is dangerous as invalid and
falsified certificates cannot be detected.
--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT
Directory containing the hcl code used to generate a
given plan file. Use with -f.
--config-file CONFIG_FILE
path to the Checkov configuration YAML file
--create-config CREATE_CONFIG
takes the current command line args and writes them
out to a config file at the given path
--show-config prints all args and config settings and where they
came from (eg. commandline, config file, environment
variable or default)
--create-baseline Alongside outputting the findings, save all results to
.checkov.baseline file so future runs will not re-flag
the same noise. Works only with `--directory` flag
--baseline BASELINE Use a .checkov.baseline file to compare current
results with a known baseline. Report will include
only failed checks that are new with respect to the
provided baseline
--output-baseline-as-skipped
output checks that are skipped due to baseline file
presence
--skip-cve-package SKIP_CVE_PACKAGE
filter scan to run on all packages but a specific
package identifier (denylist), You can specify this
argument multiple times to skip multiple packages
--policy-metadata-filter POLICY_METADATA_FILTER
comma separated key:value string to filter policies
based on Prisma Cloud policy metadata. When used with
--policy-metadata-filter-exception, the exceptions
override any policies selected asa result of the
--policy-metadata-filter flag.See https://prisma.pan.d
ev/api/cloud/cspm/policy#operation/get-policy-filters-
and-options for information on allowed filters.
Example:
policy.label=label1,policy.label=label2,cloud.type=aws
--policy-metadata-filter-exception POLICY_METADATA_FILTER_EXCEPTION
comma separated key:value string to exclude filtered
policies based on Prisma Cloud policy metadata. When
used with --policy-metadata-filter, the exceptions
override any policies selected asa result of the
--policy-metadata-filter flag.See https://prisma.pan.d
ev/api/cloud/cspm/policy#operation/get-policy-filters-
and-options for information on allowed filters.
Example:
policy.label=label1,policy.label=label2,cloud.type=aws
--secrets-scan-file-type SECRETS_SCAN_FILE_TYPE
not in use [env var: CKV_SECRETS_SCAN_FILE_TYPE]
--enable-secret-scan-all-files
enable secret scan for all files [env var:
CKV_SECRETS_SCAN_ENABLE_ALL]
--block-list-secret-scan BLOCK_LIST_SECRET_SCAN
List of files to filter out from the secret scanner
[env var: CKV_SECRETS_SCAN_BLOCK_LIST]
--summary-position {bottom,top}
Chose whether the summary will be appended on top
(before the checks results) or on bottom (after check
results), default is on top.
--skip-resources-without-violations
exclude extra resources (resources without violations)
from report output [env var:
CKV_SKIP_RESOURCES_WITHOUT_VIOLATIONS]
--deep-analysis Combine the TF Plan and TF graphs to make connections
not available in either
--no-fail-on-crash Return exit code 0 instead of 2 [env var:
CKV_NO_FAIL_ON_CRASH]
--mask MASK List of <resource_type>:<variable> OR <variable> only.
Each entry in the list will be used formasking the
desired attribute for resource (or for all resources,
if no resource given).Notice: one entry can contain
several variables, seperated with a comma. For
example:<resource_type>:<variable1>,<variable2> OR
<variable1>,<variable2>
--scan-secrets-history
will scan the history of commits for secrets
--secrets-history-timeout SECRETS_HISTORY_TIMEOUT
maximum time to stop the scan
--openai-api-key OPENAI_API_KEY
Add an OpenAI API key to enhance finding guidelines by
sending violated policies and resource code to OpenAI
to request remediation guidance. This will use your
OpenAI credits. Set your number of findings that will
receive enhanced guidelines using
CKV_OPENAI_MAX_FINDINGS [env var: CKV_OPENAI_API_KEY]
--custom-tool-name CUSTOM_TOOL_NAME
Add a tool name if you want your output to be tagged
with a specific tool name,this is useful when
integrating with other tools such as uploading SARIF
files to github code scanning
Args that start with '--' can also be set in a config file (/.checkov.yaml or
/.checkov.yml or /root/.checkov.yaml or /root/.checkov.yml or specified via
--config-file). The config file uses YAML syntax and must represent a YAML
'mapping' (for details, see http://learn.getgrav.org/advanced/yaml). In
general, command-line values override environment variables which override
config file values which override defaults.