Checkov is a static code analysis tool for infrastructure-as-code.
It scans cloud infrastructure provisioned using Terraform, CloudFormation, Kubernetes and Dockerfile, and detects security and compliance misconfigurations using graph-based scanning.
Checkov is written in Python and provides a simple method to write and manage policies. It follows the CIS Foundations benchmarks where applicable.
Features
- Over 1000 built-in policies cover security and compliance best practices for AWS, Azure and Google Cloud.
- Scans Terraform, Terraform Plan, CloudFormation, Kubernetes, Dockerfile, Serverless framework and ARM template files.
- Supports context-aware policies based on in-memory graph-based scanning.
- Supports Python format for attribute policies and YAML format for both attribute and composite policies.
- Detects AWS credentials in EC2 user data, Lambda environment variables and Terraform providers.
- Identifies secrets using regular expressions, keywords, and entropy-based detection.
- Evaluates Terraform provider settings to regulate the creation, management, and updates of IaaS, PaaS or SaaS resources managed through Terraform.
- Policies can evaluate variables, resolving them to their default value where one is defined.
- Supports in-line suppression of accepted risks or false positives to reduce recurring scan failures. Global skips can also be set from the CLI.
- Output is available as CLI, CycloneDX, JSON, JUnit XML and GitHub markdown, with links to remediation guides.
Checkov supports developers using Terraform, Terraform plan, CloudFormation, Kubernetes, ARM Templates, Serverless, Helm, and AWS CDK.
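To show how the three secret-detection strategies listed above (regular expressions, keywords, entropy) combine on a Terraform provider block, here is an added example; it is not Checkov's own code, and the key-ID pattern, the keyword list and the 4.0-bit entropy threshold are this example's assumptions.

```python
import math
import re

# Constructed Terraform sample; the key values are the AWS documentation
# example credentials, not live secrets.
SAMPLE_TF = """\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
resource "aws_instance" "web" {
  ami           = "ami-0c55b159cbfafe1f0"
  instance_type = "t3.micro"
}
"""

# Strategy 1: the AWS access key ID format as a regular expression (assumed pattern).
AWS_ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Strategy 2: attribute names that conventionally hold secrets (assumed list).
SECRET_KEYWORDS = re.compile(r"secret|password|passwd|token|access_key|api_key", re.I)
# Simple HCL string assignment:   name = "value"
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')

def shannon_entropy(s: str) -> float:
    """Strategy 3: bits per character; random-looking keys score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in (s.count(c) for c in set(s)))

def scan_hcl(text: str, entropy_threshold: float = 4.0, min_len: int = 20) -> list:
    """Return (line, attribute, reasons) for each assignment any strategy flags.
    Low-entropy identifiers such as AMI IDs or regions are not reported."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        attr, value = m.group(1), m.group(2)
        reasons = []
        if AWS_ACCESS_KEY_ID.search(value):
            reasons.append("regex:aws_access_key_id")
        if SECRET_KEYWORDS.search(attr):
            reasons.append("keyword:" + attr)
        if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
            reasons.append("entropy:%.2f" % shannon_entropy(value))
        if reasons:
            findings.append((lineno, attr, reasons))
    return findings
```

Running `scan_hcl(SAMPLE_TF)` flags the access key (regex and keyword) and the secret key (keyword and entropy), while the AMI ID and region stay below the entropy threshold and match neither pattern.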
Links:
- https://securityonline.info/checkov-prevent-cloud-misconfigurations-during-build-time-for-terraform-cloudformation-kubernetes/
- https://github.com/bridgecrewio/checkov