Search for a command to run...
Static code analysis tool for scanning infrastructure-as-code files for misconfigurations and compliance issues before deployment. Scans Terraform, CloudFormation, Kubernetes, Helm, ARM templates, Serverless, Docker, and AWS CDK with a single CLI, helping teams catch security and compliance problems at build-time rather than in production.
Maintained by Bridgecrew and widely adopted for its policy-as-code approach: teams can use hundreds of predefined checks while extending with custom Python or YAML policies. Stands out with graph-based analysis that evaluates relationships between cloud resources, catching misconfigurations that attribute-only scanners miss. Supports CIS benchmarks and cloud provider security frameworks out of the box.
Key features:
Engineers run Checkov locally before commits or integrate it into pull request workflows to enforce security and compliance. Common scenarios: validating Terraform plans before apply, scanning Helm charts and Kubernetes manifests, and blocking deployments that violate organizational policy. Fits into developer workflows via pre-commit hooks, GitHub Actions, GitLab CI, or other build systems.