checkov
checkov documentation
- Version in Mega-Linter: 2.0.524
- Visit Official Web Site
- See How to disable checkov rules in files
- See Index of problems detected by checkov
Configuration in Mega-Linter
- Enable checkov by adding
TERRAFORM_CHECKOV
in ENABLE_LINTERS variable - Disable checkov by adding
TERRAFORM_CHECKOV
in DISABLE_LINTERS variable
Variable | Description | Default value |
---|---|---|
TERRAFORM_CHECKOV_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
TERRAFORM_CHECKOV_FILTER_REGEX_INCLUDE | Custom regex including filter Ex: (src\|lib) |
Include every file |
TERRAFORM_CHECKOV_FILTER_REGEX_EXCLUDE | Custom regex excluding filter Ex: (test\|examples) |
Exclude no file |
TERRAFORM_CHECKOV_CLI_LINT_MODE | Override default CLI lint mode - file : Calls the linter for each file- list_of_files : Call the linter with the list of files as argument- project : Call the linter from the root of the project |
{linter.cli_lint_mode} |
TERRAFORM_CHECKOV_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
[".tf"] |
TERRAFORM_CHECKOV_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
TERRAFORM_CHECKOV_PRE_COMMANDS | List of bash commands to run before the linter | None |
TERRAFORM_CHECKOV_POST_COMMANDS | List of bash commands to run after the linter | None |
TERRAFORM_CHECKOV_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
TERRAFORM_CHECKOV_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
IDE Integration
Use checkov in your favorite IDE to catch errors before Mega-Linter !
IDE | Extension Name | Install | |
---|---|---|---|
Visual Studio Code | Checkov |
Mega-Linter Flavours
This linter is available in the following flavours
Flavor | Description | Embedded linters | Info | |
---|---|---|---|---|
all | Default Mega-Linter Flavor | 94 | ||
terraform | Optimized for TERRAFORM based projects | 45 |
Behind the scenes
How are identified applicable files
- File extensions:
.tf
How the linting is performed
- checkov is called one time by identified file
Example calls
checkov --file myfile.tf
Help content
usage: checkov [-h] [-v] [-d DIRECTORY] [-f FILE] [--skip-path SKIP_PATH]
[--external-checks-dir EXTERNAL_CHECKS_DIR]
[--external-checks-git EXTERNAL_CHECKS_GIT] [-l]
[-o {cli,cyclonedx,json,junitxml,github_failed_only,sarif}]
[--output-bc-ids] [--no-guide] [--quiet] [--compact]
[--framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json,all}]
[--skip-framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json}]
[-c CHECK] [--skip-check SKIP_CHECK]
[--run-all-external-checks] [--bc-api-key BC_API_KEY]
[--docker-image DOCKER_IMAGE]
[--dockerfile-path DOCKERFILE_PATH] [--repo-id REPO_ID]
[-b BRANCH] [--skip-fixes] [--skip-suppressions]
[--skip-policy-download]
[--download-external-modules DOWNLOAD_EXTERNAL_MODULES]
[--var-file VAR_FILE]
[--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH]
[--evaluate-variables EVALUATE_VARIABLES] [-ca CA_CERTIFICATE]
[--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT]
[--config-file CONFIG_FILE] [--create-config CREATE_CONFIG]
[--show-config] [--create-baseline] [--baseline BASELINE]
[-s | --soft-fail-on SOFT_FAIL_ON | --hard-fail-on HARD_FAIL_ON]
Infrastructure as code static analysis
optional arguments:
-h, --help show this help message and exit
-v, --version version
-d DIRECTORY, --directory DIRECTORY
IaC root directory (can not be used together with
--file).
-f FILE, --file FILE IaC file(can not be used together with --directory)
--skip-path SKIP_PATH
Path (file or directory) to skip, using regular
expression logic, relative to current working
directory. Word boundaries are not implicit; i.e.,
specifying "dir1" will skip any directory or
subdirectory named "dir1". Ignored with -f. Can be
specified multiple times.
--external-checks-dir EXTERNAL_CHECKS_DIR
Directory for custom checks to be loaded. Can be
repeated
--external-checks-git EXTERNAL_CHECKS_GIT
Github url of external checks to be added. you can
specify a subdirectory after a double-slash //. cannot
be used together with --external-checks-dir
-l, --list List checks
-o {cli,cyclonedx,json,junitxml,github_failed_only,sarif}, --output {cli,cyclonedx,json,junitxml,github_failed_only,sarif}
Report output format. Can be repeated
--output-bc-ids Print Bridgecrew platform IDs (BC...) instead of
Checkov IDs (CKV...), if the check exists in the
platform
--no-guide Do not fetch Bridgecrew platform IDs and guidelines
for the checkov output report. Note: this prevents
Bridgecrew platform check IDs from being used anywhere
in the CLI.
