Evaluate Checkov policies on Terraform plan
Checkov supports the evaluation of policies on resources declared in .tf
files. It can also be used to evaluate terraform plan
expressed in a json file.
Plan evaluation provides Checkov additional dependencies and context that can result in a more complete scan result.
Since Terraform plan files may contain arguments (like secrets) that are injected dynamically, it is advised to run a plan evaluation using Checkov in a secure CI/CD pipeline setting.
Example
terraform init
terraform plan --out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
checkov -f tfplan.json