## What is Checkov?
Checkov is an open-source static analysis tool from Bridgecrew/Palo Alto Networks. It scans infrastructure-as-code files—including CloudFormation—for misconfigurations that could lead to security, compliance, or operational issues.
## How the starter kit uses Checkov

- **Local validation:** `./scripts/validate-templates.sh` ensures Checkov is installed and then runs it with the repository's `.checkov.yml` configuration.
- **CI enforcement:** The deploy workflow calls `bridgecrewio/checkov-action@v12` before any Rain deployment. Failing checks block the pipeline so unsafe changes never reach AWS.
- **Custom policy control:** The `.checkov.yml` file lets you enable/disable frameworks, skip findings, or add inline suppressions.
## Running Checkov manually

After installing dependencies from `requirements.txt`, run Checkov with the same options the script uses:

```bash
checkov -d templates/ -c .checkov.yml
```

Or target a single template while you iterate:

```bash
checkov -f templates/oidc-provider.yml -c .checkov.yml
```

Use the `--framework cloudformation` flag if you want to limit scans to CloudFormation explicitly.
## Tuning results

- **Ignore specific checks:** Add the check ID to `.checkov.yml` under `skip-check`, or use `# checkov:skip=<ID>` comments directly in your template with a justification.
- **Enforce severity thresholds:** Configure the `soft_fail` input in the GitHub Action step if you want warnings to pass but fail on critical findings.
- **Add custom policies:** Create policies under the `checkov` directory (for example `checkov/custom_policies/`) and reference them via the `--external-checks-dir` flag in the validation script.
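As an added example (not a file shipped with the starter kit), here is a `.checkov.yml` that wires the options above together so the local script and the CI step read one source of truth. The `templates/` and `checkov/custom_policies/` paths are assumed from the layout described on this page; `CKV_AWS_18` is a real built-in Checkov check (S3 access logging), used only to show how a justified skip looks.

```yaml
# .checkov.yml -- added example; paths assumed from the starter kit layout.
# Keys mirror checkov's long CLI flags, so `checkov -c .checkov.yml` and
# `checkov -d templates/ --framework cloudformation ...` behave the same.

directory:
  - templates                 # same target as ./scripts/validate-templates.sh

framework:
  - cloudformation            # equivalent to --framework cloudformation

external-checks-dir:
  - checkov/custom_policies   # equivalent to --external-checks-dir (assumed path)

skip-check:
  # Every skipped ID carries a reason so a reviewer can challenge it later.
  - CKV_AWS_18                # S3 access logging: dev-only buckets; CloudTrail data events cover them

soft-fail: false              # keep the gate hard: a skip is explicit, soft-fail hides every finding

quiet: true                   # print failed checks only
compact: true                 # omit the resource code snippet in CLI output
```

Prefer a narrowly scoped `skip-check` entry or an inline `# checkov:skip=<ID>:<reason>` on the one resource over `soft-fail: true`, which would let every finding through the pipeline.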
## Next steps

Pair Checkov with cfn-lint for syntax coverage, and review the Scripts reference to see exactly how validation integrates with your workflows.