Static analysis that catches misconfigurations in infrastructure as code
- Stars8.8k
- Forks1.4k
- Open Issues143
Apache-2.0
- Python
- HCL
- TypeScript
About Checkov
Checkov is a static analysis tool for infrastructure as code, with software composition analysis layered on top for container images and open source packages. It catches security and compliance misconfigurations at build time, before flawed infrastructure ever reaches the cloud.
It reads Terraform, CloudFormation, AWS SAM, Kubernetes, Helm, Kustomize, Dockerfile, Serverless, Bicep, ARM, OpenAPI, and OpenTofu definitions, plus CI workflow files, and applies over 1000 built-in policies through a graph-based engine that understands relationships between resources. Results export to CLI, CycloneDX, JSON, JUnit XML, CSV, SARIF, and Markdown.
Checkov is built and maintained by Prisma Cloud, and it powers Prisma Cloud Application Security. It runs locally from pip or Homebrew and is also published as a Docker image.
Key features
- Scans Terraform, CloudFormation, Kubernetes, Helm, and more IaC
- Software composition analysis for images and open source packages
- Graph-based policy engine with inline suppression
- Detects secrets via regex, keywords, and entropy
- Exports CLI, CycloneDX, JSON, JUnit XML, CSV, and SARIF
Details
- First released
- 2019
- Platforms
- CLI · Docker
- Deployment
- self-hostable · docker · offline
- Runtime
- Python 3.9+
- Built-in policies
- Over 1000
- Governance
- Built by Prisma Cloud (Bridgecrew)