Checkov Documentation

Quick Start

This Quick Start guide shows how to install Checkov, run a scan, and analyze the results. For more advanced configuration, see the CLI Reference and the rest of this documentation.

Install Checkov from PyPI

pip install checkov

Select input folder and scan

Use the command below to point Checkov at the directory that contains your Terraform files (and any other supported IaC files) and run a scan. To scan a Terraform plan JSON instead, see Terraform Plan Scanning. Checkov prints each check result and, by default, exits with a non-zero code when any check fails; see Hard and soft fail for the --soft-fail behaviour.

checkov -d /user/tf

Example

S3 Bucket configuration (compliant)

Consider the S3 bucket configuration in the Terraform sample below. It uses the inline acl, versioning, logging and server_side_encryption_configuration arguments of the AWS provider before v4.0; Checkov also evaluates the v4+ form, in which these settings live in separate aws_s3_bucket_acl, aws_s3_bucket_versioning, aws_s3_bucket_logging and aws_s3_bucket_server_side_encryption_configuration resources.

resource "aws_s3_bucket" "foo-bucket" {
  region        = var.region
  bucket        = local.bucket_name
  force_destroy = true

  tags = {
    Name = "foo-${data.aws_caller_identity.current.account_id}"
  }
  versioning {
    enabled = true
  }
  logging {
    target_bucket = "${aws_s3_bucket.log_bucket.id}"
    target_prefix = "log/"
  }
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = "${aws_kms_key.mykey.arn}"
        sse_algorithm     = "aws:kms"
      }
    }
  }
  acl           = "private"
}

Scan output for compliant S3 Bucket configuration

The scan output would be:

Passed checks: 4, Failed checks: 0, Skipped checks: 0

Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25


Check: "Ensure the S3 bucket has access logging enabled"
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25


Check: "Ensure all data stored in the S3 bucket have versioning enabled"
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25


Check: "S3 Bucket has an ACL defined which allows public access."
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25

The configuration passes all four S3 policies Checkov applied here: encryption at rest, access logging, versioning, and no public ACL. In the Checkov policy index these are CKV_AWS_19, CKV_AWS_18, CKV_AWS_21 and CKV_AWS_20 respectively, which are the IDs to pass to --check or --skip-check (see the CLI Command Reference). Newer Checkov releases ship additional S3 policies (for example for public access block settings), so a scan on your machine will report more than four checks.

S3 Bucket configuration (non-compliant)

Suppose that now the same bucket is configured to allow public access:

resource "aws_s3_bucket" "foo-bucket" {
  # Same resource configuration as the previous example, with acl set to public-read.

  acl           = "public-read"
}
data "aws_caller_identity" "current" {}

Scan output for non-compliant S3 Bucket Configuration

The output report would then contain a failed check:

Passed checks: 3, Failed checks: 1, Skipped checks: 0

Check: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25


Check: "Ensure the S3 bucket has access logging enabled"
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25


Check: "Ensure all data stored in the S3 bucket have versioning enabled"
 PASSED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25


Check: "S3 Bucket has an ACL defined which allows public access."
 FAILED for resource: aws_s3_bucket.foo-bucket
 File: /example.tf:1-25

  1 | resource "aws_s3_bucket" "foo-bucket" {
  2 |   region        = var.region
  3 |   bucket        = local.bucket_name
  4 |   force_destroy = true
  5 |
  6 |   tags = {
  7 |     Name = "foo-${data.aws_caller_identity.current.account_id}"
  8 |   }
  9 |   versioning {
  10 |     enabled = true
  11 |   }
  12 |   logging {
  13 |     target_bucket = "${aws_s3_bucket.log_bucket.id}"
  14 |     target_prefix = "log/"
  15 |   }
  16 |   server_side_encryption_configuration {
  17 |     rule {
  18 |       apply_server_side_encryption_by_default {
  19 |         kms_master_key_id = "${aws_kms_key.mykey.arn}"
  20 |         sse_algorithm     = "aws:kms"
  21 |       }
  22 |     }
  23 |   }
  24 |   acl           = "public-read"
  25 | }
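
The two steps above (install, then `checkov -d /user/tf`) and the scan output they produce can be driven from a CI job instead of read by eye. Below is an added example, not part of the Checkov documentation or the Checkov code base: it runs the same scan with `-o json`, reads the report, and returns a non-zero exit code only when one of a chosen set of policies fails. It assumes `checkov` is on PATH and that the JSON report has Checkov's report shape (one object per framework, or a bare object when a single framework ran, with `results.failed_checks` records carrying `check_id`, `check_name`, `resource`, `file_path` and `file_line_range`). `BLOCKING_CHECKS` is a hypothetical policy choice, and the embedded `SAMPLE_REPORT` is constructed by hand to mirror the non-compliant bucket scan above rather than captured from a run.

```python
"""Drive the Quick Start scan from Python and gate on the result.

Added example, not part of the Checkov documentation. It assumes only that
`checkov` is on PATH and that the JSON report (`-o json`) has Checkov's report
shape: one object per framework (a bare object when one framework ran) whose
results.failed_checks records carry check_id, check_name, resource, file_path
and file_line_range. BLOCKING_CHECKS is a hypothetical policy choice.
"""
import json
import subprocess
import sys

# Hypothetical gate: the four S3 policies exercised by the Quick Start example.
BLOCKING_CHECKS = {"CKV_AWS_18", "CKV_AWS_19", "CKV_AWS_20", "CKV_AWS_21"}


def run_checkov(directory: str) -> str:
    """Equivalent of `checkov -d <directory>` but with a JSON report on stdout.

    Checkov exits 1 whenever a check fails (hard fail), so check=False keeps
    the report instead of raising on that exit code.
    """
    proc = subprocess.run(
        ["checkov", "-d", directory, "--framework", "terraform", "-o", "json"],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def parse_report(text: str) -> list:
    """Normalise the report to a list of per-framework objects."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def count_results(reports: list) -> dict:
    """Recount passed/failed/skipped from the result lists, not the summary field."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    for report in reports:
        results = report.get("results", {})
        for key in counts:
            counts[key] += len(results.get(f"{key}_checks", []))
    return counts


def failed_checks(reports: list) -> list:
    """Flatten failed_checks across all frameworks in the report."""
    return [c for r in reports for c in r.get("results", {}).get("failed_checks", [])]


def blocking_failures(reports: list, blocking: set = BLOCKING_CHECKS) -> list:
    """Failed checks whose IDs are in the blocking set, in a stable order."""
    hits = [c for c in failed_checks(reports) if c["check_id"] in blocking]
    return sorted(hits, key=lambda c: (c["file_path"], c["check_id"]))


def format_failure(check: dict) -> str:
    """One line per finding, mirroring the CLI's 'File: /example.tf:1-25'."""
    start, end = check["file_line_range"]
    return (f'{check["check_id"]} {check["resource"]} '
            f'({check["file_path"]}:{start}-{end}): {check["check_name"]}')


def gate(reports: list, blocking: set = BLOCKING_CHECKS) -> int:
    """Exit code for a CI job: 1 if any blocking check failed, else 0."""
    hits = blocking_failures(reports, blocking)
    for check in hits:
        print(format_failure(check))
    return 1 if hits else 0


def _record(check_id: str, name: str, result: str) -> dict:
    """Build one check record in the report's shape (sample data only)."""
    return {"check_id": check_id, "check_name": name, "check_result": {"result": result},
            "resource": "aws_s3_bucket.foo-bucket", "file_path": "/example.tf",
            "file_line_range": [1, 25]}


# Constructed sample (not captured from a run): the non-compliant bucket scan
# from the Quick Start as a JSON report, trimmed to the fields this script reads.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            _record("CKV_AWS_19", "Ensure all data stored in the S3 bucket is securely encrypted at rest", "PASSED"),
            _record("CKV_AWS_18", "Ensure the S3 bucket has access logging enabled", "PASSED"),
            _record("CKV_AWS_21", "Ensure all data stored in the S3 bucket have versioning enabled", "PASSED"),
        ],
        "failed_checks": [
            _record("CKV_AWS_20", "S3 Bucket has an ACL defined which allows public access.", "FAILED"),
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 3, "failed": 1, "skipped": 0, "parsing_errors": 0, "resource_count": 1},
})

if __name__ == "__main__":
    # `python gate.py /user/tf` scans that directory; with no argument it replays the sample.
    raw = run_checkov(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(parse_report(raw)))
```

Recounting from the result lists rather than trusting the `summary` block means the gate still works if you merge several per-framework reports, and keying the gate on explicit check IDs (instead of "any failure") is the same decision you would otherwise encode with --check, --skip-check or --soft-fail on the command line.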

Visualizing scan output

In addition to the CLI output shown above, Checkov can emit results in other formats (see Outputs), and you can visualize them in the Bridgecrew platform by connecting a free Bridgecrew account. Read more about visualizing scan results in the Bridgecrew platform.

(Screenshot: Visualizing Scan Output with Bridgecrew)

Integrations

In addition to integrating with your code repository, Checkov can run inside your automated build pipeline via CI/CD providers. When your build runs, Checkov scans your infrastructure-as-code files for misconfigurations and fails the build on findings unless you opt into soft fail. You can integrate Checkov with:

  • Jenkins
  • Bitbucket Cloud Pipelines
  • GitHub Actions
  • GitLab CI
  • Kubernetes
  • Pre-Commit
  • Docker
  • Terraform Plans and Third-Party Modules

Add-ons

To get real-time IaC scanning and in-line fixes directly from your IDE, check out the Checkov Visual Studio Code extension and the Checkov JetBrains Plugin.
