bridgecrewio/checkov

8,709 · Python · Audience: ops, devops · Complexity: 2/5 · Setup: easy

TLDR

Open-source security scanner that reads your infrastructure-as-code files (Terraform, Kubernetes, Docker, CloudFormation) before deployment and flags misconfigurations and leaked secrets.

Mindmap

mindmap
  root((Checkov))
    What it does
      Scan before deploy
      Flag misconfigs
      Detect secrets
    Supported formats
      Terraform
      Kubernetes
      Dockerfile
      CloudFormation
    Cloud providers
      AWS
      Azure
      Google Cloud
    Output formats
      Terminal
      JSON
      SARIF
      JUnit XML

Things people build with this

USE CASE 1

Scan a Terraform project before deployment to catch public S3 buckets, missing encryption, or over-privileged roles.

USE CASE 2

Add checkov to a CI/CD pipeline to automatically fail builds that introduce cloud security misconfigurations.

USE CASE 3

Detect accidentally committed API keys or passwords inside Kubernetes manifests, Dockerfiles, or CI config files.

USE CASE 4

Export scan results as SARIF to upload security findings directly to GitHub's security dashboard.

Tech stack

Python · Terraform · Kubernetes · Docker · CloudFormation · Helm

Getting it running

Difficulty · easy · Time to first run · 5 min

In plain English

Checkov is a security scanning tool that reads your infrastructure configuration files before you deploy anything and flags settings that could expose your cloud environment to risk. Instead of finding problems after a breach, it catches them at the point where you write your infrastructure code. It is maintained by Prisma Cloud, a Palo Alto Networks product, and is available as a free open-source tool.

The tool understands a wide range of configuration formats used to describe cloud resources. It can scan Terraform files, CloudFormation templates, Kubernetes manifests, Helm charts, Dockerfiles, Ansible playbooks, and CI/CD pipeline definitions from GitHub Actions, GitLab, Bitbucket, and others. It includes over 1,000 built-in rules covering common security and compliance requirements for AWS, Azure, and Google Cloud. For example, it can detect an S3 bucket left open to the public, a database missing encryption, or a container running with more system privileges than it needs.

Beyond configuration checks, Checkov also scans open-source packages and container images for known security vulnerabilities, a process called software composition analysis. It can also detect secrets such as cloud API keys or passwords that were accidentally written into configuration files.

You install it with pip3 install checkov or Homebrew, then point it at a folder: checkov -d /path/to/code. Results appear in the terminal and can also be exported as JSON, CSV, SARIF (for uploading to GitHub's security dashboard), or JUnit XML for CI systems. Individual findings can be silenced inline with a comment when the risk is accepted, so the tool fits into automated pipelines without generating noise on known exceptions.
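The paragraph above describes exporting results as JSON and failing CI builds on misconfigurations; the following is an added example of a small CI gate that consumes such a report, not code from the Checkov project. The report it parses is a constructed sample shaped like Checkov's JSON output with illustrative check ids, and the gate deliberately fails the build when files could not be parsed, since an unparsed file received no checks at all.

```python
"""Gate a CI job on a checkov JSON report (produced by: checkov -d . -o json)."""
import json
import sys
from collections import Counter

# Constructed sample shaped like checkov's JSON report; only the fields this script reads
# are present and the check ids are illustrative. Checkov prints a bare object when one
# framework was scanned and a list of such objects when several were, so both are accepted.
SAMPLE_REPORT = json.dumps([{
    "check_type": "terraform",
    "results": {
        "failed_checks": [
            {"check_id": "CKV_AWS_19", "resource": "aws_s3_bucket.data", "file_path": "/s3.tf"},
            {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.data", "file_path": "/s3.tf"},
        ],
        "parsing_errors": [],
    },
}])


def load_reports(text):
    """Normalise the single-object or list output into a list of per-framework reports."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def failed_by_check(reports):
    """Count failed findings per check id across every scanned framework."""
    return Counter(c["check_id"] for r in reports for c in r["results"]["failed_checks"])


def evaluate(report_text, blocking_ids, max_failures):
    """Return (should_fail, reasons): fail on any blocking check, on more failures
    than the budget allows, or on files checkov could not parse (hence never checked)."""
    reports = load_reports(report_text)
    counts = failed_by_check(reports)
    reasons = []
    blocked = sorted(set(counts) & set(blocking_ids))
    if blocked:
        reasons.append("blocking checks failed: " + ", ".join(blocked))
    total = sum(counts.values())
    if total > max_failures:
        reasons.append(f"{total} failed checks exceed the budget of {max_failures}")
    unparsed = [p for r in reports for p in r["results"].get("parsing_errors", [])]
    if unparsed:
        reasons.append("files skipped due to parsing errors: " + ", ".join(unparsed))
    return bool(reasons), reasons


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    should_fail, why = evaluate(text, {"CKV_AWS_19"}, 5)
    print("\n".join(why) or "checkov gate passed")
    sys.exit(1 if should_fail else 0)
```

Run it as `python gate.py report.json` after `checkov -d . -o json > report.json`; the blocking set and failure budget are the knobs a team would tune per pipeline.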

Copy-paste prompts

Prompt 1
Run checkov on my Terraform directory and show me how to silence a specific finding inline with a comment when the risk is accepted.
Prompt 2
How do I add checkov to a GitHub Actions workflow so it fails the PR if any HIGH severity issues are found in CloudFormation templates?
Prompt 3
Show me the checkov command to scan a folder of Kubernetes manifests and export results as JUnit XML for a CI reporting dashboard.
Prompt 4
How does checkov detect secrets in config files, and what happens when it finds a hardcoded AWS access key?