Overview
Checkov is an open-source static analysis tool for infrastructure as code, originally from Bridgecrew and now maintained by Palo Alto Networks (Prisma Cloud). In this starter kit it scans the Terraform configurations for misconfigurations that could lead to security, compliance, or operational issues, before anything is applied to an account.
Integration
| Command | Description |
|---|---|
| make security-scan | Run Checkov across all environments |
| make validate-full | Run Checkov as part of full validation |
Running manually
```bash
# Using make
make security-scan

# Or directly, scanning a single environment directory
cd environments/staging/
checkov --directory . --framework terraform
```
Target a single file:
```bash
checkov --file main.tf --framework terraform
```
Security issues detected
| Category | Checks |
|---|---|
| S3 Security | Unencrypted buckets, public access, missing versioning |
| IAM Policies | Overly permissive policies, wildcard actions, missing MFA |
| Network Security | Open security groups, unencrypted traffic, missing VPC flow logs |
| Encryption | Missing encryption at rest and in transit |
| Logging | Missing CloudTrail, CloudWatch logs, access logging |
| Compliance | PCI-DSS, HIPAA, CIS AWS Foundations, SOC2 |
Example output (note the IDs: CKV_AWS_19 is the encryption-at-rest check, while CKV_AWS_18 is the access-logging check used in the suppression and configuration examples below):

```
Check: CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
	FAILED for resource: aws_s3_bucket.data
	File: /environments/staging/main.tf:15-18
	Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
```
Suppressing false positives
Use inline comments with a justification. The comment goes inside the resource block it applies to, and the text after the second colon is recorded as the suppression reason in the report:

```hcl
resource "aws_s3_bucket" "logs" {
  # CKV_AWS_18 is "Ensure the S3 bucket has access logging enabled"; this bucket
  # is the access-log destination, so logging it to itself would be recursive.
  #checkov:skip=CKV_AWS_18:Access-log destination bucket; logging it to itself would be recursive
  bucket = "app-access-logs"
}
```

Always include a justification explaining why the check doesn't apply. Checkov accepts a skip without one, but the suppressed check then shows up in the skipped results with no reason, and a reviewer has no way to tell a deliberate exception from a lazy one.
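Because Checkov itself does not require a justification, a small pre-commit or CI step can enforce the rule above. The following is an added example, not code from the starter kit or from Checkov: it walks the `.tf` files, parses every inline `#checkov:skip=` comment, and fails when the reason is missing or too short, or when the skipped check is on a hypothetical "never suppress" list (`NEVER_SKIP` and `MIN_REASON_LEN` are assumptions of this example, not Checkov settings). The sample Terraform text at the bottom is constructed for the demonstration.

```python
"""Audit Checkov inline suppressions in Terraform files (added example)."""
import re
import sys
from pathlib import Path

# Checkov's inline suppression syntax: #checkov:skip=<CHECK_ID>[:<justification>]
# The justification is optional in Checkov, which is exactly the gap this audit closes.
SKIP_RE = re.compile(
    r"#\s*checkov:skip=\s*(?P<check_id>[A-Z0-9_]+)\s*(?::\s*(?P<reason>.*?))?\s*$"
)

# Hypothetical policy for this example: checks that may never be suppressed inline.
NEVER_SKIP = {"CKV_AWS_19"}  # S3 data encrypted at rest
MIN_REASON_LEN = 10          # hypothetical minimum length for a justification


def audit_text(text, filename="<string>"):
    """Return (filename, line, check_id, problem) tuples for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = SKIP_RE.search(line)
        if not match:
            continue
        check_id = match.group("check_id")
        reason = (match.group("reason") or "").strip()
        if check_id in NEVER_SKIP:
            findings.append((filename, lineno, check_id, "suppression of this check is not allowed"))
        elif len(reason) < MIN_REASON_LEN:
            findings.append((filename, lineno, check_id, "missing or too-short justification"))
    return findings


def audit_paths(paths):
    """Audit every *.tf file under the given directories, skipping .terraform/ caches."""
    findings = []
    for root in paths:
        for tf in Path(root).rglob("*.tf"):
            if ".terraform" in tf.parts:
                continue
            findings.extend(audit_text(tf.read_text(), str(tf)))
    return findings


# Constructed sample: one good suppression, one with no reason, one on a blocked check.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Access-log destination bucket; logging it to itself would be recursive
  bucket = "app-access-logs"
}

resource "aws_s3_bucket" "scratch" {
  #checkov:skip=CKV_AWS_21
  bucket = "scratch-data"
}

resource "aws_s3_bucket" "data" {
  #checkov:skip=CKV_AWS_19:temp
  bucket = "app-data"
}
"""

if __name__ == "__main__":
    # With directories on the command line audit them; otherwise audit the sample.
    results = audit_paths(sys.argv[1:]) if len(sys.argv) > 1 else audit_text(SAMPLE_TF, "sample.tf")
    for filename, lineno, check_id, problem in results:
        print(f"{filename}:{lineno}: {check_id}: {problem}")
    sys.exit(1 if results else 0)
```

Run it as `python audit_skips.py environments/` from the same Makefile target that runs Checkov, so a suppression without a reason fails the build before the scan even starts.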
Configuration
The starter kit includes .checkov.yml. Checkov reads it automatically from the directory it is run in; when running from elsewhere, point at it with --config-file:

```yaml
---
# Checkov configuration file

# Framework to scan
framework: terraform

# Skip specific checks (add check IDs as needed)
skip-check:
  # Example: Skip S3 bucket logging checks for demo buckets
  # - CKV_AWS_18  # S3 Bucket should have access logging enabled
  # - CKV_AWS_21  # S3 Bucket should have versioning enabled

# Exclude specific directories
skip-path:
  - .terraform/
  - .git/
  - tests/

# Enable downloading external modules
download-external-modules: true
```

Skips listed here apply to every resource in every environment, so prefer the inline, per-resource suppression shown above and reserve skip-check for checks that genuinely do not apply to this kit.
Output formats
| Format | Command | Use case |
|---|---|---|
| Compact | --compact | CI/CD pipelines |
| JSON | --output json | Custom tooling |
| JUnit XML | --output junitxml | Test reporting |
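The JSON format is what custom tooling consumes. The following is an added example, not part of the starter kit or of Checkov: it reads the output of `checkov -d . --framework terraform -o json`, fails the pipeline on any failed check in a hypothetical BLOCKING_CHECKS set, reports the remaining failures as warnings, treats unparsed files as blocking (a file Checkov could not parse was not scanned at all), and prints every inline suppression with its justification so reviewers see them in the CI log. The report fields it relies on (check_type, results.failed_checks / skipped_checks / parsing_errors, check_id, check_name, resource, file_path, file_line_range, check_result.suppress_comment, guideline) are Checkov's; the report content itself is a constructed sample, and the blocking policy is an assumption of this example.

```python
"""Gate a pipeline on Checkov's JSON report (added example)."""
import json
import sys

# Hypothetical policy for this starter kit: these check IDs block a merge outright.
BLOCKING_CHECKS = {
    "CKV_AWS_19",  # S3 data encrypted at rest
    "CKV_AWS_24",  # no security group ingress from 0.0.0.0/0 to port 22
}


def load_reports(raw):
    """Checkov emits one report object per framework: a bare object for a single
    framework, a list when several ran. Normalise to a list of report objects."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def gate(reports, blocking=BLOCKING_CHECKS):
    """Split findings into blocking failures, warnings and reviewed suppressions."""
    blocking_failures, warnings, suppressions = [], [], []
    for report in reports:
        results = report.get("results", {})
        for check in results.get("failed_checks", []):
            start, end = check["file_line_range"]
            entry = {
                "check_id": check["check_id"],
                "resource": check["resource"],
                "location": f"{check['file_path']}:{start}-{end}",
                "name": check["check_name"],
                "guideline": check.get("guideline"),
            }
            (blocking_failures if check["check_id"] in blocking else warnings).append(entry)
        for check in results.get("skipped_checks", []):
            suppressions.append({
                "check_id": check["check_id"],
                "resource": check["resource"],
                "reason": check.get("check_result", {}).get("suppress_comment") or "",
            })
        for path in results.get("parsing_errors", []):
            # Unparsed files were never evaluated; never let them pass silently.
            blocking_failures.append({
                "check_id": "PARSING_ERROR", "resource": path, "location": path,
                "name": "file could not be parsed by Checkov", "guideline": None,
            })
    return blocking_failures, warnings, suppressions


def exit_code(blocking_failures):
    """Non-zero only for blocking failures; warnings alone do not fail the build."""
    return 1 if blocking_failures else 0


# Constructed sample shaped like a single-framework Checkov JSON report.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_19",
             "check_name": "Ensure all data stored in the S3 bucket is securely encrypted at rest",
             "check_result": {"result": "FAILED"}, "resource": "aws_s3_bucket.data",
             "file_path": "/environments/staging/main.tf", "file_line_range": [15, 18],
             "guideline": "https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest"},
            {"check_id": "CKV_AWS_21",
             "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
             "check_result": {"result": "FAILED"}, "resource": "aws_s3_bucket.data",
             "file_path": "/environments/staging/main.tf", "file_line_range": [15, 18],
             "guideline": None},
        ],
        "skipped_checks": [
            {"check_id": "CKV_AWS_18",
             "check_name": "Ensure the S3 bucket has access logging enabled",
             "check_result": {"result": "SKIPPED",
                              "suppress_comment": "Access-log destination bucket"},
             "resource": "aws_s3_bucket.logs",
             "file_path": "/environments/staging/main.tf", "file_line_range": [20, 23]},
        ],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 1, "parsing_errors": 0, "resource_count": 2},
})

if __name__ == "__main__":
    # Pipe a real report in (checkov ... -o json | python gate.py); otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    blocking_failures, warnings, suppressions = gate(load_reports(raw))
    for entry in blocking_failures:
        print(f"BLOCK {entry['check_id']} {entry['resource']} ({entry['location']}): {entry['name']}")
    for entry in warnings:
        print(f"WARN  {entry['check_id']} {entry['resource']} ({entry['location']}): {entry['name']}")
    for entry in suppressions:
        print(f"SKIP  {entry['check_id']} {entry['resource']}: {entry['reason'] or '(no justification)'}")
    sys.exit(exit_code(blocking_failures))
```

Wire it in as `checkov --directory . --framework terraform --output json | python gate.py`; Checkov's own exit code still fails on any failure, so this script is for the case where the kit wants a narrower blocking set than "everything" while keeping the full list visible.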
Severity filtering
Focus on high-severity issues. Severities are assigned by the Bridgecrew/Prisma Cloud platform, so filtering by severity only works when Checkov runs with a platform API key (--bc-api-key); without one, --check accepts check IDs only (for example --check CKV_AWS_19,CKV_AWS_24):

```bash
checkov --directory . --framework terraform --check CRITICAL,HIGH
```
Best practices
- Run locally first: Use make security-scan before committing
- Review all failures: Understand what checks protect against
- Document suppressions: Always add clear justifications
- Update regularly: Keep Checkov up to date for new checks
- Combine with TFLint: Security (Checkov) + code quality (TFLint)
Next steps
- TFLint - Code quality linting
- Makefile - Validation commands
- Linting Configuration - Full configuration