Command Palette

Search for a command to run...

Static code analysis tool for scanning infrastructure-as-code files for misconfigurations and compliance issues before deployment. Scans Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Serverless, Docker, and AWS CDK with a single CLI, helping teams catch security and compliance problems at build-time rather than in production.

Maintained by Bridgecrew and widely adopted for its policy-as-code approach: teams can use hundreds of predefined checks while extending with custom Python or YAML policies. Stands out with graph-based analysis that evaluates relationships between cloud resources, catching misconfigurations that attribute-only scanners miss. Supports CIS benchmarks and cloud provider security frameworks out of the box.

Key features:

  • 750+ predefined policies across major cloud providers and IaC frameworks
  • Custom policies in Python or YAML, including graph-based policies for resource relationships
  • CLI-first design with integrations for CI/CD pipelines and version control
  • Compliance mappings for CIS benchmarks and cloud foundations
  • Extensible framework for custom providers and suppression terms

Engineers run Checkov locally before commits or integrate it into pull request workflows to enforce security and compliance. Common scenarios: validating Terraform plans before apply, scanning Helm charts and Kubernetes manifests, and blocking deployments that violate organizational policy. Fits into developer workflows via pre-commit hooks, GitHub Actions, GitLab CI, or other build systems.

GitHub Repositories
0
No noticeable change in usage since last week

Top repositories using Checkov

Most popular GitHub repositories that import or use Checkov
No open-source repositories are using Checkov yet.
Missing something?