Integrate Checkov with Github Actions

You can integrate Checkov into Github Actions. This gives you a simple, automatic way of applying policies to your Terraform code, both during pull request review and as part of any build process: every run scans the checked-out repository and fails the job if a check fails.

Use a checkov action from the marketplace:

Go to the Github Marketplace and use a pre-made Checkov action.

Create your own action: Basic Set-up

Add a new step in `workflow.yml`. Github Actions reads workflow files from the `.github/workflows` directory of the repository:

```
.
└── .github
    └── workflows
        └── workflow.yml
```

Here is a basic example:

```yaml
name: Checkov
on:
  push:
    branches:
      - master
jobs:
  build:                    # job id; any name works
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.7]
    steps:
      - uses: actions/checkout@v2
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python-version }}
      - name: Test with Checkov
        run: |
          pip install checkov
          # checkov exits non-zero when any check fails, which fails this step and the job
          checkov -d .
```

The action tags above (`actions/checkout@v2`, `actions/setup-python@v1`) are mutable references. For a workflow that enforces policy, pin each action to the full commit SHA of a current release so that a retagged or compromised action cannot change what runs in your pipeline.

Example Results

Every push to the master branch runs this job. If Checkov finds any failed check it exits non-zero, the step fails, and the build fails.
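Checkov can also write its findings as a report (`checkov -d . -o json`) that a later workflow step can gate on, which is useful when only some checks should block a merge. The script below is an added example, not code from the Checkov project or from this page: it fails the job only for a chosen set of blocking check IDs and surfaces the remaining failures as Github warning annotations. The report it parses is constructed by hand in the shape of Checkov's JSON output, trimmed to the fields the script reads; the blocking policy, the `aws_s3_bucket.logs` resource and its finding are assumptions of the example.

```python
"""Gate a CI job on a Checkov JSON report.

Added example, not code from the Checkov project or the original page.
Assumes the workflow step ran `checkov -d . -o json > checkov.json` with
`--soft-fail`, so that this script, not checkov's own exit code, decides
whether the job fails.
"""
import json
import sys

# Policy (an assumption of this example): these check IDs block the job;
# any other failed check is printed as a warning but does not fail it.
BLOCKING_CHECKS = {
    "CKV_AWS_42",  # Ensure EFS is securely encrypted
}

# Constructed sample in the shape of Checkov's JSON output, trimmed to the
# fields this script reads. The EFS resource is the one from this page;
# the S3 bucket and its finding are made up to exercise the warning path.
SAMPLE_REPORT = json.dumps({
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {
                "check_id": "CKV_AWS_42",
                "check_name": "Ensure EFS is securely encrypted",
                "check_result": {"result": "FAILED"},
                "resource": "aws_efs_file_system.sharedstore",
                "file_path": "/efs.tf",
                "file_line_range": [1, 12],
            },
            {
                "check_id": "CKV_AWS_18",
                "check_name": "Ensure the S3 bucket has access logging enabled",
                "check_result": {"result": "FAILED"},
                "resource": "aws_s3_bucket.logs",
                "file_path": "/s3.tf",
                "file_line_range": [1, 5],
            },
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 0, "parsing_errors": 0},
})


def evaluate(report_json, blocking=frozenset(BLOCKING_CHECKS)):
    """Split a Checkov JSON report into blocking findings, warnings and parse errors.

    Checkov emits one report object when a single framework was scanned and a
    list of report objects (one per framework) otherwise; both are accepted.
    Each finding is a (check_id, resource, file_path) tuple.
    """
    data = json.loads(report_json)
    reports = data if isinstance(data, list) else [data]
    verdict = {"blocking": [], "warnings": [], "parsing_errors": []}
    for report in reports:
        results = report.get("results", {})
        # A file Checkov could not parse was never scanned, so its resources
        # are unverified: treat that as a failure rather than a silent pass.
        verdict["parsing_errors"].extend(results.get("parsing_errors", []))
        for check in results.get("failed_checks", []):
            finding = (check["check_id"], check["resource"], check.get("file_path", ""))
            bucket = "blocking" if check["check_id"] in blocking else "warnings"
            verdict[bucket].append(finding)
    return verdict


def passes(report_json, blocking=frozenset(BLOCKING_CHECKS)):
    """True when the job may succeed: no blocking finding and no parse error."""
    verdict = evaluate(report_json, blocking)
    return not verdict["blocking"] and not verdict["parsing_errors"]


def main(argv):
    """Read the report from the path in argv[1] (or stdin) and return the exit code."""
    if len(argv) > 1:
        with open(argv[1]) as report_file:
            report_json = report_file.read()
    else:
        report_json = sys.stdin.read()
    verdict = evaluate(report_json)
    # Checkov paths are relative to the scanned directory with a leading slash;
    # Github annotations want a repository-relative path, so strip it.
    for check_id, resource, path in verdict["warnings"]:
        print(f"::warning file={path.lstrip('/')}::{check_id} failed on {resource}")
    for check_id, resource, path in verdict["blocking"]:
        print(f"::error file={path.lstrip('/')}::{check_id} failed on {resource}")
    for path in verdict["parsing_errors"]:
        print(f"::error file={path.lstrip('/')}::Checkov could not parse this file")
    return 0 if passes(report_json) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a step after the scan (`python gate.py checkov.json`); the `::warning` and `::error` lines are Github workflow commands, so the findings appear as annotations on the pull request. Note that recent Checkov releases offer `--soft-fail-on` and `--hard-fail-on` for the simple case of blocking on selected check IDs; a script like this is worth keeping when you also need the parse-error handling or custom reporting.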

Action Failure

In the original example code, the file system resource below

```hcl
resource "aws_efs_file_system" "sharedstore" {
  creation_token = var.efs["creation_token"]

  lifecycle_policy {
    transition_to_ia = var.efs["transition_to_ia"]
  }

  kms_key_id                      = var.efs["kms_key_id"]
  encrypted                       = false   # finding: encryption at rest disabled
  performance_mode                = var.efs["performance_mode"]
  provisioned_throughput_in_mibps = var.efs["provisioned_throughput_in_mibps"]
  throughput_mode                 = var.efs["throughput_mode"]
}
```

is not set to be encrypted (`encrypted = false`). This fails Checkov's EFS encryption check, `CKV_AWS_42` ("Ensure EFS is securely encrypted"), and with it the job:

(Screenshot: the failed Actions run)

Pipeline Success

The previous error is fixed by setting `encrypted = true` on the resource. That also matches what the resource already implies: it passes a `kms_key_id`, and AWS only accepts a KMS key for EFS when encryption is enabled, so the original configuration would have been rejected at apply time as well as by Checkov. With the fix in place Checkov reports no failed checks and the workflow succeeds.

(Screenshot: the successful Actions run)

Further Reading

For more details on using Python in Github Actions

The test code sample: