## Overview
Checkov is an open-source static analysis tool from Bridgecrew/Palo Alto Networks. It scans infrastructure-as-code files for misconfigurations that could lead to security, compliance, or operational issues.
## How the starter kit uses Checkov
| Integration Point | Description |
|---|---|
| Local validation | `./scripts/validate-templates.sh` runs Checkov with the `.checkov.yml` configuration |
| CI enforcement | The deploy workflow calls `bridgecrewio/checkov-action@v12`; failing checks block the pipeline |
| Custom policy control | `.checkov.yml` enables/disables frameworks and skips findings; inline comments suppress individual checks |
## Running Checkov

### Via validation script

```bash
./scripts/validate-templates.sh
```

### Directly

```bash
# Scan all templates
checkov -d templates/ --framework cloudformation

# With configuration file
checkov -d templates/ -c .checkov.yml

# Scan a single template
checkov -f templates/oidc-provider.yml --framework cloudformation
```
## Common security issues detected
| Category | Checks |
|---|---|
| S3 Security | Unencrypted buckets, public access, missing versioning |
| IAM Policies | Overly permissive policies, wildcard actions, missing MFA |
| Network Security | Open security groups, unencrypted traffic, missing VPC flow logs |
| Encryption | Missing encryption at rest and in transit |
| Logging | Missing CloudTrail, CloudWatch logs, or access logging |
| Compliance | PCI-DSS, HIPAA, CIS AWS Foundations, SOC2 |
Example output:

```text
Check: CKV_AWS_18: "Ensure S3 bucket has server-side encryption enabled"
        FAILED for resource: AWS::S3::Bucket.DataBucket
        File: /templates/storage.yml:10-15
        Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
```
## Suppressing false positives
When Checkov flags a legitimate design choice, suppress the check with an inline `checkov:skip` comment placed inside the resource definition:

```yaml
Resources:
  LogBucket:
    # checkov:skip=CKV_AWS_18:Encryption not required for access logs
    Type: AWS::S3::Bucket
    Properties:
      BucketName: app-access-logs
```
Always include a justification explaining why the check doesn't apply.
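The following script is an added example, not code from the starter kit or from Checkov. It walks template text looking for `checkov:skip=` comments and reports any whose check ID is malformed or whose justification (the text after the second colon) is missing or shorter than a few words, so the "always include a justification" rule can be enforced before a template is committed. The sample template and the three-word threshold are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample template (not from the starter kit): one well-formed
# suppression, one with no justification, one with an empty justification.
SAMPLE_TEMPLATE = """\
Resources:
  LogBucket:
    # checkov:skip=CKV_AWS_18:Encryption not required for access logs
    Type: AWS::S3::Bucket
  DataBucket:
    # checkov:skip=CKV_AWS_21
    Type: AWS::S3::Bucket
  TempBucket:
    # checkov:skip=CKV_AWS_62:
    Type: AWS::S3::Bucket
"""

# Checkov's inline syntax is "# checkov:skip=<CHECK_ID>:<justification>";
# the justification is optional to Checkov, which is exactly the gap to close.
SKIP_RE = re.compile(r"#\s*checkov:skip=(?P<check_id>[A-Z0-9_]+)(?::(?P<reason>.*))?$")
# Check IDs look like CKV_AWS_18, CKV2_AWS_1, CKV_SECRET_14.
CHECK_ID_RE = re.compile(r"^CKV2?_[A-Z]+_\d+$")
MIN_REASON_WORDS = 3  # assumption: threshold chosen for this example


def find_unjustified_skips(template_text: str) -> List[Dict[str, object]]:
    """Return one finding per suppression comment that is malformed or unjustified."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(template_text.splitlines(), start=1):
        match = SKIP_RE.search(line.strip())
        if not match:
            continue
        check_id = match.group("check_id")
        reason = (match.group("reason") or "").strip()
        problems: List[str] = []
        if not CHECK_ID_RE.match(check_id):
            problems.append("malformed check id")
        if len(reason.split()) < MIN_REASON_WORDS:
            problems.append("missing or too-short justification")
        if problems:
            findings.append({"line": lineno, "check_id": check_id, "problems": problems})
    return findings


if __name__ == "__main__":
    for finding in find_unjustified_skips(SAMPLE_TEMPLATE):
        print(f"line {finding['line']}: {finding['check_id']}: {', '.join(finding['problems'])}")
    raise SystemExit(1 if find_unjustified_skips(SAMPLE_TEMPLATE) else 0)
```

Run it over `templates/*.yml` from the validation script (or a pre-commit hook) and fail the run when it returns any findings; the suppression then carries its reasoning into code review instead of silently widening the policy.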
## Configuration

The starter kit includes a `.checkov.yml` file. See the Checkov configuration section for customization details.

### Configuration file format

```yaml
branch: main
directory:
- templates
download-external-modules: false
evaluate-variables: true
external-modules-download-path: .external_modules
framework:
- cloudformation
secrets-scan-file-type: []
skip-check:
- CKV_AWS_7
- CKV_AWS_18
- CKV_AWS_21
- CKV_AWS_62
- CKV_AWS_107
- CKV_AWS_108
- CKV_AWS_109
- CKV_AWS_110
- CKV_AWS_111
- CKV_AWS_115
- CKV_AWS_116
- CKV_AWS_117
- CKV_AWS_157
- CKV_AWS_162
- CKV_SECRET_14
```

### Configuration options

| Option | Description |
|---|---|
| framework | Set to cloudformation for template scanning |
| directory | Directories to scan |
| evaluate-variables | Evaluate CloudFormation parameters and conditions |
| skip-check | List of check IDs to skip |
## Output formats

| Format | Command | Use Case |
|---|---|---|
| Compact | `checkov -d templates/ --compact` | CI/CD pipelines |
| JSON | `checkov -d templates/ --output json` | Custom tooling |
| JUnit XML | `checkov -d templates/ --output junitxml > results.xml` | Test reporting |
## Severity filtering

Focus on high-severity issues (severity names are resolved from the platform's check metadata, so this filter needs an API key; without one, filter by check ID instead):

```bash
checkov -d templates/ --framework cloudformation --check CRITICAL,HIGH
```
## CI/CD integration

The GitHub Actions workflow includes Checkov:

```yaml
- name: Validate templates
  run: ./scripts/validate-templates.sh
```
Failed checks block the pipeline, preventing unsafe infrastructure from reaching production.
For workflow details, see CI/CD Workflows.
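The "Custom tooling" use of the JSON output and the CI gate above can be joined in a small gate script. The one below is an added example, not part of the starter kit or Checkov: it reads a Checkov JSON report, fails the build on any failed check not on an explicit waiver list, lists skipped checks with their justifications, and also fails when a template could not be parsed (an unparsed template was never scanned, so letting it pass silently defeats the gate). The report shape (`results.failed_checks`, `results.skipped_checks` with `check_result.suppress_comment`, `results.parsing_errors`, and a list of such objects for multi-framework runs) follows Checkov's JSON reporter as I know it and is an assumption; the report content is constructed, reusing the resource and guideline from the page's example output.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed Checkov JSON report for this example (assumed shape, see lead-in).
SAMPLE_REPORT = json.dumps({
    "check_type": "cloudformation",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {
                "check_id": "CKV_AWS_18",
                "check_name": "Ensure S3 bucket has server-side encryption enabled",
                "check_result": {"result": "FAILED"},
                "resource": "AWS::S3::Bucket.DataBucket",
                "file_path": "/templates/storage.yml",
                "file_line_range": [10, 15],
                "guideline": "https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest",
            },
            {
                "check_id": "CKV_AWS_21",
                "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
                "check_result": {"result": "FAILED"},
                "resource": "AWS::S3::Bucket.DataBucket",
                "file_path": "/templates/storage.yml",
                "file_line_range": [10, 15],
            },
        ],
        "skipped_checks": [
            {
                "check_id": "CKV_AWS_18",
                "check_result": {"result": "SKIPPED",
                                 "suppress_comment": "Encryption not required for access logs"},
                "resource": "AWS::S3::Bucket.LogBucket",
                "file_path": "/templates/storage.yml",
                "file_line_range": [20, 25],
            }
        ],
        "parsing_errors": ["/templates/broken.yml"],  # constructed path
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 1, "parsing_errors": 1, "resource_count": 2},
})

# Constructed empty report, used to show the passing path.
CLEAN_REPORT = json.dumps({"results": {"failed_checks": [], "skipped_checks": [], "parsing_errors": []}})


def _describe(rec: Dict[str, Any]) -> str:
    start, end = rec.get("file_line_range", [0, 0])
    return f"{rec['check_id']} {rec.get('resource', '?')} ({rec.get('file_path', '?')}:{start}-{end})"


def gate(raw_json: str, waived: Iterable[str] = ()) -> Dict[str, Any]:
    """Decide whether a Checkov JSON report should block the pipeline.

    waived: check IDs that are reported as warnings instead of blocking. This is the
    pipeline-side counterpart of the skip-check list in .checkov.yml, with the
    difference that waived findings still appear in the gate's output.
    """
    data = json.loads(raw_json)
    reports: List[Dict[str, Any]] = data if isinstance(data, list) else [data]
    waived = set(waived)
    blocking: List[str] = []
    warnings: List[str] = []
    skipped: List[str] = []
    parse_errors: List[str] = []
    for report in reports:
        results = report.get("results", {})
        for rec in results.get("failed_checks", []):
            (warnings if rec["check_id"] in waived else blocking).append(_describe(rec))
        for rec in results.get("skipped_checks", []):
            comment = rec.get("check_result", {}).get("suppress_comment", "")
            skipped.append(f"{_describe(rec)}: {comment or 'NO JUSTIFICATION'}")
        # A file Checkov could not parse was never scanned: fail rather than pass silently.
        parse_errors.extend(results.get("parsing_errors", []))
    return {
        "blocking": blocking,
        "warnings": warnings,
        "skipped": skipped,
        "parsing_errors": parse_errors,
        "exit_code": 1 if blocking or parse_errors else 0,
    }


if __name__ == "__main__":
    verdict = gate(SAMPLE_REPORT, waived={"CKV_AWS_21"})
    for key in ("blocking", "warnings", "skipped", "parsing_errors"):
        for line in verdict[key]:
            print(f"[{key}] {line}")
    raise SystemExit(verdict["exit_code"])
```

In a workflow step this would follow `checkov -d templates/ --output json > checkov.json`, with the waiver list kept in the repository next to `.checkov.yml` so that every relaxation of the gate is visible in the same review as the template change.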
## Best practices

- Run locally first - Use `./scripts/validate-templates.sh` before committing
- Review all failures - Don't blindly suppress checks; understand what they protect against
- Document suppressions - Always add clear justifications when skipping checks
- Update regularly - Keep Checkov up to date for new security checks
- Combine with cfn-lint - Checkov focuses on security; cfn-lint focuses on correctness
## Next steps
- cfn-lint reference - Template validation
- Scripts reference - Validation automation
- Local Development - Daily workflow