Infrastructure as Code Security with Checkov

Overview

Checkov is a static code analysis tool that scans Infrastructure as Code (IaC) files for security misconfigurations and compliance violations before deployment. With 750+ built-in policies, Checkov helps prevent cloud security issues by detecting problems in Terraform, CloudFormation, Kubernetes, Dockerfiles, Helm charts, and ARM templates.

Checkov performs graph-based scanning to understand resource relationships and detect complex misconfigurations that span multiple resources, making it more powerful than simple pattern matching.

Quick Start

Install Checkov

# Via pip
pip install checkov

# Via Homebrew (macOS)
brew install checkov

# Via Docker
docker pull bridgecrew/checkov

Scan Terraform Directory

# Scan all Terraform files in directory
checkov -d ./terraform

# Scan specific file
checkov -f ./terraform/main.tf

# Scan with specific framework
checkov -d ./infrastructure --framework terraform

Scan Kubernetes Manifests

# Scan Kubernetes YAML files
checkov -d ./k8s --framework kubernetes

# Scan Helm chart
checkov -d ./helm-chart --framework helm

Scan CloudFormation Template

# Scan CloudFormation template
checkov -f ./cloudformation/template.yaml --framework cloudformation

Core Workflow

Step 1: Understand Scan Scope

Identify IaC files and frameworks to scan:

# Supported frameworks
checkov --list-frameworks

# Output:
# terraform, cloudformation, kubernetes, dockerfile, helm,
# serverless, arm, secrets, ansible, github_actions, gitlab_ci

Scope Considerations:

• Scan entire infrastructure directory for comprehensive coverage
• Focus on specific frameworks during initial adoption
• Exclude generated or vendor files
• Include both production and non-production configurations

Step 2: Run Basic Scan

Execute Checkov with appropriate output format:

# CLI output (human-readable)
checkov -d ./terraform

# JSON output (for automation)
checkov -d ./terraform -o json

# Multiple output formats
checkov -d ./terraform -o cli -o json -o sarif

# Save output to file
checkov -d ./terraform -o json --output-file-path ./reports

What Checkov Detects:

• Security misconfigurations (unencrypted resources, public access)
• Compliance violations (CIS benchmarks, industry standards)
• Secrets and hardcoded credentials
• Missing security controls (logging, monitoring, encryption)
• Insecure network configurations
• Resource relationship issues (via graph analysis)

Step 3: Filter and Prioritize Findings

Focus on critical issues first:

# Show only high severity issues
checkov -d ./terraform --check CKV_AWS_*

# Skip specific checks (false positives)
checkov -d ./terraform --skip-check CKV_AWS_8,CKV_AWS_21

# Check against specific compliance framework
checkov -d ./terraform --compact --framework terraform \
  --check CIS_AWS,CIS_AZURE

# Run only checks with specific severity
checkov -d ./terraform --check HIGH,CRITICAL

Severity Levels:

• CRITICAL: Immediate security risks (public S3 buckets, unencrypted databases)
• HIGH: Significant security concerns (missing MFA, weak encryption)
• MEDIUM: Important security best practices (missing tags, logging disabled)
• LOW: Recommendations and hardening (resource naming conventions)

Step 4: Suppress False Positives

Use inline suppression for legitimate exceptions:

# Terraform example
resource "aws_s3_bucket" "example" {
  # checkov:skip=CKV_AWS_18:This bucket is intentionally public for static website
  bucket = "my-public-website"
  acl    = "public-read"
}

# Kubernetes example
apiVersion: v1
kind: Pod
metadata:
  name: privileged-pod
  annotations:
    checkov.io/skip: CKV_K8S_16=Legacy application requires privileged mode
spec:
  containers:
  - name: app
    securityContext:
      privileged: true

See references/suppression_guide.md for comprehensive suppression strategies.

Step 5: Create Custom Policies

Define organization-specific policies:

# custom_checks/require_s3_versioning.py
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from checkov.common.models.enums import CheckResult, CheckCategories

class S3BucketVersioning(BaseResourceCheck):
    def __init__(self):
        name = "Ensure S3 bucket has versioning enabled"
        id = "CKV_AWS_CUSTOM_001"
        supported_resources = ['aws_s3_bucket']
        categories = [CheckCategories.BACKUP_AND_RECOVERY]
        super().__init__(name=name, id=id, categories=categories,
                         supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        if 'versioning' in conf:
            if conf['versioning'][0].get('enabled') == [True]:
                return CheckResult.PASSED
        return CheckResult.FAILED

check = S3BucketVersioning()

Run with custom policies:

checkov -d ./terraform --external-checks-dir ./custom_checks

See references/custom_policies.md for advanced policy development.

Step 6: Generate Compliance Reports

Create reports for audit and compliance:

# Generate comprehensive report
checkov -d ./terraform \
  -o cli -o json -o junitxml \
  --output-file-path ./compliance-reports \
  --repo-id my-infrastructure \
  --branch main

# CycloneDX SBOM for IaC
checkov -d ./terraform -o cyclonedx

# SARIF for GitHub Security
checkov -d ./terraform -o sarif --output-file-path ./sarif-report.json

Report Types:

• CLI: Human-readable console output
• JSON: Machine-readable for automation
• JUnit XML: CI/CD integration (Jenkins, GitLab)
• SARIF: GitHub/Azure DevOps Security tab
• CycloneDX: Software Bill of Materials for IaC

Map findings to compliance frameworks using references/compliance_mapping.md.

CI/CD Integration

GitHub Actions

Add Checkov scanning to pull request checks:

# .github/workflows/checkov.yml
name: Checkov IaC Security Scan
on: [push, pull_request]

jobs:
  checkov-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Run Checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: infrastructure/
          framework: terraform
          output_format: sarif
          output_file_path: checkov-results.sarif
          soft_fail: false

      - name: Upload SARIF Report
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: checkov-results.sarif

Pre-Commit Hook

Prevent committing insecure IaC:

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/bridgecrewio/checkov
    rev: 2.5.0
    hooks:
      - id: checkov
        args: [--soft-fail]
        files: \.(tf|yaml|yml|json)$

Install pre-commit hooks:

pip install pre-commit
pre-commit install

GitLab CI

# .gitlab-ci.yml
checkov_scan:
  image: bridgecrew/checkov:latest
  stage: security
  script:
    - checkov -d ./terraform -o json -o junitxml
      --output-file-path $CI_PROJECT_DIR/checkov-report
  artifacts:
    reports:
      junit: checkov-report/results_junitxml.xml
    paths:
      - checkov-report/
    when: always

Jenkins Pipeline

// Jenkinsfile
pipeline {
    agent any
    stages {
        stage('Checkov Scan') {
            steps {
                sh 'pip install checkov'
                sh '''
                    checkov -d ./terraform \
                      -o cli -o junitxml \
                      --output-file-path ./reports
                '''
            }
        }
    }
    post {
        always {
            junit 'reports/results_junitxml.xml'
        }
    }
}

See assets/ directory for complete CI/CD templates.

Framework-Specific Workflows

Terraform

Scan Terraform with Variable Files:

# Scan with tfvars
checkov -d ./terraform --v