Prevent cloud misconfigurations during build time
Latest commit efb836d Jan 17, 2020




Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.

Checkov is written in Python and provides a simple method to write and manage policies. It follows the CIS Foundations benchmarks where applicable.


  • 50+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
  • Policies support variable scanning by building a dynamic code dependency graph (coming soon).
  • Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures.
  • Output currently available as CLI, JSON or JUnit XML.


Scan results in CLI


Scheduled scan result in Jenkins


Getting started


pip install checkov

Configure an input folder

checkov -d /user/tf

Or a specific file

checkov -f /user/tf/

Scan result sample (CLI)

Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name       
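
A minimal Terraform input that would lead to a result like the sample above, added here as an illustration and not taken from the Checkov repository. It assumes the inline `server_side_encryption_configuration` block of the AWS provider versions current at the time of this README, and that the check looks for that block; the bucket names are placeholders.

```hcl
# Passes: default server-side encryption is declared on the bucket.
resource "aws_s3_bucket" "template_bucket" {
  bucket = "example-template-bucket" # placeholder name

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        # "aws:kms" (with kms_master_key_id) is the other accepted value.
        sse_algorithm = "AES256"
      }
    }
  }
}

# Fails: no server_side_encryption_configuration block, so objects
# are stored without default encryption at rest.
# Adding the same block as above resolves the finding.
resource "aws_s3_bucket" "sls_deployment_bucket_name" {
  bucket = "example-sls-deployment-bucket" # placeholder name
}
```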

Start using Checkov by reading the Getting Started page.

Using Docker

docker pull bridgecrew/checkov
docker run -i -v /user/tf:/tf bridgecrew/checkov -d /tf


For Terraform compliance scanners check out tfsec, Terrascan and Terraform AWS Secure Baseline.

For CloudFormation scanning check out cfripper and cfn_nag.


Contribution is welcomed!

Start by reviewing the contribution guidelines. After that, take a look at a good first issue.

Looking to contribute new checks? Learn how to write a new check (AKA policy) here


Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.

Start with our Documentation for quick tutorials and examples.

If you need direct support you can contact us at or open a ticket.