--quiet in case of CLI output, display only failed checks
--compact in case of CLI output, do not display code blocks
--framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json,all}
filter scan to run only on a specific infrastructure
code frameworks
--skip-framework {cloudformation,terraform,kubernetes,serverless,arm,terraform_plan,helm,dockerfile,secrets,json}
filter scan to skip specific infrastructure code
frameworks. will be included automatically for some
frameworks if system dependencies are missing.
-c CHECK, --check CHECK
filter scan to run only on a specific check
identifier(allowlist), You can specify multiple checks
separated by comma delimiter
--skip-check SKIP_CHECK
filter scan to run on all check but a specific check
identifier(denylist), You can specify multiple checks
separated by comma delimiter
--run-all-external-checks
Run all external checks (loaded via --external-checks
options) even if the checks are not present in the
--check list. This allows you to always ensure that
new checks present in the external source are used. If
an external check is included in --skip-check, it will
still be skipped.
--bc-api-key BC_API_KEY
Bridgecrew API key [env var: BC_API_KEY]
--docker-image DOCKER_IMAGE
Scan docker images by name or ID. Only works with
--bc-api-key flag
--dockerfile-path DOCKERFILE_PATH
Path to the Dockerfile of the scanned docker image
--repo-id REPO_ID Identity string of the repository, with form
<repo_owner>/<repo_name>
-b BRANCH, --branch BRANCH
Selected branch of the persisted repository. Only has
effect when using the --bc-api-key flag
--skip-fixes Do not download fixed resource templates from
Bridgecrew. Only has effect when using the --bc-api-
key flag
--skip-suppressions Do not download preconfigured suppressions from the
Bridgecrew platform. Code comment suppressions will
still be honored. Only has effect when using the --bc-
api-key flag
--skip-policy-download
Do not download custom policies configured in the
Bridgecrew platform. Only has effect when using the
--bc-api-key flag
--download-external-modules DOWNLOAD_EXTERNAL_MODULES
download external terraform modules from public git
repositories and terraform registry [env var:
DOWNLOAD_EXTERNAL_MODULES]
--var-file VAR_FILE Variable files to load in addition to the default
files (see https://www.terraform.io/docs/language/valu
es/variables.html#variable-definitions-tfvars-
files).Currently only supported for source Terraform
(.tf file) scans. Requires using --directory, not
--file.
--external-modules-download-path EXTERNAL_MODULES_DOWNLOAD_PATH
set the path for the download external terraform
modules [env var: EXTERNAL_MODULES_DIR]
--evaluate-variables EVALUATE_VARIABLES
evaluate the values of variables and locals
-ca CA_CERTIFICATE, --ca-certificate CA_CERTIFICATE
custom CA (bundle) file [env var: CA_CERTIFICATE]
--repo-root-for-plan-enrichment REPO_ROOT_FOR_PLAN_ENRICHMENT
Directory containing the hcl code used to generate a
given plan file. Use with -f.
--config-file CONFIG_FILE
path to the Checkov configuration YAML file
--create-config CREATE_CONFIG
takes the current command line args and writes them
out to a config file at the given path
--show-config prints all args and config settings and where they
came from (eg. commandline, config file, environment
variable or default)
--create-baseline Alongside outputting the findings, save all results to
.checkov.baseline file so future runs will not re-flag
the same noise. Works only with `--directory` flag
--baseline BASELINE Use a .checkov.baseline file to compare current
results with a known baseline. Report will include
only failed checks that are newwith respect to the
provided baseline
-s, --soft-fail Runs checks but suppresses error code
--soft-fail-on SOFT_FAIL_ON
Exits with a 0 exit code for specified checks. You can
specify multiple checks separated by comma delimiter
--hard-fail-on HARD_FAIL_ON
Exits with a non-zero exit code for specified checks.
You can specify multiple checks separated by comma
delimiter
Args that start with '--' (eg. -v) can also be set in a config file
(/.checkov.yaml or /.checkov.yml or /root/.checkov.yaml or /root/.checkov.yml
or specified via --config-file). The config file uses YAML syntax and must
represent a YAML 'mapping' (for details, see
http://learn.getgrav.org/advanced/yaml). If an arg is specified in more than
one place, then commandline values override environment variables which
override config file values which override defaults.
Installation on mega-linter Docker image
- PIP packages (Python):