Skip to content
Prevent cloud misconfigurations during build time - Terraform static analysis
Python HCL Other
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.


Maintained by build status code_coverage docs PyPI Downloads Terraform Version

Table of contents


Checkov is a static code analysis tool for infrastructure-as-code. It scans cloud infrastructure provisioned using Terraform and detects security and compliance misconfigurations.

Checkov is written in Python and provides a simple method to write and manage policies. It follows the CIS Foundations benchmarks where applicable.


  • 60+ built-in policies cover security and compliance best practices for AWS, Azure & Google Cloud.
  • Policies support evaluation of variables to their optional default value
  • Supports in-line suppression of accepted risks or false-positives to reduce recurring scan failures.
  • Output currently available as CLI, JSON or JUnit XML.


Scan results in CLI


Scheduled scan result in Jenkins


Getting started


pip install checkov

Configure an input folder

checkov -d /user/tf

Or a specific file

checkov -f /user/tf/

Scan result sample (CLI)

Passed Checks: 1, Failed Checks: 1, Suppressed Checks: 0
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
	 Passed for resource: aws_s3_bucket.template_bucket 
Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
	 Failed for resource: aws_s3_bucket.sls_deployment_bucket_name       

Start using Checkov by reading the Getting Started page.

Using Docker

docker pull bridgecrew/checkov
docker run -t -v /user/tf:/tf bridgecrew/checkov -d /tf

Suppressing/Ignoring a check

Like any static-analysis tool it is limited by its analysis scope. For example, if a resource is managed manually, or using subsequent configuration management tooling, a suppression can be inserted as a simple code annotation.

Suppression comment format

To skip a check on a given Terraform definition block, apply the following comment pattern inside it's scope:


  • <check_id> is one of the available check scanners
  • <suppression_comment> is an optional suppression reason to be included in the output


The following comment skip the CKV_AWS_20 check on the resource identified by foo-bucket, where the scan checks if an AWS S3 bucket is private. In the example, the bucket is configured with a public read access; Adding the suppress comment would skip the appropriate check instead of the check to fail.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
    #checkov:skip=CKV_AWS_20:The bucket is a public static content host
  bucket        = local.bucket_name
  force_destroy = true
  acl           = "public-read"

The output would now contain a SKIPPED check result entry:

Check: "S3 Bucket has an ACL defined which allows public access."
	SKIPPED for resource:
	Suppress comment: The bucket is a public static content host
	File: /


For Terraform compliance scanners check out tfsec, Terrascan and Terraform AWS Secure Baseline.

For CloudFormation scanning check out cfripper and cfn_nag.


Contribution is welcomed!

Start by reviewing the contribution guidelines. After that, take a look at a good first issue.

Looking to contribute new checks? Learn how to write a new check (AKA policy) here


Bridgecrew builds and maintains Checkov to make policy-as-code simple and accessible.

Start with our Documentation for quick tutorials and examples.

If you need direct support you can contact us at or open a ticket.

You can’t perform that action at this time.