What is Checkov?
Checkov is an open-source static analysis tool from Bridgecrew/Palo Alto Networks. It scans infrastructure-as-code files—including Terraform—for misconfigurations that could lead to security, compliance, or operational issues.
How the starter kit uses Checkov
- Local validation: make security-scan runs Checkov across all environment directories to catch security issues before they reach AWS.
- CI enforcement: The deploy workflow calls Checkov via make validate-full before any Terraform deployment. Failing checks block the pipeline so unsafe changes never reach production.
- Full validation: Running make validate-full includes Checkov as part of a comprehensive validation suite alongside Terraform validate, TFLint, and formatting checks.
Running Checkov manually
The starter kit provides convenient make commands:
make security-scan
Or run Checkov directly on a specific environment:
cd environments/test/
checkov --directory . --framework terraform
Target a single file while you iterate:
checkov --file main.tf --framework terraform
Common security issues detected
Checkov scans for hundreds of security and compliance checks, including:
- S3 security: Unencrypted buckets, public access, missing versioning
- IAM policies: Overly permissive policies, wildcard actions, missing MFA
- Network security: Open security groups, unencrypted traffic, missing VPC flow logs
- Encryption: Missing encryption at rest and in transit
- Logging: Missing CloudTrail, CloudWatch logs, or access logging
- Compliance: PCI-DSS, HIPAA, CIS AWS Foundations, SOC2, and more
Example output:
Check: CKV_AWS_18: "Ensure S3 bucket has server-side encryption enabled"
FAILED for resource: aws_s3_bucket.data
File: /environments/test/main.tf:15-18
Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest
Suppressing false positives
When Checkov flags a legitimate design choice, suppress the check with an inline comment:
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Encryption not required for access logs
  bucket = "app-access-logs"
}
Always include a justification explaining why the check doesn't apply.
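As an added example (not part of the starter kit or of Checkov itself), a small Python audit that scans Terraform source for checkov:skip comments and reports any whose justification is missing or too short to explain the accepted risk. It assumes the inline comment format shown above; the sample Terraform it runs on is constructed.

```python
import re
from dataclasses import dataclass

# Matches the inline suppression comment Checkov reads from Terraform files:
#   #checkov:skip=CKV_AWS_18:Encryption not required for access logs
# Group 1 is the check ID; group 2 is the optional justification after the second colon.
# Optional whitespace after "#" is tolerated (assumption, for hand-written comments).
SKIP_RE = re.compile(r"#\s*checkov:skip=\s*([A-Za-z_\d]+)(?::(.*?))?\s*$")


@dataclass
class Suppression:
    line: int
    check_id: str
    justification: str


def find_suppressions(tf_source: str) -> list[Suppression]:
    """Return every checkov:skip comment in a Terraform file with its (possibly empty) justification."""
    found = []
    for lineno, raw in enumerate(tf_source.splitlines(), start=1):
        m = SKIP_RE.search(raw)
        if m:
            found.append(Suppression(lineno, m.group(1), (m.group(2) or "").strip()))
    return found


def audit_suppressions(tf_source: str, min_words: int = 3) -> list[str]:
    """Return one finding per suppression whose justification is absent or shorter than min_words."""
    findings = []
    for s in find_suppressions(tf_source):
        if len(s.justification.split()) < min_words:
            findings.append(f"line {s.line}: {s.check_id} skipped without a justification")
    return findings


# Constructed sample: one documented suppression and two that should fail review.
SAMPLE_TF = """\
resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Encryption not required for access logs
  bucket = "app-access-logs"
}

resource "aws_s3_bucket" "data" {
  #checkov:skip=CKV_AWS_144
  # checkov:skip=CKV_AWS_21:tbd
  bucket = "app-data"
}
"""

if __name__ == "__main__":
    for finding in audit_suppressions(SAMPLE_TF):
        print(finding)
```

Run it over each environment directory (for example with `git ls-files '*.tf'`) and fail the job when it returns any finding, so undocumented suppressions are caught in the same gate as the Checkov scan.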
Tuning results
Output formats
Control output format for different use cases:
# Compact output for CI
checkov --directory . --framework terraform --compact
# JSON output for parsing
checkov --directory . --framework terraform --output json
# JUnit XML for test reporting
checkov --directory . --framework terraform --output junitxml > results.xml
Severity filtering
Focus on high-severity issues:
checkov --directory . --framework terraform --check CRITICAL,HIGH
Framework selection
Scan only Terraform (useful if you have mixed IaC):
checkov --directory . --framework terraform
Configuration file
The starter kit includes a pre-configured .checkov.yml file. For details on the default configuration and how to customize it, see the Checkov configuration section.
A .checkov.yml file in the repository root provides persistent configuration:
# .checkov.yml
framework:
  - terraform
skip-check:
  - CKV_AWS_18   # S3 encryption - using bucket policies instead
  - CKV_AWS_144  # S3 cross-region replication - not required
quiet: false
compact: true
Integration with CI/CD
The GitHub Actions workflow includes Checkov as part of the validation stage:
- name: Validate infrastructure
  run: make validate-full
This runs all validation tools including Checkov, ensuring security checks pass before deployment. Failed checks block the pipeline, preventing unsafe infrastructure from reaching production.
For complete details on how Checkov integrates into the automated workflow, see the CI/CD Workflow documentation.
Best practices
- Run locally first: Use make security-scan before committing to catch issues early
- Review all failures: Don't blindly suppress checks—understand what they protect against
- Document suppressions: Always add clear justifications when skipping checks
- Update regularly: Keep Checkov up to date to get new security checks
- Combine with TFLint: Use both tools together—Checkov focuses on security while TFLint focuses on best practices
Next steps
Pair Checkov with TFLint for comprehensive code quality coverage, and review the Makefile reference to see all available validation commands.