Checkov

Learn how the starter kit uses Checkov to enforce security and compliance on Terraform configurations.


Checkov is an open-source static analysis tool from Bridgecrew/Palo Alto Networks. It scans infrastructure-as-code files—including Terraform—for misconfigurations that could lead to security, compliance, or operational issues.

How the Starter Kit Uses Checkov

| Integration point | Command | Description |
|---|---|---|
| Local validation | make security-scan | Runs Checkov across all environment directories to catch security issues before they reach AWS |
| CI enforcement | make validate-full | Calls Checkov before any Terraform deployment; failing checks block the pipeline so unsafe changes never reach production |
| Full validation | make validate-full | Includes Checkov as part of the comprehensive validation suite alongside Terraform validate, TFLint, and formatting checks |

Running Checkov manually

The starter kit provides convenient make commands:

make security-scan

Or run Checkov directly on a specific environment:

cd environments/test/
checkov --directory . --framework terraform

Target a single file while you iterate:

checkov --file main.tf --framework terraform

Common Security Issues Detected

Checkov ships with hundreds of built-in security and compliance checks; the main categories it covers are listed below.

Security Categories

| Category | Checks |
|---|---|
| S3 security | Unencrypted buckets, public access, missing versioning |
| IAM policies | Overly permissive policies, wildcard actions, missing MFA |
| Network security | Open security groups, unencrypted traffic, missing VPC flow logs |
| Encryption | Missing encryption at rest and in transit |
| Logging | Missing CloudTrail, CloudWatch logs, or access logging |
| Compliance | PCI-DSS, HIPAA, CIS AWS Foundations, SOC2, and more |

Example Output:

Check: CKV_AWS_18: "Ensure S3 bucket has server-side encryption enabled"
  FAILED for resource: aws_s3_bucket.data
  File: /environments/test/main.tf:15-18
  Guide: https://docs.bridgecrew.io/docs/s3_14-data-encrypted-at-rest

Suppressing false positives

When Checkov flags a legitimate design choice, suppress the check with an inline comment:

resource "aws_s3_bucket" "logs" {
  #checkov:skip=CKV_AWS_18:Encryption not required for access logs
  bucket = "app-access-logs"
}

Always include a justification explaining why the check doesn't apply. The text after the second colon is recorded as the suppression reason in Checkov's output, so reviewers can audit every skip without opening the Terraform source.

Tuning Results

Output Formats

| Format | Command | Use case |
|---|---|---|
| Compact | checkov --directory . --framework terraform --compact | CI/CD pipelines |
| JSON | checkov --directory . --framework terraform --output json | Parsing results in custom tooling |
| JUnit XML | checkov --directory . --framework terraform --output junitxml > results.xml | Test reporting systems |
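The JSON format is the one to reach for when building custom tooling around the scan. The script below is an added example, not part of the starter kit: it reads a Checkov JSON report (handling both the single-object form and the list Checkov emits when several frameworks are scanned), lists the failed checks with their file locations, and flags suppressed checks whose inline skip comment carries no justification, which supports the "document suppressions" rule from the previous section. The embedded report is a constructed sample trimmed to the fields used here.

```python
import json
from typing import Any, Iterator

# Constructed sample of `checkov ... --output json`, trimmed to the fields used
# below (a real report carries more keys per record); all values are made up.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [], "parsing_errors": [],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.data",
             "check_result": {"result": "FAILED"},
             "file_path": "/environments/test/main.tf", "file_line_range": [15, 18]},
        ],
        "skipped_checks": [
            {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs",
             "check_result": {"result": "SKIPPED",
                              "suppress_comment": "Encryption not required for access logs"},
             "file_path": "/environments/test/main.tf", "file_line_range": [20, 23]},
            {"check_id": "CKV_AWS_144", "resource": "aws_s3_bucket.logs",
             "check_result": {"result": "SKIPPED", "suppress_comment": "No comment provided"},
             "file_path": "/environments/test/main.tf", "file_line_range": [20, 23]},
        ],
    },
})

def iter_reports(raw: str) -> Iterator[dict[str, Any]]:
    """Normalise Checkov's single-report object or multi-framework list to a stream."""
    data = json.loads(raw)
    yield from (data if isinstance(data, list) else [data])

def failed_checks(raw: str) -> list[tuple[str, str, str]]:
    """(check_id, resource, file:start-end) for every FAILED record."""
    out = []
    for rep in iter_reports(raw):
        for rec in rep["results"].get("failed_checks", []):
            start, end = rec["file_line_range"]
            out.append((rec["check_id"], rec["resource"], f"{rec['file_path']}:{start}-{end}"))
    return out

def undocumented_skips(raw: str) -> list[tuple[str, str]]:
    """Skipped checks whose suppression carries no justification. Checkov records
    the placeholder 'No comment provided' when a #checkov:skip gives no reason."""
    out = []
    for rep in iter_reports(raw):
        for rec in rep["results"].get("skipped_checks", []):
            reason = rec["check_result"].get("suppress_comment", "").strip()
            if not reason or reason == "No comment provided":
                out.append((rec["check_id"], rec["resource"]))
    return out
```

Feed it the output of `checkov --directory . --framework terraform --output json` in CI and fail the job when `undocumented_skips` returns anything, so a bare skip cannot slip past review.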

Severity Filtering

Focus on high-severity issues:

checkov --directory . --framework terraform --check CRITICAL,HIGH

Framework Selection

Scan only Terraform (useful if you have mixed IaC):

checkov --directory . --framework terraform

Configuration file

The starter kit includes a pre-configured .checkov.yml file. For details on the default configuration and how to customize it, see the Checkov configuration section.

Persistent configuration lives in a .checkov.yml file in the repository root, for example:

# .checkov.yml
framework:
  - terraform

skip-check:
  - CKV_AWS_18  # S3 encryption - using bucket policies instead
  - CKV_AWS_144 # S3 cross-region replication - not required

quiet: false
compact: true

Integration with CI/CD

The GitHub Actions workflow includes Checkov as part of the validation stage:

- name: Validate infrastructure
  run: make validate-full

This runs all validation tools including Checkov, ensuring security checks pass before deployment. Failed checks block the pipeline, preventing unsafe infrastructure from reaching production.

For complete details on how Checkov integrates into the automated workflow, see the CI/CD Workflows documentation.

Best practices

  • Run locally first: Use make security-scan before committing to catch issues early
  • Review all failures: Don't blindly suppress checks—understand what they protect against
  • Document suppressions: Always add clear justifications when skipping checks
  • Update regularly: Keep Checkov up to date to get new security checks
  • Combine with TFLint: Use both tools together—Checkov focuses on security while TFLint focuses on best practices

Next steps

Pair Checkov with TFLint for comprehensive code quality coverage, and review the Makefile reference to see all available validation commands.